pki // generate a self-signed certificate

self-signed

be it for a CA or for testing, here we go: basically the same command as for generating a csr, but with -x509 added so that a certificate comes out instead of a request.

quick shot RSA w/o being prompted for any value

    cd /etc/ssl/
    #cd /etc/openssl/

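    # quote -subj so the shell never tries to expand the * wildcard
    openssl req -x509 -newkey rsa:2048 -nodes \
            -subj "/CN=*.lab.nethence.com" \
            -keyout /etc/ssl/self.key \
            -out /etc/ssl/self.crt
            # -days 9999   (validity; openssl defaults to 30 days without it)
            # -sha256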
    chmod 400 /etc/ssl/*.key
    chmod 444 /etc/ssl/*.crt

instead of tweaking openssl.cnf you may also define more from the command line

    -subj "/C=RU/L=Innopolis/O=Innopolis University/OU=SNE/CN=*.example.local/emailAddress=YOUR-EMAIL"

ECDSA with a 256-bit curve

    # <( ) is process substitution: needs bash, zsh or ksh, not plain sh
    openssl req -x509 -days 9999 -nodes \
            -newkey ec:<(openssl ecparam -name prime256v1) \
            -keyout prime256v1.key \
            -out prime256v1.crt

ECDSA with a 384-bit curve

    openssl req -x509 -days 9999 -nodes \
            -newkey ec:<(openssl ecparam -name secp384r1) \
            -keyout secp384r1.key \
            -out secp384r1.crt

Note - when -out is omitted the result goes to stdout, and when -in is omitted the input is read from stdin

Note - -nodes skips encrypting the private key, hence no passphrase (OpenSSL 3.x spells it -noenc and deprecates -nodes)

then harden the perms

    chmod 444 prime256v1.crt
    chmod 400 prime256v1.key

and review the newly created dummy certificate

    ls -lF *.crt *.key
    openssl x509 -in self.crt -text -noout -fingerprint
    openssl x509 -in self.crt -text -noout | less
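
The review step above, turned into a repeatable check, as an added example that is not part of the original page: `check_pair` and `selftest` are hypothetical helper names and the CN is a constructed sample value. It confirms that the key matches the certificate, that the certificate is self-signed, that it stays valid for a minimum number of days, and that the key is not readable by group or others.

```sh
#!/bin/sh
# Added example, not from the original page. check_pair and selftest are
# hypothetical helper names; the CN below is a constructed sample value.

# check_pair CRT KEY [MIN_DAYS]
# returns 0 = ok, 1 = unreadable, 2 = key mismatch, 3 = not self-signed,
#         4 = expires within MIN_DAYS, 5 = key readable by group/others
check_pair() {
    crt=$1; key=$2; min_days=${3:-30}

    # the public key inside the certificate must be the key's public half
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    # self-signed: subject equals issuer and the signature verifies against itself
    subj=$(openssl x509 -in "$crt" -noout -subject_hash)
    issr=$(openssl x509 -in "$crt" -noout -issuer_hash)
    [ "$subj" = "$issr" ] || return 3
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 3

    # -checkend exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null || return 4

    # characters 5-10 of the ls -l mode string are the group/other bits
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 5
    return 0
}

# selftest: build a throwaway pair the way the page does, then check it
selftest() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
            -subj "/CN=*.example.local" \
            -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null || return 1
    chmod 400 "$dir/self.key"; chmod 444 "$dir/self.crt"
    st=0; check_pair "$dir/self.crt" "$dir/self.key" 30 || st=$?
    rm -rf "$dir"
    return "$st"
}

# with arguments: check the given pair; without: run the self-test
rc=0
if [ "$#" -ge 2 ]; then check_pair "$@" || rc=$?; else selftest || rc=$?; fi
echo "check_pair exit status: $rc"
```

Saved as a script, it takes the certificate, the key and an optional minimum number of days as arguments; the public-key comparison works for the RSA and ECDSA pairs alike.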

ubuntu’s snake-oil

you already have a pair on Ubuntu

    ls -lF /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key

but in case you need to re-generate those

    make-ssl-cert generate-default-snakeoil --force-overwrite

    #openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    #       -keyout /etc/ssl/private/ssl-cert-snakeoil.key \
    #       -out /etc/ssl/certs/ssl-cert-snakeoil.pem

Licensed under MIT