Creating self-signed certificates

SSL

Secure Sockets Layer (SSL) uses asymmetric cryptography, also known as public key cryptography, to encrypt traffic. Asymmetric cryptography is built on a pair of keys, one public and one private. These keys are mathematically linked so that data encrypted with the public key can only be deciphered with the linked private key, and vice versa.

SSL protects HTTP data transferred between the client (browser) and the server. Browsers have built-in support for encrypting outgoing data and decrypting incoming data from servers.

Certificates

The combination of the public and private key makes up a certificate. A certificate is a special file containing either a public key only (public-key-only certificate) or both the public and private keys (public/private key certificate).

Certificates can be either self-signed or signed. Self-signed certificates are not trusted by a Certificate Authority (CA). Signed certificates are special files whereby a CA will verify the authenticity of the certificate file. Websites that use SSL for secure HTTP communication use certificates. A difference between a self-signed certificate and a CA-signed certificate is that web browsers have a built-in ability to verify signed certificates. Websites that use self-signed certificates will cause the browser to present a security warning.

Figure: Example of two certificates. Left: public key only. Right: public/private key certificate.

Creating a self-signed certificate

This example uses openssl.exe.

Step 1: Generate an RSA Private Key

To create a certificate or a certificate request we need to create a private RSA key.

  • Download openssl.exe
  • Navigate to C:…\openssl-0.9.8k_X64\bin
  • Run the following command:

openssl genrsa -out sweetrecipes.pem 2048

Step 2: Generate a CSR (Certificate Signing Request)

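To create a certificate, we need to start with a certificate request. Note that this is also what a CA uses to generate a signed certificate. In the command below, the -x509 option makes openssl req write a self-signed certificate (sweetrecipes.cer) directly instead of a separate request file.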

openssl req -new -x509 -key sweetrecipes.pem -out sweetrecipes.cer -days 3650 -config C:_LocalHosting\OpenSsl\openssl.cnf

Step 3: Generate a PKCS#12 file

openssl pkcs12 -export -out sweetrecipes.pfx -inkey sweetrecipes.pem -in sweetrecipes.cer
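
A way to check the files produced by Steps 1 to 3, as an added example that is not part of the original page: it runs the same three commands non-interactively under POSIX sh (the openssl arguments are the same as for openssl.exe), then confirms that the certificate is self-signed, that it carries the public key of the private key file, and that the .pfx holds the same certificate. The minimal openssl.cnf, the CN, the function names and the export password are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): Steps 1-3 run non-interactively,
# followed by checks on the output. Names, CN and password are constructed.
PFX_PASS=constructed-demo-password

make_selfsigned() {    # $1 = output directory, $2 = base file name
    # Minimal config so "openssl req" does not prompt for the subject fields
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s.example\n' \
        "$2" > "$1/openssl.cnf"
    openssl genrsa -out "$1/$2.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.pem" -out "$1/$2.cer" -days 3650 \
        -config "$1/openssl.cnf" &&
    openssl pkcs12 -export -out "$1/$2.pfx" -inkey "$1/$2.pem" \
        -in "$1/$2.cer" -passout "pass:$PFX_PASS"
}

# Issuer equal to subject: the certificate names itself as its own signer
is_self_signed() {     # $1 = certificate
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# The public key inside the certificate is the one derived from the private key
key_matches_cert() {   # $1 = RSA private key, $2 = certificate
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate stored in the PKCS#12 bundle is the same one as the .cer file
pfx_holds_cert() {     # $1 = pfx, $2 = certificate
    a=$(openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

work=$(mktemp -d)
make_selfsigned "$work" sweetrecipes
is_self_signed "$work/sweetrecipes.cer" && echo "self-signed: yes"
key_matches_cert "$work/sweetrecipes.pem" "$work/sweetrecipes.cer" && echo "key matches: yes"
pfx_holds_cert "$work/sweetrecipes.pfx" "$work/sweetrecipes.cer" && echo "pfx matches: yes"
rm -rf "$work"
```

The key comparison is the check to repeat whenever a .pem and a .cer are paired for a PKCS#12 export, since a mismatched pair produces a bundle that servers cannot use.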

Another way to generate a public/private key pair using openssl.exe, along with a public key certificate (without the private key):

openssl genrsa -des3 -out taskboard.key 2048
openssl req -new -key taskboard.key -out taskboard.csr -config ..\openssl.cnf
openssl x509 -req -days 3650 -in taskboard.csr -signkey taskboard.key -out taskboard.crt
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in taskboard.crt -inkey taskboard.key -out taskboard.pfx -name taskboard.pfx

Output of all the files from openssl.exe:
