So now we go hunting for an SSL certificate. The workflow for getting a certificate is straightforward –
- Create a Certificate Signing Request (CSR) and a private key
- Send the CSR to a Certificate Authority (CA)
- The CA issues the certificate based on the CSR
There are many ways to generate the CSR, but my favourite way is to use the OpenSSL library. I have been using it on and off since 2006(?), but I always struggle with the commands when I return to it. So I thought, for my own sake, I should document what I usually do.
I prefer to work on Windows and therefore like to get the prebuilt binaries from one of the sources mentioned here – https://wiki.openssl.org/index.php/Binaries
For Linux, openssl should already be part of the distribution.
When you launch OpenSSL it looks for an openssl.cnf file – this is the master configuration file for OpenSSL. It is quite something to understand, but this page explains it nicely – https://www.phildev.net/ssl/opensslconf.html
This file is not part of the binaries and needs to be created. A sample file is attached for reference. More can be found online.
The path to the cnf file needs to be defined in your Windows environment:
SET OPENSSL_CONF=z:\<path to openssl>\openssl.cnf
Once the environment is ready we can begin creating the CSR. For this I like to create a config file to avoid having to type out the details on the command line.

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <2 letter country code>
ST = <state>
L = <location>
O = <org>
OU = <org unit>
CN = <common name>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = <at least the CN>

The config file is straightforward: we have defined that the key should be 2048 bits and that the request should be signed with the SHA-256 hash algorithm. "prompt = no" means the values are read from the file instead of being asked for interactively.
The [dn] section defines the certificate's subject properties. The [req_ext] section contains the extensions, such as SAN. SAN should always be defined (refer to my related post for details).
Once the config file has been defined, we can generate the CSR and the key file using the following single command –
openssl req -new -sha256 -nodes -out <csr name>.csr -newkey rsa:2048 -keyout <key file name>.key -config <path to config file>.cfg
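The whole procedure above, end to end, as an added example that is not part of the original post: the script writes a request config like the one shown, generates the key and CSR with the same openssl req command, and then does the two checks I always want before sending anything to a CA: that the CSR's self-signature verifies and that the SAN actually made it into the request, plus a check that the key on disk really belongs to that CSR. It assumes the openssl command-line tool is on the PATH (Linux/macOS shell rather than the Windows SET syntax above); the subject values, host names and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): key + CSR from a config file,
# followed by the checks a practitioner wants before submitting to a CA.
# Assumes the openssl CLI is on PATH. All names below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CFG="$WORKDIR/csr.cfg"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"

# Request config in the same shape as the post: key size and digest live here,
# prompt = no makes the run non-interactive, and the SAN carries the CN plus
# any extra names. Values are placeholders for an imaginary host.
write_config() {
    cat > "$CFG" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = GB
ST = Example State
L = Example City
O = Example Org
OU = Web Team
CN = www.example.test

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.test
DNS.2 = example.test
EOF
}

# Generate private key and CSR in one step. -nodes leaves the key unencrypted
# on disk, so restrict its permissions immediately after creation.
make_csr() {
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -keyout "$KEY" -out "$CSR" -config "$CFG" 2>/dev/null
    chmod 600 "$KEY"
}

# -verify checks the CSR's self-signature (proves the request was not
# corrupted in transit and was signed by the matching private key).
csr_verify() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Subject line as OpenSSL prints it, for eyeballing the DN before submission.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}

# Pull the SAN list out of the -text dump: the line after the extension
# header, with spaces stripped, e.g. "DNS:www.example.test,DNS:example.test".
csr_sans() {
    openssl req -in "$CSR" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}

# Confirm the key file matches the CSR: both carry the same RSA modulus.
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$CSR" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

write_config
make_csr
csr_verify && echo "CSR signature: OK"
csr_subject
echo "SAN: $(csr_sans)"
key_matches_csr && echo "key matches CSR"
echo "files in $WORKDIR"
```

The modulus comparison is the same trick used later in the certificate's life to confirm that a certificate returned by the CA was issued for the key you hold, so it is worth keeping around alongside the CSR command.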
…and that’s all folks!!