Self-signed certificate? Why not CA-signed certificate?

Very often we need certificates, mostly for using SSL/TLS in HTTP, FTP, etc. The fastest and cheapest way is the self-signed certificate. It is generated in just a few steps.

However, they don't have to be "self" signed. We can also generate a CA (certification authority) and use it to issue the certificates, e.g. they will be signed by our CA.

This give us the possibility to trust all our certificates by just trusting the CA.

This post shows how to do it with openssl.

Some configuration first

It is much easier if you do some configuration for openssl, if not done so already. The configuration is placed in /etc/ssl/openssl.cnf:

Set the default algorithm to sha1:

set default_md = sha1

Remove these default values:

stateOrProvinceName_default     =
organizationName_default        = 

In case you are planning to create multiple certificates, you can also configure the common values as defaults to spare some time later.

Generate the CA's key and certificate

$ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................................................................+++++
..............................................................................................................................+++++

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:DE
State or Province Name (full name) []:Baden-W├╝rttemberg
Locality Name (eg, city) []:Freiburg
Organization Name (eg, company) []:My Certification Company GmbH
Organizational Unit Name (eg, section) []:Department of Blog Certification
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Generate a key and "certification request"

$ openssl genrsa -out my.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................+++++
......+++++
e is 65537 (0x010001)

$ openssl req -new -key my.key -out my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:DE
State or Province Name (full name) []:Baden-W├╝rttemberg
Locality Name (eg, city) []:Mannheim
Organization Name (eg, company) []:My Company GmbH
Organizational Unit Name (eg, section) []:Department of Blogging
Common Name (e.g. server FQDN or YOUR name) []:mydomain.com
Email Address []:me@mydomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note above, that for "common name" you must enter the FQDN in case you will use the certificate for HTTPS.

Sign the certification request

$ openssl x509 -req -extfile <(printf "subjectAltName=DNS:mydomain.com,DNS:*.mydomain.com") -days 3650 -in my.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out my.crt
Signature ok
subject=C = DE, ST = Baden-W\C3\83\C2\BCrttemberg, L = Mannheim, O = My Company GmbH, OU = Department of Blogging, CN = mydomain.com, emailAddress = me@mydomain.com
Getting CA Private Key

Above, we also add subject alternative names. This way the browser will accept this certificate for sub-domains, too.

Export a keystore

$ openssl pkcs12 -export -out keystore.p12 -inkey my.key -in my.crt -certfile ca.crt
Enter Export Password:
Verifying - Enter Export Password:

Check your new certificate

$ openssl x509 -in my.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            16:63:19:f6:17:33:9d:aa:4b:6b:9e:e3:17:b5:dd:37:e9:f3:b3:90
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = Baden-W\C3\83\C2\BCrttemberg, L = Freiburg, O = My Certification Company GmbH, OU = Department of Blog Certification
        Validity
            Not Before: Nov 15 18:55:26 2020 GMT
            Not After : Nov 13 18:55:26 2030 GMT
        Subject: C = DE, ST = Baden-W\C3\83\C2\BCrttemberg, L = Mannheim, O = My Company GmbH, OU = Department of Blogging, CN = mydomain.com, emailAddress = me@mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cf:eb:a7:a7:71:27:08:b8:e6:be:0f:9c:d2:cb:
                    99:12:67:bb:81:de:60:37:0b:34:88:e4:fe:b4:36:
                    da:bb:a4:cf:78:59:7b:0e:2d:bc:ff:6a:7a:a8:d7:
                    1c:1f:fe:1e:9e:f5:e4:b5:03:19:fe:00:24:60:03:
                    5e:b9:8e:44:ab:12:1c:cd:51:16:8c:31:41:21:42:
                    fd:06:e3:a0:16:d3:b2:75:b5:8c:67:0e:28:c5:c3:
                    7b:43:aa:5e:68:94:2f:ad:ce:05:35:bb:08:62:4c:
                    49:b8:8a:fd:d0:9e:10:19:0e:a7:32:46:72:12:bb:
                    1d:85:d0:a7:85:b2:53:53:11:1a:58:9a:23:ab:96:
                    99:ee:46:28:45:5e:81:66:33:68:73:dd:84:ee:3c:
                    02:61:9e:6f:63:0a:6e:60:a5:d8:8e:4a:9b:cf:da:
                    84:18:1d:c0:cd:b4:3b:4a:68:e8:f9:2a:75:ea:f5:
                    d2:09:b2:4f:45:39:fa:05:a6:43:b3:95:73:47:b6:
                    0e:20:da:09:8f:61:9c:07:94:63:d6:c8:7a:ac:72:
                    e0:b5:f5:fa:31:15:1f:e4:5f:49:5f:6a:2a:7b:fb:
                    b8:6c:36:93:1b:bc:07:33:7a:80:75:4a:c0:b9:af:
                    2f:fd:51:0c:28:f2:7b:71:80:cd:02:0b:28:d8:ce:
                    8e:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mydomain.com, DNS:*.mydomain.com
    Signature Algorithm: sha256WithRSAEncryption
         6b:d5:5d:ce:f1:13:d3:65:ea:70:48:ce:be:0d:08:07:56:21:
         18:d5:2e:54:20:86:03:2d:91:d4:50:10:45:d2:97:c5:b0:d0:
         56:99:02:cc:3b:9a:d4:51:67:e4:00:62:34:2a:28:44:f5:e2:
         3f:81:fb:be:4d:41:ee:ea:0d:9b:e7:eb:32:df:30:5a:94:2c:
         60:cc:2b:49:b1:22:12:ad:44:ce:21:25:8c:94:ec:09:9d:5e:
         4b:5c:d2:c1:f6:49:8b:80:eb:32:9d:bd:48:9b:a2:36:ed:f3:
         a8:e1:99:9b:c5:27:d5:29:22:70:2e:06:51:6a:51:5c:48:26:
         48:5a:f1:e1:88:c1:02:3d:d6:d7:4f:5b:40:d5:23:4c:c7:97:
         4f:d2:97:b7:f4:a7:c9:65:55:94:0e:91:28:5c:31:6d:09:6e:
         fd:e1:4a:24:08:c5:d6:92:19:3d:b0:29:7b:e6:7d:89:8a:e9:
         0b:d6:e2:f4:89:ab:04:ff:e1:ea:65:87:32:15:85:37:e5:fa:
         98:a4:e9:cb:44:f5:03:f3:60:7f:62:7c:dd:45:4b:2b:ef:c6:
         94:48:57:67:01:92:7b:e3:03:d3:ad:ec:b2:43:4c:7b:e5:65:
         1a:c5:a9:9e:d8:f9:58:1f:37:9d:0e:e2:e6:33:5d:01:89:fa:
         78:f3:35:c1

How it looks like