Tips & Tricks
Mathieu Morrissette

Hello everyone! As a certified OSCP security specialist here at Devolutions, I have the privilege of testing the security of our code, and our solutions to ensure that you have the most secure experience when using our products. Besides that, I also work with developers to write safer code, I keep up with trends at security conferences and during breaks, I like to play the Star Wars pinball machines in the break room. As a huge Star Wars fan, the office here at Devolutions makes me feel right at home.

Generate certificates openssl secure servers

Secure your servers: generate self-signed certificates with OpenSSL

For testing purposes, it is necessary to generate secure self-signed server and client certificates. However, I have found that many tutorials available on the web are complicated, and they do not cover certificates that use safe algorithms. And so, since “necessity is the mother of invention”, I decided to create a simple tutorial and share it with all of you!

Why OpenSSL?

I choose to use OpenSSL because it is available on all platforms (Linux, macOS, Windows) which means this tutorial can be followed on any platforms.

About the Steps

While there are many steps in this process, please do not worry. My goal is to make this as simple as possible for you, and so I have broken every action down into a single step. This way, everything should be clear, and my hope is that you won’t waste time or get frustrated along the way. There is one requirement before starting all of this, you’ll need to have OpenSSL. Ok, ready? Let’s get started!

Step 1 - Certificate Authority

Step 1.1 - Generate the Certificate Authority (CA) Private Key

Every certificate must have a corresponding private key. Generate this using the following command line:

openssl ecparam -name prime256v1 -genkey -noout -out ca.key

This will create a 256-bit private key over an elliptic curve, which is the industry standard. We know that Curve25519 is considered safer than this NIST P-256 curve but it is only standardized in TLS 1.3 which is not yet widely supported.

Step 1.2 - Generate the Certificate Authority Certificate

The CA generates and issues certificates. Here is a link to additional resources if you wish to learn more about this.

Generate the Root CA certificate using the following command line:

openssl req -new -x509 -sha256 -key ca.key -out ca.crt

You will be prompted to provide some information about the CA. Here is what the request looks like:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:QC
Locality Name (eg, city) []:Lavaltrie
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Devolutions inc.
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:devolutions.net
Email Address []:security@devolutions.net

Your CA certificate is now created. Keep its private key in a safe place.

On windows this certificate (ca.crt) is usually installed in the following store on both the server and client :

Local Computer\Trusted Root Certification Authorities

The certificate must be installed so that the server and client(s) can validate the legitimacy of the certificates issued by it.

Step 2: Generate your server certificate

This step may be repeated for each server you need.

Step 2.1 - Generate the server certificate private key

Like the CA certificate use the following command line:

openssl ecparam -name prime256v1 -genkey -noout -out server.key

This will create a file name server.key

Step 2.2 - Generate the server certificate signing request

A signing request must be created to generate a certificate with the CA.

openssl req -new -sha256 -key server.key -out server.csr

For maximum security, we strongly recommend that the signing request should only be generated on the server where the certificate will be installed. The server private key should never leave the server!

In addition, you will be prompted to create a password. Make sure to use a long, strong, and unique password. Here is an example (do not use this one!):

^x^GT+HEy]h9C@8>ZBrb%P>{

Step 2.3 - Generate the server certificate

(optional) You can create a file named server-extensions.txt if you want to provide specific extensions for your certificate.

In this tutorial I will provide server authentication key usage (oid : 1.3.6.1.5.5.7.3.1):

server-extensions.txt content:

extendedKeyUsage=serverAuth

Usually this is used for TLS/SSL client authentication.

If you don’t want to specify certificate extensions you can ommit the step above.

You can then generate the certificate with the following command line (if you ommited the step above remove the -extfile server-extensions.txt argument :

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256 -extfile server-extensions.txt

Step 2.4 - Generate server certificate pfx

If you want to combine the private key and public key together and have a single pfx file you can use the following command:

openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt

I will use the following export password as an example O NOT USE THIS ONE)

^x^GT+HEy]h9C@8>ZBrb%P>{ 

On a Windows server this certificate (server.pfx) is usually installed in the following store:

Local Computer\Personal

Step 3: Generate your client(s) certificate(s)

Step 3.1 - Generate the client certificate private key

Use the following command line to create the client certificate private key:

openssl ecparam -name prime256v1 -genkey -noout -out client1.key

This will create a file named client1.key.

Step 3.2 - Generate the client certificate signing request

You need to create a signing request to generate a certificate with the CA. Use the following command line:

openssl req -new -sha256 -key client1.key -out client1.csr

For maximum security, we strongly recommend that the certificate signing request should only be generated on the client where the certificate will be installed. The client private key should never leave the client!

Next, you will be prompted to submit information about the client certificate. You can enter the same information as the CA certificate, except for the last two entries: Common Name and Email Address. These should be the name and email of an individual and not your company. For example:

Common Name (e.g. server FQDN or YOUR name) []:John Doe
Email Address []:JohnDoe@devolutions.net

You will also be asked to set a password on the certificate signing request. Once again, make sure that you choose a strong and safe password. Here is an example (do not use this one!):

^x^GT+HEy]h9C@8>ZBrb%P>{

Step 3.3 - Generate the client certificate

(optional) You can create a file named client-extensions.txt if you want to provide specific extensions for your certificate.

In this tutorial I will provide client authentication key usage (oid : 1.3.6.1.5.5.7.3.2) :

client-extensions.txt content:

extendedKeyUsage=clientAuth

You can then generate the certificate with the following command line (if you ommited the step above remove the extfile client-extensions.txtargument:

openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000 -sha256 -extfile client-extensions.txt

Step 3.4 - Generate client certificate pfx

If you want to combine the private key and public key together and have a single pfx file you can use the following command:

openssl pkcs12 -export -out client1.pfx -inkey client1.key -in client1.crt

I will use the following export password as an example: ^GT+HEy]h9C@8>ZBrb%P>{

On a Windows client this certificate (client1.pfx) is usually installed in the following store:

Current User\Personal

We strongly recommend to generate a single certificate for each clients as this would allow to quickly identify the affected client in case of an issue. Moreover, for maximum security the client private key should remain on the client and never be copied on another host.

I hope that you’ve found this tutorial simple and helpful. If you have any questions or comments, please post your feedback below!

Related Posts

Read more Tips & Tricks posts