howtos:generate_a_self-signed_certificate_from_scratch
If you know that you only want a self-signed certificate (not one signed by a Certificate Authority (CA)), you can generate a self-signed certificate without first having to generate a Certificate Signing Request (CSR).

A self-signed certificate does not give the security guarantees provided by a certificate signed by a commercial CA, but it will allow you to provide a secure https connection to your web site. Clients will see a warning message stating that your site's identity cannot be verified and thus is not a "

Clients have the option of accepting the certificate for the session, and all subsequent https connections with the site will be secure. Here is a typical openssl command and the resulting interactive session when generating a self-signed certificate:
<code>
openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to '
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,

If you enter '
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Urbana
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NCSA
Organizational Unit Name (eg, section) []:Security Research Division
Common Name (eg, YOUR name) []:
Email Address []:
</code>

First, an explanation of the command line options:

  * -x509 - generate a self-signed certificate rather than a CSR.
  * -days 365 - make the self-signed certificate valid for one year.
  * -newkey rsa:1024 - generate a new private key of type RSA of length 1024 bits.

If you had previously generated a private RSA key (by using the "

  * -keyout hostkey.pem - write out the newly generated RSA private key to the file hostkey.pem. You will want to save this file since it is needed when you use the SSL certificate.
  * -nodes - an optional parameter NOT to encrypt the private key. This is useful when your web server starts automatically,
  * -out hostcert.pem - write out the self-signed certificate to the file hostcert.pem.

Next, an explanation of the interactive session.

At each prompt, you will see brackets ([ ]) which may or may not contain text. That text is the default option for that prompt. If you simply hit the <

Note: Since you are creating a self-signed certificate for use by a web server, at the prompt "

howtos/generate_a_self-signed_certificate_from_scratch.txt · Last modified: 02/12/2018 21:34 by 127.0.0.1