Self-Signed Certificates and How to Create One Using OpenSSL



SSL stands for Secure Sockets Layer (its successor is TLS, Transport Layer Security). An SSL/TLS certificate is used to secure a connection and is most commonly deployed on web servers.


SSL certificates mainly serve two functions:

  • Authenticating the identity of the server (so that users know they are not sending their information to the wrong server).
  • Enabling encryption of the data in transit: the certificate's public key is used to authenticate the key exchange that sets up the session keys, and those session keys encrypt the traffic.

Mostly we use a certificate issued by a Certification Authority (CA) such as GoDaddy or Verisign, because clients already trust those CAs.
But we can also use a self-signed certificate.

Self Signed Certificate

A self-signed certificate is a certificate that is signed by its own creator rather than by a trusted authority.
These are less trustworthy because nothing ties the certificate to a verified identity: an attacker can create their own self-signed certificate for the same hostname and launch a man-in-the-middle attack, and a client has no way to tell the two apart other than a trust warning that users learn to click through.

Self-signed certificates are acceptable in scenarios like:

1) Intranet.
2) Personal sites with few visitors.
3) Development or Testing phase of the application.


Don't use a self-signed certificate for an application that transmits critical data; use a certificate from a CA that the clients already trust (or from an internal CA whose root has been distributed to those clients).


How to Create a Self-Signed Certificate Using OpenSSL

OpenSSL is a command-line toolkit that implements the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols and the cryptographic primitives behind them, including the key and certificate management used below.

On Linux, run the commands below:

1) openssl genrsa -out server.key 2048 ---> Generate the private key (2048-bit RSA)
2) openssl req -new -key server.key -out server.csr ---> Generate a Certificate Signing Request (CSR) for that key
3) openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt ---> Self-sign the certificate (valid for 365 days)

[root@oel7 ~]# pwd
/root
[root@oel7 ~]# mkdir certificates
[root@oel7 ~]# pwd
/root
[root@oel7 ~]# cd certificates/
[root@oel7 certificates]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
................+++
e is 65537 (0x10001)
[root@oel7 certificates]# ls -ltr
total 4
-rw-r--r-- 1 root root 1679 Mar 28 18:09 server.key
[root@oel7 certificates]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi        
Locality Name (eg, city) [Default City]:Delhi
Organization Name (eg, company) [Default Company Ltd]:Funoracleapps Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:*.lab
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@oel7 certificates]# ls -ltr
total 8
-rw-r--r-- 1 root root 1679 Mar 28 18:09 server.key
-rw-r--r-- 1 root root 1001 Mar 28 18:11 server.csr
[root@oel7 certificates]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=IN/ST=Delhi/L=Delhi/O=Funoracleapps Ltd/OU=IT/CN=*.lab
Getting Private key
[root@oel7 certificates]# ls -ltr
total 12
-rw-r--r-- 1 root root 1679 Mar 28 18:09 server.key
-rw-r--r-- 1 root root 1001 Mar 28 18:11 server.csr
-rw-r--r-- 1 root root 1200 Mar 28 18:12 server.crt


I am giving *.domain_name as the CN to use for multiple servers within the domain. Two caveats worth knowing before you deploy the result: a wildcard matches only one label (*.lab covers web1.lab but not a.web1.lab), and modern browsers ignore the CN entirely and require the hostname in a subjectAltName (SAN) extension, so a certificate generated exactly as above will be rejected by them even when the CN matches. Also note the ls output: server.key was created with mode 0644, so every local user can read the private key. Run chmod 600 server.key (or set umask 077 before generating it) so that only the owner can read it.
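The same three-step procedure, done non-interactively with a SAN extension, a private key created with owner-only permissions, and a few checks afterwards. This is an added example, not code from the original post; the hostnames web1.lab and web2.lab, the function names and the output directory are assumptions for illustration, and the extensions are supplied through an -extfile because openssl x509 -req does not copy extensions from the CSR by default.

```shell
#!/bin/sh
# Added example (not the original post's code): self-signed server certificate
# with a subjectAltName, private key kept 0600, then verified.
set -eu

# make_selfsigned DIR HOST [EXTRA_HOST...]
# Writes server.key, server.csr, server.ext and server.crt into DIR.
make_selfsigned() {
  dir=$1; host=$2; shift 2
  mkdir -p "$dir"

  # Step 1: private key. umask 077 in a subshell makes OpenSSL create it 0600.
  ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )

  # Step 2: CSR with the subject given on the command line (no interactive prompts).
  # The DN values mirror the post; the CN is the primary hostname (assumed).
  openssl req -new -key "$dir/server.key" \
    -subj "/C=IN/ST=Delhi/L=Delhi/O=Funoracleapps Ltd/OU=IT/CN=$host" \
    -out "$dir/server.csr" 2>/dev/null

  # Extensions for a leaf server certificate: every hostname goes into the SAN,
  # because modern clients ignore the CN when matching the hostname.
  san="DNS:$host"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$san" > "$dir/server.ext"

  # Step 3: self-sign with the same key, SHA-256, 365 days, attaching the extensions.
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# key_mode FILE -> permission string such as "-rw-------"
key_mode() {
  ls -l "$1" | cut -c1-10
}

# cert_san CERT -> the SAN entries, e.g. "DNS:web1.lab,DNS:web2.lab"
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# cert_matches_host CERT HOST -> succeeds only if OpenSSL's own hostname check matches
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# self_verify CERT -> succeeds if the certificate validates with itself as trust anchor,
# which is exactly what a client has to be configured to do for a self-signed cert.
self_verify() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage: sh selfsigned.sh /root/certificates web1.lab web2.lab
if [ $# -gt 0 ]; then
  make_selfsigned "$@"
  echo "key mode: $(key_mode "$1/server.key")"
  echo "SAN:      $(cert_san "$1/server.crt")"
  self_verify "$1/server.crt" && echo "self-verify: OK"
fi
```

The client still has to be told to trust server.crt explicitly (a CA bundle entry, a pinned certificate, or a browser exception); self_verify only confirms that the file is internally consistent, not that anyone trusts it.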





If you like please follow and comment