Generates a self-signed x509 certificate using OpenSSL.

CMakeLists.txt

# A simple CMake script for building the application.
cmake_minimum_required(VERSION 2.8)
project(create-x509)

# Our only dependency is OpenSSL
find_package(OpenSSL REQUIRED)

include_directories(${OPENSSL_INCLUDE_DIR})

add_executable(create-x509 create-x509.cpp)
target_link_libraries(create-x509 ${OPENSSL_LIBRARIES})

install(TARGETS create-x509 RUNTIME DESTINATION bin)

create-x509.cpp

#include <cstdio>
#include <iostream>

#include <openssl/pem.h>
#include <openssl/x509.h>

/* Generates a 2048-bit RSA key. */
EVP_PKEY * generate_key()
{
    /* Allocate memory for the EVP_PKEY structure. */
    EVP_PKEY * pkey = EVP_PKEY_new();
    if(!pkey)
    {
        std::cerr << "Unable to create EVP_PKEY structure." << std::endl;
        return NULL;
    }
    
    /* Generate the RSA key and assign it to pkey. */
    RSA * rsa = RSA_generate_key(2048, RSA_F4, NULL, NULL);
    if(!EVP_PKEY_assign_RSA(pkey, rsa))
    {
        std::cerr << "Unable to generate 2048-bit RSA key." << std::endl;
        EVP_PKEY_free(pkey);
        return NULL;
    }
    
    /* The key has been generated, return it. */
    return pkey;
}

/* Generates a self-signed x509 certificate. */
X509 * generate_x509(EVP_PKEY * pkey)
{
    /* Allocate memory for the X509 structure. */
    X509 * x509 = X509_new();
    if(!x509)
    {
        std::cerr << "Unable to create X509 structure." << std::endl;
        return NULL;
    }
    
    /* Set the serial number. */
    ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
    
    /* This certificate is valid from now until exactly one year from now. */
    X509_gmtime_adj(X509_get_notBefore(x509), 0);
    X509_gmtime_adj(X509_get_notAfter(x509), 31536000L);
    
    /* Set the public key for our certificate. */
    X509_set_pubkey(x509, pkey);
    
    /* We want to copy the subject name to the issuer name. */
    X509_NAME * name = X509_get_subject_name(x509);
    
    /* Set the country code and common name. */
    X509_NAME_add_entry_by_txt(name, "C",  MBSTRING_ASC, (unsigned char *)"CA",        -1, -1, 0);
    X509_NAME_add_entry_by_txt(name, "O",  MBSTRING_ASC, (unsigned char *)"MyCompany", -1, -1, 0);
    X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"localhost", -1, -1, 0);
    
    /* Now set the issuer name. */
    X509_set_issuer_name(x509, name);
    
    /* Actually sign the certificate with our key. */
    if(!X509_sign(x509, pkey, EVP_sha1()))
    {
        std::cerr << "Error signing certificate." << std::endl;
        X509_free(x509);
        return NULL;
    }
    
    return x509;
}

bool write_to_disk(EVP_PKEY * pkey, X509 * x509)
{
    /* Open the PEM file for writing the key to disk. */
    FILE * pkey_file = fopen("key.pem", "wb");
    if(!pkey_file)
    {
        std::cerr << "Unable to open \"key.pem\" for writing." << std::endl;
        return false;
    }
    
    /* Write the key to disk. */
    bool ret = PEM_write_PrivateKey(pkey_file, pkey, NULL, NULL, 0, NULL, NULL);
    fclose(pkey_file);
    
    if(!ret)
    {
        std::cerr << "Unable to write private key to disk." << std::endl;
        return false;
    }
    
    /* Open the PEM file for writing the certificate to disk. */
    FILE * x509_file = fopen("cert.pem", "wb");
    if(!x509_file)
    {
        std::cerr << "Unable to open \"cert.pem\" for writing." << std::endl;
        return false;
    }
    
    /* Write the certificate to disk. */
    ret = PEM_write_X509(x509_file, x509);
    fclose(x509_file);
    
    if(!ret)
    {
        std::cerr << "Unable to write certificate to disk." << std::endl;
        return false;
    }
    
    return true;
}

int main(int argc, char ** argv)
{
    /* Generate the key. */
    std::cout << "Generating RSA key..." << std::endl;
    
    EVP_PKEY * pkey = generate_key();
    if(!pkey)
        return 1;
    
    /* Generate the certificate. */
    std::cout << "Generating x509 certificate..." << std::endl;
    
    X509 * x509 = generate_x509(pkey);
    if(!x509)
    {
        EVP_PKEY_free(pkey);
        return 1;
    }
    
    /* Write the private key and certificate out to disk. */
    std::cout << "Writing key and certificate to disk..." << std::endl;
    
    bool ret = write_to_disk(pkey, x509);
    EVP_PKEY_free(pkey);
    X509_free(x509);
    
    if(ret)
    {
        std::cout << "Success!" << std::endl;
        return 0;
    }
    else
        return 1;
}

LICENSE.txt

The MIT License (MIT)

Copyright (c) 2022 Nathan Osman

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Hi I am new with openssl. I am confused why not use RSA_free() afterr EVP_PKEY_free()?

@beryl1990
As EVP_PKEY_free will free also RSA pointer, and there no need to de-allocate RSA.

Hi there,
Shouldn't we pack "public keys" into certificates?
I see here you generate a private key from RSA and make a certificate from it, but how do we generate a public key from that RSA?
I work on a system using c++ that client make private and public key and send public key to server and server generate a certificate for client and send it back to it.

Hi, I'm also new to OpenSSL, does the EVP_PKEY type represents a public/private key pair?
As far as I understand from reading the docs, EVP_PKEY is used for storing private keys, but I see that your are using it for both purposes (i.e. in X509_set_pubkey and X509_sign).
Can you explain this a little bit?

Certificate generated from this ends up with same private and public key, any ideas why?

I'm trying to manage software licenses using certificates. This code is very useful and prevents mistakes. I would like more help if possible. From South Korea.

Hi, I'm also new to OpenSSL, does the EVP_PKEY type represents a public/private key pair?
As far as I understand from reading the docs, EVP_PKEY is used for storing private keys, but I see that your are using it for both purposes (i.e. in X509_set_pubkey and X509_sign).
Can you explain this a little bit?

For future comers, EVP_PKEY doesn't simply store a private key and return it as it is, in fact it can store a pair of keys, public key or private key, and the internals are handled by repective ENGINE, read the description part of https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
I guess for the X509_set_pubkey that ENGINE (etc) is called to return the public and since it knows this is RSA, and storing private key (we can get public key from private key here), and calculate and return public key.

Great job. Thank you nathan-osman. You are life savior.

Hi there, I'd like to use some of this code in a project.
Have you posted this code under a particular license? Thanks.

@avivbeeri I just added LICENSE.txt to clarify the license 🙂

I have a similar sample code to create a CSR with SecP256r1 key. The header of signature part is:

    req->sig_alg = X509_ALGOR_dup(req->req_info->pubkey->algor);
    X509_ALGOR_set_md(req->sig_alg, (EVP_MD *)EVP_ecdsa());
    i2d_X509_REQ(req, &csrInfo);

Then I will generate the signature myself and append to the req object:

    unsignCsrData = [NSData dataWithBytes:csrInfo length:sizeof(csrInfo)];
    
    ecSignature = // generating signature internally
    
    signature->data = (unsigned char *)[ecSignature bytes];
    signature->length = (int)[ecSignature length];
    
    req->signature = signature;

My problem is in the header part, it will write ecdsa with SHA1:

170  11:   SEQUENCE {
172   7:     OBJECT IDENTIFIER ecdsaWithSHA1 (1 2 840 10045 4 1)
181   0:     NULL
       :     }

Do you know how to change the value of the header to ecdsa with SHA2? I can't find any document from OpenSSL about that.
Thank you!

Hi, I'm also new to OpenSSL, does the EVP_PKEY type represents a public/private key pair?
As far as I understand from reading the docs, EVP_PKEY is used for storing private keys, but I see that your are using it for both purposes (i.e. in X509_set_pubkey and X509_sign).
Can you explain this a little bit?

For future comers, EVP_PKEY doesn't simply store a private key and return it as it is, in fact it can store a pair of keys, public key or private key, and the internals are handled by repective ENGINE, read the description part of https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html I guess for the X509_set_pubkey that ENGINE (etc) is called to return the public and since it knows this is RSA, and storing private key (we can get public key from private key here), and calculate and return public key.

I'm trying to generate a self signed certificates using a private key stored in pkcs11 engine, can you elabortae how did you solve this issue ?

if the private key is srored in an engine e.g pkcs11 for example :

EVP_PKEY * pkey = ENGINE_load_private_key(eng, "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=09abc2fa100c0143;token=token1;object=ecc-key1;type=private?pin-value=12345", NULL, NULL);
X509_set_pubkey(x509, pkey) //will crash