Generating a Self Signed Certificate for SSL

. 2 min read

Howdy Folks!! We often need to protect our HTTP endpoints with encrypted connections. Be it a website that needs to be accessed in the browser or an internal service end-point for B2B communications, an SSL certificate makes the channel encrypted for communication and hence much more protected from getting sniffed.

Although for the consuming clients to ensure the identity of the server, the SSL certificate needs to be signed by a Certifying Authority. However, since the process is cumbersome, expensive and time-consuming, we might need to temporarily opt for a self-signed certificate.

Note that the self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. Hence, this will not be trusted by the public clients and will be treated unsafe due to lack of a certifying authority trust.

Before we get started with creating a self-signed certificate, you can refer here to create an Open CA certificate for free.

Here we will use OpenSSL to create a self-signed certificate. To install OpenSSL in an ubuntu based operating system, you can use the following commands

apt-get install openssl

Generating the private key and SSL certificate

To generate a private key with 2048 bit encryption, we can run this

openssl genrsa -out ca.key 2048

This will generate a private key file for the certificate named ca.key.

Next, we generate a certificate signing request using the following command. This will require us to fill in certain identity information about your organization, server name etc.

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

This will generate a certificate named ca.crt using the above defined private key ca.key.

Generating the pem key and certificates

There are a number of existing standards and formats for generating and delivering the SSL certificates. Following commands can be used to generate the pem keys and certificates. This will ask the similar identity information as in the above case.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Generating the P12 bundle

Similar to the above defined standards, another standard PKCS#12 defines an encoding format to bundle the private key and certificates in an encoded format rather than plain text.

Use the following command to generate the PKCS#12 bundle. This will require the private key and certificate file for bundling.

openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12

A very nice detail of understanding the various file types can be found here.