How to create RootCA/Server/User Certificates using OpenSSL

Document ID : KB000045298
Last Modified Date : 14/02/2018

Summary:

This document describes how to create a self-signed root CA and then issue server and user (client) certificates from it, using the OpenSSL command-line tool, either a standalone installation or the copy bundled with Apache.

Pre-requisites:

  • OpenSSL

Environment:

This test was performed on Windows, but the same instructions also apply on Unix. The "Loading 'screen' into random state" line that appears in the transcripts below is printed only by older OpenSSL builds on Windows (1.0.x) while seeding the random number generator; current releases do not print it.

Instructions:

Step 1.  Create the following three folders under the OpenSSL bin folder (C:\Apache22\bin in the transcripts below).

    • private (the CA and server private keys; restrict access to this folder to the account that runs these commands)
    • public (the certificates and the CA serial file)
    • client (the user's key, request, certificate and PKCS#12 bundle)

Step 2. Create Certificate Authority

1. Create an RSA private key for the CA as follows:
> openssl genrsa -des3 -out private/ca.key 1024

The "genrsa" command generates an RSA private key.
-des3 : encrypts the private key with Triple DES, so the key can only be used after its passphrase is entered (-aes256 is the current equivalent).
-out : the output file name.
1024 : the size of the key in bits. 1024 matches the transcripts in this article, but 1024-bit RSA is below today's accepted minimum; use 2048 or larger for any key that is not a throwaway test key, here and in Steps 3 and 4.
The user is prompted to choose a passphrase. The ca.key file is written to the
private folder.

e.g.

C:\Apache22\bin>openssl genrsa -des3 -out private/ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
......................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key:
Verifying - Enter pass phrase for private/ca.key:

C:\Apache22\bin>

2. Create a self-signed X.509 certificate from that private key as follows:
> openssl req -new -x509 -key private/ca.key -out public/ca.crt -days 3600

The "req" command primarily creates and processes certificate
requests in PKCS#10 format.
-new : generates a new request.
-x509 : outputs a self-signed certificate instead of a request; this is what makes ca.crt a CA certificate rather than a CSR.
-key : the file to read the private key from.
-out : the output file name (standard output by default).
-days : the validity period in days (3600 here, just under ten years).

The user is prompted for the Distinguished Name fields (country, state, organization and so on). The
Common Name (CN) identifies the holder of the certificate and should be unique within this CA;
"RootCA" is used here. The CA certificate is written to public/ca.crt.

e.g.

C:\Apache22\bin>openssl req -new -x509 -key private/ca.key -out public/ca.crt -days 3600
Enter pass phrase for private/ca.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:RootCA
Email Address []:rootca@ca.com

C:\Apache22\bin>

Step 3. Create Server Certificate

1. Create an RSA private key for the server as follows (same options as in Step 2):
> openssl genrsa -des3 -out private/server.key 1024

e.g.

C:\Apache22\bin>openssl genrsa -des3 -out private/server.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..................++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for private/server.key:
Verifying - Enter pass phrase for private/server.key:

C:\Apache22\bin>

2. Create the Certificate Signing Request (CSR) for the server:
> openssl req -new -key private/server.key -out server.csr

Without -x509, "req" produces a request (server.csr) for the CA to sign rather than a certificate. Enter the server's fully qualified host name as the Common Name (iis-01.ca.com below). The two 'extra' attributes (challenge password and optional company name) are legacy PKCS#10 attributes that nothing in this procedure reads, so they can be left blank.

e.g.

C:\Apache22\bin>openssl req -new -key private/server.key -out server.csr
Enter pass phrase for private/server.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Oracle
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:iis-01.ca.com
Email Address []:iis-01@ca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:test

C:\Apache22\bin>

3. Sign the request with the CA's private key to produce the server certificate:
> openssl x509 -req -days 360 -in server.csr -CA public/ca.crt -CAkey private/ca.key -CAcreateserial -out public/server.crt

-req : the input is a certificate request, not a certificate.
-CA / -CAkey : the CA certificate and private key that sign the request (you are prompted for the ca.key passphrase).
-CAcreateserial : creates public/ca.srl, a file holding the next serial number. Keep it; Step 4 reuses it so that every certificate issued by this CA gets a distinct serial number.
Note that "x509 -req" copies no extensions from the request and adds none unless -extfile is given, so server.crt carries no subjectAltName. Current browsers and TLS libraries match the host name against subjectAltName and ignore the Common Name, so for anything beyond a lab test pass an -extfile that sets subjectAltName = DNS:<host name> (the "x509" man page describes the file format).

e.g.

C:\Apache22\bin>openssl x509 -req -days 360 -in server.csr -CA public/ca.crt -CAkey private/ca.key -CAcreateserial -out public/server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=AU/ST=NSW/L=Sydney/O=Oracle/OU=Dev/CN=iis-01.ca.com/emailAddress=iis-01@ca.com
Getting CA Private Key
Enter pass phrase for private/ca.key:

Step 4. Create User Certificate

1. Create the client private key and a certificate request in one command:
> openssl req -new -newkey rsa:1024 -nodes -out client/client.req -keyout client/client.key

-newkey rsa:1024 : generates a new 1024-bit RSA key together with the request (see the key-size note in Step 2).
-nodes : does not encrypt the new private key, so client.key is written without a passphrase. This is tolerable only because step 3 below wraps it in a password-protected PKCS#12 file; delete the loose client.key once the .p12 has been created and verified.
-keyout : where to write the new private key.

e.g.

C:\Apache22\bin>openssl req -new -newkey rsa:1024 -nodes -out client/client.req -keyout client/client.key
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..................................................................++++++
..++++++
writing new private key to 'client/client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:Ujwol
Email Address []:shruj01@ca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:test

C:\Apache22\bin>

2. Sign the request with the CA to produce the client's X.509 certificate:

> openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req -out client/client.pem -days 100
-CAserial public/ca.srl reuses the serial file created by -CAcreateserial in Step 3, so the client certificate receives the next serial number rather than a duplicate. The output, client/client.pem, is a PEM certificate that is converted to PKCS#12 format in the next step.

e.g.

C:\Apache22\bin>openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req -out client/client.pem -days 100
Loading 'screen' into random state - done
Signature ok
subject=/C=AU/ST=NSW/L=Melbourne/O=CA/OU=Support/CN=Ujwol/emailAddress=shruj01@ca.com
Getting CA Private Key
Enter pass phrase for private/ca.key:

C:\Apache22\bin>

3. Convert the .pem file to PKCS#12 format as follows:
> openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key -out client/client.p12 -name Ujwol

The pkcs12 command creates and parses PKCS#12 files (also known as PFX files).
-export : creates a PKCS#12 file rather than parsing one.
-clcerts : documented as a parsing option (output only client certificates, not CA certificates); it is harmless here.
-in : the file to read the certificate from (standard input by default).
-inkey : the file to read the private key from.
-out : the PKCS#12 file to write.
-name : the "friendly name" of the certificate and private key, typically shown in list boxes by the software that imports the file.
You are prompted for an export password, which encrypts the bundle. Choose a strong one: client.p12 contains the client's private key (written unencrypted by -nodes in step 1) together with its certificate, and this file is what gets handed to the user or imported into a browser.


e.g.

C:\Apache22\bin>openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key -out client/client.p12 -name Ujwol
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:

C:\Apache22\bin>

Step 5. Bundle a key and certificate into a PFX file (Optional)

PFX is the Microsoft name for the PKCS#12 format, so a .pfx file is the same container as the .p12 created in Step 4; this step simply packages a different key pair. Software such as IIS expects the server's private key and certificate in a single .pfx file. The same pkcs12 command does it:

openssl pkcs12 -export -out public/rootCA.pfx -inkey private/ca.key -in public/ca.crt

You are prompted first for the passphrase of the encrypted private key and then for the export password. Exporting the CA key as shown copies the most sensitive key in this hierarchy into a new file; do it only when the CA genuinely has to be moved, and remove the copy afterwards. The second transcript below packages the server key and certificate instead, which is the usual case.

e.g.

C:\Apache22\bin>openssl pkcs12 -export -out public/rootCA.pfx -inkey private/ca.key -in public/ca.crt
Loading 'screen' into random state - done
Enter pass phrase for private/ca.key:
Enter Export Password:
Verifying - Enter Export Password:

C:\Apache22\bin>

C:\Apache22\bin>openssl pkcs12 -export -out public/server.pfx -inkey private/server.key -in public/server.crt
Loading 'screen' into random state - done
Enter pass phrase for private/server.key:
Enter Export Password:
Verifying - Enter Export Password:

C:\Apache22\bin>
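The whole procedure (Steps 1 to 5) as one non-interactive script, added here as an example and not part of the original article. It deliberately differs from the transcripts above: 2048-bit keys instead of 1024, keys without a passphrase so that the script runs unattended, a minimal config file written by the script itself instead of the system openssl.cnf, explicit extensions (CA:TRUE on the root, subjectAltName and extendedKeyUsage on the leaves) passed through -extfile, and a final chain check with "openssl verify". The Distinguished Names are the ones from the transcripts; the file name make_pki.sh, the export password "changeit" and the section names in the config file are assumptions of this example. It needs OpenSSL 1.1.1 or later (for "x509 -ext") and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the KB article): Steps 1 to 5 as one unattended script.
# Assumptions: OpenSSL 1.1.1+, 2048-bit keys, unencrypted keys, a private config
# file, and the test-only export password below.
set -eu

SERVER_FQDN=iis-01.ca.com   # server CN and SAN, taken from the article's transcript
CLIENT_NAME=Ujwol           # client CN / PKCS#12 friendly name, from the transcript
P12_PASS=changeit           # export password for the .p12/.pfx bundles (test value)

# write_config FILE : minimal openssl.cnf. [dn] is empty because every subject is
# passed with -subj; the v3_* sections carry the extensions for each certificate type.
write_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN
authorityKeyIdentifier = keyid,issuer
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid,issuer
EOF
}

# build_pki DIR : create private/, public/, client/ under DIR (Step 1) and fill them
# with the CA, server and client material (Steps 2 to 5). Returns non-zero on any failure.
build_pki() {
    dir=$1
    cfg=$dir/openssl.cnf
    mkdir -p "$dir/private" "$dir/public" "$dir/client"
    chmod 700 "$dir/private"
    write_config "$cfg"

    # Step 2: CA key and self-signed CA certificate (-x509 instead of a CSR).
    openssl genrsa -out "$dir/private/ca.key" 2048
    openssl req -new -x509 -config "$cfg" -extensions v3_ca \
        -key "$dir/private/ca.key" -days 3600 \
        -subj "/C=AU/ST=NSW/L=Sydney/O=CA/OU=Support/CN=RootCA" \
        -out "$dir/public/ca.crt"

    # Step 3: server key, CSR, signature by the CA. -extfile/-extensions add the SAN
    # and EKU; without them "x509 -req" would issue a certificate with no extensions.
    openssl genrsa -out "$dir/private/server.key" 2048
    openssl req -new -config "$cfg" -key "$dir/private/server.key" \
        -subj "/C=AU/ST=NSW/L=Sydney/O=Oracle/OU=Dev/CN=$SERVER_FQDN" \
        -out "$dir/server.csr"
    openssl x509 -req -days 360 -in "$dir/server.csr" \
        -CA "$dir/public/ca.crt" -CAkey "$dir/private/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_server -out "$dir/public/server.crt"

    # Step 4: client key and CSR in one command, sign it reusing ca.srl, bundle as PKCS#12
    # (the CA certificate is included so the importer gets the chain).
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$dir/client/client.key" \
        -subj "/C=AU/ST=NSW/L=Melbourne/O=CA/OU=Support/CN=$CLIENT_NAME" \
        -out "$dir/client/client.req"
    openssl x509 -req -days 100 -in "$dir/client/client.req" \
        -CA "$dir/public/ca.crt" -CAkey "$dir/private/ca.key" -CAserial "$dir/public/ca.srl" \
        -extfile "$cfg" -extensions v3_client -out "$dir/client/client.pem"
    openssl pkcs12 -export -in "$dir/client/client.pem" -inkey "$dir/client/client.key" \
        -certfile "$dir/public/ca.crt" -name "$CLIENT_NAME" \
        -passout "pass:$P12_PASS" -out "$dir/client/client.p12"

    # Step 5: server key and certificate as a .pfx (the same PKCS#12 container).
    openssl pkcs12 -export -in "$dir/public/server.crt" -inkey "$dir/private/server.key" \
        -certfile "$dir/public/ca.crt" -passout "pass:$P12_PASS" -out "$dir/public/server.pfx"
}

# verify_pki DIR : both leaf certificates chain to the CA, the server certificate
# carries the expected SAN, and both bundles open with the export password.
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/public/ca.crt" "$dir/public/server.crt" "$dir/client/client.pem" &&
    openssl x509 -in "$dir/public/server.crt" -noout -ext subjectAltName | grep -q "DNS:$SERVER_FQDN" &&
    openssl pkcs12 -in "$dir/client/client.p12" -passin "pass:$P12_PASS" -noout &&
    openssl pkcs12 -in "$dir/public/server.pfx" -passin "pass:$P12_PASS" -noout
}

# Run directly as: sh make_pki.sh /path/to/empty/dir   (file name is hypothetical)
if [ $# -eq 1 ]; then
    build_pki "$1" && verify_pki "$1" && echo "PKI built and verified under $1"
fi
```

The verify step is the part the article's transcripts lack: "openssl verify" confirms that the CA really issued both leaves, the SAN check confirms the server certificate will pass a host-name match, and reopening the .p12/.pfx with the password confirms the bundles are importable before they are handed out.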

 

Additional Information:

N/A