Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

This site Web Google

OpenSSL - Generating Self-Signed Certificates

Part:   1  2 

This chapter describes:

  • What is a certificate?
  • Generating Self-Signed Certificates
  • Viewing Components of Certificates

What is a Certificate?

Certificate: A digitally signed statement from the issuer saying that the public key of the subject has some specific value.

The above definition is copied from the JDK 1.3.1 documentation. It has a couple of important terms:

  • "signed statement" - The certificate must be signed by the issuer with a digital signature.
  • "issuer" - The person or organization who is issuing this certificate.
  • "public key" - The public key of a key pair selected by the subject.
  • "subject" - The person or organization who owns the public key.

X.509 Certificate - A certificate written in X.509 standard format. X.509 standard was introduction in 1988. It requires a certificate to have the following information:

  • Version - X.509 standard version number.
  • Serial Number - A sequence number given to each certificate.
  • Signature Algorithm Identifier - Name of the algorithm used to sign this certificate by the issuer
  • Issuer Name - Name of the issuer.
  • Validity Period - Period during which this certificate is valid.
  • Subject Name - Name of the owner of the public key.
  • Subject Public Key Information - The public key and its related information.

Generating Self-Signed Certificates

A self-signed certificate is a certificate that the "issuer" is the "subject" himself. In other words, a seft-signed certificate is a certificate where the "issuer" signs his own public key with his private key.

If you want to generate a self-signed certificate for yourself, here what you to need to do:

  • Enter your own name as the "subject".
  • Provide your public key.
  • Sign it with your private key.
  • Put everything in the X.509 format.

That sounds like a lot of work. But OpenSSL can do everything for you in one shot with the "req" command. Before we try the "req" command, we need to make sure that you have the "openssl.cnf" installed on your local system. If you don't, go find a copy on the Web. If you can not find it, send me an email. I will send you my copy. Here is how the "openssl.cnf" looks like: 

domain                  = some.com
dir                     = .

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

certs           = $dir/ssl.crt          # Where the issued certs are
crl_dir         = $dir/ssl.crl          # Where the issued crl are k
database        = $dir/.index.txt       # database index file.
new_certs_dir   = $dir/.issued          # default place for new cert

...

(Continued on next part...)

Part:   1  2 

Dr. Herong Yang, updated in 2007
Cryptography Tutorials - Herong's Tutorial Notes - OpenSSL - Generating Self-Signed Certificates