@adyrcz
Last active February 5, 2020 14:53
Self Signed Certificate

Create private key

openssl genrsa -out MyRootCA.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
...............................+++
e is 65537 (0x10001)

Create the CA and enter the Organization details

openssl req -x509 -new -key MyRootCA.key -sha256 -out MyRootCA.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Example Walk through

For the server and admin certificates, create keys, a certificate signing request (CSR) and a certificate signed by the CA. In the example below, I walk through the commands for one server — "node1".

openssl genrsa -out node1-pkcs12.key 2048

IMPORTANT: Convert these with the PKCS#5 v1.5 option to work correctly with the JDK (the command below writes the key out in PKCS#8 form, and because of -nocrypt the resulting node1.key is unencrypted, so protect its file permissions). The output file from this command is the key referenced in all the config files.

openssl pkcs8 -v1 "PBE-SHA1-3DES" -in "node1-pkcs12.key" -topk8 -out "node1.key" -nocrypt

Create the CSR and enter the organization and server details:

openssl req -new -key node1.key -out node1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, If you enter '.', the field will
be left blank.
----
Country Name (2 letter code) [AU]:DK
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:CityName
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Corp
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:node1.x.example.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Use the CSR to generate the signed Certificate:

openssl x509 -req -in node1.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out node1.pem -sha256
Signature ok
subject=/C=DK/L=Copenhagen/O=Organization Corp/CN=node1.x.example.com
Getting CA Private Key
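The whole walkthrough above (CA key and certificate, server key, PKCS#8 conversion, CSR, CA-signed certificate) as one non-interactive script, added here as an example and not part of the original gist. It follows the gist's file names and the node1.x.example.com hostname, but everything else is constructed: the work directory, the -subj values, and the extension settings. It adds what the interactive commands leave implicit and a practitioner would want to check before trusting the result: the CA is explicitly marked CA:TRUE, the server certificate gets a subjectAltName (modern clients ignore the CN), private keys are created with restrictive permissions, and the finished certificate is verified against the CA.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Reproduces the CA -> key -> CSR -> signed
# certificate procedure non-interactively and checks the result.
set -eu
umask 077   # private keys come out 0600 instead of world-readable

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # constructed: scratch directory
CA="$WORKDIR/MyRootCA"                  # file names follow the gist
NODE="$WORKDIR/node1"
NODE_FQDN="node1.x.example.com"
SUBJ_BASE="/C=DK/L=CityName/O=Example Corp"   # constructed sample DN values

# Minimal req config: the CA gets basicConstraints CA:TRUE regardless of the
# system openssl.cnf, and prompt=no replaces the interactive DN questions.
write_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = DK
L = CityName
O = Example Corp
CN = MyRootCA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Step 1 and 2 of the gist: CA private key and self-signed CA certificate.
make_ca() {
  openssl genrsa -out "$CA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$CA.key" -sha256 -days 365 \
    -config "$WORKDIR/req.cnf" -out "$CA.pem" 2>/dev/null
}

# Server key, PKCS#8 conversion (same command as the gist; -nocrypt means the
# output is an unencrypted PKCS#8 key, so the -v1 cipher choice has no effect),
# then the CSR with the server's FQDN as CN.
make_node_key_and_csr() {
  openssl genrsa -out "$NODE-pkcs12.key" 2048 2>/dev/null
  openssl pkcs8 -v1 "PBE-SHA1-3DES" -in "$NODE-pkcs12.key" -topk8 -out "$NODE.key" -nocrypt
  openssl req -new -key "$NODE.key" -config "$WORKDIR/req.cnf" \
    -subj "$SUBJ_BASE/CN=$NODE_FQDN" -out "$NODE.csr" 2>/dev/null
}

# Sign the CSR with the CA. The extension file adds what the gist's plain
# "openssl x509 -req" omits: a SAN matching the hostname and leaf-only usage.
sign_node_cert() {
  cat > "$NODE.ext" <<EOF
subjectAltName = DNS:$NODE_FQDN
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -in "$NODE.csr" -CA "$CA.pem" -CAkey "$CA.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$NODE.ext" -out "$NODE.pem" 2>/dev/null
}

# Checks: each returns 0 on success so a caller can gate deployment on them.
verify_chain() { openssl verify -CAfile "$CA.pem" "$NODE.pem" >/dev/null 2>&1; }
has_san()      { openssl x509 -in "$NODE.pem" -noout -text | grep -q "DNS:$NODE_FQDN"; }
ca_is_ca()     { openssl x509 -in "$CA.pem" -noout -text | grep -q 'CA:TRUE'; }
is_pkcs8()     { head -n 1 "$NODE.key" | grep -q '^-----BEGIN PRIVATE KEY-----$'; }

main() {
  write_config
  make_ca
  make_node_key_and_csr
  sign_node_cert
  verify_chain && has_san && ca_is_ca && is_pkcs8
  echo "CA and server certificate written to $WORKDIR"
}

main "$@"
```

Run it with no arguments to get a fresh scratch directory, or set WORKDIR to choose where the files land. The verification functions are the part worth keeping in a real pipeline: `openssl verify -CAfile` proves the signature actually chains to the CA you think it does, and the SAN check catches the common mistake of issuing a certificate that clients will reject despite the CN looking right.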