In some of the previous posts, I gave an overview of SSL and how to configure SSL on a local server. To create a secure channel between two endpoints with the TLS protocol, each side needs a certificate: a signed document that binds a public key to an identity, issued by a certificate authority (CA) the other side trusts. This post shows how to create such certificates with the OpenSSL command-line tool. I will give a brief explanation of each command for better understanding:
Open up your bash/terminal/cmd to run these commands. Also, create a separate directory for the certificates, and keep the CA private key out of any directory you later copy to the server or client.
Generate a CA
openssl req -out ca.pem -new -x509
Description : This command creates a self-signed certificate that can be used as a local CA. It prompts for the subject fields (country, organisation, common name, etc.) and, because no existing key is supplied, generates a new RSA key as well.
Note: The CA private key is written to “privkey.pem” (the default_keyfile set in openssl.cnf; use -keyout to choose another name) and you will be asked for a passphrase to encrypt it. Without -days the certificate is valid for only 30 days, so pass something like -days 3650 for a CA. Guard this key carefully: anyone who holds it can issue certificates that your server and clients will trust.
openssl – This invokes the OpenSSL command-line tool
req – This is the certificate request (PKCS#10) command; with -x509 it produces a certificate directly
-out – This specifies the output filename to write to; standard output is used by default
-x509 – This option outputs a self-signed certificate instead of a certificate request.
-new – This option creates a new certificate request; because no -key is given it also generates a new private key.
Generate a Server Certificate
openssl genrsa -out server.key 2048
Description : This command generates the RSA private key for the server. The public half of this key pair is what ends up in the certificate; the private half stays on the server and is never sent to the CA.
genrsa – This command is used to generate an RSA private key
2048 – This is the key length in bits (4096 is also common, especially for a long-lived CA). Do not use 1024: 1024-bit RSA has been deprecated since 2013 (NIST SP 800-131A) and is rejected at OpenSSL security level 2 and above.
openssl req -key server.key -new -out server.req
Description : This command creates a certificate signing request (CSR) from the key generated in the last step. The request carries the public key and the subject name you enter at the prompts (the Common Name should be the server's hostname) and is signed with the private key to prove possession of it; the private key itself is not included.
-key – This specifies the file to read private key.
openssl x509 -req -in server.req -days 365 -CA ca.pem -CAkey privkey.pem -CAserial CAfile.srl -out server.pem
Description: This command signs the server request with the CA key and produces the certificate issued by the local CA (ca.pem is the file created in the first step). You will be prompted for the CA key passphrase.
Note: If you are signing with this CA for the first time, add “-CAcreateserial” (keep “-CAserial CAfile.srl” so the file gets that name); on later runs the existing file is reused. The serial file holds the next serial number to assign, which is how the CA gives every certificate it issues a unique serial. Two caveats: without -days the certificate is valid for only 30 days, and x509 -req adds no X.509 v3 extensions unless you pass -extfile, so the resulting certificate has no subjectAltName; modern browsers and TLS libraries match the hostname against subjectAltName rather than the Common Name and will reject a certificate without it.
x509 – The x509 command is a multi-purpose certificate utility. It can be used to display certificate information, convert certificates to various forms, sign certificate requests like a “mini CA” or edit certificate trust settings.
-req – by default, a certificate is expected on input. With this option, a certificate request is expected instead.
-days – This sets the validity period in days (default 30).
-CA – This is used to specify the CA certificate to be used.
-CAkey – This is used to specify the CA key to be used.
-CAserial – This is used to specify the serial file to be used.
Generate a Client Certificate
openssl genrsa -out client.key 2048
Description: This command is the same as the server key generation, producing a 2048-bit private key for the client.
openssl req -key client.key -new -out client.req
Description: This command is similar to what we did for creating the server certificate request.
openssl x509 -req -in client.req -days 365 -CA ca.pem -CAkey privkey.pem -CAserial CAfile.srl -out client.pem
Description: This command is the same as the one used to create the server certificate. If you want the CA to distinguish the two roles, pass an -extfile that sets extendedKeyUsage = clientAuth here and extendedKeyUsage = serverAuth for the server; a peer can then refuse a client certificate presented in the server role.
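The whole procedure above, as an added runnable script that is not from the original post, with the weak settings corrected: 4096/2048-bit keys, explicit validity periods, a self-contained config so the run does not depend on the system openssl.cnf, subjectAltName and extendedKeyUsage on the leaf certificates via -extfile, and a verification step at the end. The output directory, the file names, and the subject values (Local Test CA, localhost, Client One) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): CA, server and client certificates
# with OpenSSL, then verification. Subject names and file names are assumptions.
set -eu

# Output directory (assumption; override with CERT_DIR=/path sh script.sh)
CERT_DIR="${CERT_DIR:-$(mktemp -d)}"

# Minimal req config so the run does not depend on the system openssl.cnf.
# v3_ca marks the CA cert as a CA; the .ext files are passed with -extfile
# when signing, because x509 -req adds no v3 extensions on its own.
write_config() {
    cat > "$CERT_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$CERT_DIR/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
    cat > "$CERT_DIR/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA: 4096-bit key, 10 years. The key is left unencrypted (-nodes)
# so the script runs non-interactively; protect ca.key with a passphrase in real use.
make_ca() {
    openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 \
        -config "$CERT_DIR/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Local Test CA" -days 3650 \
        -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.pem"
}

# Leaf certificate: 2048-bit key -> CSR -> signed by the CA for one year.
# -CAcreateserial creates ca.srl on the first run and reuses it afterwards.
make_leaf() {   # $1 = file prefix (server|client), $2 = subject common name
    openssl genrsa -out "$CERT_DIR/$1.key" 2048
    openssl req -new -key "$CERT_DIR/$1.key" -config "$CERT_DIR/openssl.cnf" \
        -subj "/CN=$2" -out "$CERT_DIR/$1.csr"
    openssl x509 -req -in "$CERT_DIR/$1.csr" -sha256 -days 365 \
        -CA "$CERT_DIR/ca.pem" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
        -extfile "$CERT_DIR/$1.ext" -out "$CERT_DIR/$1.pem"
}

# Both leaf certificates must chain to the CA (exit status 0 only if both do).
verify_chain() {
    openssl verify -CAfile "$CERT_DIR/ca.pem" "$CERT_DIR/server.pem" "$CERT_DIR/client.pem"
}

# Prints the server certificate's subjectAltName, which TLS clients match the hostname against.
server_san() {
    openssl x509 -in "$CERT_DIR/server.pem" -noout -ext subjectAltName
}

# Returns 0 when the client certificate is refused for the server role, i.e. the
# serverAuth/clientAuth split between server.ext and client.ext is enforced.
client_as_server_rejected() {
    if openssl verify -CAfile "$CERT_DIR/ca.pem" -purpose sslserver \
            "$CERT_DIR/client.pem" >/dev/null 2>&1; then
        return 1
    fi
}

write_config
make_ca
make_leaf server localhost
make_leaf client "Client One"
verify_chain
server_san
echo "certificates written to $CERT_DIR"
```

Run it once and hand out ca.pem as the trust anchor to both sides; server.key and client.key stay on their own hosts, and ca.key stays with whoever acts as the CA. Re-running make_leaf for a new host reuses ca.srl, so every issued certificate keeps a distinct serial number.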
We are done creating the certificates. Now import ca.pem into the trust store on each side, install server.pem with server.key on the server and client.pem with client.key on the client, and you can set up a mutually authenticated channel. In later posts, I will cover more of the OpenSSL commands. You can follow up on this link to check the common commands used: OpenSSL Common Commands