Creating a Self-Signed SSL Certificate

Creating a self-signed SSL certificate is a nice option when you need to run a quick HTTPS test for a web site. Let's take a look at how we can make one.

I'll be using the OpenSSL toolkit. I'm on Windows, so the package can be taken from here: http://gnuwin32.sourceforge.net/packages/openssl.htm
The "openssl-0.9.8h-1-setup.exe" installer by default drops everything here: "C:\Program Files\GnuWin32\bin". Or, if you are on a 64-bit OS, here: "C:\Program Files (x86)\GnuWin32\bin".

The OpenSSL package comes with a default config file, openssl.cnf. It is located in the "share" folder, in my case here: "C:\Program Files\GnuWin32\share". The config file holds important settings that are used to generate the certificate. We need to comment out the "attributes" parameter line, otherwise an error will be presented. I also set the default key length to 2048, but this one can be overridden with the command line parameters.

We need to create an environment variable so that openssl.exe can find the config file.
Open cmd and type: set OPENSSL_CONF=C:\Program Files\GnuWin32\share\openssl.cnf

Now, navigate to the openssl.exe location: cd "C:\Program Files\GnuWin32\bin". We will be doing everything from here.

So, normally you would generate your Private Key and a Certificate Signing Request (CSR) on your web server and send the CSR to a certificate authority, but here we'll be doing everything in one place.

Just to remind you, SSL uses a Private/Public key pair: data encrypted with one key can only be decrypted with the other key of the pair. So, the very first step is to create a Private Key:
openssl genrsa -out server.key 2048
The higher the bit length of your key, the higher the security level. A 2048-bit key is the minimum these days [1024 is not secure anymore]. Here's how my Private Key looks:
[screenshot of the generated server.key]

Obviously you should never show your Private Key to anyone 🙂

Next, we need a CSR. A Certificate Signing Request is an encrypted text that contains the information that will be included in your certificate, such as your organization name, common name, country, etc.
Run the command below and answer all the questions. Pay attention to the Common Name: this is your web server address:
openssl req -new -key server.key -out server.csr

Here is how my CSR looks:
[screenshot of the generated server.csr]

Now we are ready to perform the CA role. We will generate a certificate based on the settings in the CSR:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The certificate [that now holds the Public Key] has been created in the bin folder:
[screenshot of the bin folder with server.crt]

We are almost there 🙂

There is one important thing missing: our newly created SSL certificate [with the Public Key] is separate from the Private Key. We need to combine both in a so-called PFX file. The PFX file is a PKCS#12 archive that contains a certificate [Public Key] and the corresponding Private Key, protected by a password. PFX can be imported into IIS. So let's do it:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
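The same four steps as a POSIX shell script, with two checks worth running before the PFX goes anywhere near a server. This is an added example, not code from the post (on Windows the same openssl commands work in cmd); it assumes openssl is on PATH and uses a constructed host name and password.

```shell
#!/bin/sh
# Added example, not the post's own code: the post's four openssl steps run
# non-interactively, plus the two checks worth doing before importing the PFX.
# Assumptions: openssl is on PATH; file names follow the post; the host name
# and the PFX password are supplied by the caller (constructed test values).
set -eu

make_selfsigned_pfx() {
  dir="$1"; host="$2"; pfx_pass="$3"
  mkdir -p "$dir"
  # 1. Private key: 2048-bit RSA, as in the post.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # 2. CSR: the subject is passed with -subj instead of answering prompts;
  #    the CN is the web server's host name.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=XX/O=Test Lab/CN=$host" 2>/dev/null
  # Extension file for the signing step: browsers check subjectAltName,
  # not only the CN, so a cert without a SAN is rejected even with a right CN.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/ext.cnf"
  # 3. Act as the CA: sign the CSR with the same private key (self-signed).
  openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null
  # 4. Bundle certificate and private key into a password-protected PKCS#12.
  openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
    -out "$dir/server.pfx" -passout "pass:$pfx_pass" 2>/dev/null
}

# Succeeds only if the public key inside server.crt is the one that belongs to
# server.key (a mismatched pair is the classic cause of a site that won't start).
key_matches_cert() {
  k=$(openssl rsa -in "$1/server.key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$1/server.crt" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ]
}

# Prints the SAN entries of the certificate, e.g. "DNS:www.example.test".
cert_san() {
  openssl x509 -in "$1/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}

# Succeeds only if the PFX opens with the given password and carries a
# certificate whose subject contains the expected host name.
pfx_has_host() {
  openssl pkcs12 -in "$1/server.pfx" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | grep -q "$3"
}
```

A wrong PFX password makes pfx_has_host fail, which is the behaviour you want to see before copying the file to the web server.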

If we look in the bin folder we should see, among others, the PFX file that was created:
[screenshot of the bin folder with server.pfx]

Now you can copy the PFX file to your web server and import it into the Computer account's Personal certificate store:
[screenshot of the certificate import into the Personal store]

And if you open the certificate you'll see that it now also holds the Private Key:
[screenshot of the imported certificate showing the private key]

Done 🙂
