Wiki

User Tools

Site Tools

Trace:
ubuntu:certificates:create_a_self-signed_certificate

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ubuntu:certificates:create_a_self-signed_certificate [2023/06/09 16:10] – [Create a self-signed certificate] peterubuntu:certificates:create_a_self-signed_certificate [2023/06/09 16:26] (current) peter
Line 1: Line 1:
 ====== Ubuntu - Certificates - Create a self-signed certificate ====== ====== Ubuntu - Certificates - Create a self-signed certificate ======
 +
 +A self-signed certificate made in this way is sufficient for testing, but should not be used in a production environment.
 +
 +
 +<WRAP info>
 +**NOTE:**  
 +
 +  * Many clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate.
 +    * In this situation, the self-signed certificate must be installed on the client host as a trusted root certification authority (CA), and the certificate used must be a user certificate signed with that self-signed certificate.
 +
 +  * For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/.
 +
 +</WRAP>
 +
 +----
 +
 +===== Prerequisites =====
 +
 +Ensure that openssl is installed. 
 +
 +<code bash>
 +sudo apt install openssl
 +</code>
 +
 +<WRAP info>
 +**NOTE:**  Look at the openssl man page to understand all of the openssl options.
 +
 +<code bash>
 +man openssl
 +</code>
 +
 +</WRAP>
 +
 +----
  
 ===== Create a self-signed certificate ===== ===== Create a self-signed certificate =====
Line 8: Line 42:
 openssl req -x509 -newkey rsa:2048 -keyout file1.key -out file2.crt -days 9999 -nodes openssl req -x509 -newkey rsa:2048 -keyout file1.key -out file2.crt -days 9999 -nodes
 </code> </code>
 +
 +or
 +
 +<code bash>
 +openssl req -new -x509 -days 9999 -nodes -out file1.pem -keyout file2.key
 +</code>
 +
 +<WRAP info>
 +**NOTE:**  Here, we name our certificate and key "file1" and "file2", but when you have multiple certificates, they will require different names, or, should reside in different sub-directories of **/etc/ssl**.
 +
 +  * You could, in **/etc/ssl/localcerts**, have several certificates and name them according to domain (i.e. somesite.com.pem and somesite.com.key, othersite.net.pem and othersite.net.key, etc.). 
 +
 +</WRAP>
 +
 +
 +This will prompt with a number of questions.  Answer as appropriate.
 +
 +<code>
 +Generating a 2048 bit RSA private key
 +...........................+++
 +...........................................................................+++
 +writing new private key to 'my_cert.key'
 +-----
 +You are about to be asked to enter information that will be incorporated
 +into your certificate request.
 +What you are about to enter is what is called a Distinguished Name or a DN.
 +There are quite a few fields but you can leave some blank
 +For some fields there will be a default value,
 +If you enter '.', the field will be left blank.
 +-----
 +Country Name (2 letter code) [AU]:JE
 +State or Province Name (full name) [Some-State]:Jersey  
 +Locality Name (eg, city) []:St. Helier
 +Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz International
 +Organizational Unit Name (eg, section) []:
 +Common Name (e.g. server FQDN or YOUR name) []:sharewiz.net
 +Email Address []:admin@sharewiz.net
 +</code>
 +
 +
 +
  
 <WRAP info> <WRAP info>
Line 33: Line 108:
 </WRAP> </WRAP>
  
-<WRAP info> 
-**NOTE:**  A self-signed certificate made in this way is sufficient for testing, and may be adequate for all your requirements if you are mainly interested in encrypting transfers, and not in secure identification. 
  
-  * However, many clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate. 
-  * In this situation, the self-signed certificate described above must be installed on the client host as a trusted root certification authority (CA), and the certificate used by Exim must be a user certificate signed with that self-signed certificate. 
- 
-  * For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/. 
- 
-</WRAP> 
  
 ---- ----
  
-===== References =====+===== Broken down =====
  
-http://ospkibook.sourceforge.net/ +The same code as above, but split into separate commands:
-===== Broken down =====+
  
 <code bash> <code bash>
Line 67: Line 133:
 </code> </code>
  
 +
 +----
 +
 +===== Set Permissions for the certificate files =====
 +
 +<code bash>
 +chmod 600 file1*
 +chmod 600 file2*
 +</code>
 +
 +----
 +
 +===== References =====
 +
 +https://wiki.debian.org/Self-Signed_Certificate
 +
 +http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#aboutcerts
 +
 +http://nginx.org/en/docs/http/configuring_https_servers.html
 +
 +http://ospkibook.sourceforge.net/
ubuntu/certificates/create_a_self-signed_certificate.1686327005.txt.gz · Last modified: 2023/06/09 16:10 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki