Create a signed SSL certificate using OpenSSL

In a previous post, we covered how to create a self-signed SSL certificate using openssl. However, there are some consequences when using self-signed certificates. Some web browsers will return warnings/errors because the certificate isn't trusted. Typically, "trusted certificates" are signed by one certificate authority, or by several in a chain (certificate chain), that the browser trusts. With a self-signed certificate there is no "trust", since anyone can create such a certificate with tools such as openssl or keytool.

Another downside of using self-signed SSL certificates is that some security applications (including the Identity and Access Management applications that I work with) require that the SSL cert being uploaded to the application / appliance be a signed certificate. The signer cert (root cert) must also be loaded into the trust store in order for the application to work properly.

Luckily, we can once again use openssl to create a root certificate. Obviously this root certificate isn't one of the trusted roots that ship with your OS or browser. However, it can easily be imported into Windows (via MMC) or macOS (via Keychain).

Generating the root cert:

The first step is to generate the private key for the root certificate.

openssl genrsa -des3 -out root.key 2048

You will be prompted for a password to protect the private key. You will need this password in the next step to generate the root certificate.

Next, create the root certificate using the private key (root.key) created above.

openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem -subj '/CN=My Root'

You have completed the creation of the root cert and private keys. We will now use them to sign an SSL certificate.

Creating the signed SSL cert:

Now we are going to create a new certificate for our website / application. This involves generating a new private key.

openssl genrsa -out sslprivate.key 2048

Once the private key has been generated, we need to create a certificate signing request (CSR). Replace www.domain.com with the FQDN of your website.

openssl req -new -key sslprivate.key -out sslprivate.csr -subj '/CN=www.domain.com'

Once the CSR has been created, we need to create a file that contains the X.509 extensions we want included in the certificate (the root's basic constraints for a leaf certificate, its key usage, and the subject alternative names a browser matches against the host name). To do this, create a new file called sslprivate.ext and paste in the following text.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature
subjectAltName=@alt_names
[alt_names]
DNS.1=domain.com
DNS.2=www.domain.com

Update domain.com and www.domain.com to match the FQDN of your site/server.

Then run the following command to create the SSL certificate signed by the root certificate.

openssl x509 -req -in sslprivate.csr -CA root.pem -CAkey root.key -CAcreateserial -out sslprivate.crt -sha256 -days 365 -extfile sslprivate.ext

It will prompt you for the password of the root private key. Once you provide the password, you have created an SSL certificate named sslprivate.crt that is valid for 365 days.

To verify that the certificate was created successfully, you can view the contents of the certificate by running this command:

openssl x509 -in sslprivate.crt -text -noout
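The whole procedure above, as an added example (not a script from the original post), wrapped in shell functions so it runs without prompts and ends with the two checks a practitioner wants before loading the files anywhere: that the leaf certificate chains to root.pem, and that its subject alternative names match the intended host name. Assumptions that are not in the post: the root key passphrase is read from the environment variable ROOT_KEY_PASS (OpenSSL's env: password source) instead of a prompt; the root key is encrypted with AES-256 rather than -des3; the root's CA extensions are written to a small config file so the result does not depend on the system openssl.cnf; and the leaf's extension file additionally sets keyEncipherment and extendedKeyUsage=serverAuth, which is the usual profile for a TLS server certificate. File names (root.key, root.pem, server.key, server.csr, server.ext, server.crt) are the example's own.

```shell
#!/usr/bin/env bash
# Added example: the post's root CA + signed server certificate procedure as
# non-interactive shell functions, plus chain and host-name verification.
set -u

# write_req_config DIR
# Minimal config for both `openssl req` calls (assumption: we do not rely on
# the system openssl.cnf). The [dn] CN is a placeholder overridden by -subj.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_root_ca DIR CN
# Passphrase-protected root key (AES-256 here instead of the post's -des3)
# and a 10-year self-signed root certificate, as in the post.
make_root_ca() {
  openssl genrsa -aes256 -passout env:ROOT_KEY_PASS -out "$1/root.key" 2048
  openssl req -x509 -new -key "$1/root.key" -passin env:ROOT_KEY_PASS \
    -config "$1/req.cnf" -subj "/CN=$2" -sha256 -days 3650 -out "$1/root.pem"
}

# make_server_cert DIR FQDN [EXTRA_SAN ...]
# Unencrypted server key, CSR, extension file with one DNS SAN per name,
# then the leaf signed by the root (365 days), mirroring the post's steps.
make_server_cert() {
  dir=$1; fqdn=$2; shift 2
  openssl genrsa -out "$dir/server.key" 2048
  openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
    -subj "/CN=$fqdn" -out "$dir/server.csr"
  {
    printf 'authorityKeyIdentifier=keyid,issuer\n'
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'   # assumption: TLS server profile
    printf 'extendedKeyUsage=serverAuth\n'
    printf 'subjectAltName=@alt_names\n[alt_names]\n'
    i=1
    for name in "$fqdn" "$@"; do printf 'DNS.%d=%s\n' "$i" "$name"; i=$((i + 1)); done
  } > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -passin env:ROOT_KEY_PASS -CAcreateserial -sha256 -days 365 \
    -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# verify_leaf DIR HOST
# Succeeds only if server.crt chains to root.pem AND HOST matches a SAN entry,
# which is what a browser checks once root.pem is in its trust store.
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -verify_hostname "$2" "$1/server.crt" >/dev/null
}

# build_test_pki DIR FQDN [EXTRA_SAN ...]
# The complete procedure end to end into DIR.
build_test_pki() {
  write_req_config "$1"
  make_root_ca "$1" "Example Test Root"
  make_server_cert "$@"
}

# Stand-alone run: constructed demo passphrase and host names, temp directory.
if command -v openssl >/dev/null 2>&1; then
  export ROOT_KEY_PASS="${ROOT_KEY_PASS:-demo-passphrase-change-me}"
  demo=$(mktemp -d)
  build_test_pki "$demo" www.domain.com domain.com
  openssl x509 -in "$demo/server.crt" -noout -subject -issuer -dates
  verify_leaf "$demo" www.domain.com && echo "www.domain.com: chain and host name OK"
  verify_leaf "$demo" other.example.test || echo "other.example.test: rejected as expected"
fi
```

Run it with `ROOT_KEY_PASS` set in the environment (or let the script fall back to the demo value); the last two lines show the positive and negative host-name checks. The `-verify_hostname` check matters because a certificate that verifies against the root but carries the wrong SAN list still produces a browser error, so both checks belong in any test of the generated files.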

You have successfully created an SSL certificate (sslprivate.crt) and a root cert (root.pem), which can be used to simulate a signed SSL certificate in a test or development environment. It is not recommended to use these certificates in a production environment, since the root certificate is not trusted and users will see certificate exceptions in the browser. However, in a future post, I will cover one of my favorite free services for a trusted SSL certificate via certbot and Let's Encrypt.
