Creating a self-signed certificate with an RSA key

A self-signed certificate is useful when all you need is encryption, or for testing purposes. There's no identity verification involved with self-signed certificates, so you never want to use them on servers that your users need to trust. Let's say that I need to test my new website setup before putting it into production, and I don't want to do my testing with a for-real key and certificate. I'll create the key and the self-signed certificate with one single command:

openssl req -newkey rsa:2048 -nodes -keyout donnie-domain.key-x509 -days 365 -out donnie-domain.crt

Here's the breakdown:

  • openssl: I'm using OpenSSL with just my normal user privileges. For now, I'm doing everything in my own home directory, so there's no need for root or sudo privileges.
  • req: This is the sub-command for managing certificate signing requests (CSRs). When creating self-signed certificates, OpenSSL will create a temporary CSR.
  • -newkey rsa:2048: I'm creating an RSA keypair that's 2,048 bits in length. I'd actually like to use something a bit longer, but that will impact server performance when setting up the TLS handshake. (Again, this is preceded by only a single dash.)
  • -nodes: This means that I'm not encrypting the private key that I'm about to create. If I were to encrypt the private key, I would have to enter the private key passphrase every time I restart the web server.
  • -keyout donnie-domain.key-x509: I'm creating the private key with the name donnie-domain.key-x509. The x509 part indicates that this will be used for a self-signed certificate.
  • -days 365: The certificate will expire in one year.
  • -out donnie-domain.crt: Finally, I'm creating the donnie-domain.crt certificate.

When you run this command, you'll be prompted to enter information about your business and your server. (We'll look at that in just a moment.) After creating this key and certificate, I'll need to move them to their proper locations and configure my web server to find them. (We'll also touch on that in a bit.)

Encrypting the private key is an optional step, which I didn't do. If I were to encrypt the private key, I would have to enter the passphrase every time that I restart the web server. That could be problematic if there are any web server admins who don't have the passphrase. And, even though this sounds counter-intuitive, encrypting the private key that's on the web server doesn't really help that much with security. Any malicious person who can get physical access to the web server can use memory forensics tools to get the private key from system memory, even if the key is encrypted. But if you plan to make a backup of the key to store elsewhere, definitely encrypt that copy. So now, let's make an encrypted backup copy of my private key that I can safely store somewhere other than on the web server:

[donnie@localhost ~]$ openssl rsa -aes256 -in donnie-domain.key-x509 -out donnie-domain-encrypted.key-x509 

writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[donnie@localhost ~]$

There are two things to look at here:

  • rsa -aes256 means that I'm using the AES256 encryption algorithm to encrypt an RSA key.
  • To ensure that I made a copy instead of overwriting the original unencrypted key, I specified donnie-domain-encrypted.key-x509 as the name for the copy.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.147.42.168