Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Create Your Own Private SSL/TLS Certificates

Simple Setup

If you just need a public/private certificate pair, then you can use:

openssl req \
  -newkey rsa:2048 \
  -nodes -keyout private.pem \
  -x509 \
  -days 365 \
  -out site.crt

Certificate Authority Method

If you also need to act as the certificate authority that signs the certificate, then follow these steps.

Create a private key for your certificate authority (the -des3 option encrypts it, so you will be prompted for a passphrase):

openssl genrsa -des3 -out ca.pem 2048

Now create the public certificate for that certificate authority. This may be referred to as the "root certificate".

openssl req \
  -x509 \
  -new \
  -nodes \
  -key ca.pem \
  -sha256 \
  -days 1825 \
  -out ca.crt

Now create a private key for your site:

openssl genrsa -out my.domain.com.pem 2048

Now we need to create a "certificate signing request" to "give" to our CA to sign:

openssl req \
  -new \
  -key my.domain.com.pem \
  -out certificate-request.csr

Now we hand that over to the certificate authority (which is ourselves), and they use it to create a public certificate for the site (which they hand back to us).

However, first they (us) need to create a configuration file which tweaks the data within the generated certificate to state things like what the certificate can be used for:

editor configuration.ext

Fill it with the following, changing the DNS.1 value to whatever your site FQDN is:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = my.domain.com

@TODO - tutorial on all the options for this configuration file.

Now we have all of these files, we can finally use them to create the site certificate file:

openssl x509 \
  -req \
  -in certificate-request.csr \
  -CA ca.crt \
  -CAkey ca.pem \
  -CAcreateserial \
  -out my.domain.com.crt \
  -days 365 \
  -sha256 \
  -extfile configuration.ext

Now you have all of your certificates. If you use Apache, you will need the three files:

  • ca.crt - the certificate authority's public certificate.
  • site.crt - the public certificate for our site (my.domain.com.crt in the commands above).
  • site.pem - the private key for our site (my.domain.com.pem in the commands above).

If you are using Nginx, you need to bundle the ca.crt and site.crt files together:

cat my.domain.com.crt > bundle.crt
cat ca.crt >> bundle.crt

... so then you only need:

  • site.pem - your site's private key file.
  • bundle.crt - a single public certificate file representing both your site and the certificate authority.
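The whole Certificate Authority Method as one script, added here as an example rather than the post's own commands: it generates the CA, signs a site certificate using the same extension file as above, builds the Nginx bundle, and then checks the result with openssl verify, including that the certificate is refused for a host name that is not in subjectAltName. Assumptions: openssl is on PATH, the CA key is left unencrypted (the post uses -des3, which prompts for a passphrase), subjects are passed with -subj so nothing prompts, and the function names make_private_pki and verify_site_cert and the subject names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the Certificate Authority Method
# run end to end in a scratch directory, then checked with "openssl verify".
# Assumes the openssl CLI is installed; the CA key is left unencrypted here.
set -eu

# make_private_pki DIR FQDN
# Creates ca.pem/ca.crt (the private CA), site.pem/site.csr/site.crt (the site)
# and bundle.crt (site certificate followed by the CA, as Nginx wants) in DIR.
make_private_pki() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"

    # 1. CA private key (add -des3 if you want it passphrase-protected)
    openssl genrsa -out "$dir/ca.pem" 2048 2>/dev/null

    # 2. Self-signed root certificate for the CA (5 years, as in the post)
    openssl req -x509 -new -nodes -key "$dir/ca.pem" -sha256 -days 1825 \
        -subj "/CN=Example Private CA" -out "$dir/ca.crt" 2>/dev/null

    # 3. Site private key and certificate signing request
    openssl genrsa -out "$dir/site.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/site.pem" -subj "/CN=$fqdn" \
        -out "$dir/site.csr" 2>/dev/null

    # 4. Extension file: end-entity certificate (CA:FALSE) carrying the FQDN in
    #    subjectAltName. Modern clients match the host name against the SAN,
    #    not the CN, so this is the line that makes the certificate usable.
    cat > "$dir/site.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $fqdn
EOF

    # 5. The CA signs the CSR, producing the site certificate (1 year)
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.pem" \
        -CAcreateserial -out "$dir/site.crt" -days 365 -sha256 \
        -extfile "$dir/site.ext" 2>/dev/null

    # 6. Nginx-style bundle: site certificate first, then the issuing CA
    cat "$dir/site.crt" "$dir/ca.crt" > "$dir/bundle.crt"
}

# verify_site_cert DIR FQDN
# Returns 0 only if site.crt chains to ca.crt, is valid for FQDN, is not a CA
# itself and lists FQDN in its SAN (what a client trusting ca.crt would check).
verify_site_cert() {
    dir=$1
    fqdn=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$fqdn" \
        "$dir/site.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/site.crt" -noout -text | grep -q "CA:FALSE" || return 1
    openssl x509 -in "$dir/site.crt" -noout -text | grep -q "DNS:$fqdn"
}

# Demonstration when run directly
workdir=$(mktemp -d)
make_private_pki "$workdir" my.domain.com
verify_site_cert "$workdir" my.domain.com && echo "my.domain.com: chain and SAN OK"
# The same certificate must not validate for a host name that is not in its SAN
if verify_site_cert "$workdir" other.domain.com; then
    echo "unexpected: certificate validated for the wrong host"; exit 1
else
    echo "other.domain.com: correctly rejected"
fi
```

Running it prints "my.domain.com: chain and SAN OK" followed by "other.domain.com: correctly rejected". The second check is the one worth keeping around: a certificate whose FQDN only appears in the CN, without the subjectAltName entry from configuration.ext, fails the same host-name check in browsers, which is the usual cause of a private certificate being rejected even after ca.crt has been imported into the trust store.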

Last updated: 12th August 2021
First published: 12th August 2021