Setting up OpenSSL to generate X509 certificates

Document created by slaya03 Employee on Apr 14, 2017
Version 1Show Document
  • View in full screen mode

Setting up OpenSSL to generate X509 certificates:

When a public key infrastructure certificate is generated, it is generated in two parts, a key pair, the .cer or .pem file containing the public key and the .key file containing the private key.
The .p12 files contain both the public and private keys and are the type of client certificate file required for use as a personal cert in a browser.

Certificate files ending in .cer and .pem are public certificates. They contain only the public key of a key pair.
Certificate files ending in .p12 are certificates that contain the full key pair, both the public key and the private key.
And .key files contain just the private key.
The private key is used to sign data and to decrypt data that was encrypted using the matching public key. The public key is used to encrypt data, and to verify data signed by the matching private key.

This approach to generate x509 certificates using OpenSSL require 3 subdirecties: private, requests, and certs.

private contains your CA files.

requests is where you place your request files (.reqInfo and .req or .cnf) for creating personal or server certs.

certs is where new certs are placed.

Creating your own certificate authority using OpenSSL simply means creating your own set of four files in the private directory: cas.pem, ca.key,, and yourFriendlyUniqueCAname.cer

The yourFriendlyUniqueCAname.cer is created by making a copy of cas.pem and renaming it. .pem and .cer files serve the same purpose.

You must create your CA files before you can create personal or server certs.

Information reqarding creating your Certificate Authority (CA)
ca.key is the CA cert private key created from the pass phrase you provide.

cas.pem and yourFriendlyUniqueCAname.cer are the Root Cert for your OpenSSL CA. is the file that keeps track of the latest serial number available for new certs.

Create the file with the command: echo 01 >

Writing 01 into the file is required, not just 1, because openssl is expecting a hex number.

A .pem file is the same thing as a .cer file.

After creating your certificate authority Root Certificate in .pem format, simply copy the .pem file with a new name ending with the extension .cer.

Use the Certificate Authority .cer root CA file you just created to import into browsers and web sites in order to establish trust for the personal and server certs you create.

The following command is used to create the CA:
$ openssl req -new -x509 -days 1095 -keyout ./private/ca.key -out ./private/cas.pem


$ openssl req -new -x509 -days 1095 -keyout ./private/ca.key -out ./private/cas.pem

Generating a 1024 bit RSA private key
writing new private key to 'ca.key'
Enter PEM pass phrase: firewall
Verifying - Enter PEM pass phrase: firewall
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:FA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA
Organizational Unit Name (eg, section) []:GD
Common Name (eg, YOUR name) []:nowhere
Email Address []

$ ls
ca.key cas.pem

Information reqarding creating a personal certificate
When creating a simple person certificate, you must copy the file PersonalCertTemplate.reqInfo into the requests directory and rename it with the name of the user you are creating a personal cert for.

For more complicated certs use a .cnf file as input.

Creating a p12 cert is a three step process:

1) Copy the PersonalCertTemplate.reqInfo file into the request directory, renaming it username.reqInfo as you copy it.
2) Run "createpersonalcert username" to create the username.cer file.
3) Run "createp12 username" to create the username.p12 file from the username.cer file.

If you only need a .cer file, stop at step two :-)

openssl genrsa -out ./certs/%1.key 1024
openssl req -key ./certs/%1.key -new -utf8 -out ./requests/%1.req -config ./requests/%1.cnf
openssl x509 -req -in ./requests/%1.req -CA ./private/cas.pem -passin pass:%2 -CAkey ./private/ca.key -CAserial ./private/ -out ./certs/%1.cer -days 1095 -extfile ./requests/%1.cnf -extensions v3_req

openssl pkcs12 -export -chain -CAfile ./private/cas.pem -out ./certs/%1.p12 -inkey ./certs/%1.key -in ./certs/%1.cer -name %1 -password pass:%2