dil_bert

How to create a self-signed certificate with OpenSSL?


hello dear experts at phpfreaks, i hope you are well and everything goes all right

today i have a question regarding the creation of an SSL certificate.

note: i am fairly new to the process of generating an SSL certificate ....: Is it possible to do self-signed certification of a website without a domain name?
to shed some light, i have gathered some information: i have read some documentation and summarize it here, trying to find the information that helps me answer the question.

i have gathered some information here at: https://www.openssl.org/ and at stackoverflow - see below

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
 It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.



Legalities: Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world.
So when you import this package to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people you are strongly advised to pay close attention
to any laws or regulations which apply to you. The authors of OpenSSL are not liable for any violations you make here. So be careful, it is your responsibility.

the downloads: https://www.openssl.org/source/
The master sources are maintained in our git repository, which is accessible over the network and cloned on GitHub, at https://github.com/openssl/openssl. Bugs and pull patches (issues and pull requests) should be filed on the GitHub repo. Please familiarize yourself with the license. The table below lists the latest releases for every branch. (For an explanation of the numbering, see our release strategy.) All releases can be found at /source/old. A list of mirror sites can be found here. Note: The latest stable version is the 1.1.1 series.


The question is:
Is it possible to do self-signed certification of a website without a domain name? I have read that we can do this with the service letsencrypt.org: it seems that it does not issue a certificate if there is no domain name.
i have heard about various options and methods:

a. - getting a certificate from LetsEncrypt that would be trusted by most of the browsers out there:
preliminaries: we need a domain that resolves to our server.
- LetsEncrypt does not issue certs for IP addresses nor for custom dev domains like .local and the like.

secondly: we are, of course, also able to create and sign a certificate ourselves, for every domain name we want, or even for IP addresses. The domain name can be anything and doesn't necessarily have to be the one we use to access the site.

In this case i guess that the webserver won't mind here.

But that said, i can imagine that our browser will display a whole bunch of warnings and throw lots of errors (CN mismatch and the like, non-trusted signature and other things), but if we just skip/ignore those warnings and messages then subsequently we can access the site via HTTPS.

the creation process: How to create a self-signed certificate with OpenSSL

i am on Linux and i guess that we can do this on the console: it's fairly easy to create a self-signed certificate on Linux; we just use the openssl req command.
It can be tricky to create one that can be consumed by the largest selection of clients, which are browsers and command line tools too. The many browsers out there have their own set of requirements, therefore it may be a bit difficult - some browsers are more restrictive than the IETF. The requirements used by browsers are documented at the CA/Browser Forums (see references below). The restrictions arise in two key areas: (1) trust anchors, and (2) DNS names.

so the creation process can have the following steps - according to this documentation taken from here: https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

 

Procedure: To generate a self-signed SSL certificate using OpenSSL, complete the following steps:

1. Write down the Common Name (CN) for your SSL Certificate. The CN is the fully qualified name for the system that uses the certificate. If you are using Dynamic DNS, your CN should have a wild-card, for example: *.api.com. Otherwise, use the hostname or IP address set in your Gateway Cluster (for example, 192.16.183.131 or dp1.acme.com).

2. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.

   openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

3. Review the created certificate:

   openssl x509 -text -noout -in certificate.pem

4. Combine your key and certificate in a PKCS#12 (P12) bundle:

   openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12

5. Validate your P12 file:

   openssl pkcs12 -in certificate.p12 -noout -info

Here are the options described in more detail, from the documentation at https://www.openssl.org/docs/manmaster/man1/req.html
note: the documentation is actually much more detailed than the following notes; i just summarized it here:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

req: PKCS#10 certificate request and certificate generating utility.

-x509: this option outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.

-newkey arg: this option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size.

-keyout filename: this gives the filename to write the newly created private key to.

-out filename: this specifies the output filename to write to, or standard output by default.

-days n: when the -x509 option is being used this specifies the number of days to certify the certificate for. The default is 30 days.

-nodes: if this option is specified then if a private key is created it will not be encrypted.


As of 2020, the following command serves all our needs, including SAN:
cf. https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl/10176685#10176685


In OpenSSL ≥ 1.1.1, this can be shortened to:


openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1"

It creates a certificate that is:

- valid for the domains example.com and example.net (SAN),
- also valid for the IP address 10.0.0.1 (SAN),
- relatively strong (as of 2020) and
- valid for 3650 days (~10 years).

It creates the following files:

Private key: example.key
Certificate: example.crt

All information is provided at the command line. There is no interactive input that annoys you. There are no config files you have to mess around with. All necessary steps are executed by a single OpenSSL invocation: from private key generation up to the self-signed certificate.

Remark #1: Crypto parameters

Since the certificate is self-signed and needs to be accepted by users manually, it doesn't make sense to use a short expiration or weak cryptography.

In the future, you might want to use more than 4096 bits for the RSA key and a hash algorithm stronger than sha256, but as of 2020 these are sane values. They are sufficiently strong while being supported by all modern browsers.

Remark #2: Parameter "-nodes"

Theoretically we could leave out the -nodes parameter (which means "no DES encryption"), in which case example.key would be encrypted with a password. However, this is almost never useful for a server installation, because you would either have to store the password on the server as well, or you'd have to enter it manually on each reboot.

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -extensions san -config \
  <(echo "[req]"; 
    echo distinguished_name=req; 
    echo "[san]"; 
    echo subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1
    ) \
  -subj "/CN=example.com"

the question is: Is it possible to do self-signed certification of a website without a domain name?
I have read that we can do this with the service letsencrypt.org: it seems that it does not issue a certificate if there is no domain name. i have heard about various options and methods that i have described above.

i look forward to hearing from you

regards

... taken from here: https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
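The IBM procedure and the one-shot "-addext" command quoted above both end with a certificate that works for whatever names are in it but is not trusted by anyone yet. This shell wrapper, added here as an example and not taken from the thread, OpenSSL or the quoted answers, generates the key and certificate and then runs the checks a client performs: SAN match for a DNS name and for an IP address, and whether the cert chains to any already-trusted CA. It assumes OpenSSL 1.1.1 or later on PATH; the directory, host and IP values are placeholders.

```shell
# Added example (not from the thread, OpenSSL or the quoted answers): wrap the
# one-shot "req -x509 -addext" command in a function, then apply the checks a
# client applies to the result. Needs OpenSSL >= 1.1.1 on PATH for -addext.
# Directory, host and IP values below are placeholders chosen for this example.
set -eu

# make_selfsigned DIR CN SAN_LIST
# Writes DIR/server.key (unencrypted, as with -nodes) and DIR/server.crt, valid
# for every entry in SAN_LIST, e.g. "DNS:example.com,IP:10.0.0.1".
make_selfsigned() {
  dir=$1; cn=$2; san=$3
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
}

# cert_has_san CERT ENTRY -> success if the certificate text lists ENTRY in
# its SAN extension ("DNS:name" or "IP Address:a.b.c.d" in the -text dump).
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# verify_for_host CERT HOST -> success only if a client that already trusts
# CERT as an anchor would also accept it for HOST (SAN / hostname match).
verify_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# verify_for_ip CERT IP -> the same check for an IP-address SAN entry.
verify_for_ip() {
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# trusted_without_anchor CERT -> success only if CERT chains to a CA in the
# local trust store; a fresh self-signed cert never does (the browser warning).
trusted_without_anchor() {
  openssl verify "$1" >/dev/null 2>&1
}

# demo: build the certificate from the post and report each check.
demo() {
  make_selfsigned ./selfsigned-demo example.com \
    "DNS:example.com,DNS:example.net,IP:10.0.0.1"
  c=./selfsigned-demo/server.crt
  verify_for_host "$c" example.net && echo "example.net: accepted via SAN"
  verify_for_host "$c" other.test || echo "other.test: rejected, name mismatch"
  trusted_without_anchor "$c" || echo "untrusted until imported as an anchor"
}
```

Source the file and call `demo` to create ./selfsigned-demo/server.{key,crt} and see the three outcomes; the third line is exactly the situation the browser warning reports.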


You can generate a self-signed cert just for the webserver if you want, but every browser will warn you about it (though they'll allow you to continue anyways).

Let's Encrypt is for a publicly accessible website with a proper domain name and DNS setup.

5 minutes ago, requinix said:

You can generate a self-signed cert just for the webserver if you want, but every browser will warn you about it (though they'll allow you to continue anyways).

Let's Encrypt is for a publicly accessible website with a proper domain name and DNS setup.

+1 for Let's Encrypt. Much better solution and a *real* cert that browsers recognize and accept.


Reminder: these forums use Let's Encrypt certs. They last for 3+ months and we have a cronjob that automatically renews when needed. A free cert that I never have to worry about expiring and renewing by myself is amazing.
