SSL/TLS Certificates
X.509 certificates bind identities to public keys via digital signatures. Can be self-signed or CA-signed.
Generate Self-Signed CA
bash
# CA private key
openssl genrsa -aes256 -out ca-key.pem 4096
# CA certificate (10 years)
openssl req -new -x509 -sha256 -days 3650 -key ca-key.pem -out ca.pem
# Inspect
openssl x509 -in ca.pem -text
openssl x509 -in ca.pem -purpose -noout -textGenerate Server Certificate
bash
# Server private key
openssl genrsa -out cert-key.pem 4096
# CSR
openssl req -new -sha256 -subj "/CN=exploit.se" -key cert-key.pem -out cert.csr
# Extension file
echo "subjectAltName=DNS:exploit.se,IP:10.10.10.10" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
# Sign
openssl x509 -req -sha256 -days 3650 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
-out cert.pem -extfile extfile.cnf -CAcreateserialVerify
bash
openssl verify -CAfile ca.pem -verbose cert.pemFormat Conversions
| Command | Result |
|---|---|
openssl x509 -outform der -in cert.pem -out cert.der | PEM → DER |
openssl x509 -inform der -in cert.der -out cert.pem | DER → PEM |
openssl pkcs12 -in cert.pfx -out cert.pem -nodes | PFX → PEM |
Install as Trusted Root
Debian / Linux:
bash
sudo cp ca.pem /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificatesWindows (PowerShell):
powershell
Import-Certificate -FilePath "C:\ca.pem" -CertStoreLocation Cert:\LocalMachine\RootWindows (cmd):
bash
certutil.exe -addstore root C:\ca.pemAndroid: Settings → Security → Encryption and Credentials → Install CA Certificate