You will learn in this tutorial
- to create a secure and a insecure serverkey needed for a Certificate Request with openssl
- to create a Certificate Request from a serverkey with openssl
- to create a selfsigned certificate from a Certificate Request with openssl
Prerequisits
- openssl
Create serverkeys
The first step in certificate creatation is to create serverkeys for a CR (Certificate Request) on your servermachine. That means, your will create a 2048 bit RSA server.key on your local servermachine and reques a cert for for this server on a CA (Certificate Authority) so that the CA can approve this request with a cert for this servermachine key.Every cert is signed to only one serverkey, except when you are using wildcard certificates
Normally you will use a common CA like Verisign, Commode or Geotrust. In our case we want to create a selfsigned certificate. In that case we are our own CA.
Clearly, thats only usefull, if we want to develop locally or internaly.
So let's create the server.key's
openssl genrsa -des3 -out server.key 2048
At next you will be asked for a passphrase. Type in a secure password with min length 5 letters, a specialchar and 1 digit
That's it. You will now find a file "server.key" in the current directory
Create a server.key for passwordless encryption.
The server.key you have cfreated will ask everytime for a pasword, if you use it. To prevent that, we will now create a further serer,key, which doens't need a password, because it's based on the password encrypted key, we have created before.
openssl rsa -in server.key -out server.key.insecure
This will save a new key "server.key.insecure"
Let's rename the key
To get rid of the insecure word in a serverkey, we simply rename them. :)
mv server.key server.key.secure
mv server.key.insecure server.key
Now we have created our passwordless server,key.
Create a CR for your server.key
Now we have to create our Certificate Request (CR) for our server.key. This can also be done by opensslopenssl req -new -key server.key -out server.csr
At next you will be asked for the server.key passphrase.
In the next prompts you will be asked for Detailinformations of your company.
We want to create a cert for local development under "https://nodejs.local".
So your FQDN is nodejs.local
Don`t forget to add nodejs.local to your local /etc/hosts
After you typed in your password,openssl will save a file "server.csr" in your current directory.
Now, you can send this CertRequest to your CertAuthority or you can self sign the certificate
Selfsign your certificate
For local development we do not want to spend 100 Bugs a year, So lets selfsign the cert. But you will never use that for stage or live / prod system, where your customers are logging them in.openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Great. Now we have a new certificate for our dev environment
You can use the generated "the server.crt" and "server.key" files in your application to en- and decrypt requests
It is a good idea to store the files in a central folder like /etc/ssl/certs and /etc/ssl/keys
At last you have to import this new cert in your browser.
Under Settings->Advanced->Certificates you can inport it under "Certificate Authorities"
Cheers !
Keine Kommentare:
Kommentar veröffentlichen