How to create self-signed certificates using OpenSSL

Create, Sign and Manage Certificates using OpenSSL

OpenSSL is a versatile command line tool that can be used for a variety of cryptographic tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS).

This tutorial shows how to use OpenSSL to create certificates (RSA key pairs with an X.509 certificate) for beta and test systems in internal or development environments. For such systems it is usually not worth having a Certificate Signing Request (CSR) signed by a publicly trusted CA; a self-signed certificate is sufficient, provided the clients that need it are configured to trust it. The example below generates a private key, creates a certificate request from it and signs that request with the same key.

Open Secure Socket Layer protocol

Create a self-signed certificate

openssl genrsa -out priv.key 4096
openssl req -new -nodes -sha256 -key priv.key -out cert.csr
openssl x509 -req -sha256 -days 3650 -in cert.csr -signkey priv.key -out cert.crt

In this example a 4096-bit RSA private key is generated, a certificate request carrying the X.509 Distinguished Name (DN) is created from it, and the request is signed with the same private key, producing a self-signed certificate valid for 10 years (3650 days). SHA-256 is the hash used for the signature; it is not an encryption algorithm. The -nodes flag has no effect here because the key already exists unencrypted; it only matters when req generates a new key with -newkey. Note that a certificate created this way carries no subjectAltName (SAN); current browsers ignore the Common Name and match the hostname against the SAN only, so add one if the certificate is meant for a web server.

openssl genrsa -out priv.key 4096
Generating RSA private key, 4096 bit long modulus
................................++
..................................++
e is 65537 (0x010001)
PS C:\temp> openssl req -new -nodes -sha256 -key priv.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:ZRH
Locality Name (eg, city) []:ZURICH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cyber Lab Ltd.
Organizational Unit Name (eg, section) []:DevOps Root CA Cert Authority
Common Name (e.g. server FQDN or YOUR name) []:cyber.foo.org
Email Address []:support@cyber.foo.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234

A self-signed certificate generated this way can be used for HTTPS / TLS server and client authentication, code signing, VPN endpoints (SSL-VPN) or S/MIME e-mail, but only where the relying party has been told to trust it explicitly, since no CA vouches for it. The certificate above also has no key-usage or extended-key-usage extensions; Windows code-signing tools, for example, reject a certificate without the Code Signing extended key usage, so add the extensions that match the intended use when issuing.

On Windows, cert.crt is then imported into the certificate store: into Trusted Root Certification Authorities on every machine that must trust it, and, together with its private key as a PKCS#12 file, into the Personal store of the server or user that will present it. Only the certificate, never the private key, is distributed to the trusting clients.

Figure: Certificates snap-in

OpenSSL, the open-source SSL/TLS toolkit, is installed by default on most Linux distributions; Windows binaries are third-party builds, available for example on sourceforge.

XCA – X Certificate Key Management

If you are not familiar with the OpenSSL command line tool, you can use X Certificate and Key Management (xca), which offers the same options in a GUI.

X Certificate and Key Management is an interface for managing asymmetric keys such as RSA or DSA. It is intended for the creation and signing of certificates. The cryptographic operations use the OpenSSL library.

Features

  • Start own PKI and create all kinds of certificates, requests or CRLs
  • Import and export in any format like PEM, DER, PKCS#7, PKCS#12
  • Use them for your IPsec, OpenVPN, HTTPS or any other certificate based setup
  • Manage your Smart-Cards via PKCS#11 interface
  • Export certificates and requests to an OpenSSL config file
  • Create Subject- and/or Extension- templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Get the broad support of x509v3 extensions as flexible as OpenSSL but user friendlier
  • Adapt the Columns to have your important information at a glance

Download at sourceforge

Figure: X Certificate and Key Management

Before keys and certificates can be generated, a database must be created (Ctrl+N). After generating a private key, a new certificate can be issued from it. Private keys should be kept password protected. If a private key becomes available to an unauthorized party, the certificate is no longer trustworthy and must be replaced; since a self-signed certificate cannot be revoked through a CA, every client that trusted it must also remove it from its trust store.

Verify key and certificate

Check the private key's consistency and print it

openssl rsa -check -in priv.key

View Certificate

openssl x509 -noout -text -in cert.crt

Check and print the Certificate Signing Request (-verify checks the request's self-signature against the public key it contains)

openssl req -text -noout -verify -in cert.csr

Verify that the private key, the CSR and the certificate belong together.

openssl rsa -noout -modulus -in priv.key | openssl md5
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl req -noout -modulus -in cert.csr | openssl md5

If the three hashes are identical, the certificate and the CSR were created from that private key; the MD5 is only there to shorten the long modulus for comparison by eye and has no security role. This check only applies to RSA keys, which have a modulus; for other key types compare the public keys instead (openssl pkey -pubout against openssl x509 -pubkey -noout).

Conclusion

OpenSSL is the versatile Swiss Army Knife for PKI work: generating a private key, issuing and signing a certificate, verifying that key, request and certificate belong together, and also testing TLS connectivity against a server.

PowerShell Loop Hands-On

Arrays and loops are used all the time when working with PowerShell scripts.

In the following example an array with four values is created; the values are then read back by their index.

An array is created with the following commands:
PS C:\> $array = "sandwich", "salad", "beer", "espresso"
PS C:\> Write-Host $array[0,1,2,3]
Output the values with a For loop over the array:

The length of the array, i.e. the number of stored values, is read with $array.length. The variable $i serves as a counter that determines when to leave the loop. It is given a start value ($i=0) and increased by 1 on each pass ($i++) until the end value is reached. The end value is the length of the array ($array.length), so the loop condition is: as long as $i is less than the number of values ($i -lt $array.length).

PowerShell For loop
for ($i=0; $i -lt $array.length; $i++) {
  Write-Host $array[$i]
}

The For loop: for ($i=0; $i -lt $array.length; $i++)
Start value $i=0: the variable $i starts at 0.
Condition $i -lt $array.length: the loop body runs as long as $i is less (-lt) than $array.length, i.e. as long as $i is less than 4.
Step $i++: after each pass the value of $i is increased by 1, so $i takes the values 0, 1, 2, 3, and the loop ends when $i reaches 4.

while loop
$i=0
while ($i -lt $array.length) {
  Write-Host $array[$i]
  $i++
}

Here the start value of $i is set before the loop ($i=0).
while ($i -lt $array.length)
The parentheses after while hold the condition for the loop pass; the loop is not left as long as the condition is fulfilled:
$i -lt $array.length ... as long as $i is less than $array.length.
The variable $i is incremented by 1 inside the loop body: $i++. Without that increment the condition would never become false and the loop would never end.

Endless Loop

while can also be used for an infinite loop, as follows; break exits the infinite loop again. The following example runs through the loop until break is executed, which happens as soon as $i is no longer less than 10:

$i=0
while ($true) {
  $i++
  Write-Host $i
  if ($i -ge 10) { break }
}

do loop
$i=0
do {
  Write-Host $array[$i]
  $i++
} while ($i -lt $array.length)

Foreach
foreach ($i in $array) {
  Write-Host $i
}

foreach ($i in $array) visits every value of the array ($array); on each pass the variable $i holds the value currently being read.

Operator

-eq is equal
-ne is not equal
-gt is greater than
-ge is greater than or equal
-lt is less than
-le is less than or equal