Cryptography Tutorials - Herong's Tutorial Examples - v5.42, by Herong Yang
Generating Self-Signed Certificates
This section provides a tutorial example on how to generate a self-signed certificate for yourself with the OpenSSL command line tool.
A self-signed certificate is a certificate in which the "issuer" is the "subject" himself. In other words, a self-signed certificate is a certificate where the "issuer" signs his own public key with his private key.
If you want to generate a self-signed certificate for yourself, here is what you need to do:
That sounds like a lot of work. But OpenSSL can do everything for you in one shot with the "req" command. Before we try the "req" command, we need to make sure that you have the "openssl.cnf" file installed on your local system. If you don't, go find a copy on the Web. If you cannot find it, send me an email. I will send you my copy. Here is what "openssl.cnf" looks like:
   domain = some.com
   dir = .

   ####################################################################
   [ ca ]
   default_ca = CA_default # The default ca section

   ####################################################################
   [ CA_default ]
   certs = $dir/ssl.crt # Where the issued certs are
   crl_dir = $dir/ssl.crl # Where the issued crl are kept
   database = $dir/.index.txt # database index file.
   new_certs_dir = $dir/.issued # default place for new cert
   ...
Here is the command to generate a self-signed certificate based on an RSA key pair file, herong_rsa_des.key, generated previously:
   herong> openssl req -new -key herong_rsa_des.key -x509 -out herong.crt \
      -config openssl.cnf
   Enter pass phrase for herong_rsa_des.key:
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) []:CN
   State or Province Name (full name) []:PN
   Locality Name (eg, city) []:LN
   Organization Name (eg, company) []:ON
   Organizational Unit Name (eg, section) []:UN
   Common Name (eg, YOUR name) []:Herong Yang
   Email Address []:.

   herong> more herong.crt
   -----BEGIN CERTIFICATE-----
   MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
   MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
   VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
   NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
   TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
   ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
   V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
   gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
   FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
   CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
   BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
   BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
   Wm7DCfrPNGVwFWUQOmsPue9rZBgO
   -----END CERTIFICATE-----
Note that:
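
The same "req -x509" step without prompts, as an added example that is not part of the original tutorial: the script writes a minimal config, creates a self-signed certificate, then checks both properties from the definition at the top of this section (issuer equals subject, and the signature verifies under the certificate's own public key). The demo.cnf, demo.key and demo.crt file names, the unencrypted 2048-bit throwaway key and the two function names are assumptions of this example.

```shell
#!/bin/sh
# Added example; demo.* file names and function names are assumptions.
set -eu

# Write a minimal config, a throwaway RSA key and a self-signed cert into DIR.
make_self_signed() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = CN
ST = PN
L  = LN
O  = ON
OU = UN
CN = Herong Yang
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    # Unencrypted key so the example runs without a pass phrase prompt.
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/demo.key" -out "$dir/demo.crt" \
        -days 30 -config "$dir/demo.cnf"
}

# Succeed only if CERT names itself as issuer AND its signature verifies
# under its own public key. Equal names alone only prove "self-issued".
is_self_signed() {
    crt=$1
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] || return 1
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_self_signed "$tmp"
if is_self_signed "$tmp/demo.crt"; then
    echo "demo.crt: issuer == subject and signature verifies with its own key"
fi
rm -rf "$tmp"
```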