Originally posted on Medium.
Generating Self-Signed Certificates
From time to time there is a need to generate X.509 certificates. In some cases it is enough to generate self signed certificates. This can be achieved by one-line command such as:
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Commands such as above can be found at The Most Common OpenSSL Commands, very usefull reference for OpenSSL tool. If, for some reason, self signed certificate is not what you need you can always be your own certificate authority.
Generating Certificates Using Local CA
Step 1: Root Key and Certificate
For CA you need private key and certificate. Private key can be generated with command:
openssl genrsa -des3 -out rootCA.key 4096
Above command created a file rootCA.key which has private key of length 4 KB and encoded in triple DES. Second step is to create public key for CA.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 730 -out my-root-ca-cert.pem
Step 2: Server(s) Key and Certificate
For each of the server we can use our root CA to sign certificates. But first we need to create private key for the server. Private key will not be shared with our CA. Command is similar to the first one for the CA:
openssl genrsa -out server-one-key.pem 2048
For this private key we stick to the defaults. It generates 2 kilobytes key which is not encrypted (so no password needed). Next step is to generate Certificate Signing Request (CSR) file
openssl req -new -key server-one-key.pem -out server-one-key.csr
We then need to use this .csr file together with root CA key and certificate to sign certificate for the server:
openssl x509 -req -in server-one-key.csr -CA my-root-ca-cert.pem -CAkey rootCA.key -CAcreateserial -out server-one-cert.pem -days 3650 -sha256
Checking Certificates and Keys
In the end two nice commands to check key and certificate: To check private key
openssl rsa -in server-one-key.pem -check
To check certificate
openssl x509 -in server-one-cert.pem -text -noout
Hope it helps somewhat. Miro