Generate a self-signed server and client certificates with OpenSSL

This is the definitive guide to create secure certificates, for both servers and clients, using OpenSSL.

Procedure

On Windows, it is recommended to use Chocolatey to install OpenSSL and its dependencies. The command line is simply choco install openssl.

Root Certification authority (CA)

  1. Generate the Root CA Private Key using the following command line:openssl ecparam -name prime256v1 -genkey -noout -out ca.key. Every certificate must have a corresponding private key.
  2. Generate the Root CA Certificate (Certificate Authority) using the following command line: openssl req -new -x509 -sha256 -key ca.key -out ca.crt.
  3. Enter the information about the CA (the certificate will be generated in the ca.crt file):
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Toontown
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme inc.
    Organizational Unit Name (eg, section) []:Security
    Common Name (e.g. server FQDN or your name) []:acme.com
    Email Address []:security@acme.com
    
  4. Install the certificate.

Note that the certificate must be installed on the server and on all of the clients to validate the legitimacy of issued certificates. Some browsers also have particularities which are described in the topic.

Server certificate

These steps are usually performed on each server or device for which you intend to request a certificate. Install OpenSSL if it is not present. The alternative is to securely deploy the private key to the destination server at the same time as the certificate. It is recommended to use this last approach only if you must adhere to scripted deployments to follow CloudOps/DevOps practices.

  1. Generate the Server Certificate Private Key using the following command line: openssl ecparam -name prime256v1 -genkey -noout -out server.key (256bit private key in the server.key file). Every certificate must have a corresponding private key.
  2. Generate the server Certificate Signing Request (CSR) using the following command line: openssl req -new -sha256 -key server.key -out server.csr. This request will later be processed on the Root CA server.
  3. Enter the information about the server certificate (the exact FQDN that is used by the server must be specified). For Example:
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Toontown
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Acme inc.
    Organizational Unit Name (eg, section) []:Security
    Common Name (e.g. server FQDN or your name) []:vault.acme.com
    Email Address []:security@acme.com
    
  4. Enter a password into the prompt, using a password manager as well as a strong password generator is essential.
  5. Transfer the server.csr file to the Root CA.
  6. Process the request by following the instructions below.
  7. Deploy the certificate.

Client certificate

Follow the same procedure as for the Server certificate, but you must adapt two attributes of the information you enter to your needs, namely the Common Name and the Email Address.

Common Name (e.g. server FQDN or your name) []:John Doe
Email Address []:JohnDoe@acme.com

Process a Certificate Signing Request (CSR) on the Root Certificate Authority (CA)

Process the CSR by generating a certificate.

Generate it using the following command line, where the server.csr has been generated on the server: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256

This results in the certificate being generated in the server.crt file. You must deploy it to the server where you generated the CSR.