SSL certificates play a key role in keeping websites secure. X.509 is an ITU standard that defines the format of public-key certificates, which are used in TLS/SSL and form the foundation of HTTPS. An X.509 certificate binds an identity to a public key by means of a digital signature. Such a certificate contains identity information (hostname, organization, etc.) and a public key (RSA, DSA, ECDSA, ed25519, and others). A certificate can be signed by a Certificate Authority or be self-signed.
Self-Signed Certificates
Creating a CA
- Generate an RSA key:
openssl genrsa -aes256 -out ca-key.pem 4096
- Generate the CA’s public certificate:
openssl req -new -x509 -sha256 -days 365 -key ca-key.pem -out ca.pem
Optional Step: Inspecting the Certificate’s Contents
To check the information contained in the certificate, you can use the following commands:
openssl x509 -in ca.pem -text
openssl x509 -in ca.pem -purpose -noout -text
Generating a Certificate
- Create an RSA key:
openssl genrsa -out cert-key.pem 4096
- Create a Certificate Signing Request (CSR):
openssl req -new -sha256 -subj "/CN=yourcn" -key cert-key.pem -out cert.csr
- Create an extfile with all the subject alternative names:
echo "subjectAltName=DNS:your-dns.record,IP:257.10.10.1" >> extfile.cnf
# optional
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
- Create the certificate:
openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial
Certificate Formats
X.509 certificates come in two families of encodings: the Base64-encoded (text) formats PEM (.pem, .crt, .ca-bundle) and PKCS#7 (.p7b, .p7s), and the binary formats DER (.der, .cer) and PKCS#12 (.pfx, .p12).
Converting Certificates
| COMMAND | CONVERSION |
|---|---|
| openssl x509 -outform der -in cert.pem -out cert.der | PEM to DER |
| openssl x509 -inform der -in cert.der -out cert.pem | DER to PEM |
| openssl pkcs12 -in cert.pfx -out cert.pem -nodes | PFX to PEM |
Verifying Certificates
You can verify a certificate’s validity with the following command:
openssl verify -CAfile ca.pem -verbose cert.pem
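The CA and leaf-certificate steps above, followed by the verification check, as one added shell script (not code from the original page). It assumes `openssl` is on PATH, uses constructed names (example.test, 192.0.2.10), and goes beyond the plain `openssl verify` above by also checking that the hostname and IP match the certificate's SAN, which is what a TLS client actually tests.

```shell
#!/bin/sh
# Added example (not from the original page): the CA + leaf-certificate
# procedure as one script, followed by the "openssl verify" check.
# Keys are left unencrypted (no -aes256) so it runs non-interactively; the
# page's CA key is passphrase-protected. Hostname and IP are constructed samples.
set -eu

# make_certs DIR HOSTNAME IP: create ca.pem, cert.pem (with SAN) and keys in DIR
make_certs() {
  dir=$1; host=$2; ip=$3
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (2048-bit here for speed; page uses 4096)
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 -subj "/CN=Example Test CA" \
    -key "$dir/ca-key.pem" -out "$dir/ca.pem"
  # leaf key and CSR; modern clients ignore CN, so the name goes in the SAN extfile
  openssl genrsa -out "$dir/cert-key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -subj "/CN=$host" -key "$dir/cert-key.pem" \
    -out "$dir/cert.csr"
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" "$ip" > "$dir/extfile.cnf"
  # sign the CSR with the CA, applying the SAN/EKU extensions from the extfile
  openssl x509 -req -sha256 -days 365 -in "$dir/cert.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/extfile.cnf" \
    -out "$dir/cert.pem" 2>/dev/null
}

# verify_cert DIR NAME: succeeds only if cert.pem chains to ca.pem AND its SAN
# contains NAME (the chain test alone does not check the name)
verify_cert() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/cert.pem" \
    >/dev/null 2>&1
}

# verify_ip DIR IP: same check, matching the SAN's IP entry instead
verify_ip() {
  openssl verify -CAfile "$1/ca.pem" -verify_ip "$2" "$1/cert.pem" >/dev/null 2>&1
}
```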
Installing the CA Certificate as a Trusted Root CA
On Debian and Its Derivatives
- Move the CA certificate (ca.pem) to /usr/local/share/ca-certificates/ca.crt. The .crt extension matters: update-ca-certificates only picks up files ending in .crt.
- Update the certificate store:
sudo update-ca-certificates
See the documentation here and here.
On Fedora
- Move the CA certificate (ca.pem) to /etc/pki/ca-trust/source/anchors/ca.pem or /usr/share/pki/ca-trust-source/anchors/ca.pem.
- Run the command (with sudo if necessary):
update-ca-trust
See the documentation here.
On Arch
System level – Arch (p11-kit)
- Run (as root):
trust anchor --store myCA.crt
- The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit, and the “legacy” directories will be updated automatically.
- If you get a “no configured writable location” error or similar, import the certificate manually:
  - Copy the certificate into the /etc/ca-certificates/trust-source/anchors directory.
  - Then run:
update-ca-trust
The wiki page is here.
On Windows
Assume the path to your generated CA certificate is C:\ca.pem. Run:
Import-Certificate -FilePath "C:\ca.pem" -CertStoreLocation Cert:\LocalMachine\Root
- Set -CertStoreLocation to Cert:\CurrentUser\Root if you want to trust certificates only for the current user.
OR
At the command line, run:
certutil.exe -addstore root C:\ca.pem
certutil.exe is a built-in tool (the classic one from System32) that adds a trusted certificate system-wide.
To bundle the CA certificate and its private key (ca-key.pem, generated above) into a single PKCS#12 file, run:
openssl pkcs12 -export -out rds_cert.pfx -inkey ca-key.pem -in ca.pem
This process converts your certificate to the PKCS#12 (PFX) format, which can be used for various purposes.
On Android
The exact steps may vary depending on the device, but here is a generalized guide:
- Open your phone’s settings.
- Find the Encryption & credentials section. It’s usually located under Settings > Security > Encryption & credentials.
- Select Install a certificate.
- Select CA certificate.
- Find the ca.pem certificate file on your SD card / internal storage using a file manager.
- Select it to load.
- Done!