This article was last reviewed for Debian 9 (Stretch).
Generating a self-signed public key certificate (Debian)
Author: Stefán Örvar Sigmundsson
Written in: English (United Kingdom)
A public key certificate is an electronic document used to prove ownership of a public key. Public-key cryptography (or asymmetric cryptography) is the main technique used to secure communication over the Internet. The primary protocols implementing such communication are Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). The certificates are therefore commonly referred to as TLS/SSL certificates. This article will demonstrate how to generate a self-signed public key certificate on Debian or its derivatives such as Ubuntu and Linux Mint.
Self-signed public key certificates are intended for development and testing exclusively and not for production as they do not provide real assurance of the ownership of the public key. Client-side software such as web browsers will advise their users not to trust servers unless their public key certificates have been issued and certified by certificate authorities. Self-signed certificates do however enable the use of encryption and are therefore secure for communication.
The steps to generate a self-signed public key certificate are simple and short:
- A private key is generated.
- A certificate signing request is generated using the private key.
- A public key certificate is generated using the private key and certificate signing request.
A directory is created for organisational purposes to contain the generated files. The directory will be located in /etc/ssl/ according to convention. The directory will be named after the domain name to which its contents relate (in this case example.org):
root@computer:~# cd /etc/ssl/
root@computer:/etc/ssl# mkdir example.org/
root@computer:/etc/ssl# cd example.org/
The private key (certificate.key) is generated with a sufficiently long modulus (4,096 bits):
root@computer:/etc/ssl/example.org# openssl genrsa -out certificate.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................++
...............................................++
e is 65537 (0x10001)
Certificate signing request
The certificate signing request (certificate.csr) takes 5 required attributes (country name, state or province name, locality name, organization name, common name) and 2 optional attributes (organizational unit name, email address). The extra attributes at the end are entirely unnecessary when certificates are self-signed. Do not use non-ASCII characters for any of the attributes as they will not be displayed correctly:
root@computer:/etc/ssl/example.org# openssl req -new -key certificate.key -out certificate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IS
State or Province Name (full name) [Some-State]:Capital Region
Locality Name (eg, city) []:Reykjavik
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Organisation
Organizational Unit Name (eg, section) []:Information Technology Department
Common Name (e.g. server FQDN or YOUR name) []:*.example.org
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note that the common name attribute was set to *.example.org. The asterisk is a wildcard character and makes the public key certificate a wildcard certificate. It means that the certificate will apply to example.org and all possible subdomains. Wildcard certificates eliminate the need to generate individual certificates for each subdomain with the associated financial cost.
Public key certificate
The public key certificate (certificate.crt) is generated using the certificate signing request (certificate.csr) and the private key (certificate.key):
root@computer:/etc/ssl/example.org# openssl x509 -req -days 365 -in certificate.csr -signkey certificate.key -out certificate.crt
Signature ok
subject=C = IS, ST = Capital Region, L = Reykjavik, O = Example Organisation, OU = Information Technology Department, CN = *.example.org, emailAddress = firstname.lastname@example.org
Getting Private key
After the generation, the program outputs some information about the public key certificate.
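The private key file must be inaccessible to all but the root user as the security of any encrypted communication would be completely compromised should a third party gain access to it. The following removes every permission for group and others from the directory and its files, leaving read and write access to the owner (and the execute bit on the directory only):
root@computer:/etc/ssl/example.org# chmod --recursive u=rwX,go= .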
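The three steps and the permission step can also be run without prompts and the result checked afterwards. The shell functions below are an added example, not part of the original article; the function names, the `-subj` values given in place of the interactive answers and the optional bit-length argument are assumptions of the example, while the file names follow the article.

```shell
#!/bin/sh
# Added example (not from the article): generate, then check, a self-signed
# certificate. Function names and the -subj values are this example's choices.

make_self_signed() {   # usage: make_self_signed DIR COMMON_NAME [BITS]
    dir=$1; cn=$2; bits=${3:-4096}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Step 1: private key, readable and writable by its owner only.
    openssl genrsa -out "$dir/certificate.key" "$bits" 2>/dev/null || return 1
    chmod 600 "$dir/certificate.key" || return 1
    # Step 2: certificate signing request; -subj answers the prompts.
    openssl req -new -key "$dir/certificate.key" \
        -subj "/C=IS/ST=Capital Region/L=Reykjavik/O=Example Organisation/CN=$cn" \
        -out "$dir/certificate.csr" || return 1
    # Step 3: certificate signed with the same private key.
    openssl x509 -req -days 365 -in "$dir/certificate.csr" \
        -signkey "$dir/certificate.key" -out "$dir/certificate.crt" 2>/dev/null
}

check_self_signed() {  # usage: check_self_signed DIR (returns 0 if all checks pass)
    key=$1/certificate.key; crt=$1/certificate.crt
    # The certificate must carry the public half of certificate.key.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "certificate does not match key" >&2; return 1; }
    # Self-signed: issuer and subject are the same name ...
    [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
      "$(openssl x509 -in "$crt" -noout -issuer_hash)" ] ||
        { echo "issuer differs from subject" >&2; return 1; }
    # ... and the signature verifies against the certificate's own key.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
        { echo "signature does not verify" >&2; return 1; }
    # Group and others must have no permissions on the private key.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "private key accessible beyond its owner" >&2; return 1; }
}

# Usage: make_self_signed /etc/ssl/example.org '*.example.org' &&
#        check_self_signed /etc/ssl/example.org
```

The check fails if certificate.key is later replaced or its permissions are loosened, which makes it suitable for running again after files have been copied between machines.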