howtos:create_a_self-signed_certificate_from_a_certificate_signing_request

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

howtos:create_a_self-signed_certificate_from_a_certificate_signing_request [d/m/Y H:i] (current)
Line 1: Line 1:
 +Once you have created a Certificate Signing Request (CSR), you can create a self-signed certificate from it. A self-signed certificate does not give the security guarantees provided by a certificate signed by a commercial CA. But it will allow you to provide a secure https connection to your web site. Clients will see a warning message stating that your site's identity cannot be verified and thus is not a "trusted site". Clients have the option of accepting the certificate for the session and all subsequent https connections with the site will be secure.
 +
 +Assuming you had generated your CSR and private key using the method shown above, you can create a self-signed certificate with the following openssl command:
 +
 +<code>
 +openssl req -x509 -days 365 -in hostcsr.pem -key hostkey.pem -out hostcert.pem
 +</code>
 +
 +Here's and explanation of the command line options:
 +
 +    * -x509 - output a self-signed certificate rather than a CSR.
 +    * -days 365 - make the self-signed certificate valid for one year.
 +    * -in hostcsr.pem - read in the CSR from the file hostcsr.pem.
 +    * -key hostkey.pem - read in the private key from the file hostkey.pem.
 +    * -out hostcert.pem - write out the self-signed certificate to the file hostcert.pem.
 +
 +
 +View The Contents Of A Certificate Signing Request
 +Once you have created a Certificate Signing Request (CSR), you can look at the contents of the file using a text editor. But you will only see a block of PEM-encoded text such as this:
 +<file>
 +    -----BEGIN CERTIFICATE REQUEST-----
 +    MIIBhzCB8QIBADBIMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzAN
 +    BgNVBAcTBlVyYmFuYTEVMBMGA1UEAxMMVGVycnkgRmxldXJ5MIGfMA0GCSqGSIb3
 +    DQEBAQUAA4GNADCBiQKBgQCo/Dod/sGiCSvi+OV295f3eLMMzPKnNjQKabVpGP3x
 +    2bVHYuJTSz5Umq9DtsaBUMHVgwSCeCjfJAtaONERnJKg7yiyy3kdHgxYeqhoqDoJ
 +    kqZjoN+bOIZGlGs55ke5AqFYdeIaTAcgcxZMmeYZTdZ4n0cCvLHfcyTuKcGmtWsX
 +    +wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAVUelcfGlgus/OaTZgoePEmcvX4Lp
 +    8ofE4sELbM8sg9xiXyw6yQ3e2T3HsYrJnOUUJkgOnL7zwDr29IQ1dG+ScjXKfxgB
 +    vr2jnwdNbX20YgLyt8ht6NiUE7tQ33zDcSGoi+V2OxSWpbRHnOl6lGdRdh3A1LQj
 +    wpM7Z5VjngNVfWM=
 +    -----END CERTIFICATE REQUEST-----
 +</file>
 +If you want to see the actual entries for this file, you can view the contents as text. Here's is a typical openssl command and the resulting output:
 +
 +    openssl req -text -noout -in hostcsr.pem
 +
 +    Certificate Request:
 +        Data:
 +            Version: 0 (0x0)
 +            Subject: C=US, ST=Illinois, L=Urbana, CN=Terry Fleury
 +            Subject Public Key Info:
 +                Public Key Algorithm: rsaEncryption
 +                RSA Public Key: (1024 bit)
 +                    Modulus (1024 bit):
 +                        00:a8:fc:3a:1d:fe:c1:a2:09:2b:e2:f8:e5:76:f7:
 +                        97:f7:78:b3:0c:cc:f2:a7:36:34:0a:69:b5:69:18:
 +                        fd:f1:d9:b5:47:62:e2:53:4b:3e:54:9a:af:43:b6:
 +                        c6:81:50:c1:d5:83:04:82:78:28:df:24:0b:5a:38:
 +                        d1:11:9c:92:a0:ef:28:b2:cb:79:1d:1e:0c:58:7a:
 +                        a8:68:a8:3a:09:92:a6:63:a0:df:9b:38:86:46:94:
 +                        6b:39:e6:47:b9:02:a1:58:75:e2:1a:4c:07:20:73:
 +                        16:4c:99:e6:19:4d:d6:78:9f:47:02:bc:b1:df:73:
 +                        24:ee:29:c1:a6:b5:6b:17:fb
 +                    Exponent: 65537 (0x10001)
 +            Attributes:
 +                a0:00
 +        Signature Algorithm: sha1WithRSAEncryption
 +            55:47:a5:71:f1:a5:82:eb:3f:39:a4:d9:82:87:8f:12:67:2f:
 +            5f:82:e9:f2:87:c4:e2:c1:0b:6c:cf:2c:83:dc:62:5f:2c:3a:
 +            c9:0d:de:d9:3d:c7:b1:8a:c9:9c:e5:14:26:48:0e:9c:be:f3:
 +            c0:3a:f6:f4:84:35:74:6f:92:72:35:ca:7f:18:01:be:bd:a3:
 +            9f:07:4d:6d:7d:b4:62:02:f2:b7:c8:6d:e8:d8:94:13:bb:50:
 +            df:7c:c3:71:21:a8:8b:e5:76:3b:14:96:a5:b4:47:9c:e9:7a:
 +            94:67:51:76:1d:c0:d4:b4:23:c2:93:3b:67:95:63:9e:03:55:
 +            7d:63
 +    
 +
 +Here's an explanation of the command line options:
 +
 +    * -text - view the contents of the CSR as plain text.
 +    * -noout - do not output the PEM-encoded version of the CSR.
 +    * -in hostcsr.pem - read in the CSR from the file hostcsr.pem.
 +
 +
  
howtos/create_a_self-signed_certificate_from_a_certificate_signing_request.txt · Last modified: d/m/Y H:i (external edit)