X.509 defines the format for public-key certificates.
openssl with local CA
In this section, I will use openssl to generate a CA cert and key, and then use that CA to sign the cert.
# Generate private key
openssl genrsa -out server.key 2048
# Generate csr
openssl req -new -key server.key -out server.csr
# Create CA
openssl req -x509 \
-sha256 -days 356 \
-nodes \
-newkey rsa:2048 \
-subj "/CN=demo.com/C=US/L=San Fransisco" \
-keyout rootCA.key -out rootCA.crt
# Sign cert with CA
openssl x509 -req \
-in server.csr \
-CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out server.crt \
-days 365 \
-sha256
The issuer is clearly the CA, but the subject is different (it’s the default):
$ openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = demo.com, C = US, L = San Fransisco
Validity
Not Before: Apr 9 20:32:08 2023 GMT
Not After : Apr 8 20:32:08 2024 GMT
Subject: C = IR, ST = CORK, L = CORK, O = FOO, OU = BAR
openssl self-signed cert
openssl can be used to generate a private key and a self-signed certificate.
# Generate private key and cert in one go
openssl req -x509 \
-newkey rsa:4096 \
-keyout key.pem \
-out cert.pem \
-sha256 \
-days 365
In this case the subject and the issuer are the same (the default if nothing is set):
$ openssl x509 -in cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Validity
Not Before: Apr 9 13:24:50 2023 GMT
Not After : Apr 8 13:24:50 2024 GMT
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Checks
Checking the private key
$ openssl rsa -in key.pem -check
Calculate the MD5 of the modulus of the cert and of the private key; the two digests should match
$ openssl x509 -noout -modulus -in cert.pem| openssl md5
$ openssl rsa -noout -modulus -in key.pem| openssl md5
Enter pass phrase for key.pem:
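The CA-signed certificate printed earlier is Version 1, so it carries no extensions such as subjectAltName, and the modulus check above only applies to RSA keys. As an added example (not from the original post; the subjects, DNS name and file names are constructed), this script repeats the local-CA flow non-interactively with an extension file, then checks the version, the chain against rootCA.crt, and that key and certificate share a public key, using SHA-256 instead of MD5.

```shell
#!/bin/sh
# Added example: CA-signed leaf with X.509 v3 extensions, plus checks.
# Subjects, the DNS name and file names are constructed for illustration.
set -eu

make_ca() {                      # $1 = working directory
  openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -subj "/CN=Demo Root CA" \
    -keyout "$1/rootCA.key" -out "$1/rootCA.crt" 2>/dev/null
}

issue_server_cert() {            # $1 = working directory, $2 = DNS name
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
  # Extensions are supplied at signing time; without -extfile the page's
  # command produced a Version 1 certificate with none.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/server.ext"
  openssl x509 -req -in "$1/server.csr" \
    -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" -CAcreateserial \
    -extfile "$1/server.ext" -out "$1/server.crt" -days 365 -sha256 2>/dev/null
}

cert_version() {                 # prints 1 or 3
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

cert_sans() {                    # prints DNS:<name> entries, one per line
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*'
}

chain_ok() {                     # $1 = CA cert, $2 = leaf cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {             # $1 = cert, $2 = private key (any key type)
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

work=$(mktemp -d)
make_ca "$work"
issue_server_cert "$work" demo.example
echo "version: $(cert_version "$work/server.crt"), SAN: $(cert_sans "$work/server.crt")"
chain_ok "$work/rootCA.crt" "$work/server.crt" && echo "chain verifies"
key_matches_cert "$work/server.crt" "$work/server.key" && echo "key matches cert"
rm -rf "$work"
```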