Optional: Creating a server certificate and private key
This section describes how to create your own test server certificate and private key, signed by a private certificate authority (CA) that you also create. It is strongly recommended that you use a server certificate issued by a well-known certificate authority instead; if you already have a server certificate and private key from such an authority, skip this section.
About this task
To create the server certificate and private key, complete the following steps:
Procedure
- Generate a private key for the certificate authority (CA). The -des3 option encrypts the key with a pass phrase, which you are asked for each time the key is used:
openssl genrsa -des3 -out myCA.key 2048
- Generate a root certificate. For convenience, identify the certificate as the root certificate in the Common Name field:
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Waltham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:MFA
Common Name (e.g. server FQDN or YOUR name) []:MFA Root Certificate
Email Address []:user@company.com
- Create a private key for the server:
openssl genrsa -out test-server.key 2048
- Create a certificate signing request (CSR) for the server. For convenience, identify the certificate as the server certificate in the Common Name field:
openssl req -new -key test-server.key -out test-server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Waltham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:MFA
Common Name (e.g. server FQDN or YOUR name) []:your_server_fqdn
Email Address []:user@company.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Use an editor to create an extension file for the server certificate and save it as test-server.ext, the name used in the signing step. Ensure that you specify subject alternative names that cover all names that a user might enter in the browser to access the server. If users will connect by IP address, list the address as an IP.1 = entry in addition to, or instead of, a DNS entry: browsers and OpenSSL compare an IP address only against iPAddress entries, so an address given as DNS.3 is not matched when a user connects by IP.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = fully-qualified-host-name
DNS.2 = short-name
DNS.3 = IP address
- Create the server certificate using the CSR, the CA private key, the CA certificate, and the extension file:
openssl x509 -req -in test-server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out test-server.pem -days 1825 -sha256 -extfile test-server.ext
Signature ok
subject=/C=US/ST=Massachusetts/L=Waltham/O=Company/OU=MFA/CN=fqdn/emailAddress=user@company.com
Getting CA Private Key
Enter pass phrase for myCA.key:
- Display the server certificate and confirm that it is issued by the CA root certificate and carries the subject alternative names from the extension file:
openssl x509 -in test-server.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:a9:b6:28:a5:46:2e:db:0e:89:7e:06:09:81:ba:76:0f:c0:a0:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Massachusetts, L = Waltham, O = Company Name, OU = MFA, CN = MFA Root Certificate, emailAddress = user@company.com
        Validity
            Not Before: Nov 21 20:14:04 2023 GMT
            Not After : Nov 19 20:14:04 2028 GMT
        Subject: C = US, ST = Massachusetts, L = Waltham, O = Company Name, OU = MFA, CN = your_server_fqdn, emailAddress = user@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [hex dump omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:30:E0:10:B3:12:BD:94:F7:27:D5:7D:41:63:40:50:F5:20:94:BD:7C
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:your_server_fqdn, DNS:server_short_name, DNS:your_server_ip
    Signature Algorithm: sha256WithRSAEncryption
         [signature hex dump omitted]
[PEM-encoded certificate omitted]
- Copy the server certificate (test-server.pem) to server.crt and the private key (test-server.key) to server.key.
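An added check, not part of the original procedure: this Python script parses an extension file in the format shown above and reports which of the names a user might type are covered by its alt_names entries, applying the rule that browsers and OpenSSL use (a DNS entry is compared only against host names, an IP entry only against IP literals). The extension file inside the script is constructed for the example; its address is listed both as DNS.3, as in the procedure, and as IP.1, so that the difference is visible.

```python
import ipaddress

# Constructed sample extension file in the format used above (not taken from the page).
# DNS.3 carries an IP address the way the procedure's example does; IP.1 carries the
# same address as an iPAddress entry, which is the form that is actually matched.
EXT_FILE = """\
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mfa.example.test
DNS.2 = mfa
DNS.3 = 192.0.2.10
IP.1 = 192.0.2.10
"""

def parse_alt_names(ext_text):
    # Return (kind, value) pairs from the [alt_names] section, e.g. ("DNS", "mfa").
    names, in_section = [], False
    for line in (raw.strip() for raw in ext_text.splitlines()):
        if line.startswith("["):
            in_section = line == "[alt_names]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            names.append((key.split(".")[0].upper(), value))
    return names

def san_matches(kind, san, host):
    # Compare one SAN entry with one name the user might type, RFC 5280/6125 style.
    if kind == "IP":
        try:  # iPAddress entries match IP literals only, after normalisation
            return ipaddress.ip_address(san) == ipaddress.ip_address(host)
        except ValueError:
            return False
    if kind != "DNS":
        return False
    try:
        ipaddress.ip_address(host)
        return False  # a dNSName never matches an IP literal, even if the text is identical
    except ValueError:
        pass
    # host names are case-insensitive; a trailing dot is ignored
    return san.lower().rstrip(".") == host.lower().rstrip(".")

def covered(ext_text, hosts):
    # Map each name a user might type to whether some SAN entry in the file covers it.
    names = parse_alt_names(ext_text)
    return {h: any(san_matches(k, v, h) for k, v in names) for h in hosts}
```

OpenSSL performs the equivalent check against the signed certificate with openssl verify -CAfile myCA.pem -verify_hostname <name> test-server.pem, or -verify_ip <address> for an IP address.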