@dryliketoast
Created September 1, 2018 00:10
Creating a Self-Signed Certificate
As an example, we'll create a certificate that might be used to secure a personal website that's hosted with Apache.
The example will create a certificate valid for 365 days; we may wish to increase this value. We've specified the FQDN (fully qualified domain name) of the VPS for the "Common Name" entry, as this certificate will be used for generic SSL service.
$ sudo openssl req -new -x509 -sha256 -days 365 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
Generating a 2048 bit RSA private key
.............................+++
.........................................................+++
writing new private key to '/etc/ssl/localcerts/apache.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:djangotest.com
Email Address []:
$ sudo chmod 600 /etc/ssl/localcerts/apache*
After we enter the command, we are taken to a prompt where we can enter information about our website. Before we go over that, let's take a look at what is happening in the command we are issuing:
openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.
req -x509: The req subcommand handles X.509 certificate signing request (CSR) management; adding -x509 makes it output a self-signed certificate instead of a CSR. "X.509" is a public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
-nodes: This tells OpenSSL to skip the option to secure our private key with a passphrase. We need Apache to be able to read the file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart.
-days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.
-newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long. The command shown above passes -new without an existing key instead, which also generates a new key, at OpenSSL's default size (2048-bit RSA in the output above).
-keyout: This option tells OpenSSL where to place the generated private key file that we are creating.
-out: This tells OpenSSL where to place the certificate that we are creating.
The most important line is the one that requests the Common Name. We need to enter the domain name that we want to be associated with our server. We can enter the public IP address instead if we do not have a domain name.
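Current browsers and TLS libraries match the host name against the certificate's subjectAltName extension, not the Common Name alone, so it is worth setting both and checking the result. The following is an added example, not part of the original gist: it generates the same kind of certificate non-interactively and verifies it. The function names are hypothetical, and OpenSSL 1.1.1 or newer is assumed for -addext.

```shell
#!/bin/sh
# Added example, not from the original gist. Function names are hypothetical.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext).

# make_selfsigned DIR HOST: write DIR/apache.key and DIR/apache.pem for HOST.
make_selfsigned() {
    dir=$1 host=$2
    (
        # Set a restrictive umask first so both files are created owner-only,
        # instead of relying on a chmod 600 afterwards.
        umask 077
        openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
            -subj "/C=US/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$dir/apache.key" -out "$dir/apache.pem" 2>/dev/null
    )
}

# key_matches_cert CERT KEY: true only if both contain the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOST: true if OpenSSL's hostname check accepts HOST.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# key_is_private KEY: true if the file mode is exactly rw------- (600).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Typical use, with the paths and host name from the walkthrough above:
#   make_selfsigned /etc/ssl/localcerts djangotest.com
#   key_matches_cert /etc/ssl/localcerts/apache.pem /etc/ssl/localcerts/apache.key
#   cert_covers_host /etc/ssl/localcerts/apache.pem djangotest.com
#   key_is_private /etc/ssl/localcerts/apache.key
```

Running the three checks before restarting Apache catches a mismatched key and certificate pair, a certificate issued for the wrong host name, and a private key readable by other users.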