Create Self-Signed Certificates and Keys with OpenSSL and convert to PEM

Creating the Certificate Authority’s Certificate and Keys

  1. Generate a private key for the CA:

     $ openssl genrsa 2048 > ca-key.pem

  2. Generate the X509 certificate for the CA:

     $ openssl req -new -x509 -nodes -days 365000 \
         -key ca-key.pem \
         -out ca-cert.pem

Creating the Server’s Certificate and Keys

  1. Generate the private key and certificate request:

     $ openssl req -newkey rsa:2048 -nodes -days 365000 \
         -keyout server-key.pem \
         -out server-req.pem

  2. Generate the X509 certificate for the server:

     $ openssl x509 -req -days 365000 -set_serial 01 \
         -in server-req.pem \
         -out server-cert.pem \
         -CA ca-cert.pem \
         -CAkey ca-key.pem

Creating the Client’s Certificate and Keys

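  1. Generate the private key and certificate request:

     $ openssl req -newkey rsa:2048 -nodes -days 365000 \
         -keyout client-key.pem \
         -out client-req.pem

  2. Generate the X509 certificate for the client. The serial number must differ from the server certificate's, because a CA may not issue two certificates with the same serial and some TLS stacks reject the duplicate:

     $ openssl x509 -req -days 365000 -set_serial 02 \
         -in client-req.pem \
         -out client-cert.pem \
         -CA ca-cert.pem \
         -CAkey ca-key.pem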

Verifying the Certificates

  1. Verify the server certificate:

     $ openssl verify -CAfile ca-cert.pem \
         ca-cert.pem \
         server-cert.pem

  2. Verify the client certificate:

     $ openssl verify -CAfile ca-cert.pem \
         ca-cert.pem \
         client-cert.pem

Convert to PEM

If the file is in binary (DER) format:

For server.crt, use:

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For server.key, use openssl rsa in place of openssl x509.

The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.

If this is for a web server that cannot load the certificate and the private key from separate files:

You may need to concatenate the two files. For this, use:

cat server.crt server.key > server.includesprivatekey.pem
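
The conversion and concatenation steps above as one script; this is an added example, not code from the original page. It goes one step beyond the text by refusing to bundle a certificate with a private key that does not match it. The function names are hypothetical, and the key is assumed to be an unencrypted RSA key such as one generated with -nodes.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# is_pem FILE: succeeds if FILE contains a PEM "-----BEGIN ...-----" line.
is_pem() {
    LC_ALL=C grep -q -e '-----BEGIN [A-Z0-9 ]*-----' "$1"
}

# to_pem KIND IN OUT: KIND is "x509" (certificate) or "rsa" (private key),
# the two openssl subcommands the page names. DER input is converted;
# PEM input is parsed and rewritten, so a corrupt file fails either way.
to_pem() {
    if is_pem "$2"; then
        openssl "$1" -in "$2" -out "$3"
    else
        openssl "$1" -inform DER -outform PEM -in "$2" -out "$3"
    fi
}

# same_keypair CERT_PEM KEY_PEM: succeeds only if the certificate's public
# key equals the public half of the private key.
same_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_bundle CERT KEY OUT: normalise both inputs to PEM, check that they
# belong together, then write certificate + key to OUT. umask 077 makes a
# newly created OUT readable by its owner only (an existing file keeps
# its mode). mktemp -d keeps the temporary key copy in a private directory.
make_bundle() {
    tmpdir=$(mktemp -d) || return 1
    rc=0
    (
        umask 077
        to_pem x509 "$1" "$tmpdir/cert.pem" &&
        to_pem rsa "$2" "$tmpdir/key.pem" &&
        same_keypair "$tmpdir/cert.pem" "$tmpdir/key.pem" &&
        cat "$tmpdir/cert.pem" "$tmpdir/key.pem" > "$3"
    ) || rc=$?
    rm -rf "$tmpdir"
    [ "$rc" -eq 0 ] || echo "make_bundle: conversion failed or key does not match certificate" >&2
    return "$rc"
}
```

Source the file and run, for example, make_bundle server.crt server.key server.includesprivatekey.pem.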
