Creating Self Signed Certificates
Applications such as Oracle GoldenGate or Oracle GoldenGate Veridata often support the use of certificates. For test systems, self signed certificates are a quick way to create and use them. Note that these certificates are issued by a private root CA that nobody else trusts; they are not suitable for production systems.
Create the root CA certificate
This will create a directory named keys in the home directory of the current user. If the directory already exists (and possibly contains certificates), you will be asked whether the directory and all its contents should be removed. The new CA certificate is then created.
cd ~
(if [ -d ~/keys ] ; then
read -p "Directory ~/keys already exists! Remove it? [y/n] " inp
if [ "$inp" = "y" ] ; then rm -rf ~/keys ; fi
fi
if [ ! -d ~/keys ] ; then
# -nodes writes the CA private key unencrypted; -x509 makes this a self signed CA certificate valid for 10 years
mkdir ~/keys && openssl req -subj "/CN=MyRootCA" -newkey rsa:2048 -nodes -new \
-x509 -days 3650 -keyout ~/keys/ca_key.pem -out ~/keys/ca_cert.pem
fi)
This will create the CA private key (ca_key.pem) and the CA certificate (ca_cert.pem), which contains the CA public key. Because of -nodes the private key is stored unencrypted, so keep ~/keys readable only by its owner. If you want to trust certificates signed by this new Certificate Authority (CA), for example in a browser, import the CA certificate into the certificate store as described in the Windows 10 section below.
Create a self signed certificate (server)
(cd ~/keys && read -p "Enter the fully qualified hostname (e.g. `hostname`): " sfqdn
# short hostname = everything before the first dot
sn=$(echo "$sfqdn" | awk -F. '{print $1}') && \
# create private key and csr (Certificate Signing Request)
openssl req -subj "/C=DE/O=OrgName/CN=$sn" -newkey rsa:2048 -nodes -keyout ./${sn}_key.pem -new -out ./$sn.csr && \
# extensions for the server certificate: TLS server usage and every name the server is reached by
cat << EOF > ./$sn.cnf
extendedKeyUsage = serverAuth
subjectAltName = DNS:$sn,DNS:$sfqdn,DNS:localhost,IP:127.0.0.1
EOF
# create server certificate (sign the CSR with the Root CA)
openssl x509 -CAcreateserial -CA ./ca_cert.pem -CAkey ./ca_key.pem -req -in ./$sn.csr \
-extfile ./$sn.cnf -days 3650 -out ./${sn}_cert.pem)
This will create the server private key and the server certificate, named after the short hostname you entered (for the hostname lin1: lin1_key.pem and lin1_cert.pem). Clients verifying the server compare the name they connect to against the subjectAltName entries, so the list in the .cnf file must contain every name the server will be addressed by.
Create a self signed certificate (client)
(cd ~/keys && read -p "Enter the CNAME of the client certificate (e.g. client1): " cname && \
# create private key and csr (Certificate Signing Request)
openssl req -subj "/C=DE/O=OrgName/CN=$cname" -newkey rsa:2048 -nodes -keyout ./${cname}_key.pem -new -out ./$cname.csr && \
# extension for the client certificate: TLS client authentication only
echo 'extendedKeyUsage = clientAuth' > ./$cname.cnf && \
# create client certificate (sign the CSR with the Root CA)
openssl x509 -CAcreateserial -CA ./ca_cert.pem -CAkey ./ca_key.pem -req -in ./$cname.csr \
-extfile ./$cname.cnf -days 3650 -out ./${cname}_cert.pem)
This will create the client private key and the client certificate, named after the CNAME you entered (for client1: client1_key.pem and client1_cert.pem).
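Before handing the files from the server and client sections above to an application, it is worth checking that each certificate actually chains to the CA, carries the intended extendedKeyUsage, covers the hostname (server) and belongs to the private key next to it. The following check script is an added example, not part of the original page; it assumes the ~/keys layout described above (ca_cert.pem, NAME_key.pem, NAME_cert.pem) and openssl 1.1 or newer, where openssl verify returns a non-zero exit status on failure.

```shell
#!/bin/sh
# Added example: sanity checks for certificates created with the steps above.
set -u

# check_server_cert DIR NAME HOSTNAME
# Returns 0 when DIR/NAME_cert.pem (a) chains to DIR/ca_cert.pem,
# (b) is usable as a TLS server certificate (extendedKeyUsage serverAuth),
# (c) covers HOSTNAME through its subjectAltName and
# (d) matches the private key DIR/NAME_key.pem.
check_server_cert() {
  dir=$1; name=$2; host=$3
  cert="$dir/${name}_cert.pem"; key="$dir/${name}_key.pem"; ca="$dir/ca_cert.pem"

  # (a)+(b)+(c): -purpose enforces the EKU, -verify_hostname checks the SAN names
  openssl verify -CAfile "$ca" -purpose sslserver -verify_hostname "$host" "$cert" >/dev/null 2>&1 || return 1

  # (d): the public key inside the certificate must equal the one derived from the private key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# check_client_cert DIR NAME
# Returns 0 when DIR/NAME_cert.pem chains to the CA and is usable for TLS client
# authentication (extendedKeyUsage clientAuth). A client certificate has no hostname.
check_client_cert() {
  dir=$1; name=$2
  openssl verify -CAfile "$dir/ca_cert.pem" -purpose sslclient "$dir/${name}_cert.pem" >/dev/null 2>&1
}

# Example usage with the names from the sections above:
#   check_server_cert ~/keys lin1 lin1.example.com && echo "server cert OK"
#   check_client_cert ~/keys client1 && echo "client cert OK"
```

A server certificate whose SAN does not contain the name the client connects to, or a client certificate presented as a server certificate, fails these checks just as it would fail in an application.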
Further info
The contents of an X.509 certificate (subject, issuer, validity, subjectAltName and extendedKeyUsage) can be viewed with:
openssl x509 -text -in ~/keys/ca_cert.pem
Import the CA public key as a Trusted Root CA in Windows 10
Put the CA certificate (the contents of ca_cert.pem) into a text file, for example c:\data\pkey.txt. It should look like this:
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
Then import the CA certificate into the Trusted Root Certification Authorities store (run in an admin command prompt):
certutil.exe -addstore root c:\daten\myrootca.txt
The output will look similar to this:
root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "MyRootCA" added to store.
CertUtil: -addstore command completed successfully.
If you want to remove the CA from the store later, you can do that with (run in an admin command prompt):
certutil -delstore root MyRootCA
To list all certificates in the Windows Trusted Root Certification Authorities store (run in an admin command prompt):
certutil -store root