1. Introduction
A certificate is a file that contains the public key of an organization/entity and some identifying information like its name, address, and email. We use certificates to secure communications between clients and servers.
The public key of a certificate is used to encrypt the information on the client side, while the private key is used to decrypt it on the server side.
In this tutorial, we’ll see how to generate and install certificates.
2. Generating a Certificate
Let’s first see how we can get a digital certificate.
2.1. Certificate Authority (CA)
A CA is an entity that issues digital certificates. To obtain a certificate from them, we need to send a Certificate Signing Request (CSR). A CSR is a file that contains our public key, information about the organization, and the type of cryptographic key to be used. This data is later used to generate our certificate.
Additionally, we need to send accompanying documents that prove our entity is who it claims to be. It’s only when the CA is satisfied with the identifying information that it can then issue us a certificate.
There are a number of CAs that we can choose from, e.g., GoDaddy, DigiCert, and Verisign. The choice to use can be based on personal reasons, such as recommendations from friends or our budget.
2.2. Self-signed Certificate
We can also generate a certificate directly from our computer without sending it to a third party.
First, let’s generate a CSR. To create one, we first need to generate a private key. There are many platforms we can choose from, such as Java’s keytool or OpenSSL. For our demonstration, we shall use the popular OpenSSL tool.
$ openssl genrsa -out server.key 2048If we wish to add a passphrase to the key, we use the -des3 option. A passphrase will add an extra layer of security to how our key is accessed. Consequently, it will require manual intervention when being used to start up a service.
With our private key (stored in the server.key file), we can now generate our CSR. To do so, let’s now run the command below:
$ openssl req -new -key server.key -out server.csrRunning the above command will present us with an interactive terminal requesting information about our organization:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:After we have filled in the required fields, we will get the server.csr file. We can then send this CSR file to our CA in order to issue us a certificate. However, since we want to sign our certificate, we’ll run the command below to generate a self-signed certificate (server.crt):
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtIt’s important to note that using Certificate Authorities is more secure than independently signing one. A number of organizations, such as Visa, do not accept self-signed certificates.
Additionally, most browsers will issue a security warning when they notice a self-signed certificate. Therefore, it’s advisable that we only use self-signed certificates for testing purposes.
3. Installing a Certificate
Certificates are normally installed in the /etc/ssl/certs directory. To install our server.crt certificate, we’ll simply copy it to this directory:
$ cp server.crt /etc/ssl/certsWe can now go and configure our particular application to use this certificate. The application should simply ask us to point it to where we stored the certificate.
4. Conclusion
Certificates are a way to verify digital identity. They provide security for SSL/TLS connections on the Internet. In this article, we have seen how to generate and install them on our Linux computer.