Creating a Self-Signed Server Certificate Using OpenSSL
Creating a self-signed server certificate can be a bit daunting, but with OpenSSL, it's a breeze. Follow this step-by-step guide to create your own self-signed server certificate.
Step 1: Create a Certificate Authority (CA)
First, we need to create a Certificate Authority (CA). The CA is responsible for signing the server certificate.
openssl req -x509 -newkey rsa:4096 -days 3650 -noenc -sha256 -utf8 -keyout ca-key.pem -out ca-cert.pem -subj \
"/C=US/ST=Sample Region/L=Sample City/O=Sample Org/OU=Certificate Authority/CN=ca.sample.com/[email protected]"
This command generates a new private key (ca-key.pem) and a self-signed certificate (ca-cert.pem) valid for 10 years. The -noenc flag leaves the private key unencrypted on disk and is the OpenSSL 3.0 spelling; older releases use -nodes for the same effect.
Step 2: Output the X.509 Certificate
To verify the details of the CA certificate, use the following command:
openssl x509 -in ca-cert.pem -noout -text
This command displays the certificate details in a human-readable format.
Step 3: Create a Server Certificate Signing Request (CSR)
Next, we need to create a Certificate Signing Request (CSR) for the server certificate.
openssl req -newkey rsa:4096 -noenc -utf8 -sha256 -keyout server-key.pem -out server-csr.pem -subj \
"/C=US/ST=Sample Region/L=Sample City/O=Sample Org/OU=Certificate Authority/CN=server.sample.com/[email protected]"
This command generates a new private key (server-key.pem) and a CSR (server-csr.pem).
Step 4: Sign the CSR and Add Subject Alternative Names (SAN)
To sign the CSR with the CA and include Subject Alternative Names (SAN) in the server certificate, use the following command:
openssl x509 -req -in server-csr.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out sample-cert.pem -extfile \
<(printf "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:server.sample.com,DNS:localhost,IP:10.0.0.1")
This command signs the CSR with the CA key and certificate and includes the SANs server.sample.com, localhost, and 10.0.0.1. Modern TLS clients match the name they connect to against the SAN list, not the CN, so every hostname or IP address the server will be reached by needs an entry here. The <(...) process substitution is a bash feature; in a plain POSIX shell, write the two extension lines to a file and pass that file to -extfile.
Step 5: Output the Server X.509 Certificate
To verify the details of the server certificate, use the following command:
openssl x509 -in sample-cert.pem -noout -text
This command displays the server certificate details in a human-readable format.
Step 6: Verify the Certificate Chain
Finally, verify the certificate chain to ensure that the server certificate is correctly signed by the CA:
openssl verify -CAfile ca-cert.pem sample-cert.pem
This command verifies that the server certificate (sample-cert.pem) is signed by the CA certificate (ca-cert.pem).
And there you have it! You've successfully created a self-signed server certificate using OpenSSL. If you have any questions or need further assistance, feel free to ask. Happy coding! 😊