This is the definitive guide to create secure certificates, for both servers and clients, using OpenSSL.
Procedure
On Windows, it is recommended to use Chocolatey to install OpenSSL and its dependencies. The command line is simply choco install openssl.
- Create the Root Certification Authority (CA)
- Generate a Certificate Signing Request (CSR) – Server
- Generate a Certificate Signing Request (CSR) – Client
- Process a Certificate Signing Request (CSR) on the Root Certificate Authority (CA)
Root Certification authority (CA)
- Generate the Root CA Private Key using the following command line:
openssl ecparam -name prime256v1 -genkey -noout -out ca.key. Every certificate must have a corresponding private key. - Generate the Root CA Certificate (Certificate Authority) using the following command line:
openssl req -new -x509 -sha256 -key ca.key -out ca.crt. - Enter the information about the CA (the certificate will be generated in the ca.crt file):
Country Name (2 letter code) [AU]:USState or Province Name (full name) [Some-State]:CALocality Name (eg, city) []:ToontownOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Acme inc.Organizational Unit Name (eg, section) []:SecurityCommon Name (e.g. server FQDN or your name) []:acme.comEmail Address []:security@acme.com - Install the certificate.
Note that the certificate must be installed on the server and on all of the clients to validate the legitimacy of issued certificates. Some browsers also have particularities which are described in the topic.
Server certificate
These steps are usually performed on each server or device for which you intend to request a certificate. Install OpenSSL if it is not present. The alternative is to securely deploy the private key to the destination server at the same time as the certificate. It is recommended to use this last approach only if you must adhere to scripted deployments to follow CloudOps/DevOps practices.
- Generate the Server Certificate Private Key using the following command line:
openssl ecparam -name prime256v1 -genkey -noout -out server.key(256bit private key in the server.key file). Every certificate must have a corresponding private key. - Generate the server Certificate Signing Request (CSR) using the following command line:
openssl req -new -sha256 -key server.key -out server.csr. This request will later be processed on the Root CA server. - Enter the information about the server certificate (the exact FQDN that is used by the server must be specified). For Example:
Country Name (2 letter code) [AU]:USState or Province Name (full name) [Some-State]:CALocality Name (eg, city) []:ToontownOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Acme inc.Organizational Unit Name (eg, section) []:SecurityCommon Name (e.g. server FQDN or your name) []:vault.acme.comEmail Address []:security@acme.com - Enter a password into the prompt, using a password manager as well as a strong password generator is essential.
- Transfer the server.csr file to the Root CA.
- Process the request by following the instructions below.
- Deploy the certificate.
Client certificate
Follow the same procedure as for the Server certificate, but you must adapt two attributes of the information you enter to your needs, namely the Common Name and the Email Address.
Common Name (e.g. server FQDN or your name) []:John DoeEmail Address []:JohnDoe@acme.comProcess a Certificate Signing Request (CSR) on the Root Certificate Authority (CA)
Process the CSR by generating a certificate.
Generate it using the following command line, where the server.csr has been generated on the server:openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256
This results in the certificate being generated in the server.crt file. You must deploy it to the server where you generated the CSR.
