Create an SSL Certificate/Old: Difference between revisions
From charlesreid1
(Created page with "= Installing = == Prerequisites == In order to create your own SSL certificate, you'll need OpenSSL installed on your machine. = Creating a Certificate Authority = Typically,...")
m (Admin moved page Create an SSL Certificate to Create an SSL Certificate/Old)
(8 intermediate revisions by 2 users not shown)
Latest revision as of 19:31, 7 October 2020
WARNING: These instructions are old, this Digital Ocean tutorial is recommended instead: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-20-04
Installing
Prerequisites
In order to create your own SSL certificate, you'll need OpenSSL installed on your machine.
Creating a Certificate Authority
Typically, a company will pay hundreds or thousands of dollars to a Certificate Authority, and in return that company's website will be granted an "official" signed SSL Certificate.
A signed SSL Certificate means the SSL Certificate is trusted by an authority. This makes it possible to make secure connections between a user and a server.
To create a self-signed certificate, we will create our OWN certificate authority, and sign our own certificate using that certificate authority.
To create a new CA:
$ /usr/local/ssl/misc/CA.pl -newca
If you want to go back and change information about the key (e.g. you wanted to change the number of days it will be valid), you can run:
$ openssl x509 -in demoCA/cacert.pem -days 1024 -out cacert.pem -signkey demoCA/private/cakey.pem
$ cp cacert.pem demoCA
Generating the Server Certificate
This creates a private key and a certificate request for your server; the request is then signed by the CA (normally someone like Verisign, but in this case YOU).
The "-nodes" option leaves the private key unencrypted, so no pass phrase is required each time the server starts (e.g. at each reboot).
$ openssl req -new -nodes \
    -subj '/CN=mydomain.com/O=Blah blah blah/C=US/ST=State/L=Place/emailAddress=username@somewhere.com' \
    -keyout FOO-key.pem -out FOO-req.pem -days 3650
Note above that "/O=Blah blah blah" must match the organization name given in the original CA, because the default "openssl ca" policy (policy_match) refuses a request whose C, ST or O differ from the CA certificate. For example, "/O=blahblahblah." will not work. It must be exact.
Signing the Server Certificate
Once you've created the server certificate, it's time to sign it using the certificate authority power, which we granted ourselves.
$ openssl ca -out FOO-cert.pem -infiles FOO-req.pem
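The whole procedure above (create a CA, generate the server key and request, sign it), as an added example that is not part of the original page: it uses plain openssl commands instead of CA.pl, adds a pre-flight for the "O must match" rule the page warns about, and verifies the result with "openssl verify". The directory name, "mydomain.com" and "Blah blah blah" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a stock openssl binary.
set -e

# Build the three artifacts in $1: cacert.pem/cakey.pem, FOO-key.pem/FOO-req.pem, FOO-cert.pem.
make_demo_pki() {
  d="$1"; mkdir -p "$d"
  # 1. Our own CA: a self-signed root. -nodes only so the demo runs unattended;
  #    a real CA key should be pass-phrase protected and kept offline.
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1024 \
    -subj '/CN=Demo Root CA/O=Blah blah blah/C=US/ST=State' \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
  # 2. Server key + CSR (the page's "openssl req -new -nodes" step); C/ST/O copied from the CA.
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj '/CN=mydomain.com/O=Blah blah blah/C=US/ST=State/L=Place' \
    -keyout "$d/FOO-key.pem" -out "$d/FOO-req.pem" 2>/dev/null
  # 3. Sign the CSR with the CA. A SAN is added because modern clients ignore the CN.
  printf 'subjectAltName=DNS:mydomain.com\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    > "$d/server-ext.cnf"
  openssl x509 -req -in "$d/FOO-req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
    -CAcreateserial -days 3650 -sha256 -extfile "$d/server-ext.cnf" -out "$d/FOO-cert.pem" 2>/dev/null
}

# Print one attribute ($3, e.g. O) of the subject DN of a cert ($1=x509) or CSR ($1=req).
# Values containing a literal comma are not handled (RFC2253 escapes them).
dn_attr() {
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n "s/^$3=//p"
}

# Pre-flight for the "must be exact" rule: "openssl ca" with the default policy_match
# refuses a CSR whose C, ST or O differ from the CA certificate. $1=CA cert, $2=CSR.
subject_matches_ca() {
  for attr in C ST O; do
    [ "$(dn_attr x509 "$1" "$attr")" = "$(dn_attr req "$2" "$attr")" ] || return 1
  done
}

# Returns 0 when FOO-cert.pem chains to cacert.pem and FOO-key.pem is its private key.
verify_demo_pki() {
  d="$1"
  openssl verify -CAfile "$d/cacert.pem" "$d/FOO-cert.pem" >/dev/null 2>&1 || return 1
  # key/cert pairing: the SubjectPublicKeyInfo derived from each must be identical
  k1=$(openssl pkey -in "$d/FOO-key.pem" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$d/FOO-cert.pem" -pubkey -noout | openssl sha256)
  [ "$k1" = "$k2" ]
}
```

Run it as `make_demo_pki ./demo-pki && subject_matches_ca ./demo-pki/cacert.pem ./demo-pki/FOO-req.pem && verify_demo_pki ./demo-pki`; a CSR whose O differs from the CA (the page's "blahblahblah" case) fails the pre-flight check.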