Guide: Issue Self-signed TLS Certificates for Enhanced Security
Issue a Self-signed CA Certificate
To issue a self-signed CA certificate on Ubuntu, you can follow these steps:
1. Generate a private key for the CA:
openssl genrsa -des3 -out ca.key 4096
This command will create a new 4096-bit RSA key pair with 3DES encryption for the private key. You will be prompted to enter a passphrase to protect the key.
2. Generate a self-signed certificate for the CA:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
This command will generate a self-signed X.509 certificate valid for 10 years using the private key generated in step 1. You will be prompted to enter some information about the CA, such as the common name and organization.
3. Copy the CA certificate and key to the appropriate locations:
sudo cp ca.crt /usr/local/share/ca-certificates/
sudo cp ca.key /usr/local/share/ca-certificates/private/
This command will copy the CA certificate to the system-wide trusted certificate store and the private key to a secure location only accessible by the root user.
4. Update the system's trusted certificate store:
sudo update-ca-certificates
This command will update the system's trusted certificate store with the newly installed CA certificate.
Your self-signed CA cerficate is now ready to be used to issue and sign other certificates for your own purposes.
Issue certificates
To issue a .cer and .key file from the self-signed CA, you can follow these steps:
1. Generate a private key for the server:
openssl genrsa -out server.key 2048
This command will generate a new 2048-bit RSA key pair for the server.
2. Create a Certificate Signing Request (CSR) for the server:
openssl req -new -key server.key -out server.csr
This command will create a CSR for the server using the private key generated in step 1. You will be prompted to enter some information about the server, such as the common name and organization.
3. Sign the CSR with the self-signed CA:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
This command will sign the CSR with the self-signed CA certificate and generate a new server certificate valid for 1 year. The -CA
option specifies the path to the CA certificate, -CAkey
specifies the path to the CA private key, and -CAcreateserial
creates a unique serial number for the new server certificate.
4. Convert the server certificate and key to .cer and .key files:
openssl x509 -inform PEM -in server.crt -outform DER -out server.cer
openssl rsa -inform PEM -in server.key -outform DER -out server.key
These commands will convert the server certificate and key from PEM format to DER format and save them as .cer and .key files, respectively.
You now have a server certificate server.cer
and key server.key
issued and signed by your self-signed CA.