Introduction
In this lab, you will explore the practical aspects of creating and managing X.509 certificates, a cornerstone of modern digital security. X.509 certificates are digital documents that bind a public key to an identity, such as a person or a server, and are fundamental to protocols like TLS/SSL for securing web traffic.
Using the powerful openssl command-line tool, you will learn how to perform essential certificate management tasks. You will start by understanding the structure of a certificate, then create a self-signed certificate for development purposes. Following that, you will generate a Certificate Signing Request (CSR) and act as a simple Certificate Authority (CA) to sign it, producing a trusted certificate within your own system.
By the end of this lab, you will have a solid, hands-on understanding of the certificate lifecycle.
Overview of X.509 Certificates
In this step, we will cover the basic theory behind X.509 certificates. There are no commands to execute here; this section is for your understanding before we begin the hands-on tasks.
An X.509 certificate is a standardized digital document that contains crucial information for establishing trust. Its main components include:
- Subject: The identity of the certificate holder (e.g., a person, a server name like
www.example.com). - Issuer: The entity that verified the identity and signed the certificate (the Certificate Authority or CA).
- Public Key: The public key corresponding to the subject's private key.
- Validity Period: The dates (
Not BeforeandNot After) during which the certificate is valid. - Signature: The digital signature of the issuer, which guarantees the certificate's authenticity.
A self-signed certificate is a special type of certificate where the issuer and the subject are the same. Essentially, the certificate signs itself. While these certificates are not trusted by public browsers or systems (because they are not verified by a known CA), they are extremely useful for internal testing, development environments, or private networks where you control both the client and the server.
In the next step, you will create your own self-signed certificate.
Create a Self-Signed Certificate
In this step, you will create a self-signed certificate. A private key named private.pem has already been generated for you in the ~/project directory to simplify the process. You will use this key to generate a certificate.
The command openssl req is used for creating and processing certificate requests. Let's break down the flags we will use:
-new: Generates a new certificate request.-x509: Outputs a self-signed certificate instead of a certificate request.-key private.pem: Specifies the private key to use.-out cert.pem: Specifies the output filename for the certificate.-days 365: Sets the validity of the certificate to 365 days.-subj "...": Provides the subject information non-interactively.
Now, run the following command in your terminal to create the certificate:
openssl req -new -x509 -key private.pem -out cert.pem -days 365 -subj "/C=US/ST=California/L=Mountain View/O=MyOrg/CN=example.com"
This command will not produce any output, but it will create a new file. You can verify that the cert.pem file has been created by listing the files in the current directory:
ls
You should see cert.pem in the output, along with the pre-generated files.
ca-key.pem ca.pem cert.pem private.pem
View Certificate Details
In this step, you will inspect the contents of the self-signed certificate you just created. This allows you to verify its details and understand its structure in a human-readable format.
We will use the openssl x509 command, which is designed for viewing and manipulating certificate files.
-in cert.pem: Specifies the input certificate file.-text: Prints the full certificate details in text format.-noout: Prevents the command from printing the encoded version of the certificate.
Execute the following command to view the details of cert.pem:
openssl x509 -in cert.pem -text -noout
The output will be quite long, but scroll through it and pay attention to these key fields:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, L = Mountain View, O = MyOrg, CN = example.com
Validity
Not Before: ...
Not After : ...
Subject: C = US, ST = California, L = Mountain View, O = MyOrg, CN = example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
...
Notice that the Issuer and Subject fields are identical. This is the defining characteristic of a self-signed certificate.
Generate Certificate Signing Request
In this step, you will generate a Certificate Signing Request (CSR). A CSR is a block of encoded text containing your public key and identity information. You send a CSR to a Certificate Authority (CA) to request a signed digital certificate.
We will again use the openssl req command, but this time without the -x509 flag, so it produces a CSR instead of a self-signed certificate.
-new: Indicates a new request.-key private.pem: Uses your existing private key.-out csr.pem: Specifies the output filename for the CSR.-subj "...": Provides the identity information for the certificate you are requesting.
Run the following command to generate a CSR for a fictional web application:
openssl req -new -key private.pem -out csr.pem -subj "/C=US/ST=New York/L=New York City/O=MyWebApp/CN=webapp.example.com"
This command will create a new file named csr.pem. You can verify its creation with the ls command:
ls
You will now see csr.pem in your project directory.
ca-key.pem ca.pem cert.pem csr.pem private.pem
This CSR is now ready to be sent to a CA for signing.
Sign the CSR
In this final step, you will act as a Certificate Authority (CA) to sign the CSR you created in the previous step. For this purpose, a simple CA certificate (ca.pem) and its corresponding private key (ca-key.pem) have been pre-generated in your environment.
We will use the openssl x509 -req command to process the CSR and issue a new certificate.
-req: Specifies that we are processing a CSR.-in csr.pem: The input CSR file.-CA ca.pem: The CA's certificate used for signing.-CAkey ca-key.pem: The CA's private key used for signing.-out signed-cert.pem: The output file for the newly signed certificate.-days 365: Sets the validity period.-CAcreateserial: Creates and manages a serial number file (ca.srl), which is required for CAs to track issued certificates.
Execute the command below to sign the CSR:
openssl x509 -req -in csr.pem -CA ca.pem -CAkey ca-key.pem -out signed-cert.pem -days 365 -CAcreateserial
You will see output confirming the signature was successful:
Certificate request self-signature ok
subject=C = US, ST = New York, L = New York City, O = MyWebApp, CN = webapp.example.com
Now, list the files to see your newly created certificate, signed-cert.pem, and the serial file, ca.srl.
ls
ca-key.pem ca.pem ca.srl cert.pem csr.pem private.pem signed-cert.pem
You can inspect this new certificate with openssl x509 -in signed-cert.pem -text -noout. You will notice that the Issuer is now the CA (CN=myca.com), and the Subject is the identity from your CSR (CN=webapp.example.com).
Summary
In this lab, you gained hands-on experience with the fundamental lifecycle of X.509 certificates using the openssl tool.
You have successfully learned how to:
- Understand the core components of an X.509 certificate and the concept of self-signed certificates.
- Create a self-signed certificate suitable for development and testing using
openssl req. - Inspect the details of a certificate to verify its contents with
openssl x509. - Generate a Certificate Signing Request (CSR) to formally request a certificate from a CA.
- Act as a simple Certificate Authority to sign a CSR and issue a new, valid certificate.
These skills are essential for anyone involved in system administration, network security, or software development, providing the foundation for managing secure communications in a variety of applications.
