Creating Self-Signed SSL Certificates


This demo shows you how to create self-signed SSL certificates for FlowForce Server running on a private network. Note that this demo is intentionally simplified and may not be suitable for use in production. Your organization will likely have specific security policies concerning SSL certificates and might use SSL tools other than the ones described below. For information about obtaining SSL certificates signed by a trusted certificate authority, see Signing SSL Certificates with a Certificate Authority.

 

Prerequisites

This example uses the OpenSSL toolkit (https://www.openssl.org/) to generate self-signed certificates. Note that OpenSSL is an open source library; it is not a binary application compiled for a particular platform. The compilation and installation instructions for OpenSSL vary for each operating system and are outside the scope of this documentation. On Linux and Mac machines, OpenSSL is most likely already available; otherwise, you can install or update it from the command line. You can quickly check whether OpenSSL is present by typing the command below (it displays the current OpenSSL version):

 

openssl version

 

On Windows, you can either compile binaries from the official OpenSSL source code, or, alternatively, download a binary distribution that includes OpenSSL, such as Cygwin (https://cygwin.com/).

 

Create the root certificate

 

1. Create a directory that will store all certificates used in this demo (for example, "C:\secure"). This will be the working directory for all subsequent OpenSSL commands (that is, any file paths are relative to it). Therefore, change to this directory from the command line:

 

cd C:\secure

 

2. For this demo, we will be issuing certificates with OpenSSL extensions. To make this possible, find the openssl.cnf file of your OpenSSL distribution and copy it to the working directory created in the previous step.
3. Create the root private key. Be aware that the root private key is the most sensitive piece of your public key infrastructure, so it must always be generated and stored in a secure environment (in this demo, it is stored in "C:\secure").

 

openssl genrsa -aes256 -out root.key 2048

 

When prompted, type a password to protect the root key. You will subsequently need this password to sign certificate requests.

 

4. Create the root certificate. The command below generates a self-signed certificate for the private key created above, with a validity of 3650 days. Notice that the -config parameter points to the openssl.cnf file in the same directory. The -extensions parameter refers to the "v3_ca" extension (section) defined in openssl.cnf.

 

openssl req -config openssl.cnf -extensions v3_ca -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem

 

When prompted, enter information about your organization, for example:

 

Country Name (2 letter code) [AU]: AT

State or Province Name (full name) [Some-State]: .

Locality Name (eg, city) []: Vienna

Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd

Organizational Unit Name (eg, section) []: IT

Common Name (eg, YOUR name) []: Demo CA

Email Address []: test@example.org

 

You can fill in the required fields as applicable to your organization. For the field Common Name, enter the name of your self-signed certificate authority ("Demo CA", in this example).

 

Create the FlowForce certificate

You can now create the actual certificate to be used for SSL encryption (by FlowForce Server, or FlowForce Web Server, or both). The following OpenSSL command creates the private key:

 

openssl genrsa -out flowforce.key 2048

 

Note

The private key must be in PEM (Privacy Enhanced Mail) format. The file extension of PEM files is usually .pem but it can also be .key, .cert, .cer, or .crt.
In order for the private key to be usable in FlowForce, it must not be password protected.
The private key must be stored securely.

 

Next, open the working openssl.cnf file and add the following section to it:

 

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=DNS:server.my.domain.com

 

Make sure to change the subjectAltName ("Subject Alternative Name") so that it corresponds to the FQDN (fully qualified domain name) of the machine where FlowForce Server runs. In this example, it is set to "server.my.domain.com". Specifying a subject alternative name is required by Google Chrome 58 or later; otherwise, your self-signed certificate will generate a NET::ERR_CERT_COMMON_NAME_INVALID error (see https://support.google.com/chrome/a/answer/7391219?hl=en).

 

Next, create a Certificate Signing Request (CSR), as shown below. Notice that the -config parameter points to the openssl.cnf file edited previously. The -extensions parameter refers to the "server_cert" extension (section) defined in openssl.cnf.

 

openssl req -config openssl.cnf -extensions server_cert -new -nodes -key flowforce.key -out flowforce.csr

 

When prompted, enter information about your organization, for example:

 

Country Name (2 letter code) [AU]: AT

State or Province Name (full name) [Some-State]: .

Locality Name (eg, city) []: Vienna

Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd

Organizational Unit Name (eg, section) []: IT

Common Name (eg, YOUR name) []: server.my.domain.com

Email Address []: test@example.org

 

Note

For the field Common Name, make sure to enter the FQDN (fully qualified domain name) of the host machine where FlowForce Server runs.
Leave the challenge password field empty when prompted.

 

For this demo, we will sign the FlowForce certificate directly with the root certificate. Note that, in a production environment, the root certificate does not normally sign server certificates directly; instead, intermediate certificates are used. The command below signs the flowforce.csr certificate request with the root certificate created previously and creates a flowforce.crt file (which is the server certificate required by FlowForce Server):

 

openssl x509 -extfile openssl.cnf -extensions server_cert -req -in flowforce.csr -CA root.pem -CAkey root.key -CAcreateserial -out flowforce.crt -days 365 -sha256
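To confirm that the files produced by the steps above fit together (the server certificate chains to root.pem, carries the subjectAltName, matches flowforce.key, and the key has no passphrase), here is an added POSIX shell script that is not part of the Altova documentation. It rebuilds the same set of files in a temporary directory using a constructed minimal openssl.cnf and non-interactive -subj values, and assumes only that openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Altova docs): rebuild the demo's files in a temp
# directory and run the checks a practitioner should make before installing
# them. Assumes only that the openssl binary is in PATH.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
SAN_HOST=server.my.domain.com   # the FQDN the demo puts in subjectAltName
# Constructed minimal openssl.cnf with the two extension sections the demo uses.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.my.domain.com
EOF
# Root CA; key left unencrypted only so no passphrase prompt is needed here (use -aes256 for a real root).
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -config openssl.cnf -extensions v3_ca -x509 -new -nodes -key root.key \
  -sha256 -days 3650 -subj "/CN=Demo CA" -out root.pem
# Server key, CSR and CA-signed cert; the extensions come from -extfile at signing time.
openssl genrsa -out flowforce.key 2048 2>/dev/null
openssl req -config openssl.cnf -new -nodes -key flowforce.key -subj "/CN=$SAN_HOST" -out flowforce.csr
openssl x509 -extfile openssl.cnf -extensions server_cert -req -in flowforce.csr -CA root.pem \
  -CAkey root.key -CAcreateserial -out flowforce.crt -days 365 -sha256 2>/dev/null
# check_hostname HOST: does flowforce.crt chain to root.pem and match HOST?
check_hostname() {
  openssl verify -CAfile root.pem -verify_hostname "$1" flowforce.crt >/dev/null 2>&1
}
# check_files: the static properties FlowForce and browsers depend on.
check_files() {
  text=$(openssl x509 -in flowforce.crt -noout -text)
  echo "$text" | grep -q "DNS:$SAN_HOST" || return 1    # SAN present (Chrome 58+ ignores CN)
  echo "$text" | grep -q "CA:FALSE" || return 1         # server cert cannot issue further certs
  [ "$(openssl x509 -in flowforce.crt -noout -pubkey)" = "$(openssl pkey -in flowforce.key -pubout)" ] || return 1
  ! grep -q ENCRYPTED flowforce.key                     # FlowForce cannot use a passphrase-protected key
}
check_hostname "$SAN_HOST" && check_files && echo "all checks passed"
```

Run the same check_hostname and check_files functions against your real C:\secure files (with -verify_hostname set to your FQDN) before importing root.pem anywhere.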

 

Summary

If you followed the steps above, you should now have the following certificates and keys:

 

root.key - This is your certificate authority's (CA) private key. Store this file in a secure place; if this key is compromised, anyone holding it can issue certificates that every machine or browser trusting root.pem will accept as valid.
root.pem - This is the public certificate of your certificate authority. You will need to install (import) this certificate into the trusted certificates store of each machine (or browser) that needs to access FlowForce securely, see Importing Root Certificates.
flowforce.key - This private key accompanies the certificate used by FlowForce (see next item).
flowforce.crt - This is the server certificate, signed by your own self-signed CA, to be used by FlowForce Server, FlowForce Web Server, or both.

 

You can now enable SSL for FlowForce Server, FlowForce Web Server, and for the HTTP connection between them, as shown below:

 

Enabling SSL for FlowForce Web Server
Enabling SSL for FlowForce Server
Enabling SSL between FlowForce Web Server and FlowForce Server

© 2019 Altova GmbH