Generating Self-Signed Certificates

This section provides a tutorial example on how to generate a self-signed certificate for yourself with the OpenSSL command line tool.

A self-signed certificate is a certificate that the "issuer" is the "subject" himself. In other word, a self-signed certificate is a certificate where the "issuer" signs his own public key with his private key.

If you want to generate a self-signed certificate for yourself, here what you to need to do:

That sounds like a lot of work. But OpenSSL can do everything for you in one shot with the "req" command. Before we try the "req" command, we need to make sure that you have the "openssl.cnf" installed on your local system. If you don't, go find a copy on the Web. If you can not find it, send me an email. I will send you my copy. Here is how the "openssl.cnf" looks like:

domain                  = some.com
dir                     = .

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

certs           = $dir/ssl.crt          # Where the issued certs are
crl_dir         = $dir/ssl.crl          # Where the issued crl are k
database        = $dir/.index.txt       # database index file.
new_certs_dir   = $dir/.issued          # default place for new cert

...

Here is the command to generated a self-signed certificate based on a RSA key pair file, herong_rsa_des.key, generated previously:

herong> openssl req -new -key herong_rsa_des.key -x509 -out herong.crt \
   -config openssl.cnf

Enter pass phrase for herong_rsa_des.key:
You are about to be asked to enter information that will be 
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished 
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:PN
Locality Name (eg, city) []:LN
Organization Name (eg, company) []:ON
Organizational Unit Name (eg, section) []:UN
Common Name (eg, YOUR name) []:Herong Yang
Email Address []:.

herong> more herong.crt
-----BEGIN CERTIFICATE-----
MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC
VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx
NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD
TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu
ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j
V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj
gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA
FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE
CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS
BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju
Wm7DCfrPNGVwFWUQOmsPue9rZBgO
-----END CERTIFICATE-----

Note that:

Table of Contents

 About This Book

 Cryptography Terminology

 Cryptography Basic Concepts

 Introduction to AES (Advanced Encryption Standard)

 Introduction to DES Algorithm

 DES Algorithm - Illustrated with Java Programs

 DES Algorithm Java Implementation

 DES Algorithm - Java Implementation in JDK JCE

 DES Encryption Operation Modes

 DES in Stream Cipher Modes

 PHP Implementation of DES - mcrypt

 Blowfish - 8-Byte Block Cipher

 Secret Key Generation and Management

 Cipher - Secret Key Encryption and Decryption

 Introduction of RSA Algorithm

 RSA Implementation using java.math.BigInteger Class

 Introduction of DSA (Digital Signature Algorithm)

 Java Default Implementation of DSA

 Private key and Public Key Pair Generation

 PKCS#8/X.509 Private/Public Encoding Standards

 Cipher - Public Key Encryption and Decryption

 MD5 Mesasge Digest Algorithm

 SHA1 Mesasge Digest Algorithm

 OpenSSL Introduction and Installation

 OpenSSL Generating and Managing RSA Keys

OpenSSL Managing Certificates

 What Is a Certificate?

Generating Self-Signed Certificates

 Viewing Components of Certificates

 OpenSSL Generating and Signing CSR

 OpenSSL Validating Certificate Path

 "keytool" and "keystore" from JDK

 "OpenSSL" Signing CSR Generated by "keytool"

 Migrating Keys from "keystore" to "OpenSSL" Key Files

 Certificate X.509 Standard and DER/PEM Formats

 Migrating Keys from "OpenSSL" Key Files to "keystore"

 Using Certificates in IE

 Using Certificates in Google Chrome

 Using Certificates in Firefox

 Archived Tutorials

 References

 Full Version in PDF/EPUB