Openssl Cert Gen

Comprehensive Guide for SSL Certificate Workflow

This guide provides a detailed step-by-step explanation for creating, validating, and using SSL certificates, including generating a Certificate Signing Request (CSR), verifying certificates, and creating a keystore. Additionally, it includes the steps performed by the Certificate Authority (CA) for signing the CSR and creating root and intermediate certificates.


Overview

SSL certificates are essential for secure communication between applications, ensuring encryption and authentication. This document outlines the process to:

  1. Generate a private key and CSR.
  2. Share the CSR with a Certificate Authority (CA) for signing.
  3. Validate the signed certificate.
  4. Create a keystore for authentication.
  5. Understand the steps performed by the CA to sign the CSR.

Steps to Execute at the Client Side

1. Generate a Private Key

A private key is required to create a CSR; the same key later proves to peers that you own the certificate during the TLS handshake.

Command:

openssl genrsa -aes128 -out example.key 2048

Explanation:

  • genrsa: Generates an RSA private key.
  • -aes128: Encrypts the private key with AES-128 encryption.
  • -out example.key: Saves the private key to a file named example.key.
  • 2048: Specifies the key length in bits (2048 bits is the commonly recommended minimum).

Notes:

  • The command will prompt you for a password. This password protects your private key.
  • Store the key file and password securely.

2. Generate a Certificate Signing Request (CSR)

A CSR is a file you share with the CA to request an SSL certificate.

Command:

openssl req -new -key example.key -out example.csr

Explanation:

  • req -new: Creates a new CSR.
  • -key example.key: Uses the private key file created earlier.
  • -out example.csr: Saves the CSR to a file named example.csr.

Prompted Details:

  • Country Name (e.g., US)
  • State or Province Name (e.g., California)
  • Locality Name (City)
  • Organization Name (e.g., Example Ltd.)
  • Common Name (Your domain name, e.g., example.com)
  • Email Address

Output:

  • The example.csr file is created and must be shared with the CA.

3. Verify Signed Certificate Matches the Private Key

After the CA signs your CSR, you receive a signed certificate. Validate that it matches your private key.

Commands:

openssl x509 -noout -modulus -in example.crt | openssl md5
openssl rsa -noout -modulus -in example.key | openssl md5
openssl req -noout -modulus -in example.csr | openssl md5

Explanation:

  • x509: Refers to the signed certificate file.
  • rsa: Refers to the private key file.
  • req: Refers to the CSR file.
  • -modulus: Prints the RSA modulus, which is the same in the key, the CSR and the certificate.
  • openssl md5: Hashes the long modulus so the three values can be compared at a glance (MD5 is only used here for comparison, not for security).

Validation:

  • If the outputs of all three commands match, the certificate matches the private key.

4. Validate the Signed Certificate

Check the details of the signed certificate.

Command:

openssl x509 -in signed-cert.crt -text -noout

Explanation:

  • x509: Refers to the signed certificate file.
  • -text: Displays the certificate details in a readable format.
  • -noout: Suppresses the PEM-encoded certificate itself, so only the decoded text is printed.

Output:

  • The command displays details such as:
    • Validity period (start and end date).
    • Issuer (CA details).
    • Subject (Your organization details).
    • Public key information.

5. Create a PKCS#12 Keystore

A PKCS#12 keystore bundles the private key, signed certificate, and intermediate/root certificates into a single file for secure authentication.

Command:

cat IntermediateCert.crt RootCert.crt > chain.crt
openssl pkcs12 -export -out example.p12 -inkey example.key -in signed-cert.crt -name ExampleAlias -certfile chain.crt

Explanation:

  • -export: Creates a PKCS#12 file.
  • -out example.p12: Specifies the output keystore file.
  • -inkey example.key: Includes the private key.
  • -in signed-cert.crt: Includes the signed certificate.
  • -name ExampleAlias: Sets an alias name for the keystore.
  • -certfile chain.crt: Adds the intermediate and root certificates provided by the CA. openssl pkcs12 accepts only one -certfile (a repeated option overrides the earlier one), so the CA certificates are first concatenated into a single chain file.

Prompted Details:

  1. Enter the passphrase for the private key (set during key generation).
  2. Set an export password to protect the PKCS#12 file.
  3. Confirm the export password.

Output:

  • The example.p12 file is created and can be used for authentication.

Steps Executed by the Certificate Authority (CA)

1. Create Root Certificate

The CA generates a root certificate to serve as the foundation of trust.

Command:

openssl genrsa -out ca-root.key 4096
openssl req -x509 -new -nodes -key ca-root.key -sha256 -days 3650 -out ca-root.crt

Explanation:

  • genrsa: Generates a private key for the root certificate (unencrypted here, so the file itself must be protected).
  • req -x509: Creates a self-signed root certificate.
  • -nodes: Skips encrypting a generated key; it has no effect in this command because the key is supplied with -key.
  • -sha256: Uses the SHA-256 hashing algorithm.
  • -days 3650: Specifies the validity period (10 years).
  • -out ca-root.crt: Saves the root certificate to a file.

2. Create Intermediate Certificate

The CA generates an intermediate certificate to sign client certificates.

Commands:

openssl genrsa -out intermediate.key 4096
openssl req -new -key intermediate.key -out intermediate.csr
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > intermediate.ext
openssl x509 -req -in intermediate.csr -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -out intermediate.crt -days 1825 -sha256 -extfile intermediate.ext

Explanation:

  • genrsa: Generates a private key for the intermediate certificate.
  • req -new: Creates a CSR for the intermediate certificate.
  • x509 -req: Signs the intermediate CSR using the root certificate and its private key.
  • -CAcreateserial: Creates a serial number file (ca-root.srl) for the root CA if it does not exist and uses it for this certificate.
  • -days 1825: Specifies the validity period (5 years).
  • -extfile intermediate.ext: Adds the CA extensions. Without basicConstraints CA:TRUE the intermediate is an ordinary end-entity certificate and anything it signs fails chain validation with "invalid CA certificate"; pathlen:0 stops it from issuing further CA certificates.

3. Sign Client CSR

The CA signs the client’s CSR to issue a signed certificate.

Command:

printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\nextendedKeyUsage=serverAuth\n' > example.ext
openssl x509 -req -in example.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out example.crt -days 365 -sha256 -extfile example.ext

Explanation:

  • -req: Tells x509 that the input file is a CSR rather than a certificate.
  • -CA: Specifies the intermediate certificate to sign the CSR.
  • -CAkey: Uses the intermediate certificate’s private key.
  • -out example.crt: Saves the signed certificate to a file.
  • -days 365: Specifies the validity period (1 year).
  • -extfile example.ext: Adds the end-entity extensions. TLS clients match the host name against subjectAltName, not the Common Name, so the SAN must list the domain entered in the CSR (example.com here); CA:FALSE prevents the issued certificate from being used to sign further certificates.

4. Provide Root and Intermediate Certificates

The CA provides the following files to the client:

  • ca-root.crt: The root certificate.
  • intermediate.crt: The intermediate certificate.
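As an added end-to-end example (not part of this guide), the following POSIX shell script builds a throwaway root, intermediate and leaf certificate in a temporary directory and then runs the checks from client steps 3 to 5, plus a full chain verification with openssl verify. All subject names, the host name demo.example.test and the export password are constructed for the demo; the keys are left unencrypted only so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not part of the guide: build a throwaway root -> intermediate -> leaf chain
# and run the guide's checks on it. Names, host name and password are constructed for the demo.
set -eu

# Builds the chain in a fresh temp dir and prints its path. Runs in a subshell so the cd does not
# leak; keys stay unencrypted only to avoid passphrase prompts (protect real keys as the guide says).
build_demo_pki() (
  dir=$(mktemp -d)
  cd "$dir"
  openssl genrsa -out ca-root.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key ca-root.key -sha256 -days 3650 -subj "/CN=Demo Root CA" -out ca-root.crt
  # The intermediate must carry CA:TRUE, or anything it signs fails with "invalid CA certificate".
  openssl genrsa -out intermediate.key 2048 2>/dev/null
  openssl req -new -key intermediate.key -subj "/CN=Demo Intermediate CA" -out intermediate.csr
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in intermediate.csr -CA ca-root.crt -CAkey ca-root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.ext -out intermediate.crt 2>/dev/null
  # Leaf: TLS clients match the host name against the SAN, so it must be present.
  openssl genrsa -out example.key 2048 2>/dev/null
  openssl req -new -key example.key -subj "/CN=demo.example.test" -out example.csr
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in example.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -days 365 -sha256 -extfile leaf.ext -out example.crt 2>/dev/null
  echo "$dir"
)

# Client step 3: key, CSR and certificate must share one RSA modulus (returns 0 when they do).
modulus_matches() {
  k=$(openssl rsa  -noout -modulus -in "$1/example.key" | openssl md5)
  r=$(openssl req  -noout -modulus -in "$1/example.csr" | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$1/example.crt" | openssl md5)
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Client step 4, one step further: verify the whole chain, not just the certificate's contents.
chain_verifies() {
  openssl verify -CAfile "$1/ca-root.crt" -untrusted "$1/intermediate.crt" "$1/example.crt" >/dev/null
}

# Client step 5: one -certfile holding the whole chain (a repeated -certfile keeps only the last
# file), then reopen the bundle, which fails unless the password and MAC check out.
bundle_roundtrips() {
  cat "$1/intermediate.crt" "$1/ca-root.crt" > "$1/chain.crt"
  openssl pkcs12 -export -inkey "$1/example.key" -in "$1/example.crt" -certfile "$1/chain.crt" \
    -name ExampleAlias -passout pass:demo-export-pw -out "$1/example.p12"
  openssl pkcs12 -in "$1/example.p12" -passin pass:demo-export-pw -nokeys -noout
}
```

Run it as `d=$(build_demo_pki) && modulus_matches "$d" && chain_verifies "$d" && bundle_roundtrips "$d" && echo all checks passed`; dropping the -extfile from the intermediate signing step makes chain_verifies fail, which is the failure mode the CA section's extension file prevents.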

Key Concepts

What is a CSR?

A CSR is a file used to request a digital certificate from a CA. It includes:

  • Your public key.
  • Information about your organization and domain.

What is a Signed Certificate?

A signed certificate is issued by a CA after verifying your CSR. It is used to:

  • Prove your identity.
  • Enable encrypted communication.

What is a PKCS#12 Keystore?

A PKCS#12 file is a password-protected container format that holds your private key, certificate, and CA chain. It is used for authentication and secure communication.


Best Practices

  1. Secure Private Keys: Store private keys in a secure location and never share them.
  2. Validate Certificates: Always ensure the signed certificate matches the private key.
  3. Backup Keystore Files: Keep backups of your .p12 files and associated passwords in a secure location.
  4. Use Strong Passwords: Protect all sensitive files with strong, unique passwords.

This document serves as a comprehensive guide for SSL certificate-related tasks, ensuring secure communication and authentication for your applications.

