I have posted before about creating self-signed client certificates with makecert utility. Today I’d like to describe step by step how we can do it with OpenSSL.
Client certificates are essential for mutual SSL authentication. During development and testing, I usually need self-signed ones for simplicity.
First, we need to create a Root CA certificate which will be used for creating the Server and Client certificates.
To make it simple, I’ve added the passwords to the commands (with the value “changeme”)!
openssl genrsa -aes256 -passout pass:changeme -out ca.pass.key 4096This command creates an encrypted RSA private key for CA Root.
openssl rsa -passin pass:changeme -in ca.pass.key -out ca.keyThis command extracts RSA private key.
openssl req -new -x509 -days 365 -key ca.key -out ca.crtThis command creates the root certificate with the key. For this request, I supplied some dummy information for the fields Country Name, State or Province Name, Locality Name (eg, city) [Default City], Organization Name (eg, company) [Default Company Ltd], Organizational Unit Name (eg, section), Email Address.
For the Common Name (eg, your name or your server’s hostname) field we should specify a distinguishable name (like “TestRootCA”).
Second, we can use this CA certificate to create a server certificate that can be used for the SSL connection:
openssl genrsa -aes256 -passout pass:changeme -out server.pass.key 4096This command creates an encrypted RSA private key for Server.
openssl rsa -passin pass:changeme -in server.pass.key -out server.keyThis command extracts RSA private key.
openssl req -new -key server.key -out server.csrThis command creates a certificate creation request. For the Common Name, I specified a distinguishable name (like “TestServer”).
openssl x509 -CAcreateserial -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
