Friday, October 25, 2013

Generating an SSL key + self-signed cert with openssl

Steps below for creating a PKI key + cert for your HTTPS implementation.  Linux command line is assumed.

Key

$ openssl genpkey -out key.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048

Output of this is a 2048-bit private key (key.pem).


Certificate

$ openssl req -new -x509 -key key.pem -out cert.pem -days 9999

This takes the private key generated in the step above (key.pem) and creates a self-signed PKI certificate (cert.pem).  I put an expiration date of 9999 days on it.


Note - You generally want to use a resolvable DNS entry for the Common Name (CN) field in your certificate.  Putting an IP address in that field will cause trouble under RFC 2818, which says:

    In some cases, the URI is specified as an IP address rather than a
    hostname. In this case, the iPAddress subjectAltName must be present
    in the certificate and must exactly match the IP in the URI.

The net effect is that you have to add a subjectAltName (SAN) field to your certificate carrying that same IP address.  I can attest that the Java Runtime Environment and node.js enforce this RFC clause.  You can avoid the entire problem by using a host name.
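The two commands above, extended so that a subjectAltName can be set on the certificate and then checked, as an added example that is not part of the original post. The functions make_self_signed, cert_san, cert_matches_ip and cert_matches_host, the host name www.example.test and the address 10.0.0.5 are all constructed for this example. The check uses the -verify_ip and -verify_hostname options of openssl verify, which ask OpenSSL the same question the JRE and node.js ask when they connect: is this certificate valid for that IP or that host name?

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the post's key + cert
# pair through a small req config so a subjectAltName (SAN) can be set, then
# asks OpenSSL whether it would accept the cert for a given IP or host name.
# www.example.test and 10.0.0.5 are constructed sample values.
set -eu

# make_self_signed DIR CN SAN
#   DIR : output directory; key.pem, cert.pem and req.cnf are written there
#   CN  : Common Name for the subject
#   SAN : subjectAltName value such as "DNS:www.example.test,IP:10.0.0.5";
#         pass "" to omit the extension (this reproduces the post's command)
make_self_signed() {
    dir=$1; cn=$2; san=$3

    # Same key as the post: 2048-bit RSA, unencrypted PEM.
    openssl genpkey -out "$dir/key.pem" -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048

    # Minimal req config. prompt = no takes the subject from [dn] instead of
    # asking interactively; x509_extensions names the section holding the SAN.
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ -n "$san" ]; then printf 'x509_extensions = ext\n'; fi
        printf '[dn]\nCN = %s\n' "$cn"
        if [ -n "$san" ]; then printf '[ext]\nsubjectAltName = %s\n' "$san"; fi
    } > "$dir/req.cnf"

    # Same certificate command as the post, plus -config for the SAN.
    openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
        -days 9999 -config "$dir/req.cnf"
}

# cert_san CERT: print the SAN entries of CERT, or nothing if it has none.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# cert_matches_ip CERT IP: succeed only if OpenSSL accepts CERT for IP.
# The cert is used as its own trust anchor so only the name check matters.
# OpenSSL looks for IP addresses in the SAN only; a CN holding the IP does
# not count, which is exactly the RFC 2818 rule quoted in the post.
cert_matches_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# cert_matches_host CERT HOST: the same check for a DNS host name.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo: the same IP once as CN only (the post's command) and once as CN + SAN.
demo() {
    work=$(mktemp -d)
    mkdir "$work/cn_only" "$work/with_san"
    make_self_signed "$work/cn_only"  10.0.0.5 ""
    make_self_signed "$work/with_san" 10.0.0.5 "DNS:www.example.test,IP:10.0.0.5"
    for d in cn_only with_san; do
        printf '%-9s SAN: [%s]  ' "$d" "$(cert_san "$work/$d/cert.pem")"
        if cert_matches_ip "$work/$d/cert.pem" 10.0.0.5; then
            echo "accepted for 10.0.0.5"
        else
            echo "rejected for 10.0.0.5"
        fi
    done
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found in PATH" >&2
fi
```

The config file route works on any OpenSSL release; on 1.1.1 and later the same extension can be added with `-addext "subjectAltName=DNS:www.example.test,IP:10.0.0.5"` on the openssl req command line instead. Either way, the cn_only certificate is rejected for 10.0.0.5 while the with_san certificate is accepted, which is the behaviour the JRE and node.js show at connection time.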
