Tuesday, July 28, 2015

Create self-singed certificate with extentions

For testing reasons I wanted to create a self-signed certificate that includes the subject alternative name extension, using openssl. Most guides require the creation of an openssl configuration file. I found out that this can be done without any configuration file, using only two openssl commands and a file that contains the subject alternative name extension parameters.

The first command is the following:

openssl req -newkey rsa:1024 -keyout server.key -out server.csr -subj '/C=GR/ST=Attiki/L=Athens/O=Fotiou Corp/OU=Security Department/CN=localhost/emailAddress=my@email.address' -nodes

This command creates a new private key and a new certificate signing request. Let's see the command parameters:

-newkey rsa:1024      It creates an RSA 1024 bits key
-keyout server.key  This is the file where the private key is stored
-out server.csr        This the file where the certificate signing request is stored
-subj ...                   This is the information included in the certificate
-nodes                          This command parameter instructs openssl to not encrypt the private key

Now create a file and insert the subject alternative name extension parameters. In this example, I have created a file named extentions.cnf which contains the following text:

subjectAltName=DNS:example.com, DNS:localhost

This line indicates that this certificate is valid for two DNS names, namely example.com and localhost. You may notice that the CN name included in the -subj command line parameter is also included here; the reason for that is because most browsers ignore the CN field when the subject alternative name extension is used. Finally the following command creates the desired certificate

openssl x509 -req -days 365 -signkey server.key -in server.csr -out server.crt -extfile extentions.cnf


Where:
-days 3650                          It is the number of days for which the certificate is valid
-signkey server.key         It is the private key generated previously and it used to sign the certificate
-in server.csr                   The certificate signing request we created with the previous command
-out server.crt                 The file in which the certificate will be stored
-extfile extentions.cnf The file we created with the subject alternative name extension parameters