{"id":560,"date":"2022-08-01T01:11:00","date_gmt":"2022-08-01T01:11:00","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=560"},"modified":"2022-08-01T01:11:00","modified_gmt":"2022-08-01T01:11:00","slug":"create-self-signed-certificates-openssl","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=560","title":{"rendered":"How to Create Self-Signed Certificates using OpenSSL"},"content":{"rendered":"

In this guide, we have given step-by-step guides on how to create self-signed certificates<\/strong> using the OpenSSL utility. You can create self-signed certificates using commands or automate them using a shell script by following this guide.<\/p>\n

Openssl <\/a>is a handy utility to create self-signed certificates. You can use OpenSSL on all the operating systems such as Windows, MAC, and Linux flavors<\/strong>.<\/p>\n

What is a Self Signed Certificate?<\/h2>\n

A self-signed certificate is an SSL\/TSL certificate not signed by a public or private certificate authority. Instead, it is signed by the creator’s own personal or root CA certificate.<\/p>\n

Here is what we do to request paid SSL\/TLS certificate from a well-known Certificate Authority<\/strong> like Verisign or comodo.<\/p>\n

\"SSL\/TLS
Click to view in HD<\/span><\/figcaption><\/figure>\n
    \n
  1. Create a certificate signing request (CSR)<\/strong> with a private key. A CSR contains details about location, organization, and FQDN (Fully Qualified Domain Name).<\/li>\n
  2. Send the CSR to the trusted CA authority.<\/li>\n
  3. The CA authority will send you the SSL certificate signed by their root certificate authority and private key.<\/li>\n
  4. You can then validate and use the SSL certificate with your applications.<\/li>\n<\/ol>\n

    But for a self-signed certificate<\/strong>, here is what we do.<\/p>\n

    \"self-signed
    Click to view in HD<\/span><\/figcaption><\/figure>\n
      \n
    1. Create our own root CA certificate & CA private key (We act as a CA on our own)<\/li>\n
    2. Create a server private key to generate CSR<\/li>\n
    3. Create an SSL certificate with CSR using our root CA and CA private key.<\/li>\n
    4. Install the CA certificate in the browser or Operating system to avoid security warnings.<\/li>\n<\/ol>\n

      Need For Our Own Certificate Authority<\/h2>\n

      Most browsers & operating systems hold a copy of root CA certificates of all the trusted certified Certificated Authorities. That’s the reason the browsers won’t show any security messages when you visit standard websites that use SSL from a trusted and well-known commercial Certificate authority.<\/strong><\/p>\n

      The following image shows the root CA present in the Firefox<\/strong> browser by default.<\/p>\n

      \"default<\/figure>\n

      At the same time, if you use a self-signed certificate, your browser will throw a security warning. The reason is browsers only trust SSL from a trusted Certificate authority. For example,<\/p>\n

      Your connection is not private\nAttackers might be trying to steal your information from demo.apps.mlopshub.com (for example, passwords, messages or credit cards)<\/code><\/pre>\n
      But you can force browsers & operating systems to accept our own certificate authority. So you won’t see the security warning once you install the CA certificate and add it to the trusted list. You can also share the CA certificate with your development team to install in their browsers as well.<\/p>\n
      Also, you can use this CA to create more than one SSL certificate<\/strong>.<\/p>\n
      Create Certificate Authority<\/h2>\n
      As discussed earlier, we need to create our own root CA certificate for browsers to trust the self-signed certificate. So let’s create the root CA certificate first.<\/p>\n
      Let’s create a directory named openssl<\/code> to save all the generated keys & certificates.<\/p>\n
      mkdir openssl && cd openssl<\/code><\/pre>\n
      Execute the following openssl<\/code> command to create the rootCA.key<\/code>and rootCA.crt<\/code>. Replace demo.mlopshub.com<\/code> with your domain name or IP address.<\/p>\n
      openssl req -x509 \\\n            -sha256 -days 356 \\\n            -nodes \\\n            -newkey rsa:2048 \\\n            -subj \"\/CN=demo.mlopshub.com\/C=US\/L=San Fransisco\" \\\n            -keyout rootCA.key -out rootCA.crt <\/code><\/pre>\n
      We will use the rootCA.key<\/code>and rootCA.crt<\/code> to sign the SSL certificate.<\/p>\n
      Note<\/strong>: If you get the following error, comment RANDFILE = $ENV::HOME\/.rnd<\/code> line in \/etc\/ssl\/openssl.cnf<\/code><\/p>\n
      Can't load \/home\/vagrant\/.rnd into RNG<\/code><\/pre>\n
      Create Self-Signed Certificates using OpenSSL<\/h2>\n
      Follow the steps given below to create the self-signed certificates. We will sign out certificates using our own root CA created in the previous step.<\/p>\n
      1. Create the Server Private Key<\/h3>\n
      openssl genrsa -out server.key 2048<\/code><\/pre>\n
      2. Create Certificate Signing Request Configuration<\/h3>\n
      We will create a csr.conf<\/code> file to have all the information to generate the CSR. Replace demo.mlopshub.com<\/code> with your domain name or IP address.<\/p>\n
      cat > csr.conf <<EOF\n[ req ]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\nreq_extensions = req_ext\ndistinguished_name = dn\n\n[ dn ]\nC = US\nST = California\nL = San Fransisco\nO = MLopsHub\nOU = MlopsHub Dev\nCN = demo.mlopshub.com\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\nDNS.1 = demo.mlopshub.com\nDNS.2 = www.demo.mlopshub.com\nIP.1 = 192.168.1.5\nIP.2 = 192.168.1.6\n\nEOF<\/code><\/pre>\n
      \n
      \u26a0\ufe0f<\/div>\n
      In the above config file, only use the alt_names you use.<\/p>\n
      For example, if you are using DNS use:
      DNS.1 = demo.mlopshub.com
      DNS.2 = www.demo.mlopshub.com<\/p>\n
      If you are using IP, use:
      IP.1 = 192.168.1.5
      IP.2 = 192.168.1.6<\/div>\n<\/div>\n
      3. Generate Certificate Signing Request (CSR) Using Server Private Key<\/h3>\n
      Now we will generate server.csr<\/code> using the following command.<\/p>\n
      openssl req -new -key server.key -out server.csr -config csr.conf<\/code><\/pre>\n
      Now our folder should have three files. csr.conf<\/code>, server.csr<\/code> and  server.key<\/code><\/p>\n
      4. Create a external file<\/h3>\n
      Execute the following to create cert.conf<\/code>  for the SSL certificate. Replace demo.mlopshub.com<\/code> with your domain name or IP address.<\/p>\n
      cat > cert.conf <<EOF\n\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = demo.mlopshub.com\n\nEOF<\/code><\/pre>\n
      \n
      \ud83d\udca1<\/div>\n
      Note<\/strong><\/b>: If you are using IP instead of DNS, use the following line:<\/p>\n
      IP.1 = 192.168.1.5<\/p>\n
      Instead of:<\/p>\n
      DNS.1 = demo.mlopshub.com<\/p><\/div>\n<\/div>\n
      5. Generate SSL certificate With self signed CA<\/h3>\n
      Now, execute the following command to generate the SSL certificate that is signed by the rootCA.crt<\/code>  and rootCA.key<\/code> created as part of our own Certificate Authority.<\/p>\n
      openssl x509 -req \\\n    -in server.csr \\\n    -CA rootCA.crt -CAkey rootCA.key \\\n    -CAcreateserial -out server.crt \\\n    -days 365 \\\n    -sha256 -extfile cert.conf<\/code><\/pre>\n
      The above command will generate server.crt<\/code> that will be used with our server.key<\/code> to enable SSL in applications.<\/strong><\/p>\n
      For example, the following config shows the Nginx config using the server certificate and private key used for SSL configuration.<\/p>\n
      server {\n\nlisten   443;\n\nssl    on;\nssl_certificate    \/etc\/ssl\/server.crt;\nssl_certificate_key    \/etc\/ssl\/server.key;\n\nserver_name your.domain.com;\naccess_log \/var\/log\/nginx\/nginx.vhost.access.log;\nerror_log \/var\/log\/nginx\/nginx.vhost.error.log;\nlocation \/ {\nroot   \/home\/www\/public_html\/your.domain.com\/public\/;\nindex  index.html;\n}\n\n}<\/code><\/pre>\n
      Install Certificate Authority In Your Browser\/OS<\/h2>\n
      You need to install the rootCA.crt<\/code> in your browser or operating system to avoid the security message that shows up in the browser when using self-signed certificates.<\/p>\n
      Installing self-signed CA certificates differs in Operating systems. For example, in MAC, you can add the certificate by double-clicking it and adding it to the keychain. Check the respective Operating system guide on installing the certificate.<\/p>\n
        \n
      1. For MAC check this guide<\/a><\/li>\n
      2. Adding certificate to chrome on Windows<\/a><\/li>\n<\/ol>\n
        Shell Script To Create Self-Signed Certificate<\/h2>\n
        If you want to create self-signed certificates quite often, you can make use of the following shell script. You just need to execute the script with the domain name or IP that you want to add to the certificate.<\/p>\n
        Save the following shell script as ssl.sh<\/code><\/p>\n
        #! \/bin\/bash\n\nif [ \"$#\" -ne 1 ]; then\n  echo \"Error: No domain or IP address provided\"\n  echo \"Usage: $0 <domain_or_ip>\"\n  exit 1\nfi\n\nDOMAIN=$1\n\n# Create root CA & Private key\n\nopenssl req -x509 \\\n            -sha256 -days 356 \\\n            -nodes \\\n            -newkey rsa:2048 \\\n            -subj \"\/CN=${DOMAIN}\/C=US\/L=San Fransisco\" \\\n            -keyout rootCA.key -out rootCA.crt\n\n# Generate Private key\n\nopenssl genrsa -out ${DOMAIN}.key 2048\n\n# Detect if input is IP\nif [[ $DOMAIN =~ ^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$ ]]; then\n  ALT_NAMES=\"[ alt_names ]\nIP.1 = ${DOMAIN}\nIP.2 = 192.168.1.5\nIP.3 = 192.168.1.6\"\nelse\n  ALT_NAMES=\"[ alt_names ]\nDNS.1 = ${DOMAIN}\nDNS.2 = www.${DOMAIN}\"\nfi\n\n# Create csf conf\n\ncat > csr.conf <<EOF\n[ req ]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\nreq_extensions = req_ext\ndistinguished_name = dn\n\n[ dn ]\nC = US\nST = California\nL = San Fransisco\nO = MLopsHub\nOU = MlopsHub Dev\nCN = ${DOMAIN}\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n$ALT_NAMES\nEOF\n\n# create CSR request using private key\n\nopenssl req -new -key ${DOMAIN}.key -out ${DOMAIN}.csr -config csr.conf\n\n# Create a external config file for the certificate\n\ncat > cert.conf <<EOF\n\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n$ALT_NAMES\n\nEOF\n\n# Create SSl with self signed CA\n\nopenssl x509 -req \\\n    -in ${DOMAIN}.csr \\\n    -CA rootCA.crt -CAkey rootCA.key \\\n    -CAcreateserial -out ${DOMAIN}.crt \\\n    -days 365 \\\n    -sha256 -extfile cert.conf<\/code><\/pre>\n
        Set the script executable permission by executing the following command.<\/p>\n
        chmod +x ssl.sh<\/code><\/pre>\n
        Execute the script with the domain name or IP. For example,<\/p>\n
        .\/ssl.sh demo.mlopshub.com<\/code><\/pre>\n
        The script will create all the certificates and keys we created using the individual commands<\/code>. The SSL certificate and private keys get named with the domain name you pass as the script argument. For example, demo.mlopshub.com.key<\/code> & demo.mlopshub.com.crt<\/code><\/p>\n
        What are the benefits of using a self-signed certificate?<\/h2>\n
        There are several benefits of using a self-signed certificate:<\/p>\n
          \n
        1. You don’t need to rely on a third party to sign your certificate.<\/li>\n
        2. You can create and use your own certificate authority.<\/li>\n
        3. You don’t have to pay for a certificate from a CA.<\/li>\n
        4. You have more control over your certificates.<\/li>\n<\/ol>\n
          What are the drawbacks of using a self-signed certificate?<\/h2>\n
          There are also several drawbacks of using a self-signed certificate:<\/p>\n
            \n
          1. Your users will need to install the certificate in their browsers<\/strong> or applications.<\/li>\n
          2. Your users will need to trust your certificate authority<\/strong> manually.<\/li>\n
          3. They unsafe for public facing applications.<\/li>\n
          4. None of the browsers or operating systems trust the self-signed certificates unless the user installs them.<\/li>\n
          5. Prone to man-in-the-middle attacks.<\/li>\n<\/ol>\n
            In general, self-signed certificates are a good option for applications in which you need to prove your own identity. They’re also a good option for development and testing environments<\/strong>. However, they shouldn’t be used for production applications.<\/p>\n
            Self-Signed Certificates in Organizations<\/h2>\n
            Many organizations use self-signed certificated for their internal applications that are not internet-facing. These certificates are generated using the organization’s internal PKI infrastructure.<\/p>\n
            DevOps<\/a> teams and developers can request SSL certificates from the PKI infrastructure to be used in applications.<\/p>\n
            Self-Signed Certificate FAQ’s<\/h2>\n
            Following are the frequently asked questions about self-signed certificate.<\/p>\n
            How to create self-signed certificated on Windows?<\/h3>\n
            You can create a self-signed <\/strong>certificate on windows<\/strong> using Openssl. The OpenSSL commands are the same for all operating systems. You can follow this guide to create a self-signed <\/strong>certificate on windows<\/strong> using this guide.<\/p>\n
            How do I get a self-signed certificate?<\/h3>\n
            Self-signed certificate can be generated by you using tools like openSSL or CDSSL PKI toolkit.<\/p>\n
            Conclusion<\/h2>\n
            In this guide, we have learned how to create self-signed SSL certificates<\/strong> using OpenSSL.<\/p>\n
            For production use cases, if you don’t want to spend money on SSL certificates, you can try out Letsencrypt<\/a>.<\/p>\n
            Hope this self-signed SSL guide was helpful with the script to automate the certificate generation. Do let us know if you face any issues.<\/p>\n
            Also, SSL\/TLS is one of the important topics in DevOps. You can check out the how to become a devops engineer<\/a> blog to know more.<\/p>\n
            \n
            Ngu\u1ed3n:<\/strong> How to Create Self-Signed Certificates using OpenSSL \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
            Source: https:\/\/devopscube.com\/create-self-signed-certificates-openssl\/<\/p>\n","protected":false},"author":1,"featured_media":561,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=560"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/560\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/561"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}