
How to Generate TLS certificate with OpenSSL

Latest reply: May 31, 2018 13:01:58

Hello, dear!

Have a nice day!

The topic describes how to generate a TLS certificate with OpenSSL.


Prepare

Download and install the OpenSSL tool

  1. Download the OpenSSL Windows build from the official website: http://slproweb.com/products/Win32OpenSSL.html

  2. Download the OpenSSL dependency, the Visual C++ 2008 Redistributables, from the same page: http://slproweb.com/products/Win32OpenSSL.html

  3. Run vcredist_x86.exe to install the Visual C++ 2008 Redistributables.

  4. Run Win32OpenSSL-1_0_1L.exe to install OpenSSL. In this guide, we install it at D:\OpenSSL-Win32.


Relevant files to prepare

  1. Create a new folder myCA at D:\OpenSSL-Win32\bin to hold the newly generated certificates.

  2. Create the following files and folders at D:\OpenSSL-Win32\bin\myCA (use these lower-case names; the openssl.cfg settings refer to them):

    newcerts: folder; the ca command stores a copy of each newly signed certificate here

    certs: folder; the CA certificate and the signed device certificates are written here by the commands in the next section

    private: folder; holds the private key of the CA certificate (restrict access to it)

    crl: folder; holds certificate revocation lists (revoked certificates)

    index.txt: empty text file; the certificate database that OpenSSL fills in automatically for each generated certificate

    serial: text file; initial content can be: 00

    crlnumber: text file; initial content can be: 00

  3. Open D:\OpenSSL-Win32\bin\openssl.cfg and change the parameters that point at the CA directory and files so that they match the myCA layout above.


Generate certificate

  1. Make a root certificate and the corresponding private key file.

    1. Run D:\OpenSSL-Win32\bin\openssl.exe

    2. Execute the following command to make the root certificate myca.pem and the private key file myca.key.

      OpenSSL> req -config openssl.cfg -new -x509 -keyout myCA/private/myca.key -out myCA/certs/myca.pem -days 3650

    3. Some of the default parameters are taken from openssl.cfg. After this command, the CA certificate and the corresponding private key are generated.

    4. The private key of CA certificate is at D:\OpenSSL-Win32\bin\myCA\private.

    5. The CA certificate is at D:\OpenSSL-Win32\bin\myCA\certs.

  2. Make the private key for the device certificate

    1. Execute the following command to make the device private key sc_key.pem.

      OpenSSL> genrsa -des3 -out myCA/private/sc_key.pem 2048

    2. If the command above executes successfully, the program generates the private key sc_key.pem at D:\OpenSSL-Win32\bin\myCA\private.

  3. Make a device certificate request file.

    1. Execute the following command to make a request file:

      OpenSSL> req -config openssl.cfg -new -key myCA/private/sc_key.pem -out myCA/sc.csr -days 3650

    2. If the command above executes successfully, the request file sc.csr is generated at D:\OpenSSL-Win32\bin\myCA.

  4. Create a device certificate signed by CA certificate.

    1. Execute the following command to make the device certificate:

      OpenSSL> ca -config openssl.cfg -in myCA/sc.csr -out myCA/certs/sc_cert.pem

    2. If the command above executes successfully, the new device certificate is generated at D:\OpenSSL-Win32\bin\myCA\certs.

      PS: If an error is reported during signing, make sure the value of unique_subject in the myCA\index.txt.attr file is no.
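The whole procedure above (folder layout, root CA, device key, request, signing) as an added example that is not from the original post: a non-interactive POSIX shell script driving the openssl CLI. It assumes the openssl binary is on PATH; the CA directory (a temporary folder by default), the subject names, the passphrases and the minimal config file that stands in for the edited openssl.cfg are all constructed for this example. Two deliberate differences from the post: the device key is encrypted with AES-256 instead of -des3, and the serial file starts at 01 instead of 00 so that the first serial number is positive. It finishes with the check a practitioner wants after step 4, openssl verify against the CA certificate.

```shell
#!/bin/sh
# Added example, not from the original post: the CA workflow above as a
# non-interactive script for the openssl CLI. Paths, subject names, the
# passphrases and the minimal config file are all constructed for this demo.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)/myCA}"     # constructed location; override with CA_DIR=...
CA_PASS="pass:demo-ca-passphrase"         # constructed demo passphrases, not real secrets
DEV_PASS="pass:demo-device-passphrase"

# "Relevant files to prepare": folder layout plus the database files openssl ca maintains.
setup_ca_dir() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/crl" "$CA_DIR/certs"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"      # read as hex; 01 instead of the post's 00 so the first serial is positive
  echo 01 > "$CA_DIR/crlnumber"
  echo "unique_subject = no" > "$CA_DIR/index.txt.attr"   # the troubleshooting note in step 4
  # Minimal stand-in for the edited openssl.cfg. $dir is an OpenSSL config variable, hence \$dir.
  # The req_dn entry is only a prompt label; -subj supplies the real names below.
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/myca.key
certificate      = \$dir/certs/myca.pem
default_md       = sha256
default_days     = 3650
policy           = policy_any
x509_extensions  = device_cert
[ policy_any ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
[ ca_cert ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ device_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 1: self-signed root certificate and its private key (10 years, as in the post).
make_root_ca() {
  openssl req -config "$CA_DIR/openssl.cnf" -new -x509 -newkey rsa:2048 -sha256 -days 3650 \
    -extensions ca_cert -subj "/CN=Demo Root CA" -passout "$CA_PASS" \
    -keyout "$CA_DIR/private/myca.key" -out "$CA_DIR/certs/myca.pem"
}

# Step 2: device private key. The post uses -des3; AES-256 is used here instead.
make_device_key() {
  openssl genrsa -aes256 -passout "$DEV_PASS" -out "$CA_DIR/private/sc_key.pem" 2048
}

# Step 3: certificate request. No -days here: for a CSR it is ignored, and the issued
# certificate's validity comes from default_days in the CA config.
make_device_csr() {
  openssl req -config "$CA_DIR/openssl.cnf" -new -key "$CA_DIR/private/sc_key.pem" \
    -passin "$DEV_PASS" -subj "/CN=demo-device" -out "$CA_DIR/sc.csr"
}

# Step 4: sign the request with the CA; -batch suppresses the y/n confirmation prompts.
sign_device_cert() {
  openssl ca -config "$CA_DIR/openssl.cnf" -batch -passin "$CA_PASS" \
    -in "$CA_DIR/sc.csr" -out "$CA_DIR/certs/sc_cert.pem"
}

# The check to run afterwards: does the device certificate chain to the CA certificate?
verify_device_cert() {
  openssl verify -CAfile "$CA_DIR/certs/myca.pem" "$CA_DIR/certs/sc_cert.pem"
}

# Valid ("V") entries in the CA database, i.e. certificates issued so far.
issued_count() {
  grep -c '^V' "$CA_DIR/index.txt"
}

setup_ca_dir
make_root_ca
make_device_key
make_device_csr
sign_device_cert
verify_device_cert
echo "issued $(issued_count) certificate(s); files are under $CA_DIR"
```

Run it with sh and set CA_DIR to choose where the files go. A further device is steps 2 to 4 again (new key, new request, openssl ca), and the unique_subject = no line in index.txt.attr is what lets the CA sign a second request for a subject it has already issued, which is the situation the PS note in step 4 describes.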


Summary

With this document, you can generate a CA center to sign certificates. You can generate device certificates and private keys.


Something important

  • There should be only one CA center for all of the devices.

  • For one kind of device, we should generate one device certificate and one private key; for example, we can generate one device certificate and one private key for all TE-desktop devices.

  • If you want to generate one more certificate and private key, you just need to run steps 2-4 again.


Appendix

Convert PEM certificate into DER certificate

OpenSSL> x509 -inform PEM -in myCA/certs/rse_cert.pem -outform DER -out myCA/certs/rse_cert.cer

Thanks for reading!

:)
Thank you for sharing your knowledge
:)