Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Generates a self-signed x509 certificate using OpenSSL.
# A simple CMake script for building the application.
cmake_minimum_required(VERSION 2.8)
project(create-x509)
# Our only dependency is OpenSSL
find_package(OpenSSL REQUIRED)
include_directories(${OPENSSL_INCLUDE_DIR})
add_executable(create-x509 create-x509.cpp)
target_link_libraries(create-x509 ${OPENSSL_LIBRARIES})
install(TARGETS create-x509 RUNTIME DESTINATION bin)
#include <cstdio>
#include <iostream>
#include <openssl/pem.h>
#include <openssl/x509.h>
/* Generates a 2048-bit RSA key. */
EVP_PKEY * generate_key()
{
/* Allocate memory for the EVP_PKEY structure. */
EVP_PKEY * pkey = EVP_PKEY_new();
if(!pkey)
{
std::cerr << "Unable to create EVP_PKEY structure." << std::endl;
return NULL;
}
/* Generate the RSA key and assign it to pkey. */
RSA * rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
if(!EVP_PKEY_assign_RSA(pkey, rsa))
{
std::cerr << "Unable to generate 2048-bit RSA key." << std::endl;
EVP_PKEY_free(pkey);
return NULL;
}
/* The key has been generated, return it. */
return pkey;
}
/* Generates a self-signed x509 certificate. */
X509 * generate_x509(EVP_PKEY * pkey)
{
/* Allocate memory for the X509 structure. */
X509 * x509 = X509_new();
if(!x509)
{
std::cerr << "Unable to create X509 structure." << std::endl;
return NULL;
}
/* Set the serial number. */
ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
/* This certificate is valid from now until exactly one year from now. */
X509_gmtime_adj(X509_get_notBefore(x509), 0);
X509_gmtime_adj(X509_get_notAfter(x509), 31536000L);
/* Set the public key for our certificate. */
X509_set_pubkey(x509, pkey);
/* We want to copy the subject name to the issuer name. */
X509_NAME * name = X509_get_subject_name(x509);
/* Set the country code and common name. */
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"CA", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"MyCompany", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"localhost", -1, -1, 0);
/* Now set the issuer name. */
X509_set_issuer_name(x509, name);
/* Actually sign the certificate with our key. */
if(!X509_sign(x509, pkey, EVP_sha1()))
{
std::cerr << "Error signing certificate." << std::endl;
X509_free(x509);
return NULL;
}
return x509;
}
bool write_to_disk(EVP_PKEY * pkey, X509 * x509)
{
/* Open the PEM file for writing the key to disk. */
FILE * pkey_file = fopen("key.pem", "wb");
if(!pkey_file)
{
std::cerr << "Unable to open \"key.pem\" for writing." << std::endl;
return false;
}
/* Write the key to disk. */
bool ret = PEM_write_PrivateKey(pkey_file, pkey, NULL, NULL, 0, NULL, NULL);
fclose(pkey_file);
if(!ret)
{
std::cerr << "Unable to write private key to disk." << std::endl;
return false;
}
/* Open the PEM file for writing the certificate to disk. */
FILE * x509_file = fopen("cert.pem", "wb");
if(!x509_file)
{
std::cerr << "Unable to open \"cert.pem\" for writing." << std::endl;
return false;
}
/* Write the certificate to disk. */
ret = PEM_write_X509(x509_file, x509);
fclose(x509_file);
if(!ret)
{
std::cerr << "Unable to write certificate to disk." << std::endl;
return false;
}
return true;
}
int main(int argc, char ** argv)
{
/* Generate the key. */
std::cout << "Generating RSA key..." << std::endl;
EVP_PKEY * pkey = generate_key();
if(!pkey)
return 1;
/* Generate the certificate. */
std::cout << "Generating x509 certificate..." << std::endl;
X509 * x509 = generate_x509(pkey);
if(!x509)
{
EVP_PKEY_free(pkey);
return 1;
}
/* Write the private key and certificate out to disk. */
std::cout << "Writing key and certificate to disk..." << std::endl;
bool ret = write_to_disk(pkey, x509);
EVP_PKEY_free(pkey);
X509_free(x509);
if(ret)
{
std::cout << "Success!" << std::endl;
return 0;
}
else
return 1;
}
@beryl1990

This comment has been minimized.

Copy link

beryl1990 commented Apr 30, 2014

Hi I am new with openssl. I am confused why not use RSA_free() afterr EVP_PKEY_free()?

@unusual-aspect

This comment has been minimized.

Copy link

unusual-aspect commented Feb 17, 2015

@beryl1990
As EVP_PKEY_free will free also RSA pointer, and there no need to de-allocate RSA.

@mahdizadehms

This comment has been minimized.

Copy link

mahdizadehms commented Feb 25, 2015

Hi there,
Shouldn't we pack "public keys" into certificates?
I see here you generate a private key from RSA and make a certificate from it, but how do we generate a public key from that RSA?
I work on a system using c++ that client make private and public key and send public key to server and server generate a certificate for client and send it back to it.

@itaranto

This comment has been minimized.

Copy link

itaranto commented Apr 13, 2016

Hi, I'm also new to OpenSSL, does the EVP_PKEY type represents a public/private key pair?
As far as I understand from reading the docs, EVP_PKEY is used for storing private keys, but I see that your are using it for both purposes (i.e. in X509_set_pubkey and X509_sign).
Can you explain this a little bit?

@iammrtau

This comment has been minimized.

Copy link

iammrtau commented Feb 20, 2019

Certificate generated from this ends up with same private and public key, any ideas why?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.