What Are Self-Signed Certificates? How to Create Self-Signed Certificates

What Are Self-Signed Certificates?

Self-signed certificates are digital certificates that are not signed by any public Certificate Authority (CA). Usually a public CA signs the CSR with its own CA key. In the case of a self-signed certificate, the certificate is signed with one's own private key. The advantage of self-signed certificates is that they are free of cost. They can be used for private intranet connections and test environments. A self-signed certificate functions just like any other certificate used for SSL communication.

The disadvantage of self-signed certificates is that no browser trusts them. Most browsers will show a warning or prevent the user from browsing further unless the certificate is added to the browser's exception list. This can seriously affect you if you are running a business online.

How to Create Self-Signed Certificates

We can create self-signed certs in a one-step process or in a three-step process. In this article, we will see both approaches. If you already have a CSR and need to get it self-signed, you can skip to the three-step process.

Create Self-Signed Certs in One Step

In this approach, the private key and the self-signed certificate are both created by executing the openssl req -new command. The details for the certificate (normally taken as user input while creating a CSR) are entered at the prompts. Here -x509 makes req output a self-signed certificate instead of a CSR, -days 365 sets the validity period, and -nodes writes the private key without passphrase encryption. The command produces a private key and a self-signed certificate as output, as the session below shows.

[root@3-vcp self_signed_approach1]# openssl req -new -newkey rsa:4096 -x509 -days 365 -nodes -out LDHCertificate.crt -keyout LDH_self_Key
Generating a 4096 bit RSA private key
.............................................++
.......................................................................................................................................++
writing new private key to 'LDH_self_Key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AS
State or Province Name (full name) []:Tasmania
Locality Name (eg, city) [Default City]:Hobart
Organization Name (eg, company) [Default Company Ltd]:LinuxDataHub-Australia
Organizational Unit Name (eg, section) []:LDH-AUS-RW
Common Name (eg, your name or your server's hostname) []:LDH-Review-Aus
Email Address []:[email protected]
[root@3-vcp self_signed_approach1]# ll
total 8
-rw-r--r--. 1 root root 2199 Aug 6 22:09 LDHCertificate.crt
-rw-r--r--. 1 root root 3272 Aug 6 22:09 LDH_self_Key
[root@3-vcp self_signed_approach1]#

Create Self-Signed Certs in Three Steps [via CSR creation]

Even though we can create a self-signed certificate in a single step, it is worth looking at the three-step process as well, because sometimes users already have a certificate signing request (CSR) that needs to be self-signed. In this article, we will create the CSR ourselves; if you already have a CSR, you can skip to the third step of this three-step approach.

Create private key

We need a private key in order to create a CSR. If you want to password-protect the key file, you can use the -des3 option.

[root@3-vcp self_signed_approach2]# openssl genrsa -out LDH_self_Key.key
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
.......................................+++
e is 65537 (0x10001)

Create Certificate Signing Request

We can create a CSR using the private key we created in the above step.

[root@3-vcp self_signed_approach2]# openssl req -new -key LDH_self_Key.key -out Self_cert_req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:AS
State or Province Name (full name) []:Tasmania
Locality Name (eg, city) [Default City]:Hobart
Organization Name (eg, company) [Default Company Ltd]:LinuxDataHub-Australia
Organizational Unit Name (eg, section) []:LDH-AUS-RW
Common Name (eg, your name or your server's hostname) []:LDH-Review-Aus
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Create Self-Signed Certificate

We can create a self-signed certificate from the CSR using the command below.

[root@3-vcp self_signed_approach2]# openssl x509 -req -days 365 -in Self_cert_req.csr -signkey LDH_self_Key.key -out self_signed_cert.crt
Signature ok
subject=/C=AS/ST=Tasmania/L=Hobart/O=LinuxDataHub-Australia/OU=LDH-AUS-RW/CN=LDH-Review-Aus/[email protected]
Getting Private key
[root@3-vcp self_signed_approach2]# ll
total 12
-rw-r--r--. 1 root root 1675 Aug 6 22:21 LDH_self_Key.key
-rw-r--r--. 1 root root 1098 Aug 6 22:25 Self_cert_req.csr
-rw-r--r--. 1 root root 1387 Aug 6 22:29 self_signed_cert.crt
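
The three-step procedure above, run without prompts by passing the DN with -subj, followed by the checks worth making before the pair is deployed: issuer equals subject, the key matches the certificate, and the key file is owner-only (the listings above show it as -rw-r--r--). This is an added example, not part of the original article; the function names are hypothetical, the DN reuses the values typed above, and 2048 is the key size the genrsa output above reports.

```bash
#!/usr/bin/env bash
# Added example: the three-step flow without prompts, plus checks on the result.

# Key -> CSR -> self-signed certificate, written into directory $1 with DN $2.
make_self_signed() {
    local dir=$1 subj=$2
    (
        umask 077   # files are created 0600, so the key is not world-readable
        openssl genrsa -out "$dir/LDH_self_Key.key" 2048 2>/dev/null &&
        openssl req -new -key "$dir/LDH_self_Key.key" -subj "$subj" \
            -out "$dir/Self_cert_req.csr" &&
        openssl x509 -req -days 365 -in "$dir/Self_cert_req.csr" \
            -signkey "$dir/LDH_self_Key.key" \
            -out "$dir/self_signed_cert.crt" 2>/dev/null
    )
}

# Self-signed: issuer equals subject, and the signature verifies against the
# certificate's own public key (the certificate acts as its own trust anchor).
is_self_signed() {
    local crt=$1 subject issuer
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] &&
        openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}

# The certificate must carry the public half of the key we intend to deploy.
key_matches_cert() {
    local from_key from_crt
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# True only when the mode string is exactly -rw------- (owner read/write).
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

demo() {
    local dir; dir=$(mktemp -d) || return 1
    make_self_signed "$dir" \
        "/C=AS/ST=Tasmania/L=Hobart/O=LinuxDataHub-Australia/CN=LDH-Review-Aus" || return 1
    is_self_signed "$dir/self_signed_cert.crt" && echo "self-signed: yes"
    key_matches_cert "$dir/LDH_self_Key.key" "$dir/self_signed_cert.crt" &&
        echo "key matches certificate: yes"
    key_is_owner_only "$dir/LDH_self_Key.key" && echo "key mode 0600: yes"
    rm -rf "$dir"
}
demo
```

The same three checks apply unchanged to the LDHCertificate.crt and LDH_self_Key files from the one-step approach.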

Conclusion

  • In this article, we have seen how to create a self-signed certificate. It is important to keep in mind that self-signed certs should not be used in live production environments. They should only be used for intranet communication and testing use cases.
  • It is always recommended to get the CSR signed by a trusted CA such as DigiCert, IdenTrust, Go Daddy, or Let's Encrypt.
