Certificate Generation Guide
This directory contains certificates for the HTTPS server example. This guide explains how to generate new server and client certificates signed by the existing CA certificate.
Prerequisites
- OpenSSL installed on your system
- Existing CA certificate (cacert.pem) and CA private key (cakey.pem)
- Configuration files for certificate extensions (server_cert.conf and client_cert.conf)
Generating Server Certificate
Follow these steps to create a new server certificate signed by the CA:
1. Generate Server Private Key
openssl genpkey -algorithm RSA -out new_server.key -pkeyopt rsa_keygen_bits:2048
This creates a 2048-bit RSA private key for the server.
2. Create Certificate Signing Request (CSR)
openssl req -new -key new_server.key -out new_server.csr -config server_cert.conf
This generates a CSR using the server's private key and the configuration specified in server_cert.conf.
3. Sign the Server Certificate with CA
openssl x509 -req -in new_server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out new_server.pem -days 3650 -extensions v3_req -extfile server_cert.conf
This creates the server certificate (new_server.pem) valid for 10 years (3650 days), signed by the CA certificate.
Generating Client Certificate
Follow these steps to create a new client certificate signed by the CA:
4. Generate Client Private Key
openssl genpkey -algorithm RSA -out new_client.key -pkeyopt rsa_keygen_bits:2048
This creates a 2048-bit RSA private key for the client.
5. Create Certificate Signing Request (CSR)
openssl req -new -key new_client.key -out new_client.csr -config client_cert.conf
This generates a CSR using the client's private key and the configuration specified in client_cert.conf.
6. Sign the Client Certificate with CA
openssl x509 -req -in new_client.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out new_client.pem -days 3650 -extensions v3_req -extfile client_cert.conf
This creates the client certificate (new_client.pem) valid for 10 years (3650 days), signed by the CA certificate.
Installing the Certificates
7. Copy Certificates to Expected Locations
cp new_server.pem servercert.pem && \
cp new_server.key prvtkey.pem && \
cp new_client.pem client_cert.pem && \
cp new_client.key client_key.pem
This copies the newly generated certificates and keys to the filenames expected by the example application.
File Naming Convention
The example application expects the following files:
- servercert.pem - Server certificate
- prvtkey.pem - Server private key
- client_cert.pem - Client certificate
- client_key.pem - Client private key
- cacert.pem - CA certificate (for verification)
Security Notes
⚠️ Important Security Considerations:
- The private keys (prvtkey.pem, client_key.pem, cakey.pem) should be kept secure. As these are for demonstration purposes, they are included here, but in a production environment, ensure they are stored securely and access is restricted.
- The certificates in this example directory are for demonstration purposes only
- For production use, generate new certificates with appropriate security parameters
- Consider using shorter validity periods for production certificates
- Store private keys with restricted file permissions (e.g., chmod 600)
Verifying Generated Certificates
You can verify the generated certificates using:
# Verify server certificate
openssl x509 -in servercert.pem -text -noout
# Verify client certificate
openssl x509 -in client_cert.pem -text -noout
# Verify certificate chain
openssl verify -CAfile cacert.pem servercert.pem
openssl verify -CAfile cacert.pem client_cert.pem
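The script below is an added example (not part of this guide or the example project): it runs the server-certificate steps 1 to 3 end to end and then applies the chain check from this section plus two extra checks a practitioner usually wants (SAN present, key matches certificate). It assumes openssl is on PATH; the CA and server_cert.conf are constructed inline because the guide assumes they already exist.

```shell
#!/bin/sh
# Added example (not part of the original guide): runs the server-certificate steps above
# end to end, then applies the checks from the verification section. Assumes openssl is
# on PATH. The CA and server_cert.conf are constructed here, since the guide assumes they exist.

# Usage: make_and_verify_server_cert <workdir>. Returns 0 only if every step and check passes.
make_and_verify_server_cert() (
    cd "$1" || exit 1
    # Constructed stand-in for server_cert.conf: v3_req carries the SAN the guide calls for,
    # and v3_ca is used only to build the throwaway CA below.
    cat > server_cert.conf <<'EOF' &&
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = localhost
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Constructed stand-in for the existing cacert.pem / cakey.pem
    openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem -days 3650 \
        -subj "/CN=Example Test CA" -config server_cert.conf -extensions v3_ca 2>/dev/null &&
    # Steps 1-3 of the guide
    openssl genpkey -algorithm RSA -out new_server.key -pkeyopt rsa_keygen_bits:2048 2>/dev/null &&
    openssl req -new -key new_server.key -out new_server.csr -config server_cert.conf &&
    openssl x509 -req -in new_server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -out new_server.pem -days 3650 -extensions v3_req -extfile server_cert.conf 2>/dev/null &&
    # Check 1: the certificate chains to the CA
    openssl verify -CAfile cacert.pem new_server.pem >/dev/null &&
    # Check 2: the SAN from v3_req really landed in the signed certificate
    openssl x509 -in new_server.pem -noout -text | grep -q 'DNS:localhost' &&
    # Check 3: the certificate's public key matches the private key (catches mixed-up files)
    [ "$(openssl x509 -in new_server.pem -noout -pubkey)" = \
      "$(openssl pkey -in new_server.key -pubout 2>/dev/null)" ]
)

make_and_verify_server_cert "$(mktemp -d)" && echo "server certificate generated and verified"
```

The same function works for the client certificate by swapping in client_cert.conf with extendedKeyUsage = clientAuth and the client file names.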
Troubleshooting
- If certificate verification fails, ensure the CA certificate and key are valid and match
- Check that the configuration files (server_cert.conf, client_cert.conf) contain appropriate Subject Alternative Names (SANs) and extensions
- Ensure OpenSSL version is up to date for best compatibility