I'd like to create SSL sertificates for my test environment

Question

Does anyone have a handy script to generate SSL certificates such that it generates the CA certificate and the server certificate. More importantly, create it in a way that I can import the CA certificate into my trusted root list (of my windows system) so that the browser does not flag the site as untrusted.

I used the following script to do it but I am not able to persuade my browser to trust the certificate. I'd greatly appreciate any help here.

# Generate a private key
openssl genrsa -des3 -out server.key 1024

# Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr

# Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

# Generating a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Regards, Kashyap

Answer 1

Your script is only generating one certificate, a self-signed certificate. Usually, the self-signed certificate is called the Root certificate. This can be used as a CA certificate, but often an intermediate CA certificate is created and signed by the Root private key. This intermediate CA certificate is then used to sign Server certificates. So you have this hierarchy:

Root -> CA -> Server

The CA and Root cert can go into the trusted certificate list. Then a browser that trusts that list will also trust any certificate signed by the CA or Root entities.

You don't have to have this hierarchy...you can use the Root certificate as the CA and skip the middle cert. You can also just use 1 self-signed certificate as the Root/Server certificate. See this article (Trusting self-signed certificates).

But assuming you do have this hierarchy, here are some OpenSSL commands to generate the necessary keys and certificates:

# 1. Create Root private key
openssl genrsa -out root.key 2048

# 2. Create self-signed Root certificate
openssl req -new -key root.key -x509 -out root.crt -days 5000 -sha256

# 3. Create CA private key
openssl genrsa -out ca.key 2048

# 4. Create CA CSR
openssl req -new -key ca.key -out ca.csr -days 5000

# 5. Sign and create CA certificate
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -out ca.crt -set_serial 2 -days 5000 -sha256

# 6. Create Server private key
openssl genrsa -out server.key 2048

# 7. Create Server CSR
openssl req -new -key server.key -out server.csr -days 5000

# 8. Sign and create Server certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -set_serial 3 -days 5000 -sha256

Change the key bits, # of valid days, serial numbers, and add V3 extensions as you see fit.

Also remember that different browsers have different lists that they trust. Chrome and IE use the Windows default list. Firefox has its own list.