One way to make TLS certificates for testing is to use the OpenSSL command line tool. This can be installed on most computers by either downloading a pre-built package, or building it from the OpenSSL source code. The command is ‘openssl’ and it contains many sub-commands that exercise features in the OpenSSL library. Once the ‘openssl’ command is installed, a folder should be selected to work in and a few files need to be created in that folder. For this example, create the following files: ‘index.txt’, ‘serial.txt’, ‘ca.cnf’ and ‘server.cnf’. The file ‘index.txt’ is left empty, and the file ‘serial.txt’ is given the contents ‘00’. The following commands will generate these files on Linux:
> touch index.txt
> echo 00 > serial.txt
The two ‘.cnf’ files are configuration files for the OpenSSL commands. The file ‘ca.cnf’ contains definitions for our certificate authority, and the file ‘server.cnf’ contains definitions for a TLS server. For this example, these files have the following contents:
ca.cnf

[ req ]
distinguished_name = thing1
prompt = no

[ thing1 ]
commonName = ca.net
emailAddress = [email protected]

[ ca ]
default_ca = thing2

[ thing2 ]
new_certs_dir = .
private_key = ca.key
certificate = ca.crt
database = index.txt
default_md = sha256
policy = whatever
serial = serial.txt
default_days = 365

[ whatever ]
commonName = supplied
emailAddress = supplied
server.cnf

[ req ]
distinguished_name = thing1
prompt = no

[ thing1 ]
commonName = server.net
emailAddress = [email protected]
After the files are in place, the following commands can be run to generate the certificates:
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -key ca.key -out ca.crt -config ca.cnf
> openssl genrsa -out server.key 4096
> openssl req -new -key server.key -out server.csr -config server.cnf
> openssl ca -in server.csr -out server.crt -config ca.cnf
The final command prompts twice (y/n) to confirm that the server certificate should be signed. After running these commands, the following files are generated and can be used for TLS testing: ‘ca.crt’, ‘server.key’ and ‘server.crt’. The files ‘server.key’ and ‘server.crt’ are used by the TLS server. The file ‘ca.crt’ is used by any client that will connect to the server, as the trust anchor against which it verifies the server certificate. These certificates are considered self-signed because the chain ends at our own CA rather than an official certificate authority, so they are only useful for testing purposes.