I’ve recently been writing some services in Java using Spring where the service will be accessed over HTTPS when live. I obviously want to use the same configuration in development, but I don’t want to pay for a certificate.
Instead, I’ll create a self-signed root CA and use it to sign the SSL certificate for the service myself.
Firstly you will need OpenSSL installed. I used the installation of OpenSSL on my MacBook Pro that comes with OS X. On Ubuntu you install it using:
sudo apt-get install openssl
Windows users can grab OpenSSL from here.
Create the Root Key
Next you need to create the root key.
openssl genrsa -out rootCA.key 2048
If you would like to add a password to the root key, which is highly recommended, do the following:
openssl genrsa -des3 -out rootCA.key 2048
Using the above command will ask for a password to secure the key. You will need to enter the password each time you use the key if you secure it.
Create a Root Certificate
The next step is to create a root certificate and self-sign the certificate using the root key generated earlier.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 712 -out rootCA.pem
You will need to answer a few questions about the root CA. Here’s how I answered the questions:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Lancashire
Locality Name (eg, city) []:Blackpool
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Andy McCall Ltd
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Andy McCall
Email Address []:email@example.com
We now have a root CA that we can use to sign things with. If you are using Windows, install this CA into the local machine’s root certificate store using the Microsoft Management Console (MMC). There’s a guide at SQLServerMart that is easy enough to follow for servers, and there’s also a guide here for the desktop. For other operating systems or platforms, Google is your friend.
Create a Certificate
The next step is to create the certificate that will be used to secure the service over HTTPS. There are a number of steps to do this.
Create the key
The first step is to create a private key.
openssl genrsa -out service.key 2048
Generate a Certificate Signing Request
Using the key create a certificate signing request for your service:
openssl req -new -key service.key -out service.csr
You’ll be asked a host of questions again; the important bit of information here is the common name. This is the name you will use to access your service. In this example the service is called service.local and I’ve added service.local to my hosts file. This would also work if you used a corporate DNS and you were securing myservice.mycorporation.myinternaldns.com, or if you used an IP address. It basically has to match the address you will access the service on.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Lancashire
Locality Name (eg, city) []:Blackpool
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Andy McCall Ltd
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:service.local
Email Address []:firstname.lastname@example.org
Do not use a challenge password with this certificate.
Sign the Certificate Signing Request Using the Root
Now we sign the request with the root CA so that the resulting certificate is trusted by anything that trusts the root:
openssl x509 -req -in service.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out service.crt -days 356 -sha256
We now have a signed certificate (service.crt) and a key file (service.key). On Linux servers and hardware devices, we can use the certificate and key together to secure our service. Under Windows we need to import them into the certificate store first, and to do that the two files need to be combined into a single Personal Information Exchange file.
Convert Certificate and Key into a Personal Information Exchange File
To import the certificate and key into the Windows certificate store we need to convert them to a Personal Information Exchange (.pfx) file.
openssl pkcs12 -export -out service.pfx -inkey service.key -in service.crt -certfile rootCA.pem
You don’t need to use an export password, but it’s obviously more secure if you do. This will produce a single .pfx file that you can import into your OS.
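The whole procedure above, from root key to .pfx, as a single non-interactive script. This is an added example and not the post’s own commands: the subject fields are passed with -subj instead of being typed at the prompts, the subject names, the output directory, the hostname argument and the demo export password are all assumptions, and it adds one thing the interactive steps do not: a subjectAltName on the service certificate, supplied at signing time through an extension file because openssl x509 -req does not copy extensions from the CSR and modern browsers check the SAN rather than the common name. A verify function then runs the checks worth doing before trusting the result.

```shell
#!/bin/sh
# Added example (not the post's own script): creates a dev root CA, a service
# key/CSR, signs it with a SAN, bundles it as PKCS#12, then verifies the chain.
# Assumes OpenSSL is on PATH; subject names and the export password are demo values.
set -e

make_dev_pki() {
    dir="$1"    # output directory, e.g. ./pki (assumed argument)
    host="$2"   # name the service is reached on, e.g. service.local
    mkdir -p "$dir"

    # 1. Root key and self-signed root certificate. No key password so the script
    #    runs unattended; add -des3 to genrsa, as the post recommends, for real use.
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 712 \
        -subj "/C=GB/O=Example Dev CA/CN=Example Dev Root CA" \
        -out "$dir/rootCA.pem"

    # 2. Service key and CSR; the CN is the hostname, as in the post.
    openssl genrsa -out "$dir/service.key" 2048 2>/dev/null
    openssl req -new -key "$dir/service.key" \
        -subj "/C=GB/O=Example Dev/CN=$host" \
        -out "$dir/service.csr"

    # 3. Sign the CSR with the root. x509 -req ignores extensions in the CSR, so the
    #    extension file marks the cert as an end-entity server cert and adds the SAN.
    cat > "$dir/service.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -in "$dir/service.csr" \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -days 356 -sha256 -extfile "$dir/service.ext" \
        -out "$dir/service.crt" 2>/dev/null

    # 4. PKCS#12 bundle (cert + key + root) for the Windows certificate store.
    #    "changeit" is a constructed demo password; use a real one outside a demo.
    openssl pkcs12 -export -out "$dir/service.pfx" \
        -inkey "$dir/service.key" -in "$dir/service.crt" \
        -certfile "$dir/rootCA.pem" -passout pass:changeit
}

# Checks to run before trusting the result: the certificate chains to the root,
# and both the SAN and the CN carry the hostname the service will be reached on.
verify_dev_pki() {
    dir="$1"
    host="$2"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/service.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/service.crt" -noout -text | grep -q "DNS:$host" || return 1
    openssl x509 -in "$dir/service.crt" -noout -subject | grep -q "CN *= *$host" || return 1
}

# Usage (stand-alone): sh make_dev_pki.sh ./pki service.local
if [ $# -eq 2 ]; then
    make_dev_pki "$1" "$2" && verify_dev_pki "$1" "$2" && echo "dev PKI ready in $1"
fi
```

After running it, rootCA.pem is what you import into the trust store and service.pfx (or service.crt plus service.key on Linux) is what the service presents; openssl verify succeeding against rootCA.pem is the command-line equivalent of the Certification Path view in the Windows certificate dialog.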
Once the certificate is installed you can check to see if the certificate is valid:
Clicking on the Certification Path shows the chain of trust:
Finally, set your service to run under HTTPS and use the new certificate to secure the service. Configure your endpoint within your application as service.local and you now have a correctly configured development environment that is live-like.