How to Create Self-Signed Client and Web Server Certificates using openssl

Use the CSRs and keys you got from the developers for each client, if there is more than one. Get them from the developers if you don't have them, or create the client key(s) yourself.

They should do something like this and send you the CSR and key:

openssl genrsa -out client1.key 1024

# Subject to enter at the prompts: /C=US/ST=California/L=San Francisco/O=Your_Company_Name/OU=IT/CN=client1

Create the Certificate Signing Request (CSR) from the client key. You will use the CSR to create the signed certificate (.crt).

openssl req -new -key client1.key -out client1.csr

Generate the root CA and the root private key. Keep the key in a safe place. Note the CA certificate's expiration date.

Do something similar to the following to generate the your_company_root_ca.crt (or .pem) file.

First generate a password-protected RSA key (.key):

openssl genrsa -des3 -out your_company_root_ca.key 1024

If you want to verify the password of the key:

openssl rsa -in your_company_root_ca.key

Use this key to create a self-signed X.509 certificate valid for 10 years (.crt):

openssl req -new -x509 -days 3650 -key your_company_root_ca.key -out your_company_root_ca.crt

Create the signed certificates from the CSRs and keys, using the root CA, for each client. Here you will be generating the .crt file(s). Send the .crt files back to the developers to add to their client code.

openssl x509 -req -in client1.csr -CA your_company_root_ca.crt -CAkey your_company_root_ca.key -CAcreateserial -out client1.crt -days 365

Do this for each client. Keep in mind the signed client certs expire in 365 days. Of course, you can extend the expiration date. Mark it on the calendar!

Verify that the cert has the right attributes in it:

openssl x509 -in client1.crt -subject -noout

Verify the certificate against the CA bundle to make sure the client certs are good, and then send them to the developers. You should see 'OK':

openssl verify -CAfile your_company_root_ca.crt client1.crt

client1.crt: OK

Generate the web server key and signed cert (signed by the root CA).

# Web server key

openssl genrsa -out your_hostname.com.key 1024

# Subject to enter at the prompts: /C=US/ST=California/L=San Francisco/O=Your_Company_Name/OU=IT/CN=your_hostname.com

openssl req -new -key your_hostname.com.key -out your_hostname.com.csr

openssl x509 -req -in your_hostname.com.csr -CA your_company_root_ca.crt -CAkey your_company_root_ca.key -CAcreateserial -out your_hostname.com.crt -days 1024

Keep in mind the signed web server cert expires in 1024 days. Mark it on the calendar!

Verify the web server certificate against the CA bundle to make sure the server cert is good. You should see 'OK':

openssl verify -CAfile your_company_root_ca.crt your_hostname.com.crt

your_hostname.com.crt: OK
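The CA, client and web server steps above collected into one script that runs without prompts, as an added example that is not from the original post. It assumes openssl is on PATH, uses -subj in place of the interactive prompts and 2048-bit keys, leaves the root key unencrypted (the post uses -des3), and adds one check the post does not show: a cert issued by an unrelated CA must fail verification against your root.

```shell
#!/bin/sh
# Added example (not the post's own commands): the post's CA -> signed-cert
# flow in a scratch directory, plus the subject and chain checks.
# Assumptions: openssl on PATH; -subj replaces the prompts; root key is
# unencrypted here (the post protects it with -des3); 2048-bit keys.
set -eu

WORK=$(mktemp -d)   # throwaway directory; nothing outside it is touched

# Root CA named $1 with CN $2: key plus self-signed cert (10 years, as in the post).
gen_root_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/$1.key" \
    -subj "/C=US/ST=California/L=San Francisco/O=Your_Company_Name/OU=IT/CN=$2" \
    -out "$WORK/$1.crt"
}

# Key + CSR for $1 (CN = $1), signed by CA $2 for $3 days -> $1.crt.
# Serves both the client (365 days) and the web server (1024 days) cases.
issue_signed_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" \
    -subj "/C=US/ST=California/L=San Francisco/O=Your_Company_Name/OU=IT/CN=$1" \
    -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days "$3" 2>/dev/null
}

# Print the CN of cert $1 (handles both "CN = x" and "/CN=x" subject styles).
cert_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print OK if cert $2 chains to CA $1, FAIL otherwise (the exit status is what counts).
verify_against_ca() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

gen_root_ca your_company_root_ca Your_Company_Root_CA
issue_signed_cert client1 your_company_root_ca 365
issue_signed_cert your_hostname.com your_company_root_ca 1024
gen_root_ca other_root_ca Other_Root_CA              # an unrelated CA, for the negative check
issue_signed_cert client2 other_root_ca 365

echo "client1 CN: $(cert_cn client1)"                                           # client1
echo "client1 vs our CA: $(verify_against_ca your_company_root_ca client1)"     # OK
echo "server  vs our CA: $(verify_against_ca your_company_root_ca your_hostname.com)"  # OK
echo "client2 vs our CA: $(verify_against_ca your_company_root_ca client2)"     # FAIL
```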

# Browser (Firefox) test

This generates a .p12 file you can import into Firefox:

openssl pkcs12 -export -in client1.crt -inkey client1.key -name "Your Company Client 1" -out client1.p12

================================

You can use the CN attribute for attribute-based authentication. Based on the CN attribute you can give different clients access to different parts of your web services.
