SSL certificate for websites and other applications


In order to obtain an SSL certificate you have to generate a certificate signing request (CSR) file and a private key. You then send the CSR file to the signing authority, which generates and delivers the SSL certificate from it. Never leak the private key to anyone, not even the signing authority.

The CSR holds information such as the domain name, country, city, organization, department and email address. It can be generated with the desired public-key algorithm (for example RSA or DSA) and the desired key size.

Use the following command to generate a CSR and the corresponding private key:

marya@home:~/CSRs$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
..........................+++
..........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:IN
State or Province Name (full name) [Some-State]:Haryana
Locality Name (eg, city) []:Kurukshetra
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:Test Company
Organizational Unit Name (eg, section) []:Engineering department
Common Name (eg, YOUR name) []:mydomain.com
Email Address []:myemail@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

List the generated files:
marya@home:~/CSRs$ ls
server.csr server.key

You can also pass the CSR information on the command line, without the interactive prompts, to generate the CSR file and the corresponding private key:

openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -subj "/C=IN/ST=HR/L=Kurukshetra/O=Test Company/OU=Engineering department/CN=mydomain.com"

Use the following command to verify the information in the CSR file:

marya@home:~/CSRs$ openssl req -in server.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=Haryana, L=Kurukshetra, O=Test Company, OU=Engineering department, CN=mydomain.com/emailAddress=myemail@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:e0:3b:95:20:e4:53:eb:52:9a:c7:36:63:7f:e4:
8e:04:80:5f:7e:59:0c:5d:8e:0f:f4:d4:75:d3:b9:
7c:47:34:ff:37:43:a2:a7:1e:98:a3:8e:bc:1e:44:
cc:5a:e6:08:3e:b7:48:d5:09:55:97:18:63:f0:2e:
2f:1a:8f:b3:96:3d:01:b7:be:e1:58:09:ba:0a:db:
55:18:c0:d8:2e:f1:a7:06:f3:29:ae:8a:b2:ae:62:
f8:6d:bf:a2:80:ec:62:49:f8:2d:ae:1c:ba:c4:ed:
98:1b:a7:cd:7f:44:cc:70:d0:b1:83:36:df:b7:0c:
6e:23:2b:d4:a9:7f:c9:0f:75:39:c7:04:96:d1:55:
c4:fe:ed:30:08:5f:16:84:66:82:0c:da:f9:ea:62:
ca:a6:84:3a:c1:1c:ec:a2:37:3f:6a:d1:88:f8:98:
ab:e7:17:13:a1:5c:ce:eb:7d:c8:4d:72:1f:2f:ea:
0c:df:e0:8a:77:76:e2:36:6e:21:d8:c5:09:3c:22:
97:df:cf:c2:95:1f:da:86:6b:79:19:1f:d0:78:d6:
36:11:ca:4c:7b:13:36:32:80:0b:40:b4:dc:09:4d:
03:fb:d3:bc:5d:84:31:c8:8b:ae:f9:81:58:1a:96:
8d:16:55:67:42:1d:f3:76:3d:7e:68:52:82:37:16:
6b:27
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
b4:69:41:c1:a0:a2:6d:e6:4b:ab:a8:80:c6:30:b7:ec:d8:79:
9e:b8:51:38:8f:97:b4:fd:d7:d3:e9:03:49:92:27:c0:61:62:
ed:25:64:16:4d:44:c4:ea:0f:89:3d:8c:f7:5f:19:22:65:73:
c4:17:36:48:69:ec:95:35:cf:0b:bb:0e:34:7b:e0:c3:cb:af:
c0:f5:cb:83:28:9c:9f:f7:8b:cb:94:26:d6:3f:1e:16:a7:ef:
9b:65:6c:5a:78:3c:ed:58:61:db:0b:de:d2:74:6a:46:95:54:
24:fc:58:8e:61:2e:4f:6c:bb:6b:2f:a6:e0:76:b7:90:95:ec:
9f:d9:86:f0:f3:82:b3:53:20:e9:14:b2:10:74:c8:30:45:d3:
12:0f:89:b4:4e:86:22:73:26:05:d2:2d:74:de:3d:76:20:cf:
3a:28:7a:48:3d:35:a5:98:63:d5:d9:a2:c5:ed:c4:3b:d9:53:
7a:9b:86:c0:6f:8a:e0:79:49:6e:91:70:57:8f:28:19:14:bf:
cd:b1:97:e1:f1:0a:b5:48:cd:a2:5a:ac:f0:f4:91:83:70:04:
46:ce:08:f7:0f:06:da:77:6c:ac:07:dd:9a:2a:52:0e:8e:e6:
3f:b2:45:c4:55:92:e0:21:c6:30:c9:95:c8:ea:bb:03:80:b2:
37:47:f1:13

Next you have to submit the CSR file to the certificate signing authority. Once the signing authority delivers the certificate, you can install the certificate and the private key on your server (Apache, Tomcat or another application).

If you need an SSL certificate for internal use only, you can generate a self-signed certificate with the desired validity period:

marya@home:~/CSRs$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok
subject=/C=IN/ST=Haryana/L=Kurukshetra/O=Test Company/OU=Engineering department/CN=mydomain.com/emailAddress=myemail@mydomain.com
Getting Private key

List files:

marya@home:~/CSRs$ ls
server.crt server.csr server.key

Read out the content of the certificate:

marya@home:~/CSRs$ openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=IN, ST=Haryana, L=Kurukshetra, O=Test Company, OU=Engineering department, CN=mydomain.com/emailAddress=myemail@mydomain.com
Validity
Not Before: Dec 10 04:03:54 2015 GMT
Not After : Dec 9 04:03:54 2016 GMT
Subject: C=IN, ST=Haryana, L=Kurukshetra, O=Test Company, OU=Engineering department, CN=mydomain.com/emailAddress=myemail@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:e1:f9:a3:a1:70:47:53:c9:a0:b7:79:9e:c4:7e:
8b:12:c8:06:33:03:13:ea:40:68:e0:fa:8a:a4:c3:
e5:50:d0:04:17:17:6e:17:f5:9e:24:48:a5:29:94:
14:6c:36:a9:a7:44:a2:58:9b:1a:7a:56:27:d9:c5:
e1:ff:b2:aa:57:db:51:6d:11:0e:88:be:2f:36:5d:
4b:91:46:03:10:aa:1c:f0:a2:68:3a:90:c3:00:27:
f6:f6:02:b0:f8:71:68:d2:bb:33:c9:95:76:e9:59:
a0:37:92:22:5f:19:93:d0:ed:0b:bf:61:e3:c1:b9:
0c:79:7f:4d:1f:35:42:45:d1:36:14:ec:f5:b2:ef:
0f:42:d6:64:a7:89:3f:64:41:f2:e0:d5:0b:f0:16:
f7:ed:d3:55:0a:da:f2:78:d1:ba:e2:29:1c:b1:47:
d6:be:4e:1e:6f:ad:de:53:f2:3b:f6:f8:47:cb:9b:
7b:20:2d:a4:f6:24:b6:1a:43:ce:e7:7e:5a:04:b9:
b3:7b:77:80:70:70:b9:be:d1:1c:72:cc:9d:0a:04:
ba:a8:7b:2c:92:65:ee:e1:0b:7d:3b:fb:ae:03:b6:
71:08:6d:7e:6b:84:5c:d1:72:93:95:0d:d2:1b:3d:
e8:29:a5:4e:a4:3c:2a:ae:b5:a7:55:98:b8:b3:c5:
77:f9
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
6b:25:e4:cf:4a:aa:77:24:c1:45:47:5b:4f:94:e1:52:fc:ee:
cb:8a:81:ab:89:7f:ae:24:64:d7:f2:76:7e:b7:2d:20:24:c6:
21:75:50:d2:7e:f8:88:7d:ba:82:ef:29:f3:53:30:0a:7a:98:
b9:21:cb:cc:8c:f8:f3:69:35:74:74:a4:58:48:b1:49:c1:f6:
c6:9b:31:6c:30:f8:b0:06:50:ea:16:fd:bc:02:2b:78:82:fd:
36:9c:de:32:90:bd:7f:03:e2:a6:68:a6:28:55:8c:4f:73:97:
8d:cd:ab:11:6c:90:8a:20:7a:7e:3a:8e:aa:14:e2:d0:08:db:
59:a0:ee:b8:a4:76:5e:92:ab:d8:23:9e:f7:d2:65:84:44:ad:
72:8f:b1:42:d2:e0:60:26:9f:ec:c3:a3:0a:35:9b:6f:75:28:
94:b0:96:98:69:ca:6e:ec:36:9f:68:b2:32:ed:7d:c3:b9:17:
75:e2:c2:6e:55:bb:37:1b:b1:a0:a4:82:13:e9:74:fe:97:90:
65:b6:75:7b:03:44:82:14:11:ba:35:58:b6:5d:e5:4d:56:89:
fd:b2:b3:c8:b3:3a:2a:51:25:f3:32:20:b7:8c:49:d2:bf:97:
e7:7b:c2:29:df:6e:94:03:f8:5e:93:f6:6e:2d:82:a0:22:3c:
ce:56:62:41

You can also extract the public key from an SSL certificate:

openssl x509 -pubkey -noout -in test.crt

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbXOIJwuNeLO1nME/dht
NCcWW+n52nGWA/wOI17bt7LZM6bXRIC1wuysTbfl1ZhJuOT0inFW9M7vhwoVsN+5
7/9PafNhXMVGySBn4EJOIbKaRcRNxZSwx7eNaaS764gTe+8TaRwRcvM8kky38T1I
oHlmSxqPHwiJ/eTTVrNOzAlQNRFB/Zy4osOF9h6/sxaNU6pNKsNpZV8H6ez1G3x2
F9xBYYPp5yDKuz32KscuEg5d9vJNgx1GpDhnSN8ncGsI3Iw673ot9ZwVzCWAIVhg
fpHXMWZLUJKb/1Md+g0Y6tYZGVwUgS++5ZlmzMyyh7xCOFibss+6iBP6A+p/82lW
3QIDAQAB
-----END PUBLIC KEY-----
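The whole procedure above (key and CSR, self-signing, reading the result back) as one script, added here as an example rather than taken from the original post: it signs with SHA-256 instead of the md5WithRSAEncryption shown in the output above (MD5-signed certificates are rejected by modern browsers and CAs), and it adds the two checks worth running before deploying, that key, CSR and certificate carry the same public key, and that the certificate's signature algorithm is the expected one. The working directory, file names and subject values are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Generates key + CSR
# non-interactively, self-signs with SHA-256, then verifies the artifacts.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory
SUBJ="/C=IN/ST=Haryana/L=Kurukshetra/O=Test Company/OU=Engineering department/CN=mydomain.com"

# Private key and CSR in one step (same as the page's -subj form).
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Self-signed certificate; -sha256 avoids the md5WithRSAEncryption default
# of old OpenSSL builds, which modern clients refuse.
self_sign() {
    openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# SHA-256 fingerprint of the public key carried by a key, CSR or certificate
# (all three are printed in the same PEM form, so the digests are comparable).
pubkey_fp() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when key, CSR and certificate all hold the same public key.
keys_match() {
    k=$(pubkey_fp "$WORK/server.key")
    [ "$k" = "$(pubkey_fp "$WORK/server.csr")" ] &&
    [ "$k" = "$(pubkey_fp "$WORK/server.crt")" ]
}

# Prints the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$WORK/server.crt" -noout -text |
        awk '/Signature Algorithm/ {print $3; exit}'
}
```

Run `gen_csr && self_sign && keys_match && sig_alg` to produce the three files under `$WORK` and print the signature algorithm; a non-zero exit from `keys_match` means a file was mixed up with one from another request.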