Create a self-signed SSL Certificate using OpenSSL.
In this blog I’ll be giving a little bit of insight on SSL certificates and then how to create a self-signed certificate using OpenSSL.
Let’s start with “What is an SSL Certificate?”
SSL stands for Secure Socket Layer. SSL is a global standard technology that creates encrypted communication between web browser and web server. It helps to decrease the risk of losing your personal information(e.g passwords, emails, credit card numbers etc.) .
To create this secure connection a SSL Certificate is used, which is installed on the web server. So, SSL Certificate is a bit of code on your web server that provides security for your online communications. SSL certificate also contains identification information(i.e your organisational information).
SSL Certificates mainly serves two functions:
- Authenticates the identity of the servers(so that users know that they are not sending their information to wrong server).
- Encrypts the data that is being transmitted.
Now,
Securing your application with an SSL certificate is extremely important. In most of the situations we require a trusted certificate(generated by CA-Certification Authority), but there are many cases where you can use a self signed certificate.
So, the next question comes is “when to use a self-signed certificate?”
A self-signed certificate is a certificate that is signed by its own creator rather than a trusted authority. Self signed certificates are less trustworthy, since any attacker can create a self signed certificate and launch a man in the middle attack.
Self-signed certificates can be used at places like:
- Intranet
- Personal sites with few visitors
- During development or testing phase of your application you can use self-signed certificate.
Never use a self signed certificate on applications that transfers valuable information like credit card numbers, bank account numbers etc.
When using a self-signed certificate, visitors will see the following warning in their browser until the user permanently stores the certificate in their certificate store.
So, till now you got the insight on SSL certificates. Now lets see how to create one using OpenSSL.
Creating a self-signed certificate using OpenSSL
OpenSSL is a command line tool that is used for TLS(Transport Layer Security) and SSL(Secure Socket Layer) protocols.
Now let’s create the certificate:
- Open terminal(linux).
- Run the following commands:
- openssl genrsa -des3 -out server.key 2048
- openssl req -new -key server.key -out server.csr
- openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The first command will generate a 2048 bit(recommended) RSA private key . After running the command it will ask for the passphrase. If you want to create a key without the passphrase you can remove the (-des3) from the command.
The second command generates a CSR(Certificate Signing Request). The CA will use the .csr file and issue the certificate, but in your case you can use this .csr file to create your self-signed certificate. Once you run the command, it will prompt you to enter your country, company name, etc.
If you want to configure your certificate for localhost you can give ‘localhost’ in Common Name field instead of domain name.
The third command will create the self-signed x509 certificate suitable for use on web server.
So this is how you can create a self-signed certificated. In my next blog, I will be explaining KeyStore generation in PKCS12 Format. Here is the link:
Enjoy ! :)
References:
