
Generating a self-signed certificate

Deepak Narayana Rao edited this page Oct 11, 2017 · 1 revision

Pre-requisites

This document assumes the following pre-requisites:

  • Operating System: Ubuntu 16.04

Instructions for generating a self-signed certificate

  1. Generate a root key.

    openssl genrsa -out "root-ca.key" 4096
  2. Generate a certificate signing request (CSR) for the root CA using the root key. Note: edit the subject fields (C, ST, L, O, CN) in the command below to match your organisation before running it.

    openssl req \
           -new -key "root-ca.key" \
           -out "root-ca.csr" -sha256 \
           -subj '/C=IN/ST=KA/L=Bengaluru/O=Sunbird/CN=Sunbird Example CA'
  3. Configure the root CA. Create a new file called root-ca.cnf and paste the following contents into it. The CA:TRUE,pathlen:0 constraint restricts this root CA to signing leaf certificates only; it cannot issue intermediate CAs (use pathlen:1 only if you deliberately want one level of intermediate CA beneath it). The keyUsage line limits the key to signing certificates and CRLs.

    [root_ca]
    basicConstraints = critical,CA:TRUE,pathlen:0
    keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
    subjectKeyIdentifier=hash
  4. Self-sign the root certificate with the root key, applying the extensions from root-ca.cnf.

    openssl x509 -req -days 3650 -in "root-ca.csr" \
        -signkey "root-ca.key" -sha256 -out "root-ca.crt" \
        -extfile "root-ca.cnf" -extensions root_ca
  5. Generate the site key.

    openssl genrsa -out "site.key" 4096
  6. Generate a CSR for the site, signed with the site key. Set CN to the hostname clients will use to reach the proxy (localhost here) and edit the other subject fields as in step 2.

    openssl req -new -key "site.key" -out "site.csr" -sha256 \
          -subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=localhost'
  7. Configure the site certificate. Create a new file called site.cnf and paste the following contents into it. This constrains the site certificate so that it can only be used to authenticate a server (CA:FALSE, extendedKeyUsage=serverAuth) and cannot be used to sign other certificates. Modern clients match the hostname against subjectAltName rather than CN, so list every DNS name and IP address the proxy will be reached at; the values below are for a local test only.

    [server]
    authorityKeyIdentifier=keyid,issuer
    basicConstraints = critical,CA:FALSE
    extendedKeyUsage=serverAuth
    keyUsage = critical, digitalSignature, keyEncipherment
    subjectAltName = DNS:localhost, IP:127.0.0.1
    subjectKeyIdentifier=hash
  8. Sign the site certificate with the root CA. -CAcreateserial creates a root-ca.srl serial-number file next to root-ca.crt on first use.

    openssl x509 -req -days 750 -in "site.csr" -sha256 \
        -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial \
        -out "site.crt" -extfile "site.cnf" -extensions server
  9. The site.csr and site.cnf files are not needed by the Sunbird proxy service, but keep them, together with root-ca.crt and root-ca.key, if you want to re-issue the site certificate later (for example when it expires or the hostname changes). Protect the root-ca.key file: anyone who holds it can issue certificates that every client trusting root-ca.crt will accept, so keep it off the proxy host, readable only by its owner (mode 0600).

  10. The Sunbird proxy service needs only site.key and site.crt. Because root-ca.crt is self-signed and not in any system trust store, every client that connects to the proxy must be configured to trust root-ca.crt explicitly, or it will reject the connection.
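The script below is an added worked example, not a script from the Sunbird project: it runs steps 1 to 8 end-to-end with the hostname as a parameter, then performs the checks a practitioner would want before deploying (the chain validates against root-ca.crt, the SAN carries the hostname, the leaf cannot sign certificates), and finally shows what pathlen:0 actually buys by issuing an intermediate CA under the root and confirming that OpenSSL rejects a leaf issued beneath it. It assumes only an openssl binary (1.0.2 or later) on PATH, uses the page's file names (root-ca.*, site.*), and omits nonRepudiation from the CA keyUsage, which serves no purpose on a CA certificate. The function names gen_certs, verify_site and pathlen_demo and the inter.*/leaf.* files are this example's own.

```shell
#!/bin/sh
# Added worked example (not the Sunbird project's script): the eight steps above,
# followed by the checks to run before deploying. Assumes only `openssl` >= 1.0.2.
set -eu

# gen_certs OUTDIR HOSTNAME [IP]: root CA key+cert and a site key+cert signed by it.
gen_certs() {
    dir=$1; host=$2; ip=${3:-127.0.0.1}
    mkdir -p "$dir"
    # umask 077 so private keys are never world-readable, not even for an instant
    (umask 077; openssl genrsa -out "$dir/root-ca.key" 4096 2>/dev/null)
    openssl req -new -key "$dir/root-ca.key" -out "$dir/root-ca.csr" -sha256 \
        -subj '/C=IN/ST=KA/L=Bengaluru/O=Sunbird/CN=Sunbird Example CA'
    # pathlen:0 = this CA may sign leaf certificates only, no intermediate CAs
    cat > "$dir/root-ca.cnf" <<'EOF'
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -days 3650 -in "$dir/root-ca.csr" -signkey "$dir/root-ca.key" \
        -sha256 -out "$dir/root-ca.crt" -extfile "$dir/root-ca.cnf" -extensions root_ca 2>/dev/null
    (umask 077; openssl genrsa -out "$dir/site.key" 4096 2>/dev/null)
    openssl req -new -key "$dir/site.key" -out "$dir/site.csr" -sha256 \
        -subj "/C=IN/ST=KA/L=Bengaluru/O=Sunbird/CN=$host"
    # subjectAltName is what clients match the hostname against; CN alone is ignored
    cat > "$dir/site.cnf" <<EOF
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:$host, IP:$ip
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -days 750 -in "$dir/site.csr" -sha256 \
        -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
        -out "$dir/site.crt" -extfile "$dir/site.cnf" -extensions server 2>/dev/null
}

# verify_site OUTDIR HOSTNAME: non-zero unless the chain validates against root-ca.crt,
# the SAN carries HOSTNAME, the leaf is serverAuth-only and cannot sign certificates.
verify_site() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/root-ca.crt" "$dir/site.crt" 2>&1 | grep -q ': OK' || return 1
    text=$(openssl x509 -in "$dir/site.crt" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$host" || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    if printf '%s\n' "$text" | grep -q 'Certificate Sign'; then return 1; fi
}

# pathlen_demo OUTDIR: what pathlen:0 enforces. Issuing an intermediate CA with the root
# still *succeeds* (x509 -req does not police it); what fails is validation of any leaf
# issued under that intermediate. Returns 0 when OpenSSL rejects the chain for that reason.
pathlen_demo() {
    dir=$1
    printf '[inter_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$dir/inter.cnf"
    for n in inter leaf; do   # 2048-bit keys: demo material, keeps the run short
        (umask 077; openssl genrsa -out "$dir/$n.key" 2048 2>/dev/null)
        openssl req -new -key "$dir/$n.key" -out "$dir/$n.csr" -sha256 -subj "/O=Sunbird/CN=$n"
    done
    openssl x509 -req -days 365 -in "$dir/inter.csr" -sha256 -CA "$dir/root-ca.crt" \
        -CAkey "$dir/root-ca.key" -CAcreateserial -out "$dir/inter.crt" \
        -extfile "$dir/inter.cnf" -extensions inter_ca 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/leaf.csr" -sha256 -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/leaf.crt" \
        -extfile "$dir/site.cnf" -extensions server 2>/dev/null
    out=$(openssl verify -CAfile "$dir/root-ca.crt" -untrusted "$dir/inter.crt" "$dir/leaf.crt" 2>&1) \
        && return 1   # chain accepted: pathlen was not enforced
    printf '%s\n' "$out" | grep -qi 'path length constraint' || return 1
}

# Usage: sh gen-certs.sh --demo proxy.example.org   (hostname defaults to localhost)
if [ "${1:-}" = "--demo" ]; then
    outdir=$(mktemp -d)
    gen_certs "$outdir" "${2:-localhost}"
    verify_site "$outdir" "${2:-localhost}" && echo "site.crt OK for ${2:-localhost}"
    pathlen_demo "$outdir" && echo "intermediate chain rejected (pathlen:0 enforced)"
    echo "files written to $outdir"
fi
```

Run it with --demo and a real hostname, or source it and call gen_certs with the directory and hostname the proxy will serve; verify_site is the check worth repeating after any re-issue, since openssl x509 -req silently ignores extensions you forget to pass and the result is a certificate that loads fine but is rejected by every browser.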
