How to create a self-signed certificate with OpenSSL?


Postby unleash_it » 26. February 2020 18:03

Hello dear Apache Friends,


I am fairly new to the process of generating an SSL certificate: Is it possible to do self-signed certification of a website without a domain name?
To shed some light on it, I have gathered some information: I have read some documentation and summarize it here, trying to find the information that helps me answer the question.

I have gathered some info at https://www.openssl.org/ and at Stack Overflow; see below.

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page. OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

Legalities: Please remember that export/import and/or use of strong cryptography software, providing cryptography hooks, or even just communicating technical details about cryptography software is illegal in some parts of the world. So when you import this package to your country, re-distribute it from there or even just email technical suggestions or even source patches to the authors or other people, you are strongly advised to pay close attention to any laws or regulations which apply to you. The authors of OpenSSL are not liable for any violations you make here. So be careful, it is your responsibility.

The downloads: https://www.openssl.org/source/
The master sources are maintained in our git repository, which is accessible over the network and cloned on GitHub, at https://github.com/openssl/openssl. Bugs and pull patches (issues and pull requests) should be filed on the GitHub repo. Please familiarize yourself with the license. The table below lists the latest releases for every branch. (For an explanation of the numbering, see our release strategy.) All releases can be found at /source/old. A list of mirror sites can be found here. Note: The latest stable version is the 1.1.1 series.



The question is:
Is it possible to do self-signed certification of a website without a domain name? I have read that we can do this with the service letsencrypt.org: it seems that it does not issue a certificate when there is no domain name.
I have heard about various options and methods:

a. Getting a certificate from Let's Encrypt that would be trusted by most of the browsers out there:
Preliminaries: we need a domain that resolves to our server.
- Let's Encrypt does not issue certs for IP addresses, nor for custom dev domains like .local and the like.

Secondly: we are of course also able to create and sign a certificate ourselves, for every domain name we want, or even for IP addresses. The domain name can be anything and doesn't necessarily have to be the one we use to access the site.

In this case I guess that the web server won't mind.

But that said, I can imagine that our browser will display a whole bunch of warnings and throw lots of errors (CN mismatch and the like, non-trusted signature and more), but if we just skip/ignore those warnings and messages, then subsequently we can access the site via HTTPS.

The creation process: how to create a self-signed certificate with OpenSSL

I am on Linux and I guess that we can do this on the console: it's fairly easy to create a self-signed certificate on Linux. On Linux we just use the openssl req command.
It can be tricky to create one that can be consumed by the largest selection of clients, which are browsers and command-line tools too. The many browsers out there have their own set of requirements, therefore it may be a bit difficult; some browsers are more restrictive than the IETF. The requirements used by browsers are documented by the CA/Browser Forum (see references below). The restrictions arise in two key areas: (1) trust anchors, and (2) DNS names.

So the creation process can have the following steps, according to this documentation taken from here: https://www.ibm.com/support/knowledgecen ... enSSL.html

Procedure: To generate a self-signed SSL certificate using OpenSSL, complete the following steps:
Write down the Common Name (CN) for your SSL certificate. The CN is the fully qualified name for the system that uses the certificate. If you are using Dynamic DNS, your CN should have a wildcard, for example: *.api.com. Otherwise, use the hostname or IP address set in your Gateway Cluster (for example, 192.16.183.131 or dp1.acme.com).
Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.

Code:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem


Review the created certificate:

Code:
openssl x509 -text -noout -in certificate.pem


Combine your key and certificate in a PKCS#12 (P12) bundle:
Code:
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12


Validate your P12 file.
Code:
openssl pkcs12 -in certificate.p12 -noout -info


... taken from here: https://www.ibm.com/support/knowledgece ... enSSL.html

Here are the options described in more detail, from the documentation at https://www.openssl.org/docs/manmaster/man1/req.html
note: the documentation is actually much more detailed than the following notes; I just summarized it here:

Code:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX

req
PKCS#10 certificate request and certificate generating utility.

-x509
This option outputs a self-signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self-signed root CA.

-newkey arg
This option creates a new certificate request and a new private key. The argument takes one of several forms. rsa:nbits, where nbits is the number of bits, generates an RSA key nbits in size.

-keyout filename
This gives the filename to write the newly created private key to.

-out filename
This specifies the output filename to write to, or standard output by default.

-days n
When the -x509 option is being used, this specifies the number of days to certify the certificate for. The default is 30 days.

-nodes
If this option is specified then, if a private key is created, it will not be encrypted.


The documentation at https://www.openssl.org/docs/manmaster/man1/req.html
is actually more detailed than the above; I just summarized it here.


As of 2020, the following command serves all our needs, including SAN:
cf https://stackoverflow.com/questions/101 ... 5#10176685

Code:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -extensions san -config \
  <(echo "[req]";
    echo distinguished_name=req;
    echo "[san]";
    echo subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1
    ) \
  -subj "/CN=example.com"


In OpenSSL ≥ 1.1.1, this can be shortened to:

Code:
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout example.key -out example.crt -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1"


It creates a certificate that is

- valid for the domains example.com and example.net (SAN),
- also valid for the IP address 10.0.0.1 (SAN),
- relatively strong (as of 2020) and
- valid for 3650 days (~10 years).

It creates the following files:

Private key: example.key
Certificate: example.crt

All information is provided at the command line. There is no interactive input that annoys you. There are no config files you have to mess around with. All necessary steps are executed by a single OpenSSL invocation: from private key generation up to the self-signed certificate.

Remark #1: Crypto parameters

Since the certificate is self-signed and needs to be accepted by users manually, it doesn't make sense to use a short expiration or weak cryptography.

In the future, you might want to use more than 4096 bits for the RSA key and a hash algorithm stronger than sha256, but as of 2020 these are sane values. They are sufficiently strong while being supported by all modern browsers.

Remark #2: Parameter "-nodes"

Theoretically we could leave out the -nodes parameter (which means "no DES encryption"), in which case example.key would be encrypted with a password. However, this is almost never useful for a server installation, because you would either have to store the password on the server as well, or you'd have to enter it manually on each reboot.
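The single-invocation SAN procedure above, applied to the no-domain case the question asks about, as an added example that is not from the post or from the documentation it quotes: the SAN carries a bare hostname and a private IP (hypothetical values), and the functions after it do the "review the certificate" step in a checkable way. It assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post or any quoted docs):
# self-signed certificate for a host with no registered domain name,
# plus the checks worth running on the result. Host, IP and paths are
# constructed values for this example.
set -e

# gen_cert DIR HOST IP: writes DIR/example.key and DIR/example.crt.
# -addext needs OpenSSL >= 1.1.1; no openssl.cnf editing, no prompts.
gen_cert() {
    dir=$1; host=$2; ip=$3
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -keyout "$dir/example.key" -out "$dir/example.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip"
    # -nodes leaves the private key unencrypted: restrict it on disk.
    chmod 600 "$dir/example.key"
}

# cert_san CERT: print the Subject Alternative Name value as one line,
# e.g. "DNS:devbox, IP Address:10.0.0.1" (browsers match on SAN, not CN).
cert_san() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_matches_key CERT KEY: succeed only if the certificate's public key
# is the one derived from KEY (catches a mixed-up key/cert pair).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1")
    k=$(openssl pkey -pubout -in "$2")
    [ "$c" = "$k" ]
}

# cert_outlives CERT SECONDS: succeed if the certificate is still valid
# SECONDS from now (catches the 30-day default when -days is forgotten).
cert_outlives() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Usage with the constructed host/IP:
#   d=$(mktemp -d); gen_cert "$d" devbox 10.0.0.1
#   cert_san "$d/example.crt"
#   cert_matches_key "$d/example.crt" "$d/example.key" && echo "key matches"
```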



The question is: Is it possible to do self-signed certification of a website without a domain name?
I have read that we can do this with the service letsencrypt.org: it seems that it does not issue a certificate when there is no domain name. I have heard about the various options and methods that I have described above.


I look forward to hearing from you.

regards
For WordPress development :: super toolkits a. http://wpgear.org/ :: and b. github.com/miziomon/awesome-wordpress
:: Awesome WordPress: A curated list of amazingly awesome WordPress resources, themes, plugins and shiny things.