Certificate Generation Guide

This directory contains certificates for the HTTPS server example. This guide explains how to generate new server and client certificates signed by the existing CA certificate.

Prerequisites

• OpenSSL installed on your system
• Existing CA certificate (cacert.pem) and CA private key (cakey.pem)
• Configuration files for certificate extensions (server_cert.conf and client_cert.conf)

Generating Server Certificate

Follow these steps to create a new server certificate signed by the CA:

1. Generate Server Private Key

openssl genpkey -algorithm RSA -out new_server.key -pkeyopt rsa_keygen_bits:2048

This creates a 2048-bit RSA private key for the server.

2. Create Certificate Signing Request (CSR)

openssl req -new -key new_server.key -out new_server.csr -config server_cert.conf

This generates a CSR using the server's private key and the configuration specified in server_cert.conf.

3. Sign the Server Certificate with CA

openssl x509 -req -in new_server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out new_server.pem -days 3650 -extensions v3_req -extfile server_cert.conf

This creates the server certificate (new_server.pem) valid for 10 years (3650 days), signed by the CA certificate.

Generating Client Certificate

Follow these steps to create a new client certificate signed by the CA:

4. Generate Client Private Key

openssl genpkey -algorithm RSA -out new_client.key -pkeyopt rsa_keygen_bits:2048

This creates a 2048-bit RSA private key for the client.

5. Create Certificate Signing Request (CSR)

openssl req -new -key new_client.key -out new_client.csr -config client_cert.conf

This generates a CSR using the client's private key and the configuration specified in client_cert.conf.

6. Sign the Client Certificate with CA

openssl x509 -req -in new_client.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out new_client.pem -days 3650 -extensions v3_req -extfile client_cert.conf

This creates the client certificate (new_client.pem) valid for 10 years (3650 days), signed by the CA certificate.

Installing the Certificates

7. Copy Certificates to Expected Locations

cp new_server.pem servercert.pem && \
cp new_server.key prvtkey.pem && \
cp new_client.pem client_cert.pem && \
cp new_client.key client_key.pem

This copies the newly generated certificates and keys to the filenames expected by the example application.

File Naming Convention

The example application expects the following files:

• servercert.pem - Server certificate
• prvtkey.pem - Server private key
• client_cert.pem - Client certificate
• client_key.pem - Client private key
• cacert.pem - CA certificate (for verification)

Security Notes

⚠️ Important Security Considerations:

• The private keys (prvtkey.pem, client_key.pem, cakey.pem) should be kept secure. As these are for demonstration purposes, they are included here, but in a production environment, ensure they are stored securely and access is restricted.
• The certificates in this example directory are for demonstration purposes only
• For production use, generate new certificates with appropriate security parameters
• Consider using shorter validity periods for production certificates
• Store private keys with restricted file permissions (e.g., chmod 600)

Verifying Generated Certificates

You can verify the generated certificates using:

# Verify server certificate
openssl x509 -in servercert.pem -text -noout

# Verify client certificate
openssl x509 -in client_cert.pem -text -noout

# Verify certificate chain
openssl verify -CAfile cacert.pem servercert.pem
openssl verify -CAfile cacert.pem client_cert.pem

Troubleshooting

• If certificate verification fails, ensure the CA certificate and key are valid and match
• Check that the configuration files (server_cert.conf, client_cert.conf) contain appropriate Subject Alternative Names (SANs) and extensions
• Ensure OpenSSL version is up to date for best compatibility