Many situations demand secure connections, one of the most common ways to encrypt a connection is using TLS/SSL. This post serves as an introduction on how to create the necessary certificates for a typical TLS/SSL connection using the OpenSSL tool. OpenSSL can be used to generate all the certificates.
Self-signed vs CA-signed
All SSL certificates are signed by another certificate. One that is signed by itself is called a Self-signed certificate, a certificate authority (CA) certificate is also a self-signed one. A self-signed certificate can then sign other certificates establishing a chain of trust based on the first signed certificate (aka root certificate). The certificate that is signed by the CA certificate would be called CA-signed certificate.
Key, Certificate Request, Certificate
To generate a certificate, first a private key is needed. Openssl genrsa command is used to generate the private key used for a certificate
- openssl genrsa -des3 -out <key file name> 2048
The command generate a 2048-bit RSA private key and store it in the file specified in the key file name. The key itself look something like this:
To generate a self-signed certificate using the priviously generated private key, use “req” command
- openssl req -x509 -new -nodes -key <key file name> -sha1 -days 1024 -out <self-signed certificate file name> -config <openssl configuration file path>
Enter any information as necessary when prompted. The Openssl configuration file <openssl.cnf> is usually located in the share directory of the installed Openssl directory.
“req” command here generate a x509 certificate with SHA1 signature algorithm and with an expiration of 1024 days. The resulting self-signed certificate can be used to sign other certificate.
The generated certificate is a text file similar to the key.
To generated a certificate that is signed by a CA. A private key (e.g. device.key) is generated similar to the self-sign certificate case. After that a certificate request is generated using the “req” command
- openssl req -new -key <private key file name> -out <certificate request file name> -config <openssl configuration file path>
This would generate a certificate request (CSR) to be signed by another certificate. It is also the file that would be sent to a commercial certificate authority to sign. Note that the common name in this file would be the domain name that the certification is certifying on.
To sign a certificate locally, pass in the certificate request, the CA key, and the CA certificate to openssl.
- openssl x509 -req -in <certificate request file name> -CA <CA certificate file name> -CAkey <CA key file name> -CAcreateserial -out <signed certificat file name> -days 500
This signed the certificate with a expiration of 500 days.
The entire process generated five files (CA key, CA certificate, Device key, Device certificate, Device certificate request.) Three of them (CA certificate, Device key, Device certificate) are used to configure the SSL connection. Typically the CA certificate is installed in the trust store of the authenticating machine, and the device key and device certificate is installed on the machine to be authenticated.