Skip to content

Instantly share code, notes, and snippets.

@princeppy

princeppy/0 openssl.md

Forked from jchandra74/openssl.MD
Last active September 11, 2022 10:21
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 6 You must be signed in to fork a gist
  • Save princeppy/d00bad66d9caac86d9b7d3ce9e35fc12 to your computer and use it in GitHub Desktop.
Save princeppy/d00bad66d9caac86d9b7d3ce9e35fc12 to your computer and use it in GitHub Desktop.
Download ZIP
HOWTO: Create Your Own Self-Signed Certificate with Subject Alternative Names Using OpenSSL in Ubuntu Bash for Window
Raw
0 openssl.md

Extensions

  • .pem => Privacy Enhancement Mail Certificate
  • .key extension => is a PEM file containing just the private-key
  • .pkcs|.pfx|.p12 => is a fully encrypted passworded container format that contains both pubkic and private certificate pairs
  • .cert|.cer|.crt => is a public .pem formatted file with diffrent extenssions for windows
  • *.private.pem = *.key.pem = *.key
  • *.public.pem = *.crt.pem = *.crt = *.cer.pem = *.cer
  • passworded(*.key + *.cer) = *.pkcs|*.pfx|*.p12
  • *.key.pem + *.crt.pem in one file => *.keycer.pem

Generate Self-Signed Certificate with subjectAltName

Start Script

SET "domainname=*.techiesonapps.net"

SET "domain=%domainname:**.=%"	
SET "crtname=%domainname:.=_%"	
SET "crtname=%crtname:**=star%"

SET dirc=\usr\d\%crtname%\

mkdir %dirc%

(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo x509_extensions = v3_req
echo distinguished_name = dn
echo:
echo [dn]
echo C = AE
echo ST = DUBAI
echo L = Dubai
echo O = TechiesOn
echo OU = IT
echo CN = %domainname%
echo:
echo [v3_req]
echo subjectAltName = @alt_names
echo:
echo [alt_names]
echo DNS.1=%domainname%
echo DNS.2=%domain%
echo DNS.3=localhost
) > %dirc%%crtname%.cnf

Run After 5 sec fo that certificate is created

openssl req ^
-new -x509 ^
-newkey rsa:2048 -sha256 ^
-nodes -days 3560 ^
-keyout %dirc%%crtname%.key ^
-out %dirc%%crtname%.crt ^
-config %dirc%%crtname%.cnf

Run After 5 sec fo that certificate is created

openssl pkcs12 ^
-name %crtname% ^
-inkey %dirc%%crtname%.key ^
-in %dirc%%crtname%.crt ^
-export -out %dirc%%crtname%.pfx ^
-password pass:Pa$$w0rd

End Script

Thanks to

  • Server / Primary Certificate = your_domain_com.crt
  • Intermediate Certificate = CA.crt
  • Root Certificate = /RootCA.crt

Convert .pem to .pfx

openssl pkcs12 ^
-inkey your_domain_local.key.pem ^
-in your_domain_local.crt ^
-export -out your_domain_local.pfx

Convert .pfx to .keycer.pem(s)

openssl pkcs12 ^
-in your_domain_local.pfx ^
-nodes -clcerts ^
-out your_domain_local.keycer.pem

Convert .pem to .crt

openssl x509 ^
-outform der ^
-in your_domain_local.keycer.pem ^
-out your_domain_local.crt

Convert binary .crt to .crt.pem

openssl x509 ^
-inform DER ^
-outform PEM ^
-in your_domain_local.crt ^
-out your_domain_local.crt.pem

Extract private key .key.pem from keycer.pem

openssl rsa ^
-in your_domain_local.privatepublic.pem ^
-text > your_domain_local.key.pem

Build server.pem from .crt.pem and key.pem (**1)

cat your_domain_local.crt.pem your_domain_local.key.pem > your_domain_local.keycer.pem

From Convert .pem to .crt and .key

  • Converting Using OpenSSL

    These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.

    • Convert a DER file (.crt .cer .der) to PEM

      openssl x509 -inform der -in certificate.cer -out certificate.pem

    • Convert a PEM file to DER

      openssl x509 -outform der -in certificate.pem -out certificate.crt

      openssl x509 -outform der -in certificate.pem -out certificate.der

    • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

      openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

      You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

    • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

    • Convert PEM to CRT (.CRT file)

      openssl x509 -outform der -in certificate.pem -out certificate.crt

  • OpenSSL Convert PEM

    • Convert PEM to DER

      openssl x509 -outform der -in certificate.pem -out certificate.der

    • Convert PEM to P7B

      openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

    • Convert PEM to PFX

      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

  • OpenSSL Convert DER

    • Convert DER to PEM

      openssl x509 -inform der -in certificate.cer -out certificate.pem

  • OpenSSL Convert P7B

    • Convert P7B to PEM

      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

    • Convert P7B to PFX

      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

      openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

  • OpenSSL Convert PFX

    • Convert PFX to PEM

      openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

more on the page...

From What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

From The Most Common OpenSSL Commands

  • General OpenSSL Commands

    These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

    • Generate a new private key and Certificate Signing Request

      openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

    • Generate a self-signed certificate (see How to Create and Install an Apache Self Signed Certificate for more info)

      openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

    • Generate a certificate signing request (CSR) for an existing private key

      openssl req -out CSR.csr -key privateKey.key -new

    • Generate a certificate signing request based on an existing certificate

      openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

    • Remove a passphrase from a private key

      openssl rsa -in privateKey.pem -out newPrivateKey.pem

  • Checking Using OpenSSL

    If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

    • Check a Certificate Signing Request (CSR)

      openssl req -text -noout -verify -in CSR.csr

    • Check a private key

      openssl rsa -in privateKey.key -check

    • Check a certificate

      openssl x509 -in certificate.crt -text -noout

    • Check a PKCS#12 file (.pfx or .p12)

      openssl pkcs12 -info -in keyStore.p12

  • Debugging Using OpenSSL

    If you are receiving an error that the private doesn't match the certificate or that a certificate that you installed to a site is not trusted, try one of these commands. If you are trying to verify that an SSL certificate is installed correctly, be sure to check out the SSL Checker.

    • Check an MD5 hash of the public key to ensure that it matches with what is in a CSR or private key

      openssl x509 -noout -modulus -in certificate.crt | openssl md5

      openssl rsa -noout -modulus -in privateKey.key | openssl md5

      openssl req -noout -modulus -in CSR.csr | openssl md5

    • Check an SSL connection. All the certificates (including Intermediates) should be displayed

      openssl s_client -connect www.paypal.com:443

  • Converting Using OpenSSL

    These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS. Use our SSL Converter to convert certificates without messing with OpenSSL.

    • Convert a DER file (.crt .cer .der) to PEM

      openssl x509 -inform der -in certificate.cer -out certificate.pem

    • Convert a PEM file to DER

      openssl x509 -outform der -in certificate.pem -out certificate.der

    • Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

      openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

      You can add -nocerts to only output the private key or add -nokeys to only output the certificates.`

    • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

From 9 OpenSSL Commands To Keep Handy

  1. Generating a New CSR and Key

    When generating (or regenerating) a SSL certificate, the first step is to create a new CSR (certificate signing request) with a new public/private key pair:

openssl req ^
-nodes -new ^
-newkey rsa:4096 ^
-out www.example.com.csr ^
-keyout www.example.com.key

  1. Generating a New CSR from Existing Key

    If the private key already exists, it can be used to generate a new CSR also:

    openssl req -nodes -new -key www.example.com.old.key -out www.example.com.new.csr

  2. Generating a New CSR from Existing CRT and Key

    If there is an existing certificate and an existing key, a new CSR with the same information (organizational information, FQDN, etc.) can be easily generated:

    openssl x509 -x509toreq -in www.example.com.old.crt -signkey www.example.com.key -out www.example.com.csr

  3. Generating a CSR with SANs

    SANs (subject alternative names) allow a single CRT to refer to multiple FQDNs. This differs from a wildcard certificate, which refers to all sub-domains of a given domain. The SANs can refer to wildly different domains, like www.example.com and www.example.net.

    Generating a CSR with SANs requires using a separate configuration file to list the SANs. The file contains the following default openssl template, plus an additional section for subjectAltNames:

#
# your_domain_local.cnf
#
[ req ]
distinguished_name  = req_distinguished_name
req_extensions = v3_req
 
[ req_distinguished_name ]
countryName     = Country Name (2 letter code)
countryName_default   = AU
countryName_min     = 2
countryName_max     = 2
 
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Some-State
 
localityName      = Locality Name (eg, city)
 
0.organizationName    = Organization Name (eg, company)
0.organizationName_default  = Internet Widgits Pty Ltd
 
organizationalUnitName    = Organizational Unit Name (eg, section)
 
commonName      = Common Name (e.g. server FQDN or YOUR name)
commonName_max      = 64
 
emailAddress      = Email Address
emailAddress_max    = 64
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
 
[alt_names]
DNS.1 = www.example.net
DNS.2 = www.example.org

This file is then passed into the openssl command when generating the new CSR:

# Existing Key
openssl req ^
-x509 ^
-sha256 ^
-nodes ^
-days 365 ^
-config \usr\d\6\openssl6.conf ^
-in \usr\d\6\www.example.com.key ^
-out \usr\d\6\www.example.com.1.crt

or

# New Key
openssl req ^
-x509 ^
-sha256 ^
-nodes ^
-days 365 ^
-new -newkey rsa:4096 ^
-config \usr\d\6\openssl6.conf ^
-keyout \usr\d\6\www.example.com.3.key ^
-out \usr\d\6\www.example.com.3.crt

  1. Reading a CSR

    Sometimes, it’s helpful to examine an existing CSR to determine what information it contains (such as organizational information, FQDN, etc.):

    openssl req -text -noout -in www.example.com.csr

  2. Generate a Self-Signed Certificate from an Existing Private Key and CSR

    Use this method if you already have a private key and CSR, and you want to generate a self-signed certificate with them.

    This command creates a self-signed certificate (domain.crt) from an existing private key (domain.key) and (domain.csr):

    The -days 365 option specifies that the certificate will be valid for 365 days.

    openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt

  3. Reading a CRT

    After a CSR has been sent to the CA (certificate authority) to be digitally signed, a certificate is issued and returned. It is often helpful to examine a certificate to verify dates of validity, and match it with organizational information.

    openssl x509 -text -noout -in www.example.com.crt

  4. Verifying a CRT Matches a Private Key

    Updating the private keys and certificates on server can get confusing, especially if poorly named files for previous years exist. If the private key and certificate do not match, web servers usually fail to start, or will not start with SSL. This can lead to all sorts of bad things (like outages). Fortunately, it is easy to sanity check that a key and certificate are matched by comparing their moduli. (The modulus is a component shared between the public key in the CRT and the private key). If the modulus from the CRT and private key match, it is likely that the public and private key are paired.

    openssl rsa -noout -modulus -in www.example.com.key

    openssl x509 -noout -modulus -in www.example.com.crt

    The moduli can be visually compared, or can be compared programmatically:

#!/bin/bash
test `openssl rsa -noout -modulus -in $1.key` = \
 `openssl x509 -noout -modulus -in $1.crt`
if [ $? = 0 ]
	then echo "Match!"
else
	echo "Not a match!"
fi

  1. Fingerprinting a CRT

    It can be helpful to compare a certificate’s digital fingerprint with what it is expected to be (either from records, or published statements). For instance, if a new SSL certificate is added to a server, a client might receive a message about an unrecognized or untrusted certificate, along with the certificate’s fingerprint. The user can independently verify the validity of the certificate by comparing the provided fingerprint with the known fingerprint (which should be determined and published beforehand).

    openssl x509 -fingerprint -noout -in www.example.com.crt

    The digest algorithm for the fingerprint can be specified as well:

    openssl x509 -noout -fingerprint -in www.example.com.crt -md5

    openssl x509 -noout -fingerprint -in www.example.com.crt -sha1

  2. Making it Automated

    It is possible to add all necessary information for a CSR to a configuration file so that it can be read in by openssl instead of using prompts. The following is an example of a file that contains all the necessary information to generate a new CSR:

[ req ]
prompt = no
default_bits = 2048
default_keyfile = www.example.com.key
encrypt_key = no
distinguished_name = req_distinguished_name
 
string_mask = utf8only
 
req_extensions = v3_req
 
[ req_distinguished_name ]
O=Internet Widgits Pty Ltd
L=Grand Rapids
ST=Michigan
C=US
CN=www.example.com
 
[ v3_req ]
 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

> Now, a new CSR can be created with: openssl req -new -config <filename of config file> -out <filename of csr>

openssl req -new -config openssl.conf -out www.example.com.csr

From OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs

From Howto: Make Your Own Cert With OpenSSL on Windows

From Generating a self-signed cert with openssl that works in Chrome 58

From How to modify the friendly name attribute in a SSL certifcate

From OpenSSL Quick Reference Guide

From How to get .pem file from .key and .crt files?

Raw
1 openssl.MD

HOWTO: Create Your Own Self-Signed Certificate with Subject Alternative Names Using OpenSSL in Ubuntu Bash for Window

********

1 Prepare Cmder Environemnt

Cmder is a software package created out of pure frustration over the absence of nice console emulators on Windows. It is based on amazing software, and spiced up with the Monokai color scheme and a custom prompt layout, looking sexy from the start. Portable console emulator for Windows : download, unblock and extract the zip package to c:\tools\cmder

Keyboard shortcuts

Tab manipulation

`Ctrl + ``` : Global Summon from taskbar
`Win + Alt + p` : Preferences (Or right click on title bar)
`Ctrl + t` : New tab dialog (maybe you want to open cmd as admin?)
`Ctrl + w` : Close tab
`Shift + Alt` + number : Fast new tab:
    1. CMD
    2. PowerShell
`Alt + Enter` : Fullscreen

Shell

`Ctrl + Alt + u` : Traverse up in directory structure (lovely feature!)
`End, Home, Ctrl` : Traverse text as usual on Windows
`Ctrl + r` : History search
`Shift + mouse` : Select and copy text from buffer
`Right click / Ctrl + Shift + v` : Paste text

2 Prepare OpenSSL

  • execute c:\tools\cmder\Cmder.exe
  • execute following cmd
mkdir cert2
cd cert2
openssl

********

Overview

My main development workstation is a Windows 10 machine, so we'll approach this from that viewpoint.

Recently, Google Chrome started giving me a warning when I open a site that uses https and self-signed certificate on my local development machine due to some SSL certificate issues like the one below:

Self-Signed SSL Issue in Chrome

or one that is described in this forum post which I originally got.

I made my self-signed certificate using MAKECERT utility previously. Apparently, this tool does not support creating self-signed SSL certificate with Subject Alternative Name (SAN). If anyone knows different, please let me know.

So, after doing some searches, it seems that OpenSSL is the best solution for this.

If you are trying to use OpenSSL on Windows like me, you will probably be scratching your head on where to start. Build from the repository? Ouch. That's what they called yak shaving. I just want to quickly create my own damn self-signed certificate, not build a factory that can do that. Sure, there is binary installation available here, but after getting it installed and trying to figure out how to make it run nicely with PowerShell, I gave up.

Luckily, Windows 10 now has the ability to run Ubuntu Bash and after playing around with it, this seems to be the best way forward when using openssl.

Setup Ubuntu on Windows 10

To set it up, follow the instruction here.

Install OpenSSL

To install openssl run the following command from the bash shell:

sudo apt-get install openssl

Once installed, you are ready to create your own self-signed certificate.

Creating Self-Signed Certificate

I am using this OpenSSL Ubuntu article as the base, but there are some modifications along the way, so I'll just explain the way I did it here. If you need further information, please visit that article.

The original article is using SHA1 but we really need to move to something else that is stronger like SHA256. If you are using SHA1 as suggested, you will be getting the Your connection is not private page in Chrome.

Creating Your Working Environment

We will use your user profile root directory (~/ which points to /home/jchandra in my case) to do this work. If you use anything else, you might need to customize the caconfig.cnf and localhost.cnf content below.

To create your environment, run the following in bash:

cd ~/ && mkdir myCA && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA

This will create the following directories under your user profile root folder:

Directory Contents
~/myCA contains CA certificate, certificates database, generated certificates, keys, and requests
~/myCA/signedcerts contains copies of each signed certificate
~/myCA/private contains the private key

Create the Certificate Database

To create the database, enter the following in bash:

echo '01' > serial && touch index.txt

Create Certificate Authority Configuration File

Create caconfig.cnf using vim or nano or whatever Linux text-editor of your choice.

To create it using vim, do the following:

    vim ~/myCA/caconfig.cnf

To create it using nano do the following:

    nano ~/myCA/caconfig.cnf

The content should be like so:

# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir = /home/jchandra/myCA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/signedcerts
private_key = $dir/private/cakey.pem
serial = $dir/serial
#
#
# Default expiration and encryption policies for certificates
#
default_crl_days = 365
default_days = 1825
# sha1 is no longer recommended, we will be using sha256
default_md = sha256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request
#
copy_extensions = copy
#
#
# Default policy to use when generating server certificates. 
# The following fields must be defined in the server certificate.
#
# DO NOT CHANGE "supplied" BELOW TO ANYTHING ELSE.
# It is the correct content.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
#
# x509 extensions to use when generating server certificates
#
[ local_ca_extensions ]
basicConstraints = CA:false
#
#
# The default root certificate generation policy
#
[ req ]
default_bits = 2048
default_keyfile = /home/jchandra/myCA/private/cakey.pem
#
# sha1 is no longer recommended, we will be using sha256
default_md = sha256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
#
# Root Certificate Authority distinguished name
#
# DO CHANGE THE CONTENT OF THESE FIELDS TO MATCH
# YOUR OWN SETTINGS!
#
[ root_ca_distinguished_name ]
commonName = InvoiceSmashDev Root Certificate Authority
stateOrProvinceName = NSW
countryName = AU
emailAddress = support.team@blahblahblah.com
organizationName = Coupa InvoiceSmash
organizationalUnitName = Development
#
[ root_ca_extensions ]
basicConstraints = CA:true

Caveats for caconfig.cnf:

  1. In [ local_ca ] section, make sure you replace <username> with your Ubuntu username that you created when you setup Ubuntu on Windows 10. Mine for example is dir = /home/jchandra/myCA. NOTE: DO NOT USE ~/myCA. It does not work..
    Similarly, change the default_keyfile setting in [ req ] section to be the same.
  2. Leave the [ local_ca_policy ] section alone. commonName = supplied, etc. are correct and not to be overwritten.
  3. In [ root_ca_distinguished_name ] section, replace all values to your own settings.

Creating Your Test Certificate Authority

  1. Run the following command so openssl will pick the settings automatically:
export OPENSSL_CONF=~/myCA/caconfig.cnf
  1. Generate the Certificate Authority (CA) certificate:
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
  1. Enter and retype the password you wish to use to import/export the certificate.
    NOTE: Remember this password, you will need it throughout this walk-through.

Once you are done you should have the following files:

File Content
~/myCA/cacert.pem CA public certificate
~/myCA/private/cakey.pem CA private key

In Windows, we will be using .crt file instead, so create one using the following command:

openssl x509 -in cacert.pem -out cacert.crt

Creating Your Self-Signed Certificate with Subject Alternative Name (SAN)

Now that you have your CA, you can create the actual self-signed SSL certificate.

But first, we need to create the configuration file for it. So again, use vim or nano, etc. to create the file. In this example, I will call mine localhost.cnf since that's the server that I am going to be using to test my development code. You can call it whatever you want. Just make sure you use the right filename in the export command later on.

Below is the content of ~/myCA/localhost.cnf:

#
# localhost.cnf
#

[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req

[ server_distinguished_name ]
commonName = localhost
stateOrProvinceName = NSW
countryName = AU
emailAddress = invoicesmashteam@coupa.com
organizationName = Coupa InvoiceSmash
organizationalUnitName = Development

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.0 = localhost
DNS.1 = invoicesmash.local

Caveats for localhost.conf

  1. Change the values in [ server_distinguished_name ] section to match your own settings.
  2. In [ alt_names ] section, change the value for DNS.0 and DNS.1 to whatever you need. In my case, I test my web application using https://localhost:44300, therefore the correct value for me is DNS.0 = localhost. I am not sure what to do with DNS.1 so, I just changed it to DNS.1 = invoicesmash.local. If so happen that I have a host entry in my hosts file that matches this (mapped to IP Address 127.0.0.1), it should still work.

Once you created the configuration file, you need to export it:

export OPENSSL_CONF=~/myCA/localhost.cnf

Now generate the certificate and key:

openssl req -newkey rsa:2048 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

Again, provide the password that you previously entered and wait for the command complete.

Next, run the following to create the unencrypted key file:

openssl rsa < tempkey.pem > server_key.pem

Again, provide the password that you previously entered and wait for the command to be completed.

Now switch back the export to caconfig.cnf so we can sign the new certificate request with the CA:

export OPENSSL_CONF=~/myCA/caconfig.cnf

And sign it:

openssl ca -in tempreq.pem -out server_crt.pem

Again, provide the password that you previously entered and wait for the command to be completed and just type in Y whenever it asks you for [y/n].

Now you should have your self-signed certificate and the key.

File Content
~/myCA/server_crt.pem Self signed SSL certificate
~/myCA/server_key.pem Self signed SSL certificate private key

Converting the .pem files to .pfx for usage by Windows

In Windows, we mostly use .pfx and .crt files. Therefore, we need to convert the .pem file to .pfx. We'll use cat to combine server_key.pem and server_crt.pem into a file called hold.pem. Then we will do the conversion using openssl pkcs12 command as shown below. You can use whatever text you want to describe your new .pfx file in the -name parameter.

cat server_key.pem server_crt.pem > hold.pem
openssl pkcs12 -export -out localhost.pfx -in hold.pem -name "InvoiceSmash Dev Self-Signed SSL Certificate"

Again, provide the password that you previously entered and wait for the command to be completed.

Now you should have the following files that we will use in the next section.

File Content
~/myCA/localhost.pfx Self signed SSL certificate in PKCS#12 format
~/myCA/cacert.crt CA certificate used to signed the self-signed certificate

Copy the PFX and CA Certificate to a Windows location and Install the CA & PFX into Windows

Copying PFX and CA from Ubuntu bash to Windows Side

It seems it is forbidden to touch the Linux Subsystem from Windows side, but you can touch Windows side from Linux side, so that's what we are going to do.

To copy the files from inside Ubuntu, you need to know where you want to copy the files to on Windows side. For example, if I want to copy the files to C:\certificates folder, I'd do something like cp {localhost.pfx,cacert.crt} /mnt/c/certificates.

See this faq if you want to know more about this.

Install the new CA and self-signed certificates

To install the CA and self-signed certificates, all you need to do is double-click the file from where you copied them into.

Once clicked, just follow the Install Certificate steps and you should be good.

For the CA Certificate (`cacert.crt), make sure you install it to Local Machine, Trusted Root Certification Authorities.

For the self-signed certificate (localhost.pfx), install it to Local Machine, enter the password as previously, and store it in Personal.

That's it. Now you can configure your application to use the new certificate. In my situation, I just need to configure the Azure Cloud Service project to use that certificate as pointed by this document. I do not know your workflow, so it might be different.

References

Raw
2 openssl.cnf
dir = certificates
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 36500
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = priv.pem
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
encyrpt_key = no
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment