Jun 26, 2020
OpenSSL is a wide spread open source cryptographic software library that contains implementations of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Today most open source security applications utilize OpenSSL.
Hypertext Transfer Protocol Secure (HTTPS) is encrypted using TLS or its predecessor SSL. Encryption of HTTP traffic helps protect against man-in-the-middle and eavesdropping attacks and is a powerful security tool for deploying applications, even those that never see public access. As a side note, HTTPS is also required for HTTP/2, which has several advantages over HTTP/1.
For a website to show the “secure connection” 🔒 padlock icon in the address bar, the site’s certificate has to be signed by a trusted certificate authority, such as Let’s Encrypt, for the web browser to accept the certificate without warning.
For a site or service contained within one’s LAN, a certificate authority cannot sign the certificate because it is not accessible on a public domain. In this case a self-signed certificate can be implemented. As the name implies, a self-signed certificate does not need to be signed by a certificate authority. While this allows for broader use of HTTPS, if an attacker obtains a self-signed certificate, they could intercept traffic to the site or service using the stolen certificate.
OpenSSL is installed by default on most Linux distributions. OpenSSL commands are fairly cryptic, but a self-signed certificate can be generated with one command. I will go through each of the command-line arguments individually for clarity.
openssl req \ -x509 -nodes -days 365 \ -subj '/C=US/ST=State/L=City/CN=www.example.com' \ -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
- req - indicates certificate request
- -x509 - use x509 certificate standard
- -nodes - do not encrypt key protected with passphrase
- -days 365 - key is valid for 365 days
- -subj ‘/C=US/ST=State/L=City/CN=www.example.com’ - Country, State, Location, and Common Name of server
- -newkey rsa:2048 - generate RSA key 2048 bits long
- -keyout /private.key - path for private key
- -out /public.pem - path for public key
x509 is a certificate standard, defining the format of public key certificates. The subject information is optional, but can be helpful if you’re auditing the certificates on your home network. Certificates can be protected with a passphrase, but I skip this step as for me the additional complexity outweights the minimal security gain. My current standard, which here I’m defining as the cryptographic algorithm Let’s Encrypt and Mozilla use, is a 2048 bit RSA key. Notice the -keyout and -out both point to the same path; this will generate one key file containing both the public and private portions.
Learning about OpenSSL and cryptography in general can certainly lead you down a rabbit hole. If you’d like to learn more check out the OpenSSL documentation and here for OpenSSL command-line utilities.