Introduction
Layman's explanation
Technical explanation
Simple way to create a certificate and private key

Generate the private key, create a CSR from it, then self-sign that CSR with the same key:

openssl genrsa -out ingress.key 2048
openssl req -new -sha256 -key ingress.key -out csr.csr
ls csr.csr
openssl req -x509 -sha256 -days 365 -key ingress.key -in csr.csr -out ingress.crt
ls ingress.crt

A certificate made this way contains only the Distinguished Name typed at the CSR prompts plus whatever x509_extensions the system openssl.cnf applies (on most distributions that is the v3_ca section, which marks the certificate as a CA). Either way it has no subjectAltName. Current clients (browsers, curl, Go, Java) match the hostname against the SAN and ignore the CN, so the certificate fails hostname verification even when the CN is the server's FQDN. The configuration-file method under Steps adds the missing extensions.
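The flow above run without prompts, as an added example that is not part of the original page. It shows the weak spot of the CSR-based method: the CSR carries no extensions, so the certificate signed from it has no subjectAltName. A second signing step supplies the SAN at signing time through an ext file given to openssl x509 -req. The working directory, file names and the hostname ingress.example.com are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Requires the openssl CLI;
# tested against OpenSSL 1.1.1 and 3.x command-line behaviour. The directory,
# file names and ingress.example.com are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private key and CSR; -subj supplies the DN so nothing is prompted for.
make_key_and_csr() {
  openssl genrsa -out "$WORK/ingress.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/ingress.key" \
    -subj "/C=US/ST=NY/L=New York/O=Example LLC/CN=ingress.example.com" \
    -out "$WORK/csr.csr" 2>/dev/null
}

# Self-sign exactly as the page does. The CSR has no extensions, so the only
# extensions that can appear are the system openssl.cnf defaults; no SAN.
selfsign_plain() {
  openssl req -x509 -sha256 -days 365 -key "$WORK/ingress.key" \
    -in "$WORK/csr.csr" -out "$WORK/plain.crt" 2>/dev/null
}

# Self-sign the same CSR, adding the extensions from a small ext file.
# -signkey (alias of -key in OpenSSL 3) signs with the CSR's own key.
selfsign_with_san() {
  printf '%s\n' \
    'subjectAltName=DNS:ingress.example.com' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/csr.csr" \
    -signkey "$WORK/ingress.key" -extfile "$WORK/san.ext" \
    -out "$WORK/san.crt" 2>/dev/null
}

# Print the SAN entries of a certificate, or nothing if it has no SAN.
cert_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -E '^ *(DNS:|IP Address:)' || true
}

make_key_and_csr
selfsign_plain
selfsign_with_san
echo "SAN of plain.crt: '$(cert_san "$WORK/plain.crt")'"   # empty
echo "SAN of san.crt: '$(cert_san "$WORK/san.crt")'"       # DNS:ingress.example.com
```

The same -extfile trick is what you use when a CA-signed CSR arrives without a SAN: the signer, not the requester, decides which extensions end up in the certificate.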
Steps
Configuration file: example-com.conf (adapted from the Stack Overflow answer listed under Reference)
[ req ]
default_bits = 2048
default_keyfile = server-key.pem
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Example, LLC
# Use a friendly name here because it is presented to the user. The server's DNS
# names belong in the Subject Alternative Name extension. Putting a DNS name in
# the CN is deprecated by both the IETF and the CA/Browser Forum. If you do put
# a DNS name here, you must also list it in the SAN (otherwise Chrome and other
# clients that strictly follow the CA/Browser Baseline Requirements will reject
# the certificate).
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Example Company
emailAddress = Email Address
emailAddress_default = test@example.com
# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# You only need digitalSignature below. *If* you don't allow
# RSA Key transport (i.e., you use ephemeral cipher suites), then
# omit keyEncipherment because that's key transport.
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
# RFC 5280, Section 4.2.1.12 makes EKU optional
# CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
# In either case, you probably only need serverAuth.
# extendedKeyUsage = serverAuth, clientAuth
[ alternate_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
# Add these if you need them. You usually don't want or need them in
# production, but you may need them for development. IP addresses go in
# IP.n entries, not DNS.n: an address listed as a DNS name is never matched
# against the peer's address.
# DNS.5 = localhost
# DNS.6 = localhost.localdomain
# IP.1 = 127.0.0.1
# IPv6 localhost
# IP.2 = ::1
Sample command to create a self-signed certificate

-config points at the file above, -newkey rsa:2048 generates the private key in the same run, -nodes writes that key unencrypted (no passphrase prompt, so a service can start unattended; protect the file with restrictive permissions instead), -x509 outputs a self-signed certificate rather than a CSR, and -days 365 sets the validity period. Each prompt offers the *_default value from the [subject] section, so pressing Enter accepts it:
root@ns# openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem
Generating a 2048 bit RSA private key
........+++
............................+++
writing new private key to 'example-com.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [New York]:
Organization Name (eg, company) [Example, LLC]:
Common Name (e.g. server FQDN or YOUR name) [Example Company]:
Email Address [test@example.com]:
Verify the newly created certificate. Check that the Subject Alternative Name lists every name the server will be reached by, that Basic Constraints is CA:FALSE, and that Not After is far enough out:
root@ns# openssl x509 -in example-com.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:97:63:10:3b:2c:1f:48
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
Validity
Not Before: Nov 16 17:14:56 2016 GMT
Not After : Nov 16 17:14:56 2017 GMT
Subject: C=US, ST=NY, L=New York, O=Example, LLC, CN=Example Company/emailAddress=test@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f2:2a:7d:7d:e6:42:8a:62:59:ac:e3:31:5f:f6:
76:58:a3:a4:8a:05:10:64:30:c0:ad:85:e5:f4:9e:
95:d2:67:6b:67:9f:46:9e:65:04:0e:d7:26:58:82:
0b:c4:40:8b:f6:ca:2b:a7:fc:d4:2a:f3:a8:89:67:
fd:76:c2:4e:5e:7f:df:e4:1b:bb:8f:7f:8b:76:b6:
4f:75:b9:60:68:e4:3e:8b:77:ae:da:28:b7:66:b5:
38:9e:bb:cb:90:a4:9d:4e:13:df:ce:90:3e:6d:55:
a9:b7:4b:e0:8b:a0:9e:fa:7b:5e:32:c2:d3:35:b8:
4a:28:03:fc:ae:82:ef:bc:ee:ee:97:ab:11:06:41:
af:e6:1f:bf:a0:43:16:b6:42:32:77:52:cb:65:b0:
56:f3:cf:4e:3b:62:21:04:34:2f:59:d0:e9:33:22:
64:96:9b:a9:41:63:25:d6:c6:77:99:ba:e4:90:a6:
3f:6b:ed:7d:cf:3c:45:50:bb:94:66:e3:15:df:5e:
20:77:c3:8c:93:06:14:5d:2b:5e:7a:b3:0e:eb:cc:
22:44:9b:1c:c5:e3:41:a8:9b:25:d0:70:bb:28:5c:
a2:e5:18:2b:df:be:2f:86:93:37:6f:54:f8:e4:33:
22:60:35:eb:58:25:ec:d9:5f:f7:e3:af:f9:87:ee:
aa:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
87:A6:7F:ED:27:00:EC:28:5F:56:25:86:9A:96:D5:F4:FE:5E:62:C5
X509v3 Authority Key Identifier:
keyid:87:A6:7F:ED:27:00:EC:28:5F:56:25:86:9A:96:D5:F4:FE:5E:62:C5
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
91:61:36:80:ea:f3:5f:fd:f0:af:c8:a1:8a:0e:a2:f9:16:51:
02:b0:33:48:e9:7a:08:10:85:46:40:3f:b3:93:9c:73:a8:d3:
db:2b:da:95:05:c2:4a:ed:33:c1:92:ea:18:64:ea:6b:4b:a2:
ed:bb:c5:ca:a7:1e:69:ec:cb:53:85:f5:72:28:38:5b:72:a1:
57:8a:12:49:43:4d:5f:dc:9c:62:76:d4:b4:5b:7c:6d:48:7e:
54:97:af:cc:3c:32:4b:70:2d:3f:05:3b:19:9a:ee:b6:b8:6f:
3e:42:9f:80:87:77:8a:90:48:b4:f6:32:82:c8:3f:d8:51:ca:
cc:d6:4a:a5:d9:51:de:8d:76:6c:12:7c:16:45:df:3d:10:94:
0d:56:42:b2:f9:44:15:3d:89:c8:5b:0b:9a:e2:da:3a:2b:55:
c5:28:6c:05:6d:5d:21:72:83:29:ac:d0:1e:74:fb:ee:8a:57:
a8:60:89:6c:48:4e:11:42:4a:e0:8f:a8:8b:c8:18:b9:2d:df:
c5:f5:58:73:86:3b:6d:56:04:a6:5e:4a:12:1e:c1:55:5f:e9:
b9:99:42:2b:c9:f7:2a:e4:53:8c:b5:7d:1c:05:cd:d1:ad:e5:
5c:fc:11:8b:49:3c:ad:b4:b0:b5:30:89:8a:ad:42:6b:f0:98:
7d:1c:cd:48
root@ns#
Verify the private key

root@ns# openssl rsa -in example-com.key.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[private key omitted]
-----END RSA PRIVATE KEY-----

Without -noout the command also echoes the private key to the terminal, and from there into scrollback, shell history or session logs. Add -noout to get only the "RSA key ok" consistency check.
The key generated above was written with -nodes, so it has no passphrase and this step does nothing to it. If you generated the key without -nodes (or with openssl genrsa -aes256), the file is encrypted, and the command below prompts for the passphrase and then writes an unencrypted copy. Treat that copy as a secret (mode 600, owned by the service account): anyone who can read it can impersonate the server for the lifetime of the certificate.

Remove pass-phrase
root@ns# openssl rsa -in example-com.key.pem -out example-com.key2.pem
writing RSA key
root@ns#
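The verification steps above (certificate contents, key check, passphrase removal), scripted as an added example that is not part of the original page. The key and certificate are created the same way as the sample command but without prompts or a config file: -subj gives the DN and -addext (OpenSSL 1.1.1 or later) gives the extensions example-com.conf would. Beyond what the page shows, it checks that the private key actually belongs to the certificate by comparing public keys, checks the validity window with -checkend, and shows a passphrase being added as well as removed. File names, the passphrase and the example.com names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Requires the openssl CLI
# (1.1.1 or later for -addext). File names, passphrase and hostnames are
# assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/example-com.key.pem"
CERT="$WORK/example-com.cert.pem"
PASS='correct horse battery staple'   # assumed passphrase for the demo

# Unencrypted key (-nodes) plus a 365-day self-signed certificate with SAN.
gen_key_and_cert() {
  openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/ST=NY/L=New York/O=Example LLC/CN=Example Company" \
    -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
    -addext "basicConstraints=CA:FALSE" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
  chmod 600 "$KEY"
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from private key $1.
# $2 is the passphrase if the key is encrypted.
key_spki_digest() {
  if [ -n "${2:-}" ]; then
    openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER
  else
    openssl pkey -in "$1" -pubout -outform DER
  fi 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo carried in certificate $1.
cert_spki_digest() {
  openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if key $1 is the private half of the key in certificate $2.
# Comparing public keys rather than file bytes works across PKCS#1/PKCS#8
# output formats and for encrypted keys (passphrase in $3).
key_matches_cert() {
  [ "$(key_spki_digest "$1" "${3:-}")" = "$(cert_spki_digest "$2")" ]
}

# Succeeds if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Encrypt key $1 into $2 under passphrase $3 with AES-256 (the reverse of the
# "Remove pass-phrase" step on the page).
encrypt_key() {
  openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
}

# Remove the passphrase: the page's "openssl rsa -in ... -out ..." with the
# passphrase supplied on the command line instead of at the prompt.
decrypt_key() {
  openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
  chmod 600 "$2"
}

check() {  # check LABEL CMD ARGS...: print PASS or FAIL for the command
  label=$1; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

gen_key_and_cert
encrypt_key "$KEY" "$WORK/key.enc.pem" "$PASS"
decrypt_key "$WORK/key.enc.pem" "$WORK/key.plain.pem" "$PASS"
check "key matches certificate" key_matches_cert "$KEY" "$CERT"
check "still valid in 30 days" cert_valid_for_days "$CERT" 30
check "encrypted copy is marked ENCRYPTED" grep -q ENCRYPTED "$WORK/key.enc.pem"
check "encrypted copy unlocks with the passphrase" key_matches_cert "$WORK/key.enc.pem" "$CERT" "$PASS"
check "decrypted copy still matches certificate" key_matches_cert "$WORK/key.plain.pem" "$CERT"
if cert_valid_for_days "$CERT" 400; then echo "FAIL: 365-day cert reported valid 400 days out"; else echo "PASS: expired by 400 days out"; fi
```

The public-key comparison is the check to run before deploying a key/certificate pair that came from two different places (a key from genrsa and a certificate returned by a CA or copied from another host): a mismatch is the usual reason a server refuses to start or a TLS handshake fails with a key/certificate error.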
Reference
http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
https://www.sslshopper.com/article-most-common-openssl-commands.html