Generating Self-Signed SSL Certificates

Creating Private Key

To create a private RSA key using the OpenSSL package, to be used by the mod_ssl module of the Apache HTTP server, use the following command:

$ openssl genrsa -out asgserver01.key 1024

The above command generates a 1024-bit RSA private key and stores it in the file asgserver01.key.

As SSL is a PKI-based encryption system, it requires a private key to reside on the server. The generated RSA private key file asgserver01.key is used to decrypt messages sent to the Apache HTTP server. The key has a public component that is distributed (via a digital certificate file) so that clients can encrypt messages before sending them to the server.

Generating Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) is a digital file that contains the server's public key and the server's identity. Normally this file is sent to a Certificate Authority (CA) so that it can be converted into a real digital certificate. A digital certificate contains the server's RSA public key, its name (or identity), and the name of the CA, and it is digitally signed by that CA. Clients that know the CA can verify the signature on the digital certificate, thereby obtaining the server's RSA public key. This enables the clients to send messages that only the server can decrypt.

To generate a certificate signing request (CSR) for a previously generated private key file, use the following command:

$ openssl req -new -key asgserver01.key -out asgserver01.csr

This command retrieves the public key from the asgserver01.key key file and prompts you for the information needed to construct a Distinguished Name (DN) for your server's identity. Follow the prompts to enter the relevant information, which is incorporated into your certificate request together with the Distinguished Name. Also enter a password that is used to encrypt the CSR.

Note: For a widely used production deployment, where you want the certificate to be accepted automatically by all major client implementations, send the CSR file to an officially established Certificate Authority.

For testing purposes, you can sign your own public key, which yields a perfectly usable certificate.

To generate a self-signed certificate from the previously generated certificate signing request (CSR), signed with the generated private key file, use the following command:

$ openssl x509 -in asgserver01.csr -out tibasg.crt -req -signkey asgserver01.key -days 365
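The three steps above, run non-interactively and then checked, as an added example that is not part of the original page: the Distinguished Name is supplied with -subj so no prompts appear, and a verification function confirms that the certificate's public key matches the private key, that the self-signature verifies, and that the key is at least 2048 bits (the page's 1024-bit size is below current minimums and is rejected by modern clients). The openssl CLI is assumed to be installed; the base names, DN values and key size are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the openssl CLI.
set -eu

# make_self_signed <basename> <common-name> <key-bits> <days>
# Mirrors the page's genrsa / req / x509 steps, producing <basename>.key,
# <basename>.csr and <basename>.crt in the current directory. The DN is
# passed with -subj so the req step does not prompt.
make_self_signed() {
    base=$1; cn=$2; bits=$3; days=$4
    openssl genrsa -out "$base.key" "$bits" 2>/dev/null
    openssl req -new -key "$base.key" -out "$base.csr" \
        -subj "/C=US/O=Example Corp/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$base.csr" -signkey "$base.key" \
        -days "$days" -out "$base.crt" 2>/dev/null
}

# verify_self_signed <basename>
# Returns 0 only if: (1) the public key inside the certificate is the one
# derived from the private key, (2) the certificate verifies against itself
# as a self-signed trust anchor, and (3) the RSA modulus is >= 2048 bits.
verify_self_signed() {
    base=$1
    key_pub=$(openssl pkey -in "$base.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$base.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || { echo "public key mismatch" >&2; return 1; }
    openssl verify -CAfile "$base.crt" "$base.crt" >/dev/null 2>&1 \
        || { echo "self-signature does not verify" >&2; return 1; }
    # "Private-Key: (2048 bit)" in OpenSSL 1.1, "(2048 bit, 2 primes)" in 3.x
    bits=$(openssl pkey -in "$base.key" -text -noout 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-?} bits" >&2; return 1; }
    return 0
}

# cert_subject <basename>: print the subject DN recorded in the certificate
cert_subject() {
    openssl x509 -in "$1.crt" -noout -subject 2>/dev/null
}
```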