Monday, November 23, 2015

Long-term self-signed certs

While I'm a big proponent of using an enterprise-class certificate authority—either based on internal offline root/online issuing or public CAs—there are some instances when using a self-signed cert fits the bill. Unfortunately, most of the tools for creating a self-signed cert have defaults that result in less-than-stellar results: the digest algorithm is sha1, the cert is likely to have a 1024-bit key, and the extensions that define the cert for server and/or client authentication are missing.

With a ton of references discoverable on The Interwebz, I spent a couple of hours trying to figure out how to generate a self-signed with the following characteristics:

  • 2048-bit key
  • sha256 digest
  • 10-year certificate life (because, duh, I don't want to do this every year)
  • Accepted Use: server auth, client auth
It took pulling pieces from several different resources, documented herein:

Required Software

OpenSSL (command-line software)
Text editor (to create the config file for the cert)


  1. Create a text file that specifies the "innards" of the cert:
    default_bits = 2048
    encrypt_key = no
    distinguished_name = req_dn
    prompt = no

    [ req_dn ]
    CN={replace with server fqdn}
    OU={replace with department}
    O={replace with company name}
    L={replace with city name}
    ST={replace with state name}
    C={replace with 2-letter country code}

    [ exts ]
    extendedKeyUsage = serverAuth,clientAuth
  2. Run the following openssl command (all one line) to create the new private key & certificate:
    openssl req -x509 -config {replace with name of config file created above} -extensions "exts" -sha256 -nodes -days 3652 -newkey rsa:2048 -keyout host.rsa -out host.cer
  3. Run the following openssl command to bundle the key & cert together in a bundle that can be imported into Windows:
    openssl pkcs12 -export -out host.pfx -inkey host.rsa -in host.cer

What's happening

The text file sets up a number of configuration items that you'd either be unable to specify at all (the extensions) or would have to manually input during creation (the distinguished name details).

The request in the second step creates a 2048-bit private key (host.rsa) and a self-signed certificate (host.cer) with a 10-year lifetime (3652 days) with the necessary usage flags and SHA256 digest.

1 comment: