    Generate self-signed certificates

    This guide walks through the steps for creating a self-signed certificate for digital signature purposes with OpenSSL.

    Step 1: Install OpenSSL

    Windows

    Download and install OpenSSL from https://www.firedaemon.com/download-firedaemon-openssl
    

    Ubuntu

    sudo apt-get install openssl
    

    Step 2: Generate a private key

    Generate the RSA private key that will be used to create and sign the certificate. A key length of 2048 bits is commonly used.

    openssl genrsa -out private_key.pem 2048
    

    Step 3: Create a configuration file with EKU for clientAuth and serverAuth

    Create an OpenSSL configuration file (e.g., openssl.cnf) that includes the necessary Extended Key Usage extensions for both client and server authentication. This file will specify how the certificate should be generated.

    Create a file named openssl.cnf with the following content:

    [ req ]
    default_bits       = 2048
    default_keyfile    = CasewhereSigningCertificate_private_key.pem
    distinguished_name = req_distinguished_name
    x509_extensions    = v3_req
    prompt             = no
    
    [ req_distinguished_name ]
    C  = DK
    ST = Capital
    L  = Virum
    O  = Globeteam
    OU = Casewhere
    CN = CasewhereSigningCertificate
    
    [ v3_req ]
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    

    Update the C, ST, L, O, OU, and CN fields under [ req_distinguished_name ] to match your requirements.

    Step 4: Generate a certificate signing request (CSR)

    Use the private key and configuration file to create a CSR.

    openssl req -new -key private_key.pem -out csr.pem -config openssl.cnf
    

    Step 5: Generate the self-signed certificate

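    Finally, create a self-signed certificate that includes the specified EKU extensions for both clientAuth and serverAuth. The -extensions and -extfile options apply the [ v3_req ] section at signing time; the CSR from Step 4 does not carry these extensions, so without the two options the certificate is issued without them.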

    openssl x509 -req -days 365 -in csr.pem -signkey private_key.pem -out self_signed_cert.pem -extensions v3_req -extfile openssl.cnf
    

    Step 6: Convert the certificate to PFX

    openssl pkcs12 -export -out self_signed_certificate.pfx -inkey private_key.pem -in self_signed_cert.pem
    

    Summary of files created

    • private_key.pem: Your private key.
    • csr.pem: Certificate Signing Request.
    • self_signed_cert.pem: Your self-signed certificate with clientAuth and serverAuth capabilities.
    • self_signed_certificate.pfx: The certificate in PFX format.

    You now have a self-signed certificate that is valid for both client and server authentication and suitable for use in applications requiring mutual TLS (mTLS) or secure communications. Be sure to keep your private key (private_key.pem) secure, along with self_signed_certificate.pfx, which also contains it.
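
The checks below confirm that the output of Steps 2 to 5 is what this guide describes, as an added example that is not part of the original page: the certificate carries the Step 3 key usage and EKU values, its public key matches the private key, and it has not expired. The names verify_cert, make_sample and check_cert.sh and the subject CN = constructed-example are assumptions made for this example; make_sample's noext mode leaves -extensions and -extfile out of the Step 5 command, which is the case the extension check is meant to catch.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the output of Steps 2-5.

# verify_cert CERT KEY: succeeds only if the certificate carries the Step 3
# extensions, matches the private key, and has not expired.
verify_cert() {
    cert=$1 key=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    for want in "Digital Signature" "Key Encipherment" \
                "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        printf '%s\n' "$text" | grep -q "$want" \
            || { echo "missing: $want" >&2; return 1; }
    done
    # Public key in the certificate must equal the one derived from the key file.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "certificate and key do not match" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
}

# make_sample DIR [noext]: throwaway key and certificate for a dry run.
# The subject is a constructed value. "noext" drops -extensions/-extfile from
# the Step 5 command, which yields a certificate without keyUsage or EKU.
make_sample() {
    dir=$1 mode=${2:-}
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        '[ dn ]' 'CN = constructed-example' '[ v3_req ]' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth, clientAuth' > "$dir/openssl.cnf"
    openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null || return 1
    chmod 600 "$dir/private_key.pem"   # private key readable by its owner only
    openssl req -new -key "$dir/private_key.pem" -out "$dir/csr.pem" \
        -config "$dir/openssl.cnf" || return 1
    if [ "$mode" = noext ]; then set --
    else set -- -extensions v3_req -extfile "$dir/openssl.cnf"; fi
    openssl x509 -req -days 365 -in "$dir/csr.pem" \
        -signkey "$dir/private_key.pem" -out "$dir/self_signed_cert.pem" \
        "$@" 2>/dev/null
}

# With two arguments, check real files (check_cert.sh is a hypothetical name):
#   sh check_cert.sh self_signed_cert.pem private_key.pem
if [ "$#" -eq 2 ]; then verify_cert "$1" "$2"; fi
```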
