A trusted certificate is one bought from a trusted CA (certificate authority) such as www.verisign.com. For non-production applications, however, we can make our own self-signed certificate. The reason we want an SSL certificate is so that the packets transmitted between the server and its clients over the Internet are encrypted. This way, if a hacker captures the traffic, the packets are encrypted and the hacker should not be able to decrypt them. If OpenSSL is not installed, install OpenSSL.
When creating a public/private key pair, we want to create three files:
- Public certificate file (C:\Program Files\GnuWin32\share\certs\example.com.crt)
- Certificate Signing Request (CSR) file (C:\Program Files\GnuWin32\share\misc\example.com.csr)
- Private key file (C:\Program Files\GnuWin32\share\private\example.com.key)
Private key (aka Client certificate)
Using Command Line, change to the directory that contains the openssl.exe program:
cd "C:\program files\gnuwin32\bin\"
Display the current version of OpenSSL:
OpenSSL> version
OpenSSL 0.9.8h 28 May 2008
Use this command to create a private key. This will create a file named example.com.key.
OpenSSL> genrsa -out "C:\Program Files\GnuWin32\share\private\example.com.key" 2048
Certificate Signing Request (CSR) file
Let's create the certificate signing request file. This will create a file named example.com.csr. The example.com.csr file is used to sign the example.com.crt (public key) file. Move to the /etc/pki/tls directory, and then create the CSR file. When using this command, issue the command as one long string. I just placed every option on a new line to make it easier to read and understand.
OpenSSL> req -new -key "C:\Program Files\GnuWin32\share\private\example.com.key" -out "C:\Program Files\GnuWin32\share\misc\example.com.csr"
There will be a series of prompts.
| Prompt | Example value | Meaning |
|---|---|---|
| Country Name | US | United States |
| Organization Name | Acme Widgets | Company name |
| Organization Unit Name | Acme Widgets | Company name |
| Common Name | www.example.com | Domain name |
| Email Address | email@example.com | Admin email |
It is important that the Common Name is the full hostname clients will connect to, including the host part (mail, ftp or www) and the domain suffix (.com), for example www.example.com. When an HTTPS page is requested from a remote network, the certificate, the private key and ssl.conf must all refer to that same full hostname (www and .com included).
Public certificate (aka Server certificate)
Use this command to create a self-signed public certificate. The CSR file is the input, and the certificate is signed with the private key (the -signkey option).
OpenSSL> x509 -req -days 365 -in "C:\Program Files\GnuWin32\share\misc\example.com.csr" -signkey "C:\Program Files\GnuWin32\share\private\example.com.key" -out "C:\Program Files\GnuWin32\share\certs\example.com.crt"
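The same key, CSR and self-signed certificate flow, scripted non-interactively and followed by two checks worth running before the certificate is installed. This is an added example, not code from the original page; it assumes the openssl binary is on PATH, and the output directory, hostname and organisation are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original page). Answers the prompts from the table
# above on the command line with -subj, then checks the result.
# Assumes: openssl on PATH; outdir, hostname and organisation are sample values.
set -u

# Generate private key, CSR and self-signed certificate for one hostname.
# Usage: make_selfsigned <outdir> <hostname> <organisation>
make_selfsigned() {
    outdir=$1; host=$2; org=$3
    mkdir -p "$outdir"
    # 2048-bit RSA private key (keep this file readable only by the server account)
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null || return 1
    # CSR: Common Name must be the full hostname clients will type, e.g. www.example.com
    openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" \
        -subj "/C=US/O=$org/OU=$org/CN=$host/emailAddress=admin@$host" || return 1
    # Modern clients ignore CN and require a subjectAltName, so add one explicitly
    printf 'subjectAltName=DNS:%s\n' "$host" > "$outdir/san.cnf"
    openssl x509 -req -days 365 -in "$outdir/$host.csr" -signkey "$outdir/$host.key" \
        -extfile "$outdir/san.cnf" -out "$outdir/$host.crt" 2>/dev/null || return 1
}

# Return 0 when the certificate names the given host in both CN and SAN.
cert_names_host() {
    crt=$1; host=$2
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | grep -qF "CN=$host" || return 1
    openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$host"
}

# Return 0 when the certificate's public key is the one derived from the private key
# (catches the common mistake of pairing a certificate with the wrong .key file).
cert_matches_key() {
    crt=$1; key=$2
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl rsa -in "$key" -pubout 2>/dev/null)" ]
}

# Demonstration run with constructed values
DEMO_DIR=$(mktemp -d)
if make_selfsigned "$DEMO_DIR" www.example.com "Acme Widgets"; then
    cert_names_host "$DEMO_DIR/www.example.com.crt" www.example.com && echo "hostname check: ok"
    cert_matches_key "$DEMO_DIR/www.example.com.crt" "$DEMO_DIR/www.example.com.key" && echo "key/cert match: ok"
fi
```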