Create an SSL Certificate
About this task
How to create an SSL certificate
Applies to
All Versions and Systems
Procedure
On Linux with openssl tools installed
Step 1: Prepare needed information
Information | Example |
---|---|
BVQ Server Hostname | bvq-server |
BVQ Server DNS name(s) | bvq-server.sva.de |
Password for key encryption | keypassword |
DNS address of your Certification Authority Server | ca-server.example.com |
Name of your Certification Authority | Name-of-CA |
Step 1: Create an OpenSSL config (.ini) file for your BVQ Server
Create the .ini file in the folder /etc/pki/tls/certs/, e.g. with vi /etc/pki/tls/certs/bvq-server.ini
Insert the following text:
Example openssl config (.ini) file
[ req ]
default_bits = 4096
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
C = DE
ST = Hessen
L = Wiesbaden
O = SVA GmbH
OU = IT-Administration / Monitoring
CN = 10.10.10.10
emailAddress = bvq@sva.de
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 10.10.10.10
Important
In addition to the other changes needed to adapt the .ini to your environment, it may be necessary to add DNS names to the alt_names section, for example:
[ alt_names ]
IP.1 = 10.10.10.10
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = subdomain.example.com
Step 2: Generate the openssl key and certificate request
Use the openssl command to generate the key and certificate request file. When the command pauses for input (shown as <PASWD> below), enter the password chosen for your key ("Private Key Password"). Note that with -nodes on the command line and encrypt_key = no in the .ini, OpenSSL writes the private key file unencrypted (see -nodes in the command explanation below); the password read via -passin is not applied to the new key.
openssl command for key generation
[root@bvqdemo certs]# openssl req -newkey rsa:4096 -sha256 -days 365 -nodes -out /etc/pki/tls/certs/bvq-server.csr -keyout /etc/pki/tls/private/bvq-server.key -config /etc/pki/tls/certs/bvq-server.ini -passin stdin
Ignoring -days; not generating a certificate
<PASWD>
Generating a RSA private key
..........++++
...........................................................................................................................................................................................................................................................................................................................++++
writing new private key to '/etc/pki/tls/private/bvq-server.key'
Now two new files should appear as the result of a successful openssl key and CSR generation: the private key /etc/pki/tls/private/bvq-server.key and the certificate request /etc/pki/tls/certs/bvq-server.csr.
Step 3: Copy the files to your BVQ Server
File | Example |
---|---|
Private Key file | bvq-server.key |
Certificate request file | bvq-server.csr |
Example copy session with MS PowerShell
Step 4: Generate the Certificate Request on your Windows BVQ Server
Use the Windows command certreq to request a certificate from your Certification Authority Server. The following step depends on the PKI/CA used.
certreq command for .pem file generation
The bvq-server.crt certificate file should appear in the current directory.
Step 5: Run the BVQ Server Installer
Now you should have these elements prepared:
Element | Example |
---|---|
Private key file | bvq-server.key |
CRT Certificate file | bvq-server.crt |
Password for key encryption | keypassword |
Insert all this in the related fields of the BVQ Server installer dialogue (see step 8 in the Installation guide).
Command explanation and additional information
Self Sign your own .csr
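The following POSIX shell script is an added example and not part of the original page: it performs Steps 1 and 2 (the .ini, key and CSR) in a scratch directory, checks the CSR's subject alternative names before the request is submitted in Step 4, and self-signs the CSR for the case named by this section. WORKDIR is an assumed stand-in for /etc/pki/tls, the function names are mine, and the self-signed certificate keeps the v3_req extensions (CA:FALSE, serverAuth, SANs) instead of the v3_ca block.

```shell
#!/bin/sh
# Added example, not from the original page: does Steps 1-2 (.ini, key, CSR)
# in a scratch directory, verifies the CSR before it is sent to the CA, and
# self-signs it for the "Self Sign your own .csr" case. WORKDIR is an
# assumption standing in for /etc/pki/tls; names follow the page's examples.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# write_ini HOST IP [DNS...] -> $WORKDIR/HOST.ini with the page's sections; each
# DNS argument becomes a DNS.n entry in [ alt_names ] next to IP.1
write_ini() {
    host="$1"; ip="$2"; shift 2
    {
        printf '[ req ]\ndefault_bits = 4096\ndefault_md = sha256\nprompt = no\n'
        printf 'encrypt_key = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[ dn ]\nC = DE\nST = Hessen\nL = Wiesbaden\nO = SVA GmbH\n'
        printf 'OU = IT-Administration / Monitoring\nCN = %s\n' "$host"
        printf 'emailAddress = bvq@sva.de\n[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n'
        printf '[ alt_names ]\nIP.1 = %s\n' "$ip"
        n=1; for d in "$@"; do printf 'DNS.%d = %s\n' "$n" "$d"; n=$((n + 1)); done
    } > "$WORKDIR/$host.ini"
}

# make_csr HOST -> HOST.key (unencrypted, like -nodes on the page) and HOST.csr
make_csr() {
    openssl req -newkey rsa:4096 -sha256 -nodes -config "$WORKDIR/$1.ini" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
}

# csr_has_san HOST "DNS:name" | "IP Address:a.b.c.d" -> true if the SAN is present;
# run this before submitting, since the CA copies the SANs from the CSR
csr_has_san() {
    openssl req -in "$WORKDIR/$1.csr" -noout -text | grep -q -- "$2"
}

# self_sign HOST DAYS -> HOST.crt signed with HOST.key, keeping the v3_req
# extensions (CA:FALSE, serverAuth, SANs) rather than the page's v3_ca block
self_sign() {
    openssl x509 -req -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$1.key" -days "$2" \
        -sha256 -extfile "$WORKDIR/$1.ini" -extensions v3_req \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# crt_is_ca HOST -> true only if the certificate claims CA:TRUE (a server cert must not)
crt_is_ca() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Run `write_ini bvq-server 10.10.10.10 bvq-server.sva.de`, then `make_csr bvq-server` and the `csr_has_san` checks; a CSR that fails the SAN check should be regenerated rather than submitted.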
OpenSSL Command Components
Command Part | Meaning |
---|---|
openssl | Command to invoke the OpenSSL toolkit, used for a wide range of cryptography tasks. |
req | Stands for "PKCS#10 certificate request and certificate generating utility," used to create CSRs or self-signed certificates. |
-newkey rsa:4096 | Creates a new RSA key of 4096 bits in length. |
-x509 | Generates a self-signed certificate instead of a certificate signing request. |
-sha256 | Uses SHA-256 as the hashing algorithm for the certificate. |
-days 365 | Sets the validity period of the certificate to 365 days (only used together with -x509; when creating a CSR it is ignored, as the "Ignoring -days" message in Step 2 shows). |
-nodes | Creates a private key without password protection. |
-out | Specifies the filename and path where the certificate or CSR will be saved. |
-keyout | Specifies the filename and path for the private key. |
-config | Specifies the path to the configuration file containing additional options. |
-passin | Specifies how the password for accessing the private key or other encrypted data is entered. |
.ini Configuration Details
Configuration Entry | Meaning |
---|---|
[ req ] | A section in the configuration file containing general settings for the certificate request. |
default_bits | The length of the key to generate in bits. |
default_md | The default hashing algorithm for the signature. |
prompt | Controls whether OpenSSL should ask interactively for the DN (Distinguished Name) fields. |
encrypt_key | Specifies whether the private key should be encrypted. |
[ req_distinguished_name ] | A section defining the DN fields for the certificate request. |
C, ST, L, O, OU, CN, emailAddress | Fields of the Distinguished Name specifying the country, state/province, locality, organization, organizational unit, common name, and email address. |
[ v3_req ], [ v3_ca ] | Sections defining specific extensions for certificates (referenced via req_extensions for a CSR and x509_extensions for a self-signed certificate). |
basicConstraints | Defines whether a certificate can act as a CA (Certificate Authority). |
keyUsage | Specifies the purposes the key can be used for, such as digital signatures, key encipherment, etc. |
extendedKeyUsage | Specifies extended purposes like server authentication (serverAuth). |
subjectAltName | Allows specifying alternative names for the subject, including DNS names and IP addresses. |
[ alt_names ] | A section listing alternative names under which the server is accessible. |
Certificate Signing Request (CSR) Submission in Windows
Command | Meaning |
---|---|
certreq -submit | Command-line tool in Windows used for certificate requests, with the -submit switch to submit the CSR. |
-config "ca-server.example.com\Name-of-CA" | Specifies the path to the CA where the CSR is submitted. The path consists of the CA server name and the CA name itself, separated by a backslash. |
-attrib "CertificateTemplate:<TemplateName>" | Specifies additional attributes for the request. Here, a specific certificate template attribute is used to indicate which template the CA should use to create the certificate (<TemplateName> is a placeholder for the template configured on your CA). |
bvq-server.csr bvq-server.crt | The first path is the location of your CSR file, and the second path is where the signed certificate will be saved. |