SSL Certificates
Creating a Self-Signed Certificate
Most people will be happy having generated their CSR and sent it off to their certificate signing authority (along with their hard-earned cash). However, we're interested in being a CA so let's dive in.
Generating
You can generate your own self-signed certificate from your private key:
openssl req -x509 -sha256 -new -key ssl-certificate.key -out ssl-certificate.crt
which will prompt you for the same information as for a CSR. This time, however, the result is a self-signed certificate in ssl-certificate.crt.
Checking
You can check the contents of your certificate with:
openssl x509 -in ssl-certificate.crt -noout -text
Note that here the Issuer and the Subject are the same entity. When someone else signs your certificate they will appear as the Issuer.
What's more, your self-signed certificate is a fully fledged CA and SSL server certificate (even if your browser doesn't automatically trust it). You can check this with:
openssl x509 -in ssl-certificate.crt -noout -purpose
which should give output suggesting it does everything.
SHA256
Again, check your certificate reports:
Signature Algorithm: sha256WithRSAEncryption
One-Liner
If you're feeling particularly keen you can avoid generating the private key in a separate command:
openssl req -x509 -sha256 -newkey rsa:2048 -keyout server-key.pem -out server-req.pem
Note that you'll be forcibly asked for a pass phrase for your key (you can always hit RETURN).
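The steps above as one non-interactive script, which then checks the result. This is an added example, not part of the original page. The subject /CN=example.test and the 30-day lifetime are assumptions chosen for illustration, and -nodes and -subj are used so that nothing is prompted for.

```shell
#!/bin/sh
# Added example: create a self-signed certificate without prompts, then run
# the checks described on this page. Subject and lifetime are constructed.

# make_selfsigned DIR: write an unencrypted key and a self-signed cert to DIR.
make_selfsigned() {
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes \
        -subj "/CN=example.test" -days 30 \
        -keyout "$1/ssl-certificate.key" \
        -out "$1/ssl-certificate.crt" 2>/dev/null
}

# cert_field CERT OPTION: print one field with its "label=" prefix removed.
cert_field() {
    openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=//'
}

# is_self_signed CERT: Issuer equals Subject, and the signature verifies
# against the certificate's own public key (matching names alone prove nothing).
is_self_signed() {
    [ "$(cert_field "$1" -issuer)" = "$(cert_field "$1" -subject)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# sig_alg CERT: print the signature algorithm from the -text output.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# key_matches_cert KEY CERT: the private key belongs to this certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demonstration run in a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir"
is_self_signed "$demo_dir/ssl-certificate.crt" && echo "self-signed: yes"
echo "signature algorithm: $(sig_alg "$demo_dir/ssl-certificate.crt")"
key_matches_cert "$demo_dir/ssl-certificate.key" \
    "$demo_dir/ssl-certificate.crt" && echo "key matches certificate: yes"
rm -rf "$demo_dir"
```

Because -nodes leaves the private key unencrypted on disk, restrict the key file's permissions if you keep it.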