
#1 2017-11-19 17:18:04

loadlover
Member
Registered: 2017-05-10
Posts: 103

Simplest way to generate self-signed SSL key pair?

Hello for today,

I've been familiarizing myself with SSL key pairs (for Postfix, but that doesn't matter). After reading around in the ArchWiki and elsewhere, I came to the conclusion that, having installed OpenSSL, a rather long way of generating a self-signed certificate is something like:

(umask 077; openssl req -new -nodes -newkey rsa:4096 -keyout /etc/postfix/burnkey.pem -noout -pubkey -out /etc/postfix/burnpub.pem)
(umask 077; openssl req -new -key /etc/postfix/burnkey.pem -out /etc/postfix/burncsr.pem)
(umask 077; openssl x509 -req -in /etc/postfix/burncsr.pem -signkey /etc/postfix/burnkey.pem -days 365 -out /etc/postfix/burncrt.pem)

The result is two key pair options:
1. The private key (/etc/postfix/burnkey.pem) and an unsigned public key (/etc/postfix/burnpub.pem).
2. The private key (/etc/postfix/burnkey.pem) and a self-signed public certificate (/etc/postfix/burncrt.pem).

A shortcut, albeit with less control over signing, is something like:

(umask 077; openssl req -x509 -nodes -newkey rsa:4096 -keyout /etc/postfix/burnkey.pem -days 365 -out /etc/postfix/burncrt.pem)

The result is one key pair:
The private key (/etc/postfix/burnkey.pem) and a self-signed public certificate (/etc/postfix/burncrt.pem).

Here's a kinda compromise between the two:

(umask 077; openssl genrsa -out /etc/postfix/burnkey.pem 4096)
(umask 077; openssl req -x509 -new -key /etc/postfix/burnkey.pem -days 365 -out /etc/postfix/burncrt.pem)

The result is one key pair:
The private key (/etc/postfix/burnkey.pem) and a self-signed public certificate (/etc/postfix/burncrt.pem).

To generate a CA-signed key pair using Let's Encrypt as a CA, I'm using:

pacman -S --noconfirm certbot ufw
systemctl enable --now ufw
ufw allow 80
certbot certonly --standalone --preferred-challenges http -d mydomainname

The result is one key pair:
The private key (/etc/letsencrypt/live/mydomainname/privkey.pem) and a CA-signed public certificate (/etc/letsencrypt/live/mydomainname/fullchain.pem).

I have to say I like this because it's FREE! :) Other free CA options are http://www.cacert.org/ and https://www.startcomca.com/.

I would greatly appreciate some pointers on how I could better these methods.

Thanks,

- Loady

EDIT: I made very slight changes to better reflect the fact that private keys have no expiration date in OpenSSL. At least, this is the 'simple' answer.

Last edited by loadlover (2017-11-30 20:52:03)

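An added example to go with the shortcut above (this is not loadlover's script and not from the ArchWiki; it assumes openssl 1.1.1 or newer on PATH and uses rsa:2048 rather than 4096 only to keep the run short). It does the one-command generation with a subjectAltName, which modern TLS clients require because they no longer match on CN alone, and then checks the three things the thread's one-liners leave unverified: that the key and certificate belong together, that the certificate really is self-signed and currently valid, and that umask 077 actually left the private key at mode 600. The hostname and directory are constructed inputs.

```sh
#!/bin/sh
# Added example: self-signed certificate with a SAN, plus post-generation checks.
# Assumes openssl >= 1.1.1 (for -addext). Not the thread's or the wiki's code.
set -eu

# make_self_signed DIR HOST DAYS: writes DIR/key.pem and DIR/cert.pem in one
# step, like the thread's shortcut, but with a SAN entry for HOST.
make_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    (umask 077; openssl req -x509 -nodes -newkey rsa:2048 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null)
}

# key_matches_cert KEYFILE CERTFILE: compare the SHA-256 of the DER public
# key derived from the private key with the one embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# is_self_signed CERTFILE: issuer equals subject, and the signature verifies
# when the certificate itself is the only trust anchor.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ] \
        && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_has_san CERTFILE HOST: the SAN list must name HOST.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# cert_is_valid_now CERTFILE: exit 0 unless the notAfter date has passed.
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# key_mode KEYFILE: octal permission bits (GNU stat, with a BSD fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run: generate into a temp dir and report the checks.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_self_signed "$d" mail.example.test 365
    key_matches_cert "$d/key.pem" "$d/cert.pem" && echo "key matches cert"
    is_self_signed "$d/cert.pem" && echo "cert is self-signed"
    cert_has_san "$d/cert.pem" mail.example.test && echo "SAN present"
    cert_is_valid_now "$d/cert.pem" && echo "cert not expired"
    echo "key mode: $(key_mode "$d/key.pem")"
    rm -rf "$d"
fi
```

Run it as `sh script.sh run`. The cert file is also created at mode 600 because it is written inside the same umask subshell; Postfix only needs to read it as root, so that is harmless, but it can be loosened to 644 afterwards if another service needs it.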

#2 2017-11-29 18:46:16

loadlover
Member
Registered: 2017-05-10
Posts: 103

Re: Simplest way to generate self-signed SSL key pair?

Just to follow up my own post with a further question:

Does Let's Encrypt's method somehow tuck their (CA) public certificate inside fullchain.pem? Or does their software take care of this in another way? Or have they simply put it in /etc/ssl/certs?

In really plain speak: how do they ensure you have their public key data?

- Loady

Last edited by loadlover (2017-11-30 20:59:19)


#3 2017-11-29 21:17:13

jsoy9pQbYVNu5nfU
Member
Registered: 2013-04-19
Posts: 108

Re: Simplest way to generate self-signed SSL key pair?

I recommend aur/xca.

It's a pragmatic GUI to the openssl binary's x509-relevant commands. It also lets you manage your own CA and public/private key pairs in a simple enough way and assists in selecting certificate properties. The great advantage you get by using xca instead of just openssl commands is that you gain some insight into what's actually available in terms of functionality. You can always automate by scripting openssl later.


#4 2017-12-01 15:10:54

loadlover
Member
Registered: 2017-05-10
Posts: 103

Re: Simplest way to generate self-signed SSL key pair?

This from the ArchWiki (https://wiki.archlinux.org/index.php/OpenSSL):

Certificate authorities return certificates from end-user requests. In order to do this, the returned end-user certificate is signed with the CA private key and CA certificate, which in turn contains the CA public key.

Just to be absolutely clear - does the returned end-user certificate ACTUALLY CONTAIN the CA public key? I.e. so that you do NOT need to have the CA certificate anywhere on your system?

Thanks :)

- Loady


#5 2017-12-03 23:23:27

jsoy9pQbYVNu5nfU
Member
Registered: 2013-04-19
Posts: 108

Re: Simplest way to generate self-signed SSL key pair?

loadlover wrote:

This from the ArchWiki (https://wiki.archlinux.org/index.php/OpenSSL):

Certificate authorities return certificates from end-user requests. In order to do this, the returned end-user certificate is signed with the CA private key and CA certificate, which in turn contains the CA public key.

Just to be absolutely clear - does the returned end-user certificate ACTUALLY CONTAIN the CA public key? I.e. so that you do NOT need to have the CA certificate anywhere on your system?

Thanks :)

- Loady

Not necessarily, and not a 'key', a certificate.

The CA returns to you the signed certificate, in a common container format, usually PEM. Usually, the CA returns only the signed certificate, and for use e.g. in a web browser, you might have to add intermediate certificates that lead to a commonly trusted root. With PEM files, that's very simple, you can just concatenate the certs `cat $certificate.pem intermediate.pem > chained.pem`. If you need to chain in your private key too e.g. for use with HAProxy or whatever, you likewise just append it.

See here for a quick-and-dirty overview of certificate container formats.

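An added example that makes the answer above concrete (it is not jsoy9pQbYVNu5nfU's code and not part of the thread; it assumes openssl 1.1.1 or newer on PATH, and the CA name, hostname and directory are constructed). It builds a throwaway CA, issues a server certificate from a CSR, and concatenates leaf and CA into a fullchain.pem exactly as described. The checks then show the point in question: the leaf's issuer field names the CA, but the leaf does not carry the CA certificate, so `openssl verify` only succeeds when the CA certificate is supplied as a trust anchor and fails when it is not. In this toy setup fullchain.pem holds leaf plus root because there is no intermediate; with Let's Encrypt, fullchain.pem holds the leaf plus the intermediate, and the root that anchors it comes from the system trust store (/etc/ssl/certs on Arch), which is how clients end up "having their public key data".

```sh
#!/bin/sh
# Added example: toy CA, CA-signed leaf, chain file, and what verification needs.
# Assumes openssl >= 1.1.1. Not the thread's code.
set -eu

# make_ca DIR NAME: self-signed root with the CA bit set. A private config
# file is used so the result does not depend on the distro's openssl.cnf.
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = $name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null)
}

# issue_server_cert DIR HOST DAYS: key + CSR for HOST, signed by the CA, then
# fullchain.pem built by plain concatenation (leaf first, then the CA cert).
issue_server_cert() {
    dir=$1; host=$2; days=$3
    (umask 077; openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null)
    # End-entity extensions: a leaf must not be a CA and needs a SAN.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days "$days" -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
    cat "$dir/server.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
}

# count_certs FILE: number of PEM certificate blocks in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# x509 reads only the first PEM block, so on fullchain.pem these describe the leaf.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# verify_with_ca CERT CAFILE: verification with the trust anchor supplied.
verify_with_ca() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_without_ca CERT: the same leaf with no trust anchor at all; this
# fails with "unable to get local issuer certificate" because the leaf
# carries the CA's signature, not the CA's certificate.
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Stand-alone run.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_ca "$d" "Example Test CA"
    issue_server_cert "$d" mail.example.test 90
    echo "certs in fullchain.pem: $(count_certs "$d/fullchain.pem")"
    echo "leaf issuer:  $(issuer_of "$d/server.pem")"
    echo "CA subject:   $(subject_of "$d/ca.pem")"
    verify_with_ca "$d/server.pem" "$d/ca.pem" && echo "verify with CA file: OK"
    verify_without_ca "$d/server.pem" || echo "verify without CA file: fails, as expected"
    rm -rf "$d"
fi
```

Run it as `sh script.sh run`. The `-no-CAfile -no-CApath` flags keep the system trust store out of the picture so the result depends only on what is passed in; without them the "without CA" case still fails for this throwaway CA, but it would not for a certificate issued by a CA that the system already trusts, which is exactly the Let's Encrypt situation.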
