How to Generate Local SSL Certificates Using Your Own Certificate Authority

By XaHertz  |  August 15, 2024  |  Last Updated : November 6, 2024

In an increasingly digital world, securing web traffic is essential. For developers and IT professionals, generating local SSL certificates is a crucial step in ensuring that internal applications and development environments are safeguarded against potential threats. While using trusted Certificate Authorities (CAs) for public-facing websites is the norm, creating your own certificate authority can be highly beneficial for internal use.

This guide will walk you through the process of generating local SSL certificates using your own certificate authority, providing you with the tools and knowledge to enhance your security protocols efficiently. Whether you're setting up a test environment or need secure communication within your local network, this step-by-step approach will make the process straightforward and accessible.

Requirements

Before you begin generating certificates, it's essential to have the necessary tools and environment set up. Below are the key requirements you'll need:

  1. OpenSSL: Ensure you have the latest version of OpenSSL installed on your system. OpenSSL is a powerful tool that facilitates the creation and management of SSL/TLS certificates. It’s available for various platforms, including Linux, macOS, and Windows. You can download and install OpenSSL from the official website or through your system’s package manager. For instance, on Ubuntu, you can install it using the following command:

    sudo apt install openssl

  2. Basic Command Line Knowledge: Familiarity with the command line is necessary, as you’ll be running OpenSSL commands to generate your certificates.

  3. An Empty Working Directory: You'll need an empty folder somewhere on your drive. This will be your working directory where you will store the certificates, keys, and configuration files. This helps in keeping the process structured and manageable.

With these requirements in place, you’ll be ready to start generating certificates using your own certificate authority.

Step 1: Setting Up Your Local Certificate Authority (CA)

The first step in creating local SSL certificates is to establish your own local CA, which will be used to sign the SSL certificates for your local servers. Create an empty folder to serve as your working directory, open a terminal in that folder, and execute the following command. It generates the private key and certificate for our Root Certificate Authority (CA):

openssl req -new -nodes -x509 -sha256 -days 4383 \
    -newkey rsa:4096 -keyout XaHertz-Root-CA.key -out XaHertz-Root-CA.crt \
    -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=XaHertz/OU=Root CA/CN=XaHertz Root CA/emailAddress=rootcrt@xahertz.local"

Explanation:

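  • req -new -nodes -x509: Initiates a new certificate signing request (CSR) and immediately signs it to create a self-signed certificate. -nodes writes the private key to disk unencrypted; omit it to have OpenSSL prompt for a passphrase that protects the root key.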
  • -sha256: Ensures that the certificate uses SHA-256, a strong cryptographic hash function.
  • -days 4383: Specifies that the certificate will be valid for approximately 12 years. You can change this according to your needs.
  • -newkey rsa:4096: Generates a new 4096-bit RSA private key.
  • -keyout XaHertz-Root-CA.key: Specifies the output file for the private key. You can name it however you like.
  • -out XaHertz-Root-CA.crt: Specifies the output file for the root CA certificate. It does not need to match the private key's name.
  • -subj: Provides the distinguished name (DN) information, including country, state, location, organization, organizational unit, common name, and email.

Step 2: Creating a Certificate Signing Request (CSR) for the Server

Once the root CA is ready, the next step is to create a certificate signing request for the server that needs an SSL certificate. The following command will generate the server private key and CSR:

openssl req -new -nodes -sha256 \
    -newkey rsa:4096 -keyout XaHertz-File-Server.key -out XaHertz-File-Server.csr \
    -subj "/C=IN/ST=Maharashtra/L=Mumbai/O=XaHertz/OU=File Server/CN=fs.xahertz.local/emailAddress=admin@xahertz.local"

Explanation:

  • -new -nodes -sha256: Initiates a new CSR without encrypting the private key and uses SHA-256 for the hash.
  • -newkey rsa:4096: Generates a new 4096-bit RSA private key for the server.
  • -keyout XaHertz-File-Server.key: Specifies the output file for the server’s private key. You can name it however you like according to your needs.
  • -out XaHertz-File-Server.csr: Specifies the output file for the CSR. It also does not need to match the private key's name.
  • -subj: Provides the DN information for the server, such as the country, state, location, organization, organizational unit, common name, and email.

Step 3: Signing the Server Certificate with the Local CA

The final step is to sign the server's CSR with the root CA's private key and certificate to issue the SSL certificate. The extensions file (v3.ext) must be created before executing the OpenSSL command. It is used to add custom extensions such as Subject Alternative Name (SAN) to the generated certificate. Create it in the same working directory with the following contents:

authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:fs.xahertz.local, DNS:*.fs.xahertz.local

Now, execute the following command to create and sign the server's certificate using the root CA's private key and certificate:

openssl x509 -req -sha256 -days 2922 \
    -CA XaHertz-Root-CA.crt -CAkey XaHertz-Root-CA.key -CAcreateserial \
    -in XaHertz-File-Server.csr -out XaHertz-File-Server.crt -extfile v3.ext

Explanation:

  • x509 -req -sha256: Processes the CSR to create an X.509 certificate using SHA-256.
  • -days 2922: Specifies that the server certificate will be valid for 8 years. You can change this according to your needs, but it must be less than the root CA's validity.
  • -CA XaHertz-Root-CA.crt: Points to the root CA certificate.
  • -CAkey XaHertz-Root-CA.key: Points to the root CA private key.
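  • -CAcreateserial: Automatically generates a serial number for the certificate, creating the CA serial number file (XaHertz-Root-CA.srl) in the working directory if it does not already exist.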
  • -in XaHertz-File-Server.csr: Specifies the CSR to be signed.
  • -out XaHertz-File-Server.crt: Specifies the output file for the signed server certificate.
  • -extfile v3.ext: Specifies the extension file (v3.ext).
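
A check you can run after signing, added here as an example and not part of the original guide: the function below confirms that the issued certificate chains to the root CA, carries the expected SAN entry and CA:FALSE, matches the server key, and is not close to expiry. The function name check_issued_cert and the 30-day default are assumptions; the file names are the ones used in Steps 1 to 3.

```shell
#!/bin/sh
# Added example: post-issuance checks for a certificate signed as in Step 3.
# Usage: check_issued_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME [MIN_DAYS_LEFT]
check_issued_cert() {
    ca=$1; crt=$2; key=$3; host=$4; min_days=${5:-30}; rc=0

    # 1. The certificate must chain to the local root and be valid for a TLS server.
    openssl verify -CAfile "$ca" -purpose sslserver "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not verify against $ca" >&2; rc=1; }

    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null) || text=""

    # 2. The host name must appear as a DNS entry in subjectAltName. If -extfile
    #    was forgotten the certificate has no SAN at all, and browsers do not
    #    fall back to the Common Name.
    printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$host" \
        || { echo "FAIL: DNS:$host missing from subjectAltName" >&2; rc=1; }

    # 3. A server certificate must not be usable as a CA.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "FAIL: basicConstraints CA:FALSE not set" >&2; rc=1; }

    # 4. The private key on disk must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
        || { echo "FAIL: $key does not match $crt" >&2; rc=1; }

    # 5. Flag certificates that expire within MIN_DAYS_LEFT days.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: $crt expires within $min_days days" >&2; rc=1; }

    return $rc
}

# Run against the files from Steps 1-3 when they are in the current directory.
if [ -f XaHertz-File-Server.crt ]; then
    check_issued_cert XaHertz-Root-CA.crt XaHertz-File-Server.crt \
        XaHertz-File-Server.key fs.xahertz.local && echo "all checks passed"
fi
```

Each failed check prints a FAIL line to standard error and the function returns a non-zero status, so it can also gate a deployment script.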

Final Considerations

After completing these steps, you will have successfully created a local root CA and used it to issue a local SSL certificate for your server. This certificate can now be installed on your server, and the root CA certificate can be distributed to client machines to establish trust.

Important Notes:

  • Security: Always ensure that the root CA private key is securely stored and never shared.
  • Distribution: The root CA certificate must be installed on all client devices that will interact with the server to avoid trust warnings.
  • Renewal: Plan to renew or reissue certificates before they expire to maintain secure communications.

Conclusion

Establishing a secure environment for your internal applications is critical, and generating local SSL certificates using your own certificate authority is an effective way to achieve this. By following the steps outlined in this guide, you've not only enhanced the security of your development and testing environments but also gained valuable knowledge on managing SSL certificates.

This approach offers flexibility, control, and peace of mind, ensuring that your internal communications remain protected. As you continue to develop and secure your applications, having the ability to generate and manage SSL certificates locally will be an invaluable asset.

