Recently I had to generate an X.509 certificate to enable encrypted connections to a web app. The browser checks that the connection is made via a valid, trusted certificate; later on we’ll be using a 3rd party entity known as a Certificate Authority (CA) to make that the case.
We’ll be using openssl to generate a private key. This key manifests in the form of a file, so we’ll call it a .key file, which we’ll also make read-only:
$ openssl genrsa -out hostname.key 2048
$ chmod 400 hostname.key
If you cat hostname.key, the first and last lines of your .key file will be -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
Your .key file is the first half of the equation in public key cryptography. For the second half, we need to submit a Certificate Signing Request (CSR) to a 3rd party entity known as a Certificate Authority (CA).
We’ll be using openssl to generate our CSR, with hostname.key as one of its inputs. A CSR manifests in the form of a file, which we’ll call a .csr file. Sample values for the various other inputs are also shown below:
$ openssl req -new -sha256 -days 3650 -key hostname.key -out hostname.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:SG
State or Province Name (full name) [Singapore]:Singapore
Locality Name (eg, city) [Singapore]:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :waynekhan.net
Email Address :firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
If you cat hostname.csr, the first and last lines will be -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.
Your CA will then use your CSR to generate a public certificate (e.g., a .pem file), typically Base64-encoded. If you cat this file, the first and last lines will be -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Thereafter, depending on what kind of web server you use (e.g., httpd, nginx), the process is different. Regardless, you’ll always need to use your hostname.key (.key file) together with your .pem file.
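The whole procedure above, written as a POSIX shell script that I am adding here as an example (it is not part of the original post). It goes a little beyond the post: the DN is passed with -subj so no interactive prompts are needed, the CSR is checked for a valid self-signature and for a public key that matches hostname.key, and a self-signed .pem is produced only so that the key-versus-certificate check can be shown without a CA. The hostname waynekhan.net and the SG/Singapore DN values are taken from the post; the function names, the temporary working directory and the self-signing step are my own assumptions.

```shell
#!/bin/sh
# Added example: generate a private key and CSR, then verify they belong
# together before sending the CSR to a CA. Function names are assumptions.
set -eu

# Create a 2048-bit RSA key; umask 077 means the file is never world-readable,
# not even for the instant between creation and chmod.
gen_key() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
    chmod 400 "$1"
}

# Create a CSR non-interactively. -days is omitted on purpose: openssl req
# only honours it together with -x509 (a self-signed certificate), so it has
# no effect on a CSR.
gen_csr() {
    openssl req -new -sha256 -key "$1" -out "$2" \
        -subj "/C=SG/ST=Singapore/L=Singapore/CN=$3" 2>/dev/null
}

# Succeeds when the CSR's self-signature verifies (i.e. the CSR is intact).
csr_verifies() {
    openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

# Succeeds when the public key embedded in the CSR is the one derived from
# the private key, so the CA will issue a cert usable with this .key file.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the Common Name of a CSR (RFC2253 layout keeps the field parseable).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Local testing only: self-sign the CSR to obtain a .pem. In real use the
# .pem comes back from the CA instead.
self_sign() {
    openssl x509 -req -in "$2" -signkey "$1" -days 365 -sha256 -out "$3" 2>/dev/null
}

# The same check as key_matches_csr, but for the .pem the web server will
# be configured with alongside the .key file.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run in a throwaway directory (constructed values, not real deployment files).
work=$(mktemp -d)
gen_key "$work/hostname.key"
gen_csr "$work/hostname.key" "$work/hostname.csr" "waynekhan.net"
csr_verifies "$work/hostname.csr" && echo "CSR signature verifies"
key_matches_csr "$work/hostname.key" "$work/hostname.csr" \
    && echo "CSR public key matches hostname.key"
echo "CSR Common Name: $(csr_cn "$work/hostname.csr")"
self_sign "$work/hostname.key" "$work/hostname.csr" "$work/hostname.pem"
key_matches_cert "$work/hostname.key" "$work/hostname.pem" \
    && echo "hostname.pem public key matches hostname.key"
```

Two things worth knowing when you run this: OpenSSL 3.x writes the key in PKCS#8 form, so the first line of the .key file reads -----BEGIN PRIVATE KEY----- rather than -----BEGIN RSA PRIVATE KEY-----, and the key_matches_* checks work regardless of which form you have. The comparison of public keys is the check to repeat whenever a certificate is renewed or a key is rotated, since a mismatched key and .pem is the usual reason a web server refuses to start after a certificate change.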