TLS Certificates
Advantage Concepts
Creating a Self-Signed Certificate for TLS Communications
In order to use Transport Layer Security (TLS), it is necessary to have a digitally signed certificate. These certificates can be purchased through a number of companies such as Thawte, VeriSign, and GeoTrust.
Depending on the usage scenario and requirements, however, you may want to use a self-signed certificate. There are a number of books and web sites that discuss the creation of digital certificates. The following is not meant to be a replacement for that information but rather is a very brief overview of steps that can be used to create a self-signed certificate on a Windows PC.
• Make sure the OpenSSL command line executable (openssl.exe in Windows) is in your path along with the libraries libeay32.dll and ssleay32.dll.
• Set the OPENSSL_CONF environment variable to point to your OpenSSL configuration file (openssl.cnf).
• Edit the configuration file (openssl.cnf) to verify it has the desired settings. Examine all the values in it, particularly the paths and distinguished name information (common name, email address, etc.).
• Run the commands to create the public and private key for the "certificate authority", the signing request, and the signed certificate. Example commands for doing this are shown in this script.
Example openssl.cnf file
openssl_conf = openssl_init
[openssl_init]
alg_section = algs
[ ca ]
default_ca = MyCertAuth
[ algs ]
fips_mode = yes
[ MyCertAuth ]
dir = c:/adscert
certificate = $dir/clientcert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/certificateauthoritykey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = MyCertAuth_policy
x509_extensions = certificate_extensions
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
[ MyCertAuth_policy ]
commonName = match
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ req ]
default_bits = 2048
default_keyfile = c:/adscert/private/certificateauthoritykey.pem
default_md = sha1
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = www.mysite.com
stateOrProvinceName = ST
countryName = US
emailAddress = my@email.com
organizationName = myorganization
[ root_ca_extensions ]
basicConstraints = CA:true
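The following is an added example, not the script the page refers to and not part of the Advantage documentation. It walks through the four steps above on a POSIX shell, writing its own openssl.cnf with the same section layout as the file shown here and then running the three openssl commands (CA key pair and self-signed certificate, signing request, signed certificate) before checking the result. The working directory, file names, distinguished-name values and the two verification checks are assumptions. It deliberately departs from the file above in three places, each noted in a comment: default_md is sha256 rather than sha1, because OpenSSL 3 rejects SHA-1 certificate signatures at its default security level; the fips_mode stanza is omitted, because it only loads on a FIPS-capable build; and the root certificate carries a subjectKeyIdentifier so that the leaf's authorityKeyIdentifier = keyid,issuer resolves. Note also what the policy's commonName = match does: the signing request must carry the same common name as the CA certificate, which is why both the CA and the server certificate take their subject from the single prompt = no distinguished-name section.

```shell
#!/bin/sh
# Added example (not the page's script): self-signed CA plus one server
# certificate, using a constructed openssl.cnf. Paths, names and values
# are assumptions; the layout mirrors the [ca]/[req] sections above.
set -eu

# Steps 2 and 3: write a configuration file that points at the working
# directory. Intentional differences from the page's file: sha256 instead of
# sha1 (OpenSSL 3 refuses SHA-1 signatures at its default security level),
# no fips_mode stanza (needs a FIPS-capable build), and a subjectKeyIdentifier
# on the root so the leaf's authorityKeyIdentifier can find it.
write_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = MyCertAuth

[ MyCertAuth ]
dir = $dir
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/certificateauthoritykey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = MyCertAuth_policy
x509_extensions = certificate_extensions

[ MyCertAuth_policy ]
commonName = match
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = www.mysite.com
stateOrProvinceName = ST
countryName = US
emailAddress = my@email.com
organizationName = myorganization

[ root_ca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
EOF
}

# Step 4a: the "certificate authority" key pair and its self-signed certificate.
# openssl ca also needs an (empty) database file and a starting serial number.
make_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/private/certificateauthoritykey.pem" \
        -out "$dir/cacert.pem" 2>/dev/null
}

# Step 4b: a fresh server key and signing request. Because the policy says
# "commonName = match", the request must use the CA's common name, which the
# prompt=no distinguished-name section supplies automatically.
make_request() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# Step 4c: sign the request with the CA; -batch suppresses the y/n prompts.
sign_request() {
    dir=$1
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/server.csr" -out "$dir/server.pem" 2>/dev/null
}

# Two checks worth running before deploying: the leaf chains to the CA, and the
# extension section really marked it as not-a-CA (exit status 0 = pass).
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.pem" >/dev/null 2>&1
}
leaf_is_not_ca() {
    openssl x509 -in "$1/server.pem" -noout -text | grep -q 'CA:FALSE'
}

run_demo() {
    work=$(mktemp -d)
    write_config "$work"
    make_ca "$work"
    make_request "$work"
    sign_request "$work"
    verify_chain "$work" && leaf_is_not_ca "$work" && echo "issued $work/server.pem: OK"
}

# Step 1: none of this works unless openssl is on the PATH.
if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found on PATH" >&2
fi
```

Running the script prints the path of the issued server.pem when both checks pass. The working directory it creates holds the same artefacts the page's layout expects (private/certificateauthoritykey.pem, index.txt, serial, certs/), so the openssl.cnf it writes can be compared line by line with the example above.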