Generating Digital Certificates using OpenSSL
- Generating a self-signed certificate
Generate a private key (genrsa defaults to 2048 bits; the pkcs8 step rewrites it in unencrypted PKCS#8 form, the format most software expects).
openssl genrsa | openssl pkcs8 -topk8 -nocrypt -out rsa.pri
Generate a self-signed certificate from that key. Without -subj, openssl prompts for the subject fields interactively.
openssl req -x509 -key rsa.pri -sha256 -days 365 -out test.cer
Viewing a certificate.
openssl x509 -in test.cer -noout -text
Generating an RSA private key and a self-signed certificate in one go. -nodes leaves the key unencrypted. Without -keyout the key goes to the default_keyfile named in openssl.cnf (privkey.pem in the stock config), or to stdout if none is set, so pass -keyout explicitly.
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -out test.cer
- Generating an ECDSA private key and a self-signed certificate.
Generate an ECDSA private key on the P-384 curve (secp384r1). -noout suppresses the separate EC parameters block, so the file holds only the key.
openssl ecparam -name secp384r1 -noout -genkey -out ec.pri
Generate self-signed certificate.
openssl req -x509 -key ec.pri -days 365 -sha256 -subj '/CN=Test' -out test.cer
View certificate.
openssl x509 -in test.cer -noout -text
- Adding a subject to a certificate. -subj takes the distinguished name as slash-separated /type=value fields and suppresses the interactive prompts.
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test'
openssl req -x509 -newkey rsa:2048 -keyout rsa.pri -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN'
openssl req -x509 -newkey rsa:2048 -keyout rsa.pri -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/emailAddress=pki@acme-inc.com'
Reference for the extension syntax used in the next section: https://www.openssl.org/docs/man3.0/man5/x509v3_config.html
- Adding Certificate Extensions.
Basic Constraints. pathlen only has meaning on a CA certificate (it limits how many intermediate CAs may follow it), so do not combine it with CA:false; RFC 5280 also requires the extension to be marked critical on CA certificates.
openssl req -x509 -newkey rsa:2048 -keyout rsa.pri -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/emailAddress=pki@acme-inc.com' -addext "basicConstraints=critical, CA:false"
Subject Alternative Name. Browsers match the host name against the SAN and no longer fall back to the CN, so a server certificate needs at least one DNS or IP entry here.
openssl req -x509 -newkey rsa:2048 -keyout rsa.pri -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/emailAddress=pki@acme-inc.com' -addext "basicConstraints=critical, CA:false" -addext "subjectAltName = DNS:acme-inc.com,IP:127.0.0.1"
Key Usage. Pick the bits that match the key type and role: an RSA TLS server key needs digitalSignature and keyEncipherment; keyAgreement is for (EC)DH keys, and keyCertSign/cRLSign belong on CA certificates (or a dedicated CRL issuer), not on end-entity certificates.
openssl req -x509 -newkey rsa:2048 -keyout rsa.pri -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/emailAddress=pki@acme-inc.com' -addext "keyUsage = critical,digitalSignature,keyEncipherment"
Extended Key Usage. Each value names a purpose the certificate may be used for; a TLS server certificate normally carries serverAuth alone. Mixing codeSigning with TLS purposes, as in this example, is for illustration only; issue separate certificates for separate roles.
openssl req -x509 -newkey rsa:2048 -keyout rsa.pri -sha256 -nodes -days 365 -out test.cer -subj '/CN=Test/O=Acme Inc./OU=Cyber Security/C=IN/ST=UP/emailAddress=pki@acme-inc.com' -addext "extendedKeyUsage = codeSigning, serverAuth, clientAuth"
- Using configuration files for generating certificates.
Sample configuration file.
[req]
distinguished_name = dname
x509_extensions = cert_ext
prompt = no
# DNAME RELATED INFORMATION.
[ dname ]
commonName = cyberhashira.com
countryName = XY
stateOrProvinceName = Some State
localityName = Some City
organizationName = Cyber Hashira
organizationalUnitName = Cyber Security
emailAddress = pki@cyberhashira.com
# CERTIFICATE EXTENSIONS
[ cert_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation
extendedKeyUsage = codeSigning
crlDistributionPoints=URI:http://myCA/ca.crl
subjectAltName = @sans
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:http://ocsp.myCA/,caIssuers;URI:http://myCA/ca.cer
# PLACEHOLDER OID. A REAL POLICY IDENTIFIER IS ASSIGNED UNDER YOUR ORGANISATION'S OID ARC.
certificatePolicies= 1.2.4.5.6.7
# SUBJECT ALTERNATE NAME.
[sans]
IP.1 = 127.0.0.1
DNS.1 = blog.cyberhashira.com
DNS.2 = video.cyberhashira.com
This command reads the detailed information about the certificate you want to generate from the configuration file. Note that both access methods sit on one authorityInfoAccess line: OpenSSL's config parser keeps only the last value when a key is repeated within a section, so splitting them over two lines silently drops the first. Without -newkey an RSA key of default_bits (2048 if unset) is generated, and without -days the certificate is valid for only 30 days.
openssl req -x509 -config my.cnf -newkey rsa:2048 -nodes -days 365 -keyout rsa.pri -out test.cer
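One configuration-file gotcha worth checking before copying a sample like the one above: OpenSSL's configuration parser keeps only the last value when the same key is repeated inside a section, so two separate authorityInfoAccess lines yield a certificate carrying only the second access method, while the comma-separated form yields both. The script below is an added example, not part of the original page: it builds a self-signed certificate each way and counts the access methods that made it into the certificate. The URIs, file names and subject are placeholders, and the openssl binary must be on PATH.

```shell
#!/bin/sh
# Added example: duplicate keys in an OpenSSL config section are NOT merged;
# the parser keeps the last one. Requires the openssl CLI on PATH.
set -eu

# Write a [req] configuration whose [cert_ext] section is completed with $2,
# generate a self-signed RSA certificate from it and print the certificate
# text. $1 is a scratch directory. Subject and file names are placeholders.
make_cert_text() {
    dir=$1
    ext_lines=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dname
x509_extensions = cert_ext
prompt = no

[ dname ]
CN = aia-test

[ cert_ext ]
basicConstraints = CA:FALSE
$ext_lines
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -noout -text
}

# Count the Authority Information Access methods in certificate text on stdin
# (each appears as "OCSP - URI:..." or "CA Issuers - URI:..."). Prints 0 if none.
count_aia() {
    grep -cE '^ *(OCSP|CA Issuers) - URI:' || true
}

# Variant 1: two separate authorityInfoAccess lines. Only the last survives.
aia_count_duplicate_keys() {
    dir=$(mktemp -d)
    make_cert_text "$dir" 'authorityInfoAccess = OCSP;URI:http://ocsp.myCA/
authorityInfoAccess = caIssuers;URI:http://myCA/ca.cer' | count_aia
    rm -rf "$dir"
}

# Variant 2: both access methods on one comma-separated line. Both survive.
aia_count_single_line() {
    dir=$(mktemp -d)
    make_cert_text "$dir" \
        'authorityInfoAccess = OCSP;URI:http://ocsp.myCA/,caIssuers;URI:http://myCA/ca.cer' \
        | count_aia
    rm -rf "$dir"
}

echo "two authorityInfoAccess lines -> $(aia_count_duplicate_keys) access method(s)"
echo "one comma-separated line      -> $(aia_count_single_line) access method(s)"
```

The same rule applies to every repeated key in a section (a second subjectAltName line, for example, replaces the first), which is why the sample configs use @section references and comma-separated values instead of repeating a key.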
- Generating CA-signed certificates.
>> To generate a signed certificate we need a certificate authority that will sign a certificate request, so the first step is to generate the CA key and certificate. For that we'll use a configuration file describing the CA as follows -
[req]
distinguished_name = dname
x509_extensions = cert_ext
prompt = no
[ dname ]
CN = RootCA
C = XY
ST = Some State
L = Some City
O = Cyber Hashira
OU = Cyber Security
emailAddress = pki@cyberhashira.com
[ cert_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier=hash
>> We'll now use this configuration file to set up a Root CA. pathlen:0 means this root may issue only end-entity certificates, not intermediate CAs. Give the root a long lifetime explicitly; without -days the certificate is valid for only 30 days.
openssl req -x509 -config root.cnf -newkey rsa:2048 -nodes -days 3650 -keyout root.pri -out root.cer
>> Now we'll use our CA keys to sign a certificate request. For this example, we'll sign a webserver certificate and use the following configuration file.
[req]
distinguished_name = dname
req_extensions = req_ext
prompt = no
[ dname ]
CN = CyberHashira.com
C = XY
ST = Some State
L = Some City
O = Cyber Hashira
OU = Cyber Security
emailAddress = pki@cyberhashira.com
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier=hash
subjectAltName = @sans
certificatePolicies= 1.2.4.5.6.7
authorityInfoAccess = OCSP;URI:http://ocsp.myCA/,caIssuers;URI:http://myCA/ca.cer
[sans]
DNS.1 = blog.cyberhashira.com
DNS.2 = video.cyberhashira.com
We'll first generate a certificate request.
openssl req -new -config cyberHashira.cnf -nodes -keyout cyberHashira.pri -out cyberHashira.csr
You can examine the generated certificate request using the command below. Check that the requested extensions, in particular the SAN, appear under "Requested Extensions".
openssl req -in cyberHashira.csr -noout -text
Now we'll sign the certificate request for a webserver using our CA. Note that openssl x509 -req does not copy the extensions requested in the CSR: the first command below produces a certificate with no SAN, key usage or other extensions, which modern clients will reject. The second command applies the req_ext section from the same configuration file, which is what you want.
openssl x509 -req -days 730 -in cyberHashira.csr -CA root.cer -CAkey root.pri -CAcreateserial -out cyberHashira.cer
openssl x509 -req -days 730 -in cyberHashira.csr -CA root.cer -CAkey root.pri -CAcreateserial -out cyberHashira.cer -extensions req_ext -extfile cyberHashira.cnf
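Putting the CA procedure together with the checks a practitioner runs afterwards, as an added example that is not part of the original page: the script builds a root CA from a config file, creates a server CSR that requests a SAN, signs it both without and with -extfile/-extensions, verifies each result against the root with openssl verify, and counts the DNS names that survived into the issued certificate. Subject names, file names and validity periods are placeholders, and the openssl binary must be on PATH.

```shell
#!/bin/sh
# Added example: root CA -> CSR -> signed server certificate, followed by the
# chain check and an extension check. Requires the openssl CLI on PATH.
set -eu

# Build a self-signed root CA (key + certificate) in scratch directory $1.
make_root_ca() {
    dir=$1
    cat > "$dir/root.cnf" <<'EOF'
[req]
distinguished_name = dname
x509_extensions = ca_ext
prompt = no

[ dname ]
CN = Example Root CA
O = Example

[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/root.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/root.pri" -out "$dir/root.cer" 2>/dev/null
}

# Create a server key and CSR in $1; the requested extensions include a SAN.
make_server_csr() {
    dir=$1
    cat > "$dir/server.cnf" <<'EOF'
[req]
distinguished_name = dname
req_extensions = req_ext
prompt = no

[ dname ]
CN = www.example.test
O = Example

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @sans

[ sans ]
DNS.1 = www.example.test
DNS.2 = api.example.test
EOF
    openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server.pri" -out "$dir/server.csr" 2>/dev/null
}

# Sign the CSR with the root CA. With $2 = "with_ext" the requested extensions
# are applied from the config; otherwise openssl x509 -req drops them.
sign_server_cert() {
    dir=$1
    mode=$2
    set -- -req -days 730 -sha256 -in "$dir/server.csr" \
        -CA "$dir/root.cer" -CAkey "$dir/root.pri" -CAcreateserial \
        -out "$dir/server.cer"
    if [ "$mode" = "with_ext" ]; then
        set -- "$@" -extfile "$dir/server.cnf" -extensions req_ext
    fi
    openssl x509 "$@" 2>/dev/null
}

# Run the whole flow and print "<verify result> <number of SAN DNS entries>",
# e.g. "OK 2" when the chain verifies and both DNS names survived signing.
issue_and_check() {
    mode=$1
    dir=$(mktemp -d)
    make_root_ca "$dir"
    make_server_csr "$dir"
    sign_server_cert "$dir" "$mode"
    # Chain check: the server certificate must verify against the root.
    if openssl verify -CAfile "$dir/root.cer" "$dir/server.cer" >/dev/null 2>&1; then
        result=OK
    else
        result=FAIL
    fi
    # Extension check: count the DNS names in the issued certificate's SAN.
    sans=$(openssl x509 -in "$dir/server.cer" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$result $sans"
}

echo "signed without -extfile: $(issue_and_check plain)"
echo "signed with -extfile:    $(issue_and_check with_ext)"
```

The chain verifies in both cases, which is exactly why openssl verify alone is not enough: the certificate signed without -extfile/-extensions carries no SAN at all, so a browser connecting to www.example.test would reject it even though the signature is valid. Always inspect the issued certificate's extensions as well as its chain.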
- Useful links
https://www.openssl.org/docs/man3.0/man1/openssl-req.html
https://www.openssl.org/docs/man3.0/man5/x509v3_config.html