Portal
Forum
Devolutions Force
Hub Business
Hub Personal
Devolutions Send
Devolutions Academy
RDM
Workspace
Launcher
For testing purposes, it is necessary to generate secure self-signed server and client certificates. However, I have found that many tutorials available on the web are complicated, and they do not cover certificates that use safe algorithms. And so, since “necessity is the mother of invention”, I decided to create a simple tutorial and share it with all of you!
Why OpenSSL?
I choose to use OpenSSL because it is available on all platforms (Linux, macOS, Windows) which means this tutorial can be followed on any platforms.
About the Steps
While there are many steps in this process, please do not worry. My goal is to make this as simple as possible for you, and so I have broken every action down into a single step. This way, everything should be clear, and my hope is that you won’t waste time or get frustrated along the way. There is one requirement before starting all of this, you’ll need to have OpenSSL. Ok, ready? Let’s get started!
Step 1 - Certificate Authority
Step 1.1 - Generate the Certificate Authority (CA) Private Key
Every certificate must have a corresponding private key. Generate this using the following command line:
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
This will create a 256-bit private key over an elliptic curve, which is the industry standard. We know that Curve25519 is considered safer than this NIST P-256 curve but it is only standardized in TLS 1.3 which is not yet widely supported.
Step 1.2 - Generate the Certificate Authority Certificate
The CA generates and issues certificates. Here is a link to additional resources if you wish to learn more about this.
Generate the Root CA certificate using the following command line:
openssl req -new -x509 -sha256 -key ca.key -out ca.crt
You will be prompted to provide some information about the CA. Here is what the request looks like:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:QC
Locality Name (eg, city) []:Lavaltrie
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Devolutions inc.
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:devolutions.net
Email Address []:security@devolutions.net
Your CA certificate is now created. Keep its private key in a safe place.
On windows this certificate (ca.crt) is usually installed in the following store on both the server and client :
Local Computer\Trusted Root Certification Authorities
The certificate must be installed so that the server and client(s) can validate the legitimacy of the certificates issued by it.
Step 2: Generate your server certificate
This step may be repeated for each server you need.
Step 2.1 - Generate the server certificate private key
Like the CA certificate use the following command line:
openssl ecparam -name prime256v1 -genkey -noout -out server.key
This will create a file name server.key
Step 2.2 - Generate the server certificate signing request
A signing request must be created to generate a certificate with the CA.
openssl req -new -sha256 -key server.key -out server.csr
For maximum security, we strongly recommend that the signing request should only be generated on the server where the certificate will be installed. The server private key should never leave the server!
In addition, you will be prompted to create a password. Make sure to use a long, strong, and unique password. Here is an example (do not use this one!):
^x^GT+HEy]h9C@8>ZBrb%P>{
Step 2.3 - Generate the server certificate
(optional) You can create a file named server-extensions.txt if you want to provide specific extensions for your certificate.
In this tutorial I will provide server authentication key usage (oid : 1.3.6.1.5.5.7.3.1):
server-extensions.txt content:
extendedKeyUsage=serverAuth
Usually this is used for TLS/SSL client authentication.
If you don’t want to specify certificate extensions you can ommit the step above.
You can then generate the certificate with the following command line (if you ommited the step above remove the -extfile server-extensions.txt argument :
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256 -extfile server-extensions.txt
Step 2.4 - Generate server certificate pfx
If you want to combine the private key and public key together and have a single pfx file you can use the following command:
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
I will use the following export password as an example O NOT USE THIS ONE)
^x^GT+HEy]h9C@8>ZBrb%P>{
On a Windows server this certificate (server.pfx) is usually installed in the following store:
Local Computer\Personal
Step 3: Generate your client(s) certificate(s)
Step 3.1 - Generate the client certificate private key
Use the following command line to create the client certificate private key:
openssl ecparam -name prime256v1 -genkey -noout -out client1.key
This will create a file named client1.key.
Step 3.2 - Generate the client certificate signing request
You need to create a signing request to generate a certificate with the CA. Use the following command line:
openssl req -new -sha256 -key client1.key -out client1.csr
For maximum security, we strongly recommend that the certificate signing request should only be generated on the client where the certificate will be installed. The client private key should never leave the client!
Next, you will be prompted to submit information about the client certificate. You can enter the same information as the CA certificate, except for the last two entries: Common Name and Email Address. These should be the name and email of an individual and not your company. For example:
Common Name (e.g. server FQDN or YOUR name) []:John Doe
Email Address []:JohnDoe@devolutions.net
You will also be asked to set a password on the certificate signing request. Once again, make sure that you choose a strong and safe password. Here is an example (do not use this one!):
^x^GT+HEy]h9C@8>ZBrb%P>{
Step 3.3 - Generate the client certificate
(optional) You can create a file named client-extensions.txt if you want to provide specific extensions for your certificate.
In this tutorial I will provide client authentication key usage (oid : 1.3.6.1.5.5.7.3.2) :
client-extensions.txt content:
extendedKeyUsage=clientAuth
You can then generate the certificate with the following command line (if you ommited the step above remove the extfile client-extensions.txtargument:
openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000 -sha256 -extfile client-extensions.txt
Step 3.4 - Generate client certificate pfx
If you want to combine the private key and public key together and have a single pfx file you can use the following command:
openssl pkcs12 -export -out client1.pfx -inkey client1.key -in client1.crt
I will use the following export password as an example: ^GT+HEy]h9C@8>ZBrb%P>{
On a Windows client this certificate (client1.pfx) is usually installed in the following store:
Current User\Personal
We strongly recommend to generate a single certificate for each clients as this would allow to quickly identify the affected client in case of an issue. Moreover, for maximum security the client private key should remain on the client and never be copied on another host.
I hope that you’ve found this tutorial simple and helpful. If you have any questions or comments, please post your feedback below!
