Generate CA-Signed SSL Certificate with Own CA

Victor Yeo
Mar 8, 2024

This exercise is performed on Ubuntu Linux 22.04.
We want to generate a private key and certificate for use in an HTTPS application written in Node.js.

1. Generate a private key

openssl genrsa -out domain.key

This command generates an RSA private key. The default key size is 2048 bits.

2. Generate a certificate signing request (CSR)

openssl req -key domain.key -new -out domain.csr

We generate a CSR from the newly generated private key. The CSR is what the root CA signs in step 4 to produce the server certificate.

3. Create a self-signed root CA

openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt

We create a self-signed root CA certificate (rootCA.crt) together with its private key (rootCA.key).

Then, we add the CA certificate to the system's trusted root certificates.

sudo apt install -y ca-certificates
sudo cp rootCA.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

4. Sign the CSR with root CA

First, we add an extensions file named domain.ext. Replace "domain" in the alt_names section with the server's hostname (xxx.yyy.com in the output shown in step 5).

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = domain

Then, sign the CSR (domain.csr) with the root CA certificate and its private key.

openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out domain.crt -days 365 -CAcreateserial -extfile domain.ext

5. View the certificate

openssl x509 -text -noout -in domain.crt

The output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:9c:31:3d:02:7d:74:b7:b7:bd:1d:07:fd:93:53:3d:cd:3f:0b:42
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = xxx.yyy.com
        Validity
            Not Before: Mar 8 05:55:46 2024 GMT
            Not After : Mar 8 05:55:46 2025 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = xxx.yyy.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (2048-bit modulus hex omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                50:62:11:7F:21:41:89:0F:34:23:C0:0A:A9:5A:A4:FA:54:57:A0:D1
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:xxx.yyy.com
            X509v3 Subject Key Identifier:
                AD:AF:90:AC:AA:E9:19:E3:52:FF:02:95:04:84:D2:C2:40:BF:F9:3B
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        (signature hex omitted)
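The same steps as a non-interactive script, followed by an openssl verify check that the leaf chains to the root and that its SAN covers the hostname. This is an added example, not the article's code: the function names, the CA subject "Local Lab Root CA" and the extra keyUsage/extendedKeyUsage lines are my choices, -nodes is used only so the CA key needs no passphrase in automation, and the CA is given a subject distinct from the leaf (in the output above issuer and subject carry the same DN, which works but makes the chain hard to read).

```shell
#!/bin/sh
# Added example (not the article's code): scripted version of steps 1-4 plus
# an openssl verify check. Assumptions: openssl is installed; function names,
# the CA subject and the extra keyUsage/EKU lines are the editor's choices.
set -e

# Creates rootCA.key/.crt and domain.key/.csr/.crt in $2 for hostname $1.
issue_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"

  # Steps 1 and 2: leaf key and CSR. -subj avoids the interactive prompts.
  openssl genrsa -out "$dir/domain.key" 2048
  openssl req -new -key "$dir/domain.key" -out "$dir/domain.csr" -subj "/CN=$host"

  # Step 3: self-signed root. -nodes leaves rootCA.key unencrypted (fine for a
  # lab script, not for a real CA). The CA subject is deliberately different
  # from the leaf so issuer and subject are not the same DN.
  openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -nodes \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" \
    -subj "/CN=Local Lab Root CA"

  # Step 4: extension file as in the article, plus key usage limits so the
  # leaf can only act as a TLS server certificate.
  cat > "$dir/domain.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
  openssl x509 -req -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
    -in "$dir/domain.csr" -out "$dir/domain.crt" -days 365 -CAcreateserial \
    -extfile "$dir/domain.ext"
  chmod 600 "$dir/rootCA.key" "$dir/domain.key"   # private keys: owner only
}

# Exit status 0 only if domain.crt chains to rootCA.crt AND its SAN covers $1.
verify_cert() {
  openssl verify -CAfile "$2/rootCA.crt" -verify_hostname "$1" \
    "$2/domain.crt" >/dev/null 2>&1
}

# Usage: sh issue_cert.sh app.lab.internal ./pki
if [ $# -eq 2 ]; then
  issue_cert "$1" "$2"
  verify_cert "$1" "$2" && echo "$2/domain.crt verified for $1"
fi
```

Running verify_cert with a hostname that is not in the SAN returns a non-zero status, which is the same check a browser or Node.js client performs against the certificate.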

In the Node.js code, add the following (fs and https are Node built-ins; app is assumed to be an Express application):

const fs = require('fs');
const https = require('https');
const express = require('express');   // assumed: the article's `app` is an Express app
const app = express();
const port = 8443;                    // assumed: use whatever port your app listens on

const options = {
  key: fs.readFileSync('domain.key'),  // private key from step 1
  cert: fs.readFileSync('domain.crt')  // CA-signed certificate from step 4
};
const server = https.createServer(options, app).listen(port, function () {
  console.log(`server running on port ${port}`);
});

The end.
