
Make your own SSL TLS X.509 Certificate Authority and Certificate generation script

We all know encryption is super important, especially when data is traversing your network, but it can be messy generating self-signed certificates for all your applications and servers. Cert tracking and management is a pain and it just looks a bit shit.

Enter OpenSSL, a nifty package that allows you to do pretty much anything SSL/TLS, including making and managing your own X.509 Certificate Authority!

Pretty cool right? You can essentially make your own DigiCert/Comodo/Let’s Encrypt! Your 93 step master plan to taking over the world starts here!

Let’s get started!

Wizard shit explained…

Great! But like, what, how does it work?

Good question, let’s talk about how X.509 certificates work and what we need to get started.

  • CA.key - Our CA’s private key, used to sign domain certificates.
  • CA.pem - Our CA’s root certificate. This is also used when signing domain certificates, and your applications use it to validate the signed domain certificates.
  • Domain.key - This is the domain’s private key, used when generating its signed certificate.
  • Domain.csr - This is a fancy way of saying “pls make me a signed certificate”. It’s a file that contains the details OpenSSL needs to make our certificate: stuff like our CA details, domain details and settings.
  • Domain.ext - A config file containing the settings used when making our signed domain certificate.
  • Domain.crt - Our completed signed certificate!

Generating an X.509 Certificate

1. Becoming a Certificate Authority

So first, we need to actually become a CA. This involves generating a CA private key and root certificate that will be used to sign certificates for your own sites and services.

We can do this with OpenSSL, using the commands below.

Generate a CA private key:

openssl genrsa -des3 -out CA.key 2048

To secure your CA’s private key, you’ll be asked to provide a password.


Generating RSA private key, 2048 bit long modulus
.................................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for CA.key:
Verifying - Enter pass phrase for CA.key:

Now that we have our private key, we can generate our CA’s root certificate. This is the certificate that other systems will use to validate certificates signed by our CA.


openssl req -x509 -new -nodes -key CA.key -sha256 -days 1825 -out CA.pem

You’ll be asked for your CA key password that you set previously and for some contact and location information for the certificate.

Note: It’s important to make the common name something you can recognise. This will help you to track certificates later on. Some applications may also use the common name to validate the certificate. We can add additional names later on when making signed certificates for our sites and services.

Enter pass phrase for CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:John Doe
Locality Name (eg, city) []: Manchester
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SecSudo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:SecSudo.com
Email Address []:[email protected]

That’s it! You’re now a CA! Now for the exciting bit…

2. Installing Root CA Certificates

Now that we have our CA private key and root certificate, we can move on to step 4 of our world domination master plan by installing the root certificate on all the computers in the world!

But let’s just begin with our own systems for now.

Installing root certificates varies from system to system and from software to software, so Google is a thing…

https://lmgtfy.com/?q=how+to+install+root+certificate&s=g

3. Generating Domain Keys

Now that our root certificate is installed on our systems, we can now make certificates for our applications.

Let’s generate a private key for our test site, freepizza.secsudo.com

openssl genrsa -out freepizza.secsudo.com.key 2048

This is the initial key that will be used to generate a certificate signed by our CA.

4. Creating a CSR (Certificate signing request)

Next, create a certificate signing request (CSR) for our freepizza.secsudo.com certificate.

openssl req -new -key freepizza.secsudo.com.key -out freepizza.secsudo.com.csr

Like before, you’ll be prompted for some certificate information. Fill this in as best you can, although most of it isn’t really that important. The exception is the common name: make sure that’s recognisable.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]: Manchester
Locality Name (eg, city) [] Manchester
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SecSudo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:freepizza.secsudo.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Great, now we should have our .key file and .csr file for your domain. Let’s now generate a CA-signed certificate!

5. Generating a CA-signed Certificate for the domain

Now that we have a CSR, we can make a signed certificate. But first, let’s quickly make a config file that will be used during the generation process to set some extra options (the X.509 v3 extensions).

You can control lots of nifty things with config files. If you want to find out more, Google is a thing.

I tend to keep it simple and use the file below. You can add additional names (subject alternative names) to the certificate in this file: domain names go in a “DNS” field and IP addresses in an “IP” field under [alt_names].

Make a file called something like ‘(domain).ext’ with the contents below, modified to your needs.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = freepizza.secsudo.com
DNS.2 = www.freepizza.secsudo.com
IP.1 = 149.255.59.14

Now that’s out of the way we can actually make the domain certificate. Double-check you have your CA.pem, CA.key (and its password), domain.csr and domain.ext. We can then use the command below to make our signed certificate.

openssl x509 -req -in freepizza.secsudo.com.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
  -out freepizza.secsudo.com.crt -days 1825 -sha256 -extfile freepizza.secsudo.com.ext

Whoo! We should now have a CA-signed certificate for our domain! We can use the domain.key, domain.crt and CA.pem (where needed) to install our certificate on our applications.

Viewing X.509 Certificates

Sometimes you may need to double-check a certificate to look for errors or a misconfiguration. The command below will print the content of the certificate to the terminal for you to review.

openssl x509 -in domain.crt -text -noout

Script… Everything!

Now, that’s a bit of an involved process, and would take up a whole 15 seconds of your life, 15 seconds! We can’t be having that.

So, I created the bash script below that can be used to make CA-signed certificates easily. Just create your CA.key and CA.pem root certificate as described in the first steps, make a default domain.ext config file with your chosen defaults, and the script will handle the rest!

https://github.com/32bitbradley/TLSCertGenerator
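Steps 1 to 5 above, chained into one non-interactive shell script as an added example (this is not the linked TLSCertGenerator script, nor anything from the post): it builds the CA, issues a certificate for a domain from an .ext file equivalent to the one above, and then checks the result against CA.pem with openssl verify. It assumes openssl is on PATH; the subject names, WORKDIR and the make_ca, make_cert and verify_cert function names are my own.

```shell
#!/bin/sh
# Added example, not the author's TLSCertGenerator: steps 1-5 of the post run
# non-interactively into WORKDIR, then the result is checked against CA.pem.
# Assumes openssl is on PATH; subjects, SANs and function names are made up.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: CA private key and self-signed root. The post protects CA.key with
# -des3 and a passphrase; -nodes is used here only so the demo runs unattended.
make_ca() {
  openssl genrsa -out "$WORKDIR/CA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORKDIR/CA.key" -sha256 -days 1825 \
    -subj "/C=GB/O=SecSudo/CN=SecSudo Root CA" -out "$WORKDIR/CA.pem"
}

# Steps 3-5 for one domain: key, CSR, .ext with SANs, then the CA-signed .crt.
# $1 = domain, $2 = optional extra SANs, e.g. "DNS:www.example.test,IP:10.0.0.1"
make_cert() {
  d="$1"; extra="${2:-}"
  openssl genrsa -out "$WORKDIR/$d.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$d.key" -subj "/CN=$d" -out "$WORKDIR/$d.csr"
  {  # same extensions as the post's .ext file, with the SAN list written inline
    printf 'authorityKeyIdentifier=keyid,issuer\n'
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'  # not in the post; browsers expect it on server certs
    printf 'subjectAltName = DNS:%s%s\n' "$d" "${extra:+,$extra}"
  } > "$WORKDIR/$d.ext"
  # 825 days rather than the post's 1825: Apple clients reject longer server certs
  openssl x509 -req -in "$WORKDIR/$d.csr" -CA "$WORKDIR/CA.pem" \
    -CAkey "$WORKDIR/CA.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$WORKDIR/$d.ext" -out "$WORKDIR/$d.crt" 2>/dev/null
}

# Check: does the cert chain to CA.pem, and does it carry the requested name?
verify_cert() {
  d="$1"
  openssl verify -CAfile "$WORKDIR/CA.pem" "$WORKDIR/$d.crt" >/dev/null &&
    openssl x509 -in "$WORKDIR/$d.crt" -noout -text | grep -q "DNS:$d"
}

# Run as: sh make-cert.sh run  (the guard keeps the functions sourceable)
if [ "${1:-}" = "run" ]; then
  make_ca
  make_cert freepizza.secsudo.com "DNS:www.freepizza.secsudo.com,IP:149.255.59.14"
  verify_cert freepizza.secsudo.com || { echo "verification FAILED"; exit 1; }
  echo "freepizza.secsudo.com.crt verified against CA.pem in $WORKDIR"
fi
```

The generated .crt can be inspected with the openssl x509 -text command from the previous section; the IP entry appears under Subject Alternative Name as “IP Address:149.255.59.14”.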

Conclusion

Creating custom CA-signed X.509 TLS certificates is super easy and is a must to ensure secure communications between your systems.

Please feel free to leave your thoughts and recommendations below. 😊