Creating Self-Signed Certificates on Ubuntu Server


As I investigated how to set up Apache2 on Ubuntu/Debian, I found out that there were different ways of generating self-signed certificates.

I’ll try to summarise what I gathered in this post, for the sake of understanding and remembering.

Procedure 1: The Ubuntu/Debian way

On Ubuntu/Debian, there is a utility named make-ssl-cert (shipped in the ssl-cert package) that is a debconf to openssl wrapper; its description is available at http://man.he.net/man8/make-ssl-cert
The utility generates a single .pem file containing both a certificate and a private key. The same package creates the default "snakeoil" pair (/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key) that the Apache2 default-ssl site refers to; make-ssl-cert generate-default-snakeoil regenerates it.

$ sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf ./myCertificate.pem

The command needs a template (/usr/share/ssl-cert/ssleay.cnf) to generate the certificate and prompts, through debconf, for the host name to put in it.

The generated PEM file contains both the private key and the certificate, in that order:

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Because this one file also holds the private key, it must be protected like a key: owned by root and readable by root only (mode 0600).

Procedure 2: The OpenSSL way with a passphrase

To generate a self-signed certificate with OpenSSL, one must go through several steps. To generate the certificate, one needs:

  • A private key
  • A Certificate Signing Request (CSR)

To generate a private key using the RSA algorithm, run the following command:

$ openssl genrsa -des3 -out myKey.pem 2048

The command works as follows:

  • The command genrsa generates an RSA private key
  • The option -des3 encrypts the private key with triple DES (a legacy cipher; on current OpenSSL versions prefer -aes256 in the same position)
  • The option -out writes the key to the given filename
  • 2048 is the size of the key to generate, in bits

The output of the command (as printed by OpenSSL 1.0.x; newer versions print less) looks like:

Generating RSA private key, 2048 bit long modulus
..........+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for myKey.pem:
Verifying - Enter pass phrase for myKey.pem:

The key is written in PEM format. The contents of the generated file look as follows:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B86D06044242EA6B

...
-----END RSA PRIVATE KEY-----

Caveat: the key is now encrypted with the passphrase, so you will have to keep the passphrase safe; without it the key cannot be used at all. When the certificate is used with Apache2, the passphrase is requested at each startup of the server (unless mod_ssl's SSLPassPhraseDialog is configured to fetch it from a program).

Now that we have a private key, there are two possibilities: either we generate the Certificate Signing Request and the certificate in two commands (variant a), or we generate the certificate directly in one command (variant b).

Variant a – step 1: Generate a Certificate Signing Request

Run the command:

$ openssl req -new -key myKey.pem -out server.csr

The command will prompt you for quite some information, as the following output shows. For a server certificate, answer the Common Name prompt with the server's fully qualified hostname rather than a person's name; note also that current browsers require a subjectAltName extension, which these interactive prompts do not add:

Enter pass phrase for myKey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brabant
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Division
Common Name (eg, YOUR name) []:My Name
Email Address []:my.name@myorganisation.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The contents of the generated server.csr looks like this:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Variant a – step 2: Generate the self-signed certificate based on the CSR

Run the following command to issue a certificate that will be valid for 365 days.

$ openssl x509 -req -days 365 -in server.csr -signkey myKey.pem -out myCertificate.pem

The output will look like:

Signature ok
subject=/C=BE/ST=Brabant/L=Brussels/O=My Company/OU=My Division/CN=My Name/emailAddress=my.name@myorganisation.com
Getting Private key
Enter pass phrase for myKey.pem:

The contents of the certificate file look like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Variant b: Generate the Certificate without generating the CSR

Run the following command to issue a certificate that will be valid for 365 days. You will have to enter the same data as for the CSR, but no CSR file is written.

$ openssl req -new -x509 -key myKey.pem -out myCertificate.pem -days 365

The output will look like:

Enter pass phrase for myKey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brabant
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Organisation
Organizational Unit Name (eg, section) []:My Division
Common Name (eg, YOUR name) []:My Name
Email Address []:my.name@mycompany.com

Variant c: Remove the passphrase from the key

It is also possible to remove the Triple DES encryption from the key, and therefore the need to enter the passphrase at each server start. This requires that one knows the passphrase, and that the resulting key file be protected accordingly: owned by root and readable by root only (mode 0600), since anyone who can read it can impersonate the server. Write the unencrypted key to a new file; it is a key, not a certificate, so do not give it the certificate's name.

$ openssl rsa -in myKey.pem -out myKey-nopass.pem

The output of the command looks like:

Enter pass phrase for myKey.pem:
writing RSA key

The contents of the generated PEM file looks like this:


-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Procedure 3:  The OpenSSL way without a passphrase

The procedure using OpenSSL without a passphrase differs only at the key generation step. Generate the private key with the following command, which omits the -des3 option and therefore writes the key unencrypted:

$ openssl genrsa -out myKey.pem 2048

The output looks like:

Generating RSA private key, 2048 bit long modulus
.......+++
...+++
e is 65537 (0x10001)

The contents of the myKey.pem file look like (OpenSSL 3 writes PKCS#8 instead, with BEGIN PRIVATE KEY markers):

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Let's now generate the certificate without generating an intermediate CSR:

$ openssl req -new -x509 -key myKey.pem -out myCertificate.pem -days 365

The output looks like:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brabant
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Division
Common Name (eg, YOUR name) []:My Name
Email Address []:my.name@mycompany.com
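
The three procedures above all answer the DN prompts by hand and, as written, produce a certificate with no subjectAltName, which current browsers reject even when the Common Name is right. The script below is an added example, not code from the original post: it is the non-interactive equivalent of Procedures 2 and 3 (key without a passphrase), puts the hostname in both the CN and a DNS subjectAltName, and then runs the checks worth doing before the files go into an Apache2 configuration: the key file is mode 0600, the key really belongs to the certificate, the self-signature verifies, and the SAN is present. The hostname www.example.test and the DN values are placeholders, and the req config file the script writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed server
# certificate with a subjectAltName, plus pre-deployment checks.
# Assumptions: "openssl" (1.0.2 or newer) is on PATH; "www.example.test" and the
# DN values are placeholders for the server's real hostname and details.
set -eu

# Generate an unencrypted 2048-bit RSA key (mode 0600) and a 365-day self-signed
# certificate for HOST into DIR. CN and subjectAltName are both set to HOST:
# modern clients ignore the CN and require the SAN (RFC 6125).
gen_selfsigned() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # A minimal req config, written here, replaces the interactive DN prompts.
    cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server
[ dn ]
C  = BE
ST = Brabant
L  = Brussels
O  = My Company
CN = $host
[ v3_server ]
subjectAltName   = DNS:$host
extendedKeyUsage = serverAuth
EOF
    # umask in a subshell: the key is created 0600 and the caller's umask is untouched
    (umask 077; openssl genrsa -out "$dir/myKey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 365 -config "$dir/req.cnf" \
        -key "$dir/myKey.pem" -out "$dir/myCertificate.pem" 2>/dev/null
}

# Succeed only if the key file is readable by its owner alone (mode exactly 0600).
key_perms_ok() {
    [ -n "$(find "$1" -perm 0600 -print)" ]
}

# Succeed only if the private key and the certificate carry the same public key,
# i.e. the pair really belongs together (a frequent deployment mistake).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate verifies against itself as trust anchor,
# which is what a client that has pinned this self-signed certificate will do.
cert_selfsigned_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the certificate's subjectAltName values (e.g. "DNS:www.example.test").
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Stand-alone use: sh selfsigned.sh www.example.test ./certs
if [ $# -eq 2 ]; then
    gen_selfsigned "$1" "$2"
    key_perms_ok "$2/myKey.pem"                            && echo "key file is 0600"
    key_matches_cert "$2/myKey.pem" "$2/myCertificate.pem" && echo "key and certificate match"
    cert_selfsigned_ok "$2/myCertificate.pem"              && echo "self-signature verifies"
    echo "SAN: $(cert_san "$2/myCertificate.pem")"
fi
```

The section names dn and v3_server are arbitrary; what matters is that x509_extensions in [ req ] points at the section carrying subjectAltName, because openssl req -x509 only adds the extensions it is told about, and the interactive runs above add none. Keep the printed SAN and the key check in the deployment notes: with Apache2, SSLCertificateFile and SSLCertificateKeyFile pointing at files from two different runs is the usual cause of a server that refuses to start.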