SSL – Create your own self-signed certificate key pair

In this post we will learn a thing or two about SSL (Secure Sockets Layer).

You are here, so I assume I don't need to explain the differences between the HTTP and HTTPS protocols on the web.

While HTTP is straightforward, the protocol offers next to no security.

The data sent over HTTP is not encrypted, so anyone monitoring your web traffic can get hold of the data you send, i.e. credit card numbers, passwords and other valuable private information (the man-in-the-middle attack). This is where HTTPS comes in. HTTPS inserts a security layer (TLS/SSL) into the exchange of data between the server and the client.

So HTTPS basically works by presenting and validating certificates. These certificates are generally issued by known Certificate Authority (CA) vendors. Our browsers come with these CAs' certificates installed, so during any HTTPS connection the browser and the server communicate by encrypting the data packets they exchange.

Since getting a certificate from a reputed CA costs actual money, you can instead create your own self-signed certificate. The process is really simple and takes only a couple of minutes.

For this you need Java version 1.6 or above installed on your system. You also need openssl installed.

If you are working on a Linux machine, you probably have all of these already.

So let's get started.

Create your own certificate and key pair

Go to the terminal and type the following:

$ openssl req -newkey rsa:2048 -nodes -keyout your_key_name.key -x509 -days 365 -out your_cert_name.crt

In the above command, the -x509 option tells req to create a self-signed certificate named your_cert_name.crt and a private key named your_key_name.key for that certificate. The -days 365 option specifies that the certificate will be valid for 365 days.

This creates two files, your_key_name.key and your_cert_name.crt, which are the key and certificate pair.

Now we still need to put these into a single PKCS#12 formatted file if we want proper SSL communication. The PKCS#12 (.p12) file stores the certificate in its certificate chain and the key in its key chain. In this way you can have multiple certificates and multiple keys in a single .p12 file.

Import the .key and the .crt file into .p12 file

To import the key and certificate files into the PKCS#12 format:

$ sudo openssl pkcs12 -export -out cert_key_pair.p12 -inkey your_key_name.key -in your_cert_name.crt

This imports the key file and your cert file into cert_key_pair.p12, creating the .p12 file if it doesn't exist.

Finally you have 3 files ready: the .crt certificate file (public key) that you send out to your clients, the .key file (private key), and the .p12 file that you install on your server, which is used to send out and verify the public key exchanged with the clients.
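As an added example (not from the original post), here are the two steps above in one script, followed by the checks worth running before the result goes near a server: that the private key really matches the certificate, and that the .p12 opens and holds an unexpired, self-signed certificate. The file names, the localhost subject and the passphrase are constructed, and -addext assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): key + self-signed certificate,
# PKCS#12 bundle, then sanity checks. Names and passphrase are constructed.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/server.key"
CRT="$WORKDIR/server.crt"
P12="$WORKDIR/server.p12"
P12_PASS="changeit"   # constructed; the .p12 carries the private key, so use a real secret

# Step 1: -x509 makes the output a self-signed certificate instead of a CSR.
# -nodes leaves the key unencrypted on disk (as in the post), so restrict the
# file's permissions. -subj skips the prompts; the SAN is needed because modern
# browsers no longer accept a bare CN. -addext needs OpenSSL 1.1.1 or newer.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$KEY" -out "$CRT" -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" 2>/dev/null
}

# Step 2: bundle key and certificate into one PKCS#12 file; -passout replaces
# the interactive passphrase prompt.
make_p12() {
  openssl pkcs12 -export -out "$P12" -inkey "$KEY" -in "$CRT" \
    -passout "pass:$P12_PASS"
}

# Check 1: the certificate's public key must be the one derived from the
# private key. Comparing SHA-256 digests of the DER-encoded public keys
# catches a mismatched pair before deployment.
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$CRT" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
  [ "$crt_pub" = "$key_pub" ]
}

# Check 2: the .p12 opens with the passphrase, and the certificate inside is
# self-signed (issuer equals subject) and has not expired (-checkend 0).
p12_is_sound() {
  cert=$(openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null)
  issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer | sed 's/^issuer=//')
  subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject | sed 's/^subject=//')
  [ "$issuer" = "$subject" ] &&
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null
}

make_cert && make_p12 && key_matches_cert && p12_is_sound && echo "key/cert/p12 OK"
```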

