PSCS Wiki

User Tools

Site Tools

Trace:
how_to:create_an_ssl_certificate

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
how_to:create_an_ssl_certificate [2026/03/23 10:09] – [Generating a self-signed certificate using OpenSSL] paulhow_to:create_an_ssl_certificate [2026/03/23 10:18] (current) – [Using OpenSSL] paul
Line 12: Line 12:
 Once you have generated the CSR you need to send it to a Certificate Authority. This is typically someone like GeoTrust, Sectigo etc. They will charge you (typically somewhere betwee £50 to £400 per year) to sign the certificate, and you will need to prove your identity to the CA by some means. The level of this proof usually depends on the type of certificate. Some will just need you to prove you own that domain (eg by acknowledging that you receive an email to the domain), others will need you to send in copies of documentation. Once you have generated the CSR you need to send it to a Certificate Authority. This is typically someone like GeoTrust, Sectigo etc. They will charge you (typically somewhere betwee £50 to £400 per year) to sign the certificate, and you will need to prove your identity to the CA by some means. The level of this proof usually depends on the type of certificate. Some will just need you to prove you own that domain (eg by acknowledging that you receive an email to the domain), others will need you to send in copies of documentation.
  
-You can also set up as your own CA. The Windows Server Certificate Server can do this for you, or you can use OpenSSL - see below. This is free, but when you access a service using a certificate signed by your own CA, the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £400 Sectigo certificate, but the warning may not be desirable, and the server's identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.+You can also generate self-signed certificates. The Windows Server Certificate Server can do this for you, or you can use OpenSSL - see below. This is free, but when you access a service using a self-signed certificate , the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £400 Sectigo certificate, but the warning may not be desirable, and the server's identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.
  
 Note that the 'Private Key' file MUST NOT require a password to access it. Note that the 'Private Key' file MUST NOT require a password to access it.
Line 44: Line 44:
 If you are using Linux, then OpenSSL is usually installed as standard If you are using Linux, then OpenSSL is usually installed as standard
  
-OpenSSL has to be used from a command prompt. The following sections give examples of how to perform common tasks using OpenSSL+OpenSSL has to be used from a command prompt. The following sections give examples of how to perform some common tasks using OpenSSL
  
 ====Generating a CSR using OpenSSL==== ====Generating a CSR using OpenSSL====
  
-Run+See the 'Using OpenSSL' section above for instructions on installation and usage 
-  openssl req -newkey rsa:2048 -nodes -keyout pkey.pem -out csr.csr+ 
 +Then run
 +  openssl req -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem
  
   - This will first display some 'garbage', which is the cryptographically secure random number generator operating   - This will first display some 'garbage', which is the cryptographically secure random number generator operating
Line 63: Line 65:
  
 This will generate two files:  This will generate two files: 
-  * pkey.pem. This is the private key. Keep this file very safe. If that gets lost, then you will need to regenerate the CSR, and send the new one to the Certificate Authority. Do not give pkey.pem to anyone you do not trust, as it will allow them to spoof your server certificate. Note that the Certificate Authority do NOT need access to the private key. +  * key.pem. This is the private key. Keep this file very safe. If that gets lost, then you will need to regenerate the CSR, and send the new one to the Certificate Authority. Do not give key.pem to anyone you do not trust, as it will allow them to spoof your server certificate. Note that the Certificate Authority do NOT need access to the private key. 
-  * csr.csr. This is the certificate request. You will need to send this to the Certificate Authority for them to generate the certificate for you. It is a text file, so you will be able to open it in something like Notepad and copy/paste the contents if necessary+  * csr.pem. This is the certificate request. You will need to send this to the Certificate Authority for them to generate the certificate for you. It is a text file, so you will be able to open it in something like Notepad and copy/paste the contents if necessary
  
 ====Generating a self-signed certificate using OpenSSL==== ====Generating a self-signed certificate using OpenSSL====
  
-openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -sha256 -days 365+See the 'Using OpenSSL' section above for instructions on installation and usage 
 + 
 +Then, run: 
 + 
 +  openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -sha256 -days 365
  
 This will generate a private key and self-signed certificate with an expiry of 365 days This will generate a private key and self-signed certificate with an expiry of 365 days
how_to/create_an_ssl_certificate.1774260543.txt.gz · Last modified: by paul

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki