1
00:00:00,000 --> 00:00:10,960
In this video, you'll learn how to create self-signed certificates.

2
00:00:10,960 --> 00:00:15,000
So PKI certificates are commonly used in Linux services.

3
00:00:15,000 --> 00:00:19,280
And to secure resources like web servers, it's essential to understand how certificates

4
00:00:19,280 --> 00:00:20,280
are working.

5
00:00:20,280 --> 00:00:25,760
To use public keys, they need to be signed by a certificate authority, and self-signed

6
00:00:25,760 --> 00:00:29,780
certificates are an easy way to get started with your own certificates.

7
00:00:29,780 --> 00:00:34,939
And as just mentioned, it's perfectly acceptable to use them if you are using them internally

8
00:00:34,939 --> 00:00:36,580
only.

9
00:00:36,580 --> 00:00:41,660
And these certificates can next be used in different services that need a TLS encrypted

10
00:00:41,660 --> 00:00:44,619
channel, for instance.

11
00:00:44,619 --> 00:00:48,880
Now let me demonstrate how to do this.

12
00:00:48,880 --> 00:00:51,220
So first, I walk you through the demo.

13
00:00:51,220 --> 00:00:55,560
And you need to understand that this demo consists of different steps.

14
00:00:55,560 --> 00:01:00,919
Step number one is where you create the certificate authority, because self-signed certificates

15
00:01:00,919 --> 00:01:05,800
are all about certificates that are signed, and signing takes place by the certificate

16
00:01:05,800 --> 00:01:06,800
authority.

17
00:01:06,800 --> 00:01:10,480
I'll later tell you about the commands.

18
00:01:10,480 --> 00:01:14,000
Next step is to create the certificate.

19
00:01:14,000 --> 00:01:18,300
So you need to create a private key and generate a certificate request from it.

20
00:01:18,300 --> 00:01:21,959
In case you are wondering what is this between the double quotes, well, that is how you can

21
00:01:21,959 --> 00:01:28,720
easily recognize the required commands in the man page, as I will show you in a bit.

22
00:01:28,720 --> 00:01:34,919
So the certificate is extracted from a private key, and once you have extracted the certificate

23
00:01:34,919 --> 00:01:41,320
signing request from the private key, you can self-sign the certificate.

24
00:01:41,320 --> 00:01:46,519
So when you generate a public-private key pair, you create certificate signing requests,

25
00:01:46,519 --> 00:01:50,720
and that is what you send to the certificate authority, and that is going to do the signing

26
00:01:50,720 --> 00:01:52,620
for you.

27
00:01:52,620 --> 00:01:54,559
And that is how it works.

28
00:01:54,559 --> 00:01:58,279
Let me show you so that we can see the result.

29
00:01:58,279 --> 00:02:05,519
So I'm going to create these certificates in a dedicated directory, so mkdir openssl.

30
00:02:05,519 --> 00:02:07,279
It's in my home directory, and that's okay.

31
00:02:07,279 --> 00:02:10,679
I just want a safe location where I can work with this.

32
00:02:10,679 --> 00:02:13,880
Then I'm going to use the openssl command.

33
00:02:13,880 --> 00:02:18,679
There are some easy-to-use front-end commands, but the easy-to-use front-end commands all

34
00:02:18,679 --> 00:02:20,520
go back to openssl.

35
00:02:20,520 --> 00:02:24,080
They're distribution-specific, which is why I don't like them.

36
00:02:24,080 --> 00:02:28,320
Better invest your time in understanding openssl.

37
00:02:28,320 --> 00:02:32,960
genrsa to generate an RSA key.

38
00:02:32,960 --> 00:02:40,279
-des3, which is the encryption algorithm, and -out is specifying the output, and

39
00:02:40,279 --> 00:02:44,360
the output is myca.key.

40
00:02:44,360 --> 00:02:51,000
And 2048 is the number of bits that I'm using for this key.

41
00:02:51,000 --> 00:02:55,679
So what you generate here is a private key, and the encryption algorithm makes it you

42
00:02:55,679 --> 00:02:59,839
can use it as a certificate authority private key.

43
00:02:59,839 --> 00:03:05,360
Now you need a PEM passphrase, and this passphrase is what you are going to use whenever you

44
00:03:05,360 --> 00:03:07,960
need to use the private key.

45
00:03:07,960 --> 00:03:14,440
So the certificate authority private key is used for signing of public key certificates,

46
00:03:14,440 --> 00:03:19,520
and you should protect that because this is secure business, and that is why in this case

47
00:03:19,520 --> 00:03:22,960
I'm entering a passphrase.

48
00:03:22,960 --> 00:03:31,160
Now I'm using openssl req for a request, -x509, that's the X.509 certificate, -new.

49
00:03:31,160 --> 00:03:32,600
We want a new one.

50
00:03:32,600 --> 00:03:33,600
-nodes.

51
00:03:33,600 --> 00:03:35,119
We don't need DES encryption.

52
00:03:35,119 --> 00:03:48,199
-key myca.key, -sha256 for the algorithm, -days 3650, that's the validity,

53
00:03:48,199 --> 00:03:52,759
and -out myca.pem.

54
00:03:52,759 --> 00:03:53,759
So what is this doing?

55
00:03:53,759 --> 00:04:00,000
Well, this is going to create the certificate authority certificate, and that is what you

56
00:04:00,000 --> 00:04:02,559
are going to hand out to the clients.

57
00:04:02,559 --> 00:04:07,240
An important parameter is -days 3650.

58
00:04:07,240 --> 00:04:13,759
The certificate authority certificate typically is valid for a long period because if it expires,

59
00:04:13,759 --> 00:04:19,040
all the certificates that it has signed will expire as well.

60
00:04:19,040 --> 00:04:20,720
Now we need to enter the passphrase.

61
00:04:20,720 --> 00:04:25,119
That's the passphrase for the certificate authority private key, and now it is asking

62
00:04:25,119 --> 00:04:27,559
me more information about it.

63
00:04:27,559 --> 00:04:35,000
Now for the CA, it's not essential, but it's good practice to include the information.

64
00:04:35,000 --> 00:04:41,440
But if it's internal only, feel free to just press Enter on all requests, because these parts of information

65
00:04:41,440 --> 00:04:43,959
are used for verification purposes.

66
00:04:43,959 --> 00:04:45,839
It's relevant on the internet.

67
00:04:45,839 --> 00:04:50,720
For a self-signed certificate, it's not that relevant.

68
00:04:50,720 --> 00:04:56,239
Now I'm going to create a private key and generate a certificate request from it.

69
00:04:56,239 --> 00:05:01,239
So at this point, we have the myca.key and the myca.pem, which means that we have the

70
00:05:01,239 --> 00:05:03,959
certificate authority key material.

71
00:05:03,959 --> 00:05:08,160
So now let's create a private key for use in a server.

72
00:05:08,160 --> 00:05:17,920
openssl genrsa, -out TLS.key, 2048.

73
00:05:17,920 --> 00:05:23,160
So once again, we generate a private key, and the only difference with the private key

74
00:05:23,279 --> 00:05:30,200
used by the CA is that we don't use the des3 algorithm, but it's still a private key.

75
00:05:30,200 --> 00:05:36,200
From the private key, we are going to extract the certificate signing request.

76
00:05:36,200 --> 00:05:39,720
So openssl req for request, -new.

77
00:05:39,720 --> 00:05:47,040
So new request, -key TLS.key, -out TLS.CSR.

78
00:05:47,040 --> 00:05:52,920
That is the certificate signing request, and that is what you are going to sign later.

79
00:05:52,920 --> 00:06:00,399
Now while creating the certificate signing request, you need at least to enter a common name.

80
00:06:00,399 --> 00:06:05,679
The country name, the state, the locality, that doesn't matter too much.

81
00:06:05,679 --> 00:06:11,119
What matters is the common name, because the common name is the name of your server host.

82
00:06:11,119 --> 00:06:15,839
So let's call it linuxplus.example.com.

83
00:06:15,839 --> 00:06:21,279
Think about this carefully, because this certificate is going to be used by the server,

84
00:06:21,279 --> 00:06:27,720
and if the certificate name does not match the name of the user, then the client will reject it.

85
00:06:27,720 --> 00:06:30,799
So this is very important information.

86
00:06:30,799 --> 00:06:33,440
The rest of the information is all optional.

87
00:06:33,440 --> 00:06:39,160
So now we have the certificate signing request, and we can go over to step three.

88
00:06:39,160 --> 00:06:47,760
And step three is where we are going to use the certificate authority to sign the certificate request,

89
00:06:47,760 --> 00:06:55,600
and that is openssl x509 -req, -in TLS.CSR.

90
00:06:55,600 --> 00:06:59,640
So we put the certificate signing request in, -CA.

91
00:06:59,640 --> 00:07:02,760
That's an identifier of the certificate authority.

92
00:07:02,760 --> 00:07:08,880
And this certificate authority is just identified by its public key certificate,

93
00:07:08,880 --> 00:07:13,640
but we also need access to the CA private key.

94
00:07:13,640 --> 00:07:18,640
Now, the CA needs to create a serial number for its own administration,

95
00:07:18,640 --> 00:07:23,000
and -out is specifying what it is going to create.

96
00:07:23,000 --> 00:07:25,839
So it creates TLS.CRT.

97
00:07:25,839 --> 00:07:28,119
-days 1650.

98
00:07:28,119 --> 00:07:30,600
That's the validity of the request.

99
00:07:30,600 --> 00:07:38,600
And you need to make sure that it will be valid throughout the lifetime of the certificate authority public key certificate.

100
00:07:38,600 --> 00:07:43,880
And finally, -sha256 for the encryption algorithm.

101
00:07:43,880 --> 00:07:45,359
Oh, and did I make a mistake?

102
00:07:45,359 --> 00:07:47,000
Yeah, I made a mistake.

103
00:07:47,000 --> 00:07:51,000
My mistake is in the CA, -CAkey.

104
00:07:51,000 --> 00:07:56,799
-CAkey needs the argument myca.key.

105
00:07:56,799 --> 00:07:59,720
And now we can see that it is doing all right.

106
00:07:59,720 --> 00:08:03,440
We can see the common name, and it's asking for the passphrase.

107
00:08:03,440 --> 00:08:08,279
That is a certificate authority passphrase that I've used before.

108
00:08:08,279 --> 00:08:13,920
So I'm going to enter it, and the result is that now I have a TLS.CRT.

109
00:08:13,920 --> 00:08:19,040
That is the public key certificate that will be handed out to the clients,

110
00:08:19,040 --> 00:08:25,880
and the TLS.key, that is the private key that I can use on my server itself.

111
00:08:25,880 --> 00:08:29,720
Now, the procedure that we have just gone through is a complex procedure.

112
00:08:29,720 --> 00:08:31,480
So I want you to understand what to do.

113
00:08:31,480 --> 00:08:36,960
So I've created some slides with all the commands where I'm going to tell you what it is doing.

114
00:08:36,960 --> 00:08:40,320
So first, we were using openssl genrsa.

115
00:08:40,320 --> 00:08:45,559
genrsa is a generic part that generates the private key.

116
00:08:45,559 --> 00:08:48,599
des3 is the encryption algorithm,

117
00:08:48,599 --> 00:08:53,559
which is recommended for the certificate authority because it's relatively strong.

118
00:08:53,559 --> 00:08:56,400
And out generates an output file.

119
00:08:56,400 --> 00:09:00,960
Next step was openssl req -x509.

120
00:09:00,960 --> 00:09:06,080
So the req argument calls the PKCS#10 certificate request

121
00:09:06,080 --> 00:09:09,000
and certificate generating utility.

122
00:09:09,000 --> 00:09:13,520
So openssl always works with specific subcommands,

123
00:09:13,520 --> 00:09:16,080
and req is what we are using here.

124
00:09:16,080 --> 00:09:20,799
-x509 produces a self-signed certificate instead of a CSR,

125
00:09:20,799 --> 00:09:23,280
which is a certificate signing request.

126
00:09:23,280 --> 00:09:25,520
-new generates a new request.

127
00:09:25,520 --> 00:09:31,000
-nodes ensures that if a private key is created, it is not encrypted.

128
00:09:31,000 --> 00:09:34,119
-key specifies the file to read the key from.

129
00:09:34,119 --> 00:09:38,080
-sha256 is used to generate secure hashes,

130
00:09:38,080 --> 00:09:42,599
and -days specifies the validity of the certificate in days.

131
00:09:42,599 --> 00:09:45,280
And .pem is a self-signed PEM file,

132
00:09:45,280 --> 00:09:48,679
a file that can be used to distribute a complete certificate chain,

133
00:09:48,679 --> 00:09:52,559
and which is a common standard in cryptography.

134
00:09:52,559 --> 00:09:57,760
Now, notice that the example "Generate a self-signed root certificate" also works.

135
00:09:57,760 --> 00:10:00,719
Have a look at man openssl-req,

136
00:10:00,719 --> 00:10:05,080
and this combines this step with the previous step.

137
00:10:05,080 --> 00:10:11,000
Next, we have used openssl genrsa -out TLS.key,

138
00:10:11,000 --> 00:10:15,559
which will generate a private key to be used by your server.

139
00:10:15,559 --> 00:10:20,919
From that private key, we have extracted the certificate signing request,

140
00:10:20,919 --> 00:10:24,599
and -out is the name of the certificate signing request.

141
00:10:24,599 --> 00:10:27,039
And very important is the common name.

142
00:10:27,039 --> 00:10:31,239
It needs to match the host name that is going to use the certificate.

143
00:10:31,239 --> 00:10:33,760
And you can find these commands in the man page as well.

144
00:10:33,760 --> 00:10:36,400
If you use man openssl-req,

145
00:10:36,400 --> 00:10:40,799
look at "Create a private key and generate a certificate request from it".

146
00:10:40,799 --> 00:10:42,840
You don't have to memorize all of this.

147
00:10:42,840 --> 00:10:49,960
If you have system access, the man page of openssl-req is quite specific.

148
00:10:49,960 --> 00:10:55,640
Last step was openssl x509, where x509 is a signing utility.

149
00:10:55,640 --> 00:10:59,239
-req tells openssl that we need to create a request.

150
00:10:59,239 --> 00:11:00,760
-in is for the input file.

151
00:11:00,760 --> 00:11:06,440
-CA and -CAkey are identifying the certificate authority keys.

152
00:11:06,440 --> 00:11:08,359
-CAcreateserial.

153
00:11:08,359 --> 00:11:12,559
It's a mandatory option that will create the CA serial number.

154
00:11:12,559 --> 00:11:15,479
-out is the certificate that is going to be produced.

155
00:11:15,520 --> 00:11:21,280
-days is the validity, and -sha256 is the hashing algorithm.

156
00:11:21,280 --> 00:11:26,640
And you can also find this information in man openssl-x509

157
00:11:26,640 --> 00:11:32,320
in "Sign a certificate request using the certificate extensions".

158
00:11:32,320 --> 00:11:38,000
And that is how you can create your own self-signed public-private certificate pair.

159
00:11:38,000 --> 00:11:41,280
And you can use them internally on your web service, for instance.

