Using OpenSSL to Generate Self-Signed Certificates
Server and client certificates normally have to be obtained from a certificate authority (CA) so that different operating systems and browsers will trust them, and a CA typically charges a fee for each certificate. If you need an HTTPS certificate only for testing or for internal use within an enterprise, you can instead issue a self-signed certificate with OpenSSL. Refer to the following steps:
Step 1: Generating a Root Certificate
1. Create the root certificate private key with the following command. It generates a 2048-bit RSA private key and saves it to the file root.key.
openssl genrsa -out root.key 2048
2. Generate a Certificate Signing Request (CSR) file based on the root certificate private key.
openssl req -new -key root.key -out root.csr
During the generation of a CSR file, you need to provide information such as the organization name and common name, which can be filled in based on the actual usage.
3. Run the following command to create a root certificate.
openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650
You will get a root certificate, root.crt, with a validity period of 10 years. You can use this root certificate to issue the required server and client certificates later.
Step 2: Issuing a Certificate
Taking a server certificate as an example, you can now issue your own certificates using the root certificate generated in Step 1:
1. Generate a private key for the server certificate.
openssl genrsa -out server.key 2048
2. Generate a CSR file based on the server certificate private key.
openssl req -new -out server.csr -key server.key
During the generation of a CSR file, similar to that for the root certificate, you need to provide information such as the organization name and common name, which can be filled in based on the actual usage.
3. Generate the server certificate, signed with the root private key. The root certificate (-CA) and its key (-CAkey) do the signing here, so -signkey is not needed in this step.
openssl x509 -req -in server.csr -out server.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650
Through the above three steps, you will obtain a server certificate, server.crt, issued by your own root certificate, together with its private key, server.key, with a validity period of 10 years. You can repeat these steps to generate any other server or client certificates you need using the same root certificate.
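As an added example (not the page's own commands), the following POSIX shell script runs Steps 1 and 2 above non-interactively and then checks the result the way a client would. It also adds the X.509 extensions the bare commands above leave out: basicConstraints CA:TRUE on the root, which OpenSSL's verifier requires before it accepts a certificate as an issuer, and a subjectAltName on the server certificate, which browsers use for hostname matching. It assumes the openssl CLI is on PATH; the organisation name, CA name and hostname are constructed placeholders.

```shell
# Added example, not part of the original page: the two steps above run end to end,
# non-interactively, followed by the checks a practitioner runs before trusting the result.
# Assumes the openssl CLI is on PATH; organisation and CA names are constructed placeholders.
set -eu

# Usage: make_self_signed_pki <workdir> <server-hostname>
make_self_signed_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # Step 1: root key, CSR and self-signed root certificate valid for 10 years.
    # -subj answers the prompts the page describes instead of asking interactively.
    openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
    openssl req -new -key "$dir/root.key" -out "$dir/root.csr" \
        -subj "/O=Example Internal/CN=Example Internal Root CA"
    # Verifiers only accept an issuer that is marked as a CA, so add basicConstraints.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -out "$dir/root.crt" -signkey "$dir/root.key" \
        -days 3650 -extfile "$dir/root.ext" 2>/dev/null
    # Step 2: server key, CSR and a certificate signed by the root key (not by server.key).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/O=Example Internal/CN=$host"
    # Browsers match the hostname against subjectAltName, so the leaf carries a SAN entry.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -out "$dir/server.crt" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -days 3650 -extfile "$dir/server.ext" 2>/dev/null
}

# Succeeds only if server.crt chains to root.crt and is valid for the given hostname.
verify_server_cert() {
    openssl verify -CAfile "$1/root.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null
}

# Prints the issuer DN of server.crt; it must be the root certificate's subject.
server_cert_issuer() {
    openssl x509 -in "$1/server.crt" -noout -issuer
}
```

Clients will only accept server.crt after root.crt has been installed in their trust store; a self-signed root is trusted nowhere by default.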