Requesting SSL Certificates can be a bit of a hassle, so today I’m going to show you how to easily generate SSL certificates with the help of OpenSSL and your CA of choice.
First we need to generate a Certificate Signing Request (CSR) and a private key using OpenSSL. I'm running it in Ubuntu on WSL2, which is a handy way of using Linux tools on your Windows machine.
Generating Private Key and Certificate Signing Request
openssl req -newkey rsa:4096 -keyout PRIVATEKEY.key -out MYCSR.csr
Let’s break down what the command does and what the parameters do:
openssl
OpenSSL is the tool used to (amongst a lot of other things) generate our private key and CSR
req
Tells OpenSSL to generate a Certificate Signing Request (CSR) which is what we’ll send to the Certificate Authority (CA)
-newkey rsa:4096
Tells OpenSSL that we also would like a new private key, and to generate that using RSA with a key length of 4096 bits.
You can also use 2048 bits, which is a bit faster (some researchers have found that the TLS handshake takes around 25 ms longer with a 4096 bit key instead of 2048 bits) but I usually stick to 4096 bits.
-keyout PRIVATEKEY.key
Fairly straightforward, this simply tells OpenSSL where to save the private key file.
-out MYCSR.csr
Likewise, this tells OpenSSL where we want the CSR-file.
OpenSSL will now ask you for quite a lot of information:
grumpy@Aora:/$ openssl req -newkey rsa:4096 -keyout PRIVATEKEY.key -out MYCSR.csr
Generating a RSA private key
…………………………….++++
……………………………………………………………………………………………………………………..++++
writing new private key to 'PRIVATEKEY.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Pohjanmaa
Locality Name (eg, city) []:Vaasa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fun Facts Oyj
Organizational Unit Name (eg, section) []:Department of Paranormal Affairs
Common Name (e.g. server FQDN or YOUR name) []:testserver.example.org
Email Address []:somedude@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The most important part here is the PEM pass phrase, i.e. the password that lets you decrypt the private key. It's really important that you don't lose this, otherwise you will not be able to use the certificate.
Which of these fields actually need to be filled out depends on your CA and how strict a certificate you're looking to get, but you'll need to at least provide a Common Name, which is the DNS name of the server/website you're trying to secure.
Acquiring a Certificate
When all this is said and done, you'll just have to upload your CSR to your CA, and they will usually give you back a file or a block of text looking something like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Save this as a .pem file (CERTIFICATE.pem in the commands below) in the same directory as the CSR and private key you generated earlier.
Generating PKCS #12 Files
Most systems will accept the separate PEM certificate and private key, but it's a lot handier if you can store them as a single file. PKCS #12 allows you to bundle certificates and keys together, which is handy when you need to install your certificate along with its key and any intermediate CA certificates. This can easily be done with OpenSSL as well:
grumpy@Aora:/$ openssl pkcs12 -export -out CERTIFICATE_BUNDLE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.pem
Enter pass phrase for PRIVATEKEY.key:
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL will ask you for the passphrase of your private key file, and then for another passphrase, the export password, which it uses to encrypt the private key inside the PKCS #12 file.
You can use either .pfx or .p12 as the file extension for PKCS #12 files.
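The whole procedure above, from key and CSR through to the PKCS #12 bundle, as an added example that is not from the original post: it runs without prompts, adds a Subject Alternative Name to the CSR (which clients expect in addition to the Common Name), and checks each artifact before moving on. It assumes openssl is on PATH and stands in for the CA by self-signing the CSR so it runs offline; the work directory, passphrases and SAN are made-up values.

```shell
#!/bin/sh
# Added example, not from the original post: the key -> CSR -> certificate -> PKCS #12 flow
# from above as a non-interactive script with the checks worth running at each step.
# Assumes openssl is on PATH; directory, subject, SAN and passphrases are made-up values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-constructed-key-passphrase}"   # the PEM pass phrase from the post
PFX_PASS="${PFX_PASS:-constructed-export-password}"  # the PKCS #12 export password

# 1. Private key + CSR without prompts. -subj replaces the interactive DN questions and
#    -addext adds a Subject Alternative Name, which clients expect in addition to the CN.
gen_key_and_csr() {
  openssl req -newkey rsa:4096 -keyout "$WORKDIR/PRIVATEKEY.key" -passout "pass:$KEY_PASS" \
    -out "$WORKDIR/MYCSR.csr" \
    -subj "/C=FI/ST=Pohjanmaa/L=Vaasa/O=Fun Facts Oyj/CN=testserver.example.org" \
    -addext "subjectAltName=DNS:testserver.example.org"
}

# 2. Check the CSR before uploading it: self-signature verifies and the CN is the one expected.
check_csr() {
  openssl req -in "$WORKDIR/MYCSR.csr" -noout -verify &&
    openssl req -in "$WORKDIR/MYCSR.csr" -noout -subject | grep -q 'CN *= *testserver.example.org'
}

# 3. Stand-in for the CA so this runs offline: self-sign the CSR. In real use you upload
#    MYCSR.csr to your CA instead and save the PEM it returns as CERTIFICATE.pem.
selfsign_stub() {
  openssl x509 -req -in "$WORKDIR/MYCSR.csr" -days 30 -signkey "$WORKDIR/PRIVATEKEY.key" \
    -passin "pass:$KEY_PASS" -out "$WORKDIR/CERTIFICATE.pem"
}

# 4. Confirm the certificate belongs to this key: the public keys must hash identically.
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/PRIVATEKEY.key" -passin "pass:$KEY_PASS" -pubout | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/CERTIFICATE.pem" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 5. Bundle key + certificate into PKCS #12, then prove the bundle opens with the export password.
make_pfx() {
  openssl pkcs12 -export -out "$WORKDIR/CERTIFICATE_BUNDLE.pfx" -inkey "$WORKDIR/PRIVATEKEY.key" \
    -passin "pass:$KEY_PASS" -in "$WORKDIR/CERTIFICATE.pem" -passout "pass:$PFX_PASS" &&
    openssl pkcs12 -in "$WORKDIR/CERTIFICATE_BUNDLE.pfx" -passin "pass:$PFX_PASS" -noout 2>/dev/null
}

run_all() { gen_key_and_csr && check_csr && selfsign_stub && key_matches_cert && make_pfx; }
```

Source the file and call run_all; the generated files land in $WORKDIR, and a failing check stops the chain at that step.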