Self Signed Certificates

How to create a self signed certificate on Debian 12

Server Configuration

Create your server's self signed SSL certificate. If the server is used for business, buy and use a certificate issued by a public CA instead.

Create self signed SSL Certificate

root@dlp:~# cd /etc/ssl/private

root@dlp:/etc/ssl/private# openssl genrsa -aes128 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
............+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:              # set passphrase
Verifying - Enter pass phrase for server.key:  # confirm
# remove passphrase from private key
root@dlp:/etc/ssl/private# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:              # input passphrase
writing RSA key

root@dlp:/etc/ssl/private# openssl req -new -days 3650 -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:JP # country code
State or Province Name (full name) [Some-State]:Hiroshima # state
Locality Name (eg, city) []:Hiroshima # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GTS # company
Organizational Unit Name (eg, section) []:Server World # department
Common Name (e.g. server FQDN or YOUR name) []:dlp.srv.world # server's FQDN
Email Address []:root@srv.world # admin email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@dlp:/etc/ssl/private# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=C = JP, ST = Hiroshima, L = Hiroshima, O = GTS, OU = Server World, CN = dlp.srv.world, emailAddress = root@srv.world
Getting Private key


root@dlp:/etc/ssl/private# ls -l
total 12
-rw-r--r-- 1 root root 1334 Aug 19 19:31 server.crt
-rw-r--r-- 1 root root 1062 Aug 19 19:30 server.csr
-rw------- 1 root root 1675 Aug 19 19:30 server.key

PEM Certificate

Use the following command to convert a base64-encoded .cer file to a .pem format file:

Syntax: openssl x509 -in <path-to-cer-file> -outform pem -out <path-to-pem-file>

Example: openssl x509 -in C:\Certificates\AnyCert.cer -outform pem -out C:\Certificates\AnyCertInPem.pem

Read the SSL Certificate information from a remote server

You may want to monitor the validity of the SSL certificate on a remote server without having its certificate.crt file locally on your own server. You can use the same openssl tool for that.

To connect to a remote host and retrieve its SSL certificate (and with it the server's public key), use the following command.

$ openssl s_client -showcerts -connect ma.ttias.be:443

This will connect to the host ma.ttias.be on port 443 and show the certificate.

To print only the validity dates, pipe the output into openssl x509. The -servername option sets the SNI name, which matters when one host serves several certificates:

openssl s_client -servername <NAME> -connect <HOST:PORT> 2>/dev/null | openssl x509 -noout -dates

openssl s_client -connect baizabal.xyz:443 2>/dev/null | openssl x509 -noout -dates
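The same check as the s_client | x509 -dates pipeline above, as an added Go example that is not part of the original notes and is meant as a monitoring probe: FetchLeaf sends the SNI name the way -servername does and reads the leaf certificate without verifying the chain, so an expired or self-signed certificate is still reported, and Inspect turns the validity window into days left and a warning flag. The host in main and the 30-day threshold are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"time"
)

// Expiry summarises a certificate's validity window, the data `openssl x509 -noout -dates` prints.
type Expiry struct {
	NotBefore, NotAfter time.Time
	DaysLeft            int  // whole days until NotAfter; negative once expired
	Expired, Warn       bool // Warn is set when expired, not yet valid, or within warnDays of expiry
}

// Inspect evaluates cert at time now with an alerting threshold of warnDays.
func Inspect(cert *x509.Certificate, now time.Time, warnDays int) Expiry {
	left := int(cert.NotAfter.Sub(now).Hours() / 24)
	expired := now.After(cert.NotAfter) || now.Before(cert.NotBefore) // not-yet-valid counts too
	return Expiry{cert.NotBefore, cert.NotAfter, left, expired, expired || left < warnDays}
}

// FetchLeaf returns the certificate hostPort presents when serverName is sent as SNI, mirroring
// `openssl s_client -servername NAME -connect HOST:PORT`. Chain verification is skipped on purpose
// so an expired or self-signed certificate is still reported; never reuse this config for real traffic.
func FetchLeaf(hostPort, serverName string) (*x509.Certificate, error) {
	cfg := &tls.Config{ServerName: serverName, InsecureSkipVerify: true} // probe only, see above
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", hostPort, cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", hostPort)
	}
	return certs[0], nil // certs[0] is the leaf; the rest is the chain the server sent
}

func main() { // probes the host used in the notes above (assumed reachable); replace as needed
	if cert, err := FetchLeaf("baizabal.xyz:443", "baizabal.xyz"); err != nil {
		fmt.Println("probe failed:", err)
	} else {
		e := Inspect(cert, time.Now(), 30)
		fmt.Printf("notBefore=%s notAfter=%s daysLeft=%d warn=%v\n", e.NotBefore.Format(time.RFC3339), e.NotAfter.Format(time.RFC3339), e.DaysLeft, e.Warn)
	}
}
```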


Build Certificates Proxmox and More

The following are the OpenSSL steps that worked for me to generate a CA certificate and an SSL certificate with their keys (self-signed) for Proxmox or for any other local site:

  1. Generate the private key:

sudo openssl genrsa -aes256 -out ca-key.pem 4096

  2. Generate the CA certificate:

sudo openssl req -new -x509 -sha256 -days 3650 -key ca-key.pem -out ca.pem

  3. Generate a private key for the self-signed certificate:

sudo openssl genrsa -out cert-key.pem 4096

  4. Generate the Certificate Signing Request (CSR):

sudo openssl req -new -sha256 -subj "/CN=myprox.mgnetwork.home" -key cert-key.pem -out cert.csr

  5. Create an "extfile" with the Subject Alternative Names:

sudo echo "subjectAltName=DNS:myprox.mgnetwork.home,IP:192.168.200.2" >> extfile.cnf

  6. Generate the self-signed SSL certificate:

sudo openssl x509 -req -sha256 -days 3650 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial

  7. Create the SSL certificate chain:

sudo cat cert.pem >> fullchain.pem && sudo cat ca.pem >> fullchain.pem

  8. Convert the CA certificate from PEM to CRT for installing or importing it in browsers or on Windows:

sudo openssl x509 -outform der -in ca.pem -out ca.crt

Self-Signed & Own CA Root [Digest]

How to create a self-signed (or signed by your own CA) SSL certificate that Chrome will trust (after adding the CA certificate to the local machine).

The certificate must be valid for local network IPs, localhost and multiple domains.

  1. Prepare config files for creating certificates non-interactively (without prompts)

CA.cnf

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = US
ST = Localzone
L = localhost
O = Certificate Authority Local Center
OU = Develop
CN = develop.localhost.localdomain
emailAddress = root@localhost.localdomain

localhost.cnf

[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = US
stateOrProvinceName = Localzone
localityName = Localhost
organizationName = Certificate signed by my CA
commonName = localhost.localdomain

[req_ext]
subjectAltName = @alt_names

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1
IP.2 = 127.0.0.2
IP.3 = 127.0.0.3
IP.4 = 192.168.0.1
IP.5 = 192.168.0.2
IP.6 = 192.168.0.3
DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = dev.local
  2. Generate a CA private key and Certificate (valid for 5 years)

    openssl req -nodes -new -x509 -keyout CA_key.pem -out CA_cert.pem -days 1825 -config CA.cnf

  3. Generate web server secret key and CSR

    openssl req -sha256 -nodes -newkey rsa:2048 -keyout localhost_key.pem -out localhost.csr -config localhost.cnf

  4. Create certificate and sign it by own certificate authority (valid 1 year)

    openssl x509 -req -days 398 -in localhost.csr -CA CA_cert.pem -CAkey CA_key.pem -CAcreateserial -out localhost_cert.pem -extensions req_ext -extfile localhost.cnf

  5. Profit

Output files will be:

  • CA.cnf → OpenSSL CA config file. May be deleted after the certificate creation process.

  • CA_cert.pem → [Certificate Authority] certificate. This certificate must be added to the browser's local authority store so that all certificates issued with this CA are trusted.

  • CA_cert.srl → Random serial number. May be deleted after the certificate creation process.

  • CA_key.pem → Must be used when creating a new [localhost] certificate. May be deleted after the certificate creation process (if you do not plan to reuse it together with CA_cert.pem).

  • localhost.cnf → OpenSSL SSL certificate config file. May be deleted after the certificate creation process.

  • localhost.csr → Certificate Signing Request. May be deleted after the certificate creation process.

  • localhost_cert.pem → SSL certificate. Must be installed on the web server.

  • localhost_key.pem → Secret key. Must be installed on the web server.

SSL Certificate alternative names can be checked by

openssl x509 -noout -text -in localhost_cert.pem | grep 'X509v3 Subject Alternative Name' -A 1
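What the CA sections above build with openssl (the Proxmox steps and the CA.cnf/localhost.cnf approach), as an added Go example that is not part of the original notes: a self-signed CA issues a server certificate carrying DNS and IP SANs, and Verify performs the check a client that imported CA_cert.pem performs, so a name missing from the SAN list is rejected even when the CN matches. Names, serials and validity periods are assumptions taken from the configs above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign issues tmpl under parent, signed with the parent's private key, and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildCAAndLeaf mirrors CA.cnf/localhost.cnf: a CA (CA:true, keyCertSign) signs a SAN-bearing server cert.
func BuildCAAndLeaf() (ca, leaf *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)   // the leaf's private key goes to the web server
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "develop.localhost.localdomain"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 1825),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = sign(caTmpl, caTmpl, caPub, caKey); err != nil { // parent is itself: self-signed
		return
	}
	leaf, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost.localdomain"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 398),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"localhost", "localhost.localdomain", "dev.local"},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.168.0.1")},
	}, ca, leafPub, caKey)
	return
}

// Verify chains leaf to the trusted CA and matches name (host or IP) against its SANs; nil means accepted.
func Verify(ca, leaf *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}
```

To hand the results to a web server, encode the DER bytes of each certificate and key with encoding/pem, which yields the same PEM files the openssl commands above write.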

2nd approach

Summary

Summary of the commands used to create a root CA, an intermediate CA, and a leaf certificate:

openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config root_req.config
openssl ca -in root.csr -out root.pem -config root.config -selfsign -extfile ca.ext -days 1095

openssl genrsa -out intermediate.key 2048
openssl req -new -key intermediate.key -out intermediate.csr -config intermediate_req.config
openssl ca -in intermediate.csr -out intermediate.pem -config root.config -extfile ca.ext -days 730

openssl genrsa -out leaf.key 2048
openssl req -new -key leaf.key -out leaf.csr -config leaf_req.config
openssl ca -in leaf.csr -out leaf.pem -config intermediate.config -days 365

openssl verify -x509_strict -CAfile root.pem -untrusted intermediate.pem leaf.pem

These commands rely on some setup which I will describe below. They are a bit of overkill if you just want a few certs in a chain, which can be done with just the x509 command. These commands will also track your certs in a text database and auto-increment a serial number. I would recommend reading the warnings and bugs section of the openssl ca man page before or after reading this answer.

Directory Structure

We will need the following directory structure before starting.

ca.ext              # the extensions required for a CA certificate for signing certs
intermediate.config # configuration for the intermediate CA
root.config         # configuration for the root CA

leaf_req.config         # configuration for the leaf cert's csr
intermediate_req.config # configuration for the intermediate CA's csr
root_req.config         # configuration for the root CA's csr

intermediate_ca/    # state files specific to the intermediate CA
    index           # a text database of issued certificates
    serial          # an auto-incrementing serial number for issued certificates
root_ca/            # state files specific to the root CA
    index           # a text database of issued certificates
    serial          # an auto-incrementing serial number for issued certificates

If this is a more permanent CA, the following changes are probably a good idea:

  1. Moving each CA’s configuration file, private key (generated later), and certificate file (generated later) to the CA’s directory. This will require changes to the configuration file.

  2. Creating a subdirectory in the CA's directory for issued certificates. This requires changes to the configuration file.

  3. Encrypting the private key

  4. Setting a default number of days for issued certificates in the CA configuration files

Starting Directory Structure File Contents

The contents of each of the files in the directory structure are as follows:

ca.ext

[ default ]
basicConstraints = critical,CA:true     # recommended to be marked critical. required for a ca
keyUsage         = critical,keyCertSign # required to be marked critical. required for signing certs

intermediate.config

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./intermediate_ca   # helper variable pointing to ca specific files
database        = $dir/index          # database of certs generated by the ca
new_certs_dir   = ./                  # one dir up to make the demo easier
certificate     = ./intermediate.pem  # one dir up to make the demo easier
serial          = $dir/serial         # file with incrementing hex serial number for certs
private_key     = ./intermediate.key

policy          = policy_any
email_in_dn     = no                  # recommended
unique_subject  = no                  # recommended for easier certificate rollover
copy_extensions = none                # don't honor the extensions in the csr
default_md      = sha256

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

root.config

[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./root_ca      # helper variable pointing to ca specific files
database        = $dir/index     # database of certs generated by the ca
new_certs_dir   = ./             # one dir up to make the demo easier
certificate     = ./root.pem     # one dir up to make the demo easier
serial          = $dir/serial    # file with incrementing hex serial number for certs
private_key     = ./root.key

policy          = policy_any
email_in_dn     = no             # recommended
unique_subject  = no             # recommended for easier certificate rollover
copy_extensions = none           # don't honor the extensions in the csr
default_md      = sha256

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

leaf_req.config

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
countryName = US
commonName  = Test Leaf

intermediate_req.config

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
countryName = US
commonName  = Test Intermediate CA

root_req.config

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
countryName = US
commonName  = Test Root CA

intermediate_ca/index (empty file). Database of issued certs. Updates automatically

[empty]

intermediate_ca/serial (a single 0 does not work). This file auto-increments

00

root_ca/index (empty file). Database of issued certs. Updates automatically

[empty]

root_ca/serial (a single 0 does not work). This file auto-increments

00

Detailed commands

Now we can run the commands from the start of this answer:

# create the private key for the root CA
openssl genrsa
    -out root.key # output file
    2048          # bitcount

# create the csr for the root CA
openssl req
    -new
    -key root.key           # private key associated with the csr
    -out root.csr           # output file
    -config root_req.config # contains config for generating the csr such as the distinguished name

# create the root CA cert
openssl ca
    -in root.csr        # csr file
    -out root.pem       # output certificate file
    -config root.config # CA configuration file
    -selfsign           # create a self-signed certificate
    -extfile ca.ext     # extensions that must be present for CAs that sign certificates
    -days 1095          # 3 years

# create the private key for the intermediate CA
openssl genrsa
    -out intermediate.key # output file
    2048                  # bitcount

# create the csr for the intermediate CA
openssl req
    -new
    -key intermediate.key           # private key associated with the csr
    -out intermediate.csr           # output file
    -config intermediate_req.config # contains config for generating the csr such as the distinguished name

# create the intermediate CA cert
openssl ca
    -in intermediate.csr  # csr file
    -out intermediate.pem # output certificate file
    -config root.config   # CA configuration file (note: root is still issuing)
    -extfile ca.ext       # extensions that must be present for CAs that sign certificates
    -days 730             # 2 years

# create the private key for the leaf certificate
openssl genrsa
    -out leaf.key # output file
    2048          # bitcount

# create the csr for the leaf certificate
openssl req
    -new
    -key leaf.key           # private key associated with the csr
    -out leaf.csr           # output file
    -config leaf_req.config # contains config for generating the csr such as the distinguished name

# create the leaf certificate (note: no ca.ext. this certificate is not a CA)
openssl ca
    -in leaf.csr                # csr file
    -out leaf.pem               # output certificate file
    -config intermediate.config # CA configuration file (note: intermediate is issuing)
    -days 365                   # 1 year

# verify the certificate chain
openssl verify
    -x509_strict                # strict adherence to rules
    -CAfile root.pem            # root certificate
    -untrusted intermediate.pem # file with all intermediates
    leaf.pem                    # leaf certificate to verify

Final thoughts

If you’re looking to use a CA in production, please read the warnings and bugs sections of the openssl ca man page (or just the whole man page).


Last update: Nov 20, 2024