How to Create a Free SSL/TLS Certificate with OpenSSL on Ubuntu/Linux

SSL/TLS certificates are used to encrypt data sent over the internet. Without encryption, data in transit can be read or altered by a man-in-the-middle attacker. For public-facing communication, you'll need your certificate to be signed by an approved Certificate Authority (CA), but for private communications that isn't necessary. If you don't submit your certificate request to a CA for signing, web browsers will display warnings that the certificate isn't trusted; however, this has no impact on the encryption itself. What the warning means is that the browser cannot verify who issued the certificate. There are many tools available that let you create self-signed certificates easily. One of these tools is OpenSSL, which can be installed on Ubuntu servers without trouble, so you can generate your own SSL certificates whenever you need them.

OpenSSL provides various functions to create, read, and verify certificates, certificate requests, and revocation lists. These can be used to create your own Certificate Authority (CA) or just to create a single certificate that you can use on your web server to secure communications with clients using SSL/TLS (HTTPS). If you’re in the market for an SSL/TLS certificate from a trusted Certificate Authority, see this list of Free SSL Certificates. Otherwise, you can create your own free certificate with OpenSSL by following the steps below.

Generating Free SSL Certificate with OpenSSL

OpenSSL is a free tool that can be used to generate self-signed SSL/TLS certificates. OpenSSL typically comes preinstalled in Linux systems, so if you have Ubuntu Server or any other Linux installation, creating a free SSL certificate using OpenSSL will require little effort. To check whether your operating system has OpenSSL preinstalled, open up the terminal and enter the below command.

openssl version -a

If you have OpenSSL installed, this command will show the version and build details of your installation, like below.

OpenSSL 1.1.1f  31 Mar 2020
built on: Wed Mar  9 12:12:45 2022 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-2iuOVN/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

Now you can run the OpenSSL commands needed to create an SSL/TLS certificate for free. To begin, we will create a password-protected key file, from which the private key is extracted in the next step. To do this, execute the following command:

openssl genrsa -des3 -passout pass:xnet@123 -out system.pass.key 2048

This command will create a password-protected key file called system.pass.key. We use the name 'system' for simplicity, but feel free to use any name of your choosing. If you run ls, you'll see that there's now a new file in your working directory.

We will now create a private key file with OpenSSL. To do this, we need to run the following command

openssl rsa -passin pass:xnet@123 -in system.pass.key -out system.key

This command will generate a private key file called system.key. It needs to be stored securely, because anyone who has access to this key can decrypt your encrypted data.

Now you'll find two files in your working directory. One is the password-protected key file and the other contains the private key without password protection. You won't need the password-protected file again, so we're going to delete it with this command:

rm system.pass.key

To generate the public key certificate, we first need a CSR (Certificate Signing Request) file. Run this OpenSSL command to generate the CSR file.

openssl req -new -key system.key -out system.csr

This command will ask for some information about your SSL certificate like the below example. Enter the appropriate information when it appears.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Letsknowtech
Organizational Unit Name (eg, section) []:pet accessories
Common Name (e.g. server FQDN or YOUR name) []:paolotot
Email Address []:info@letsknowtech.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:letsknowtech

Now we will use OpenSSL to create our public key certificate file. To do this, enter the following command.

openssl x509 -req -days 365 -in system.csr -signkey system.key -out system.crt

If the command succeeds, it prints output like this:

Signature ok
subject=C = IT, O = letsknowtech, OU = pet accessories, CN = paolotot, emailAddress = info@letsknowtech.com
Getting Private key

The above command will generate a public key certificate with 365 days of validity. If you would prefer it to be valid for longer than one year, change the number of days in this command. In your current directory, you will now find three files: system.key (the private key), system.crt (the public key certificate) and system.csr (the signing request). Run the ls command to confirm.

root@cyberpanel2311:~# ls
snap  system.crt  system.csr  system.key

These OpenSSL-generated files are now available for you to use on your web server, email server or any other application requiring an SSL/TLS certificate. You can view the contents of the generated files using the less or echo commands.
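
Before installing the files on a server, it is worth confirming that the certificate really belongs to the key, that it is self-signed as intended, and that the key file is not readable by other users. The script below is an added example, not part of the original tutorial: make_cert repeats the steps above without prompts (it assumes the key is generated unencrypted directly, skipping the intermediate password-protected file, and uses a constructed subject passed with -subj), and check_cert is a hypothetical helper that runs the checks.

```shell
#!/bin/sh
# Added example. Function names, file names and the certificate subject are
# constructed for illustration; the openssl steps mirror the tutorial's.

# Run the key -> CSR -> self-signed certificate steps without prompts.
make_cert() {   # $1 = output directory, $2 = base name for the files
    ( umask 077     # files are created readable by their owner only
      openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
      openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
          -subj "/C=IT/O=Example/CN=server.internal.example" &&
      openssl x509 -req -days 365 -in "$1/$2.csr" \
          -signkey "$1/$2.key" -out "$1/$2.crt" 2>/dev/null )
}

# Return 0 only if the key and certificate pass every check.
check_cert() {  # $1 = private key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key"; return 1; }
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate"; return 1; }
    # The certificate must carry the public half of this private key.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: certificate was not issued for this key"; return 1; }
    # Self-signed: issuer equals subject and the signature verifies against itself.
    subject=$(openssl x509 -in "$2" -noout -subject)
    issuer=$(openssl x509 -in "$2" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ] ||
        { echo "FAIL: issuer differs from subject"; return 1; }
    openssl verify -CAfile "$2" "$2" >/dev/null 2>&1 ||
        { echo "FAIL: signature does not verify"; return 1; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null ||
        { echo "FAIL: expires within 30 days"; return 1; }
    # The private key must not be accessible to group or other users.
    case $(ls -l "$1" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL: key is accessible to group/other"; return 1 ;;
    esac
    echo "OK: $2 matches $1"
}

# Demo in a throwaway directory.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" demo && check_cert "$demo_dir/demo.key" "$demo_dir/demo.crt"
rm -rf "$demo_dir"
```

To check the files created in this tutorial, call check_cert system.key system.crt from the directory that holds them.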

In this article, we explored how to use the OpenSSL tool to create a free SSL certificate. Now you can protect your website against attackers by setting up HTTPS on it! If you're confused at any point during the process, just let me know in the comment section and I'll do my best to help out.

Rishad is a software engineer with a passion for web development. He has been working as a freelancer for the past 3 years, helping businesses and individuals create professional and functional websites. He is an undergraduate student of BSC in Software Engineering (Kingston UK). Rishad’s expertise lies in JavaScript/PHP/Wordpress/React/Django/Python, and he is constantly learning and updating his skills to stay on top of the latest trends and best practices in web development.

Mohamed Rishad
