Wayne Khan


OpenSSL for X.509 certificates

Recently I had to generate an X.509 certificate to enable encrypted connections to a web app. The browser checks that the connection is made with a valid, trusted certificate; later on we’ll use a third-party entity known as a Certificate Authority (CA) to obtain one.

We’ll use openssl to generate a private key. The key is stored in a file, which we’ll call a .key file and make readable only by its owner:

$ openssl genrsa -out hostname.key 2048
$ chmod 400 hostname.key

If you cat hostname.key, the first and last lines of your .key file will be -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- (OpenSSL 3 and later write the key in PKCS#8 form by default, so there you’ll see -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- instead).

Your .key file is the first half of the equation in public key cryptography. For the second half, we need to submit a Certificate Signing Request (CSR) to a Certificate Authority (CA).

We’ll use openssl to generate our CSR, with hostname.key as one of its inputs. The CSR is also written to a file, which we’ll call a .csr file. Sample values for the other inputs it prompts for are shown below:

$ openssl req -new -sha256 -key hostname.key -out hostname.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SG]:SG
State or Province Name (full name) [Singapore]:Singapore
Locality Name (eg, city) [Singapore]:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:waynekhan.net
Email Address []:solitrestless@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you cat hostname.csr, the first and last lines will be -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

Your CA will then use your CSR to issue your public certificate (e.g., a .pem file), typically Base64-encoded. If you cat this file, the first and last lines will be -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Thereafter, the process differs depending on which web server you use (e.g., httpd, nginx). Regardless, you’ll always need to configure your hostname.key (.key file) together with your .pem file.
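As an added example (not from the original post), the three steps above run non-interactively in one shell script, with a self-signed certificate standing in for the CA’s reply and a final check that key, CSR and certificate all carry the same public key, which is what a web server needs before it will serve the pair. It assumes the openssl CLI is installed; the file names and Distinguished Name are the post’s.

```shell
# Added example, not from the original post. Runs the post's three steps
# without a terminal and then checks that key, CSR and certificate all carry
# the same public key. Assumes the openssl CLI; file names mirror the post.
set -eu
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
HOST=waynekhan.net   # the Common Name entered in the post

# Step 1: the private key, then owner-read-only as in the post.
make_key() {
    openssl genrsa -out "$WORKDIR/hostname.key" 2048 2>/dev/null
    chmod 400 "$WORKDIR/hostname.key"
}

# Step 2: the CSR. -subj supplies the Distinguished Name that the
# interactive prompts would ask for; nothing else is needed for a CSR.
make_csr() {
    openssl req -new -sha256 -key "$WORKDIR/hostname.key" \
        -subj "/C=SG/ST=Singapore/L=Singapore/CN=$HOST" \
        -out "$WORKDIR/hostname.csr"
}

# Step 3: what the CA does. Here the request signs itself (self-signed, so
# browsers will not trust it) purely as a stand-in for the CA's .pem reply.
sign_csr_as_ca() {
    openssl x509 -req -sha256 -days 3650 -in "$WORKDIR/hostname.csr" \
        -signkey "$WORKDIR/hostname.key" -out "$WORKDIR/hostname.pem" 2>/dev/null
}

# SHA-256 of the public key held in each file, for a plain string comparison.
pubkey_hash() {
    case "$1" in
        key) openssl pkey -in "$WORKDIR/hostname.key" -pubout ;;
        csr) openssl req -in "$WORKDIR/hostname.csr" -pubkey -noout ;;
        pem) openssl x509 -in "$WORKDIR/hostname.pem" -pubkey -noout ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if all three hashes agree (a .pem issued for a different key
# is the usual reason a server rejects the pair) and the CN is our hostname.
verify_artifacts() {
    k=$(pubkey_hash key); c=$(pubkey_hash csr); p=$(pubkey_hash pem)
    [ "$k" = "$c" ] && [ "$c" = "$p" ] &&
        openssl x509 -in "$WORKDIR/hostname.pem" -noout -subject | grep -q "CN *= *$HOST"
}

first_line() { head -n 1 "$WORKDIR/$1"; }

make_key && make_csr && sign_csr_as_ca
verify_artifacts && echo "key, CSR and certificate agree for $HOST"
```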