OpenSSL Certificate Generation Workflow¶
OpenSSL is a robust toolkit for managing SSL/TLS certificates, often used to create self-signed certificates for development environments or to establish a local Certificate Authority (CA).^[600-developer__tools__security__openssl.md]
Prerequisites and Setup¶
Before generating certificates, prepare the environment and obtain the tool. On Windows, rather than installing OpenSSL by hand as was once necessary, it is recommended to use an integrated shell such as Cmder or the Windows Subsystem for Linux (WSL), which ship with OpenSSL and give a smoother workflow^[600-developer__tools__security__openssl.md:29-32].
A specific directory should be prepared to store the generated keys and certificates (e.g., D:\SSL) to keep the files organized^[600-developer__tools__security__openssl.md:32-33].
Workflow Steps¶
1. Generate the CA Private Key¶
The first step in acting as your own Certificate Authority is generating a private key for the root CA^[600-developer__tools__security__openssl.md].
```shell
openssl genrsa -des3 -out rootCA.key 4096
```
- `-des3`: encrypts the key with the Triple DES algorithm; OpenSSL prompts for the passphrase.
- `-out`: the output filename.
- `4096`: the key length in bits.
During this step, a password (passphrase) must be set and remembered, as it is required to use the key^[600-developer__tools__security__openssl.md:34-35].
2. Generate the Root Certificate¶
Once the private key is created, it is used to generate a self-signed root certificate^[600-developer__tools__security__openssl.md].
```shell
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.crt
```
- `req`: the certificate request subcommand.
- `-x509`: outputs a self-signed certificate instead of a certificate signing request.
- `-new`: creates a new request.
- `-nodes`: "no DES", i.e. do not encrypt an output private key. Because `-key` supplies an existing key and no new key is written, this flag has no effect here; OpenSSL still prompts for the passphrase of rootCA.key.
- `-key`: the private key used to sign the certificate.
- `-sha256`: the hash algorithm for the signature.
- `-days`: the validity period (36500 days, roughly 100 years).
- `-out`: the output certificate file.
This produces the rootCA.crt file^[600-developer__tools__security__openssl.md:36].
Trust and Verification¶
To function correctly within a development environment, the generated rootCA.crt must be imported into the "Trusted Root Certification Authorities" store of the operating system or browser^[600-developer__tools__security__openssl.md]. From that point on, every certificate signed with rootCA.key is trusted by that machine, so the key and its passphrase should stay out of shared locations and the root should only be installed on machines you control.
This workflow addresses the public key distribution problem: a public key retrieved over the network must be verified as authentic before it is trusted^[600-developer__tools__security__openssl.md]. By establishing a local CA, developers can sign their own server certificates, and the same toolkit lets them inspect the cipher suites a server offers^[600-developer__tools__security__openssl.md].
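The two workflow steps above carried through to what they are for, as an added example that is not part of the original note: a POSIX shell script that builds the local CA without prompts, issues one server certificate signed by it, and checks the chain with `openssl verify`. It assumes `openssl` 1.1.1 or newer is on PATH; the directory, passphrase, subject names and hostname are constructed sample values, and the `-passout`/`-passin`, `-subj` and explicit extension sections are additions to the note's commands so that the script can run unattended.

```shell
#!/bin/sh
# Added example (not from the original note). Builds a throwaway local CA,
# issues a server certificate from it, and verifies the chain.
# Assumptions: openssl 1.1.1+ on PATH; passphrase, directory and names below
# are constructed sample values.
set -eu

# Steps 1 and 2 of the note, made non-interactive. An explicit extension
# section marks the root as a CA so verifiers accept it as an issuer.
make_local_ca() {
    dir="$1"; pass="${2:-dev-ca-passphrase}"   # constructed sample passphrase
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Local Dev Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Step 1: encrypted CA key (passphrase supplied instead of prompted).
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/rootCA.key" 4096 2>/dev/null
    # Step 2: self-signed root certificate using the CA extension section.
    openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$pass" \
        -config "$dir/ca.cnf" -extensions v3_ca \
        -sha256 -days 36500 -out "$dir/rootCA.crt"
}

# Issue a leaf certificate for host $2 signed by the CA in $1. The leaf gets a
# subjectAltName (what clients match the hostname against) and is marked
# CA:FALSE so it cannot be used to issue further certificates.
issue_server_cert() {
    dir="$1"; host="$2"; pass="${3:-dev-ca-passphrase}"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -config "$dir/ca.cnf" \
        -subj "/CN=$host" -out "$dir/$host.csr"
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/$host.csr" \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -passin "pass:$pass" \
        -CAcreateserial -sha256 -days 825 \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt"
}

# Chain check: succeeds only if openssl accepts $2 as issued by the root in $1.
verify_against_local_ca() {
    openssl verify -CAfile "$1/rootCA.crt" "$2" >/dev/null 2>&1
}

# Print the subject or issuer DN of a certificate ($1 = subject|issuer,
# $2 = file) without the "subject="/"issuer=" prefix, so they compare directly.
cert_field() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

main() {
    dir="$1"
    make_local_ca "$dir"
    issue_server_cert "$dir" localhost
    verify_against_local_ca "$dir" "$dir/localhost.crt" && echo "chain OK"
    echo "leaf issuer : $(cert_field issuer "$dir/localhost.crt")"
    echo "root subject: $(cert_field subject "$dir/rootCA.crt")"
}

# Run as: sh local_ca.sh demo [directory]
case "${1:-}" in
    demo) main "${2:-./dev-ca}" ;;
esac
```

The leaf certificate is issued with a short validity and a `subjectAltName`, because browsers ignore the Common Name for hostname matching; only the root keeps the note's long lifetime. The `openssl verify` call is the same check a client performs once rootCA.crt is in its trust store, so running it before importing the root catches a misconfigured chain early.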
Related Concepts¶
- [[Public Key Infrastructure]]
- Self-Signed Certificate
- Digital Signature
Sources¶
^[600-developer__tools__security__openssl.md]