Wednesday 26 October 2016

Quick reminder on self signed certificate generation

Purely a quick reminder to myself on how to generate self-signed certificates . .

This assumes you have openssl - example here works on both Mac and Linux. .

Generate the private key
openssl genrsa -des3 -out privatekey.pem 2048

The -des3 prompts for a passphrase, the -out <<filename>> generates the key, the 2048 is the number of bits

Generate the certificate signing request (csr)
openssl req -new -sha256 -key privatekey.pem -out csr.csr

The -sha256 avoids worrying about whether you'll get a SHA-1 generated with an old version of openssl. -key <<filename>> points to the private key, -out <filename> generates the csr file

Generate the certificate signing request (csr)
openssl x509 -sha256 -req -days 9999 -in csr.csr -signkey privatekey.pem -out certificate.pem

X509 is the certificate type (Note no dash before this parameter), -sha256 avoids SHA-1, -days is how long the certificate is valid for, -in <<filename>> is the CSR file, -signkey <<filename>> is the private key and -out <<filename>> actually generates the certificate to a file.

Check the CSR
openssl req -in csr.csr -text -noout
Make sure this shows the SHA256 (older versions of SSL may default to SHA1)

Check the certificate

openssl x509 -in certificate.pem -text -noout