Generating SSL Certificates with your own CA

If you are running a website where login credentials are exchanged between a browser and a web server, SSL is a very good idea to make that transmission more secure.

There are some CAs where you can get a certificate for free, but sometimes there is no need to involve an official CA.

This howto describes how to set up your own CA and quickly generate a certificate signed by it. All you need is a computer with an openssl binary.

  • Generate the CA's key:
openssl genrsa -des3 -out ca.key 4096

Store this key in a safe place and don’t forget the password!

  • Generate the CA's certificate:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

There are several ways to create a certificate signing request (CSR); sometimes you already have a private key.

  • If you already have a key
openssl req -out my.csr -key my-hosts_old.key -new
  • If you need a new key
openssl req -newkey rsa:2048 -nodes -keyout my.key -out my.csr
  • Sign your CSR with your CA to get the Certificate
openssl x509 -req -days 3650 -in my.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out my.crt

You can now use the certificate/key pair to secure your Webserver/Mailserver/Serverserver.
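
As an added example (not part of the original post), the script below runs the steps above non-interactively in a scratch directory and then checks the result: that my.crt verifies against ca.crt, that my.key belongs to my.crt, and whether the certificate carries a subjectAltName. The subject names, the passphrase, the `CA_BITS` variable and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Subject names and the
# passphrase are constructed; the howto itself prompts for them.

make_ca_and_cert() {            # $1 = output directory
    pass='pass:example-only'    # constructed; use a real secret for a real CA
    openssl genrsa -des3 -passout "$pass" -out "$1/ca.key" \
        "${CA_BITS:-4096}" 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/ca.key" -passin "$pass" \
        -subj '/CN=Example Test CA' -out "$1/ca.crt" &&
    openssl req -newkey rsa:2048 -nodes -keyout "$1/my.key" \
        -subj '/CN=host.example.test' -out "$1/my.csr" 2>/dev/null &&
    openssl x509 -req -days 3650 -in "$1/my.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -passin "$pass" -set_serial 01 \
        -out "$1/my.crt" 2>/dev/null
}

# Does the certificate ($2) verify against the CA certificate ($1)?
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key ($1) belong to the certificate ($2)?
# Compares the public key derived from each; empty output counts as failure.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the certificate ($1) carry a subjectAltName? Current browsers match
# host names against that extension rather than the CN.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name'
}

work=$(mktemp -d)               # scratch directory for the demo run
if make_ca_and_cert "$work"; then
    cert_chains_to_ca "$work/ca.crt" "$work/my.crt" && echo "chain: ok"
    key_matches_cert "$work/my.key" "$work/my.crt" && echo "key: matches"
    has_san "$work/my.crt" || echo "SAN: none (CN only)"
fi
```

The last check reports that a certificate produced by these commands has no subjectAltName, so clients that ignore the CN will reject it even after ca.crt is trusted.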
