As developers we often need certificates that can be attached to web servers, application servers or processes (Java, Node.js, Python etc.) so that our applications can communicate over TLS. Self-signed certificates are the easiest way to generate our own certificates without relying on a public, trusted CA (certificate authority). In this article we will go through how to generate public key certificates with and without a SAN, and how to inspect a public key or X.509 certificate.
Pre-requisite
openssl, mostly available by default in Linux installations. If not, please install it using your OS package manager.
Generate a self-signed certificate:
To generate a self-signed certificate, use the command below. It will prompt you for several values; either press Enter to accept the defaults or provide values of your choice. The only value that really matters when establishing TLS communication with most applications is the Common Name (CN). If a SAN (Subject Alternative Name) matching the domain is not present in the certificate (later we will see how to add a SAN to a cert), most tools will fall back to matching the domain against the CN and will fail if they don't match. So if you don't want to add a SAN but want to rely on a hostname in the CN, use the command below:
openssl req -x509 -nodes -newkey rsa:4096 -keyout api-server-key.pem -out api-server-cert.pem -sha256 -days 365
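The script below is an added example, not part of the original article: it runs the same kind of openssl req -x509 command non-interactively, once with a CN only and once with a subjectAltName supplied through a small req config file, then inspects both certificates and checks hostname matching with openssl verify, which is what a TLS client does. The hostname api.internal.example, the file names and the minimal config file are constructed for the example, and it uses rsa:2048 instead of the article's rsa:4096 so the two key generations finish quickly.

```shell
#!/bin/sh
# Added example (not from the original article). Generates a CN-only and a
# SAN-bearing self-signed certificate, inspects them, and checks hostname
# matching. Hostname, paths and config below are constructed placeholders.
set -eu

WORKDIR="$(mktemp -d)"
HOST="api.internal.example"   # constructed hostname for the example

# Write a minimal req config. $1 = output path, $2 = subjectAltName value or
# empty. Using our own config instead of the system openssl.cnf keeps the
# result identical across OpenSSL versions and avoids interactive prompts.
write_cnf() {
  {
    echo "[req]"
    echo "distinguished_name = dn"
    echo "prompt = no"
    echo "x509_extensions = ext"
    echo "[dn]"
    echo "CN = ${HOST}"
    echo "[ext]"
    if [ -n "$2" ]; then echo "subjectAltName = $2"; fi
  } > "$1"
}

# Same shape as the article's command (req -x509 -nodes -newkey -sha256 -days),
# driven by a config file. $1 = config, $2 = key output, $3 = cert output.
gen_cert() {
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Show the fields worth checking before handing a certificate to a server.
inspect() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    || echo "  (no SAN extension present)"
}

# Number of DNS names in the SAN extension; 0 for a CN-only certificate.
san_dns_count() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# Hostname check as a client performs it: trust the self-signed cert as its
# own anchor and ask whether it is valid for the given name. Prints OK/FAIL.
# Without a SAN, OpenSSL falls back to comparing the name against the CN.
host_ok() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# CN-only certificate (what the article's command produces).
write_cnf "$WORKDIR/cn.cnf" ""
gen_cert "$WORKDIR/cn.cnf" "$WORKDIR/cn-key.pem" "$WORKDIR/cn-cert.pem"

# Certificate carrying a SAN with two DNS names and one IP address.
write_cnf "$WORKDIR/san.cnf" "DNS:${HOST}, DNS:localhost, IP:127.0.0.1"
gen_cert "$WORKDIR/san.cnf" "$WORKDIR/san-key.pem" "$WORKDIR/san-cert.pem"

inspect "$WORKDIR/cn-cert.pem"
inspect "$WORKDIR/san-cert.pem"
echo "CN-only cert, name ${HOST}:      $(host_ok "$WORKDIR/cn-cert.pem" "$HOST")"
echo "SAN cert, name localhost:        $(host_ok "$WORKDIR/san-cert.pem" localhost)"
echo "SAN cert, name other.example:    $(host_ok "$WORKDIR/san-cert.pem" other.example)"
```

The CN-only certificate passes the check for the exact CN because OpenSSL falls back to the CN when no DNS SAN exists; the SAN certificate passes for every listed name and fails for any other, which is the behaviour to expect from browsers and most modern TLS libraries.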