
Creating certificates with OpenSSL

Use OpenSSL to create an X.509 certificate for different applications

Setting up a server service on the Internet that offers encrypted SSL or TLS connections (e.g. HTTPS, POP3S, IMAPS, LDAPS, SMTP with TLS) requires a server certificate. This must first be signed by a Certification Authority (CA).

An official server certificate signed by a public CA is not free: annual fees of several hundred euros are charged.

Alternatively, you can set up your own CA under Linux and create or sign certificates yourself. This takes only a few minutes and is presented here.

The only difference from a certificate signed by a commercial CA is that the client (mail client, browser, etc.) issues a warning that it does not know the CA. The user must confirm this once and can then accept the certificate anyway.

Installation of OpenSSL

Creating certificates requires the openssl package, which can be installed with

aptitude -y install openssl

Create the certificates

Create directories

mkdir /etc/ssl-cacert/
mkdir /etc/ssl-cacert/apache/
mkdir /etc/ssl-cacert/lighttpd/
mkdir /etc/ssl-cacert/mail/
mkdir /etc/ssl-cacert/proftpd/
mkdir /etc/ssl-cacert/ldap/

Create OpenSSL Config

If you have several certificates to create, it makes sense to put the data that always stays the same into a configuration file and then pass it with the -config <path> option.

vi /etc/ssl/openssl.cnf

RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password =

[ req_distinguished_name ]
C = DE
O =
CN = DOMAIN.TLD        # <- very important: the server's fully qualified host name
emailAddress = webmaster@DOMAIN.TLD

[ req_attributes ]
challengePassword =    # leave empty (no input)

Generate the private key

First, a private key is generated. The SSL certificate is valid only together with this exact key: if the private key is lost, the certificate becomes unusable, because the key is needed for decryption, and it cannot be derived from the certificate or otherwise restored. Therefore keep a backup of the private key in a secure place.

The private key can additionally be protected with a passphrase, but then the web server cannot be started in SSL mode without entering that passphrase.

The key length should be 2048 or 4096 bits.
# openssl genrsa -out /etc/ssl/certs/apache_server.key 4096

As an alternative, if you prefer an encrypted private key and accept the extra step of entering the passphrase whenever the Apache server starts:

# openssl genrsa -des3 -out /etc/ssl/certs/apache_server.key 4096

Create Certificate Signing Request (CSR)

The CSR contains the company information, domain name, e-mail address, etc. This file is sent to the certification authority to obtain the certificate (CRT). Alternatively, a self-signed CRT can be generated from the CSR.

It is important to specify the hash algorithm for the signature: SHA-256 must be used here, because the default SHA-1 has become too insecure.

The desired domain name is entered in the field "Common Name (eg, server FQDN)". Otherwise the SSL certificate will not work in the Apache server, because the server cannot match the certificate to the requested URL.

State and city details are usually required for an official certificate. Fields that are not needed can be left blank by entering a "." or skipped with RETURN. In addition, the validity period can be set with -days. Note that for a plain CSR this option has no effect, since the validity is fixed when the certificate is signed; it only matters when openssl req itself produces a self-signed certificate with -x509.

# openssl req -new -days 365 -key server.key -out server.csr -sha256

Console output:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Stuttgart
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT-LINUXMAKER ANDREAS GUENTHER
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

Check the Certificate Signing Request (CSR)

The following command can be used to check whether the information in the CSR is all correct.

# openssl req -noout -text -in server.csr

Console output:

Certificate Request:
        Version: 0 (0x0)
        Subject: C=DE, ST=Baden-Wuerttemberg, L=Stuttgart, O=IT-LINUXMAKER Andreas Guenther,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
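The following script is an added example (not from the original tutorial) that ties the three steps above together: it writes a request configuration modelled on the [ req ] section shown earlier, generates an unencrypted key and a SHA-256 signed CSR non-interactively with -config, and then performs the "check the CSR" step as small functions that return single values. The host name demo.example.org, the temporary directory, the organisation name and the function names are assumptions. The subjectAltName extension is an addition not discussed in the tutorial; current browsers match the host name against the SAN rather than the CN, so it is worth putting into every request.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Requires the openssl CLI.

# Write a request config modelled on the tutorial's [ req ] section.
# subjectAltName (assumption, not in the tutorial) carries the host name
# in the form modern clients actually check.
write_req_config() {   # $1 = config path, $2 = FQDN
    cat > "$1" <<EOF
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
prompt              = no

[ req_distinguished_name ]
C            = DE
O            = Example Org
CN           = $2
emailAddress = webmaster@$2

[ v3_req ]
subjectAltName = DNS:$2
EOF
}

# Generate an unencrypted RSA key and a SHA-256 signed CSR from that config.
make_csr() {   # $1 = working dir, $2 = FQDN
    write_req_config "$1/req.cnf" "$2"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -config "$1/req.cnf" \
        -key "$1/server.key" -out "$1/server.csr"
}

# The checks of the "Check the CSR" step, one value per function.
# Common Name from the subject line (handles both "CN = x" and "/CN=x" output styles).
csr_cn()     { openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }
# Signature algorithm; must report sha256WithRSAEncryption, not SHA-1.
csr_sigalg() { openssl req -noout -text -in "$1" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1; }
# First DNS name in the requested subjectAltName extension.
csr_san()    { openssl req -noout -text -in "$1" | sed -n 's/^ *DNS://p' | head -n 1; }
# A CSR is signed with the requester's own key; this checks that signature.
csr_verify() { openssl req -noout -verify -in "$1" >/dev/null 2>&1; }

# Demonstration run (constructed input: a throwaway key for demo.example.org).
DEMO_DIR=$(mktemp -d)
if make_csr "$DEMO_DIR" demo.example.org; then
    echo "CN:   $(csr_cn "$DEMO_DIR/server.csr")"
    echo "Sig:  $(csr_sigalg "$DEMO_DIR/server.csr")"
    echo "SAN:  $(csr_san "$DEMO_DIR/server.csr")"
    csr_verify "$DEMO_DIR/server.csr" && echo "CSR signature OK"
fi
```

Because prompt = no is set, no interactive questions appear; every field comes from the file, which is what makes the step repeatable for several servers. If csr_sigalg reports sha1WithRSAEncryption, the -sha256 option was dropped and the request should be regenerated before it is sent to a CA.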

Create a self-signed certificate

For websites or web platforms whose focus is encryption rather than public presence, it is sufficient to sign the certificate yourself with the following command. Here a certificate valid for one year is generated.

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=IT-LINUXMAKER Andreas Guenther/
Getting Private key

This is rather annoying for public websites, because web browsers do not know the signing CA and therefore display warnings such as "This connection is not trusted", "There is a problem with the security certificate of the website" or "Security Note: The security certificate was issued by a company ...". This can be avoided with Let's Encrypt.
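As an added example (not part of the original tutorial), the script below performs the self-signing step with openssl x509 -req -signkey and then runs the checks an administrator wants before installing the result: the subject, the remaining validity, that the certificate really belongs to the private key it will be deployed with, and that it verifies against itself. The host name, the directory, the organisation name and the function names are assumptions; the key is created without a passphrase, and the CSR is produced with -subj instead of the interactive prompts so the script runs unattended.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Requires the openssl CLI.

# Key and CSR, generated the short way (-subj instead of the prompts).
make_key_and_csr() {   # $1 = working dir, $2 = FQDN
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1/server.key" \
        -subj "/C=DE/O=Example Org/CN=$2" -out "$1/server.csr"
}

# Self-sign the CSR with its own key for $2 days (the tutorial uses 365).
self_sign() {   # $1 = working dir, $2 = days
    openssl x509 -req -days "$2" -sha256 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Common Name of the certificate subject.
cert_cn() { openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# Succeeds if the certificate is still valid $2 days from now (-checkend
# takes seconds and returns non-zero when the certificate will have expired).
cert_valid_for_days() {   # $1 = cert, $2 = days
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Key/certificate pairing: compare the public key derived from the private
# key with the public key embedded in the certificate.
key_matches_cert() {   # $1 = key, $2 = cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# A self-signed certificate must verify when it is its own trust anchor;
# this is exactly what a browser lacks, hence the warning described above.
is_self_signed() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# Demonstration run (constructed input: a throwaway key for demo.example.org).
DEMO_DIR=$(mktemp -d)
if make_key_and_csr "$DEMO_DIR" demo.example.org && self_sign "$DEMO_DIR" 365; then
    echo "CN: $(cert_cn "$DEMO_DIR/server.crt")"
    cert_valid_for_days "$DEMO_DIR/server.crt" 364 && echo "valid for at least 364 more days"
    key_matches_cert "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt" && echo "key and certificate match"
    is_self_signed "$DEMO_DIR/server.crt" && echo "verifies against itself (self-signed)"
fi
```

The key_matches_cert check is the one most often skipped and most often needed: a web server configured with a certificate and a key that do not belong together fails only at start-up, or worse at the next restart months later. Comparing the two public keys catches that before deployment; cert_valid_for_days can be run from a cron job to warn before the one-year certificate expires.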