How to create a valid self signed SSL Certificate?

Introduction

In this tutorial, we will guide you through the process of creating a valid self-signed SSL certificate using OpenSSL. This certificate can be used for your internal network, specifically for applications like a Proxmox Server. Self-signed certificates are useful for testing and internal applications where you control the environment.

Step 1: Understand TLS Basics

Before generating a certificate, it is important to understand some fundamental concepts of TLS (Transport Layer Security):

• TLS is a protocol that ensures privacy between communicating applications and users on the internet.
• A valid SSL certificate authenticates the identity of a server and establishes an encrypted connection.

Step 2: Learn About Valid SSL Certificates

• Valid SSL certificates are issued by trusted Certificate Authorities (CAs) and are recognized by web browsers.
• Self-signed certificates, while not recognized by external browsers, are useful for internal purposes.

Step 3: Reasons to Use Self-Signed Certificates

• Cost-effective: No need to purchase certificates from a CA.
• Control: You manage the certificate lifecycle entirely.
• Suitable for testing: Ideal for development and internal network scenarios.

Step 4: Generate a Private CA

1. Open your command line interface.
2. Generate a private key for your Certificate Authority (CA):

   openssl genrsa -out privateCA.key 2048
   

3. Create a self-signed root certificate:

   openssl req -x509 -new -nodes -key privateCA.key -sha256 -days 1024 -out privateCA.crt
   

   • Follow the prompts to enter relevant information such as country, state, and organization.

Step 5: Generate and Sign an SSL Certificate

1. Create a private key for your SSL certificate:

   openssl genrsa -out myserver.key 2048
   

2. Create a Certificate Signing Request (CSR):

   openssl req -new -key myserver.key -out myserver.csr
   

3. Sign the CSR with your private CA:

   openssl x509 -req -in myserver.csr -CA privateCA.crt -CAkey privateCA.key -CAcreateserial -out myserver.crt -days 500 -sha256
   

Step 6: Upload a Full Chain Certificate

• Combine the certificate and the CA certificate into a full chain certificate if required by your server:

  cat myserver.crt privateCA.crt > fullchain.crt
  

Step 7: Import Private CA in Windows

1. Open the Microsoft Management Console (MMC).
2. Go to File > Add/Remove Snap-in.
3. Choose Certificates and click Add.
4. Select Computer account and then Local computer.
5. Right-click on Trusted Root Certification Authorities and choose Import.
6. Follow the prompts to import your privateCA.crt.

Conclusion

You have successfully created a valid self-signed SSL certificate for your internal network using OpenSSL. You can now use this certificate with applications like Proxmox Server. To further secure your environment, consider regularly renewing your certificates and keeping your CA private key safe. For further reading or troubleshooting, refer to the OpenSSL documentation or community forums.