Creating Self Signed Certificate

openssl_self_signed.md

Updated OpenSSL Cheat Sheet for Self-Signed Certificates

Create Self-Signed Certificates with OpenSSL

Root CA

Create Root CA Key (With Strong Encryption)

Use the -aes256 flag to ensure a strong passphrase protects the key:

openssl genpkey -algorithm RSA -out root.key -aes256 -pkeyopt rsa_keygen_bits:4096

Create Root CA Certificate

Generate a self-signed Root CA certificate, valid for 10 years:

openssl req -new -x509 -sha256 -days 3650 -key root.key -extensions v3_ca -out root.crt

Intermediate CA

Create Intermediate CA Key

openssl genpkey -algorithm RSA -out ca.key -aes256 -pkeyopt rsa_keygen_bits:4096

Create Intermediate CA Request

openssl req -new -key ca.key -out ca.csr

Sign Intermediate CA Request with Root CA

Use an extension file (v3_intermediate_ca.ext) for proper CA settings:

openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile v3_intermediate_ca.ext -days 3650 -sha256 -out ca.crt

Create CA Chain File

Combine the Intermediate CA and Root CA certificates:

cat ca.crt root.crt > ca_chain.crt

Server Certificates

Create Server Certificate Key

openssl genpkey -algorithm RSA -out server.key -aes256 -pkeyopt rsa_keygen_bits:4096

Create Server Certificate Request

Ensure the request includes a Subject Alternative Name (SAN):

openssl req -new -key server.key -out server.csr -config openssl.cnf

Sign Server Certificate with Intermediate CA

Use an extension file (v3_server_cert.ext) for SAN and proper key usage:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile v3_server_cert.ext -days 730 -sha256 -out server.crt

Generate Diffie-Hellman Parameters

For secure key exchange:

openssl dhparam -out dhparam.pem 4096

Client Certificates

Create Client Certificate Key

openssl genpkey -algorithm RSA -out client.key -aes256 -pkeyopt rsa_keygen_bits:4096

Create Client Certificate Request

openssl req -new -key client.key -out client.csr -config openssl.cnf

Sign Client Certificate

Use a custom extension file (v3_client_cert.ext):

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile v3_client_cert.ext -days 730 -sha256 -out client.crt

Convert Client Certificate to PKCS12 Format

openssl pkcs12 -export -certfile ca_chain.crt -in client.crt -inkey client.key -out client.p12

---

Verify Certificates

Verify Certificate Against CA

openssl verify -verbose -CAfile ca_chain.crt server.crt

Verify Certificate Matches Private Key

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

Check SSL Protocol Support

Test specific protocols:

openssl s_client -connect HOST:443 -tls1_3

Check SSL Cipher Support

Test specific ciphers:

openssl s_client -connect HOST:443 -cipher ${cipher}

Test SNI (Server Name Indication)

openssl s_client -connect HOST:443 -servername ${sni_host}

Check Client Certificate

openssl s_client -connect HOST:443 -cert client.crt -key client.key -state -debug

---

Example Configuration Files

v3_intermediate_ca.ext

basicConstraints = CA:TRUE, pathlen:0
keyUsage = keyCertSign, cRLSign
authorityKeyIdentifier = keyid:always,issuer:always
subjectKeyIdentifier = hash

v3_server_cert.ext

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com

v3_client_cert.ext

basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth

openssl.cnf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
default_md = sha256
prompt = no

[req_distinguished_name]
C = US
ST = New York
L = New York
O = Example Organization
OU = IT Department
CN = example.com

[v3_ca]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = *.example.com

---

Recommendations

1. Always use SHA-256 or higher for hashing.
2. Protect private keys with strong passphrases.
3. Use a 4096-bit key length for RSA or prefer modern elliptic curve algorithms (e.g., ECDSA with prime256v1).
4. Keep OpenSSL updated to the latest stable version.
5. Disable weak protocols and ciphers (e.g., SSL 2.0, SSL 3.0, MD5).

For further details, refer to the OpenSSL Documentation.