
SSL

Nothing works better than an example!

##### 1) Create a CA Certificate (self-signed)

$ openssl req -new -x509 -sha1 -newkey rsa:2048 -out my-CA.cert -keyout my-CA.key
> Enter PEM pass phrase: ******
> Verifying - Enter PEM pass phrase: ******
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:Florida
> Locality Name (eg, city) [Newbury]:Miami
> Organization Name (eg, company) [My Company Ltd]:mo-intuition
> Organizational Unit Name (eg, section) []:HQ
> Common Name (eg, your name or your server's hostname) []:Bogus CA
> Email Address []:

##### 2) Create a certificate signing request (done by the software vendor, e.g. Sega)

$ openssl req -new -newkey rsa:2048 -out my-site.csr -keyout my-site.key
> Enter PEM pass phrase: ******
> Verifying - Enter PEM pass phrase: ******
> Country Name (2 letter code) [GB]:US
> State or Province Name (full name) [Berkshire]:Florida
> Locality Name (eg, city) [Newbury]:Miami
> Organization Name (eg, company) [My Company Ltd]:mo-intuition
> Organizational Unit Name (eg, section) []:HQ
> Common Name (eg, your name or your server's hostname) []:mo-intuition.com
> Email Address []:
> A challenge password []:******
> An optional company name []:mo-intuition

##### 3) Decrypt the private key (be careful with this: the output file is an unencrypted key).

$ openssl rsa -in my-site.key -out my-site2.key

##### 4) Sign the CSR (done by the CA, e.g. Verisign).

$ openssl x509 -req -sha1 -days 365 -extensions v3_req -in my-site.csr -out my-site.crt -CA my-CA.cert -CAkey my-CA.key -CAserial my-CA.srl -CAcreateserial
> Enter pass phrase for my-CA.key: ******

##### 5) View the text representation of a certificate.

$ openssl x509 -in my-site.crt -text -noout


##### Options from all commands (above):
  • req
    PKCS#10 certificate request and certificate generating utility.

  • -x509
    Outputs a self-signed certificate; used to generate a test certificate or a self-signed root CA.

  • -newkey arg
    For a new certificate request, generates a new private key; the argument takes the form rsa:nbits, where nbits is the size of the RSA key in bits.

  • -keyout filename
    Filename for private key.

  • -out filename
    Output filename to write to, or standard output by default.

  • -days n
    Specifies the number of days the certificate is valid for (when the -x509 option is used).

  • -nodes
    Do not encrypt the private key.

##### Notes:
Steps (1) and (4) are here for academic purposes. In real life, a CA (such as Verisign) performs these steps.
Step (3) can be eliminated by specifying "-nodes" in step (2).
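The same procedure as a non-interactive script, followed by the check the page leaves out: verifying the signed certificate against the CA. This is an added example, not part of the original page; it deliberately differs from the commands above by using -subj instead of the prompts, -nodes instead of step (3), and sha256 instead of sha1.

```shell
#!/bin/sh
# Added example, not from the original page: steps (1), (2) and (4) above run
# non-interactively, then the certificate is verified against the CA.
# Deliberate differences from the page: -subj replaces the prompts, -nodes
# replaces step (3), and sha256 replaces sha1.
set -eu

# Subjects taken from the prompts answered on the page.
CA_SUBJ="/C=US/ST=Florida/L=Miami/O=mo-intuition/OU=HQ/CN=Bogus CA"
SITE_SUBJ="/C=US/ST=Florida/L=Miami/O=mo-intuition/OU=HQ/CN=mo-intuition.com"

# Build the CA, the CSR and the signed certificate inside directory $1,
# using the page's file names.
make_chain() {
    mkdir -p "$1"
    # Step 1: self-signed CA certificate; -nodes leaves the key unencrypted.
    openssl req -new -x509 -sha256 -days 365 -newkey rsa:2048 -nodes \
        -subj "$CA_SUBJ" -out "$1/my-CA.cert" -keyout "$1/my-CA.key" 2>/dev/null
    # Step 2: the vendor's CSR; -nodes makes step 3 unnecessary.
    openssl req -new -newkey rsa:2048 -nodes -subj "$SITE_SUBJ" \
        -out "$1/my-site.csr" -keyout "$1/my-site.key" 2>/dev/null
    # Step 4: the CA signs the CSR; -CAcreateserial writes my-CA.srl on first use.
    openssl x509 -req -sha256 -days 365 -in "$1/my-site.csr" \
        -CA "$1/my-CA.cert" -CAkey "$1/my-CA.key" -CAcreateserial \
        -out "$1/my-site.crt" 2>/dev/null
}

# Step 5 made checkable: print only the subject CN of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# The missing check: does certificate $2 chain to the CA in file $1? Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Demo: build everything in a scratch directory and show the results.
WORK=$(mktemp -d)
make_chain "$WORK"
echo "CA   CN: $(cert_cn "$WORK/my-CA.cert")"
echo "site CN: $(cert_cn "$WORK/my-site.crt")"
echo "site verified against CA:   $(verify_chain "$WORK/my-CA.cert" "$WORK/my-site.crt")"
# A self-signed CA is trusted only when it is in the trust store given to verify.
echo "CA verified against site:   $(verify_chain "$WORK/my-site.crt" "$WORK/my-CA.cert")"
```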
