How to create a self-signed or trusted third-party certificate with openssl

  • 7023144
  • 02-Jul-2018
  • 02-Jul-2018

Environment

SUSE
GroupWise
eDirectory

Situation

How to create a self-signed or trusted third-party certificate with openssl
How to generate a self-signed or trusted 3rd-party certificate using NetIQ Cool Tool OpenSSL-Toolkit

Resolution

How to generate a self-signed or trusted third-party certificate using openssl:

  1. Generate a Private Key by following the steps below from a terminal window:
    • openssl genrsa -des3 -out server.key 2048
      Note: -des3 wraps the key with legacy Triple-DES. Current OpenSSL releases also accept -aes256 for the same purpose, which is the better choice for a new key.
    • Type the pass phrase to protect the key and press [Enter]
    • Re-enter the pass phrase.
  2. Generate a Certificate Signing Request by following the steps below:
    • openssl req -new -key server.key -out server.csr
    • Enter the pass phrase of the private key created in Step 1.
    • Fill in the Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address.
      Note: The Common Name should be the DNS name of the server (e.g. server.mydomain.com). Current browsers and TLS libraries match the host name against the subjectAltName extension rather than the Common Name, so a certificate intended for TLS also needs the same name as a DNS entry in subjectAltName; openssl req can add it with -addext (OpenSSL 1.1.1 and later) or through a config file with a req_extensions section.
    • When asked for a Challenge password and optional company name, leave them blank.
  3. To sign the certificate, please select from the following options:
    • (Trusted 3rd-party Certificate Authority) Send the Certificate-Signing Request (CSR) to the third party for signing. The following files should be received:
      • Server certificate (contains the public key; the private key in server.key never leaves the server)
      • Intermediate CA certificate and/or bundle that chains the server certificate to the Trusted Root CA
    • (Self-signed) Sign the certificate with openssl:
      • openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
        Note: Increase or decrease 730 as needed. This is the number of days the certificate is valid for.
      • Enter the pass phrase of the Private Key. This is the same pass phrase that was entered in Step 1.
  4. (optional) If needed, create a concatenated PEM file:
    TID 7013103 - How to create a .pem File for SSL Certificate Installations
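The steps above, run end to end without interactive prompts, as an added example that is not part of the TID: it generates the passphrase-protected key, builds the CSR from a config file (which also carries a subjectAltName, since openssl x509 -req does not copy extensions from the CSR by itself), self-signs it for 730 days, and then checks that the CSR signature is valid, that the certificate chains to the trusted bundle and matches the host name, that the public key in the certificate belongs to server.key, and that the validity window really is 730 days. The host name server.mydomain.com, the DN fields, the placeholder passphrase in KEY_PASS and the scratch directory in WORKDIR are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the TID): steps 1-3 of the self-signed path run
# non-interactively, with a subjectAltName so current TLS clients accept the
# certificate, followed by consistency checks. Assumed values: host name
# server.mydomain.com, the DN fields below, a placeholder passphrase in
# KEY_PASS and a scratch directory in WORKDIR.
set -eu

HOST="${HOST:-server.mydomain.com}"
KEY_PASS="${KEY_PASS:-changeit}"       # placeholder; supply a real passphrase
DAYS="${DAYS:-730}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config: prompt=no supplies the step 2 DN fields without interaction,
# and v3_req carries the SAN that is re-applied when the certificate is signed.
write_config() {
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = US
ST = Utah
L = Provo
O = Example Org
OU = IT
CN = $HOST
emailAddress = hostmaster@mydomain.com
[v3_req]
subjectAltName = DNS:$HOST
EOF
}

# Step 1: passphrase-protected 2048-bit RSA key (AES-256 instead of -des3).
gen_key() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" \
    -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Step 2: CSR signed with the private key. For the trusted third-party path
# this is the file that goes to the CA.
gen_csr() {
  openssl req -new -config "$WORKDIR/req.cnf" \
    -key "$WORKDIR/server.key" -passin "pass:$KEY_PASS" \
    -out "$WORKDIR/server.csr"
}

# Step 3 (self-signed): sign the CSR with its own key for DAYS days;
# -extfile/-extensions put the SAN into the certificate.
self_sign() {
  openssl x509 -req -days "$DAYS" -in "$WORKDIR/server.csr" \
    -signkey "$WORKDIR/server.key" -passin "pass:$KEY_PASS" \
    -extfile "$WORKDIR/req.cnf" -extensions v3_req \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

make_self_signed() { write_config && gen_key && gen_csr && self_sign; }

# Checks to run before installing the files. $1 is the CA bundle to trust:
# the certificate itself for the self-signed case, or the root/intermediate
# bundle returned by the third-party CA. Returns 0 only if every check passes.
check_cert() {
  cafile="${1:-$WORKDIR/server.crt}"
  # CSR self-signature is valid (catches a corrupted or hand-edited request)
  openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1 || return 1
  # certificate chains to the trusted bundle and matches the host name via SAN
  openssl verify -CAfile "$cafile" -verify_hostname "$HOST" \
    "$WORKDIR/server.crt" >/dev/null 2>&1 || return 1
  # public key in the certificate is the one derived from server.key
  pk_key=$(openssl pkey -in "$WORKDIR/server.key" -passin "pass:$KEY_PASS" -pubout)
  pk_crt=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey)
  [ "$pk_key" = "$pk_crt" ] || return 1
  # validity is DAYS long: still valid one day short of it, expired one day past it
  openssl x509 -in "$WORKDIR/server.crt" -noout \
    -checkend $(( (DAYS - 1) * 86400 )) >/dev/null || return 1
  if openssl x509 -in "$WORKDIR/server.crt" -noout \
       -checkend $(( (DAYS + 1) * 86400 )) >/dev/null; then return 1; fi
  return 0
}

make_self_signed && check_cert && \
  echo "server.key, server.csr and server.crt written to $WORKDIR"
```

For a certificate returned by a third-party CA, copy it to server.crt next to the original server.key and server.csr and call check_cert with the bundle the CA supplied (for example check_cert ca-bundle.pem); the intermediate certificates must be in that bundle, or passed to openssl verify with -untrusted, for the chain check to succeed. The public-key comparison is the check that catches the most common mistake in that path: installing a certificate that was issued for a different key than the one on the server.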

Additional Information

TID 7015502 - Common Mistakes in SSL Certificate Management & Implementation.
TID 7013103 - How to create a .pem File for SSL Certificate Installations.

How to generate a self-signed certificate using NetIQ Cool Tool OpenSSL-Toolkit:

  1. Download NetIQ Cool Tool OpenSSL-Toolkit.
  2. To generate the certificate, please select from the following options:
    • (Self-signed) Create the self-signed certificate:
      Select Create certificates | Self-Signed SSL Certificate (key, csr, crt)
      Note the following files will be created: server.key (private key), server.csr (certificate signing-request), server.crt (server certificate, containing the public key), server.pem (concatenated PEM file).
    • (Trusted 3rd-party) Create the Private Key and Certificate Signing Request:
      Select Private key & Certificate Signing Request (key, csr)
      Note the following files will be created: server.key (private key), server.csr (certificate signing-request).
  3. When filling out the prompted details:
    • Private Key:
      • Provide the path for a working directory to store these certificate files in.
      • Type the pass phrase to protect the key and press [Enter]
      • Re-enter the pass phrase.
    • Certificate-Signing Request (CSR):
      • Fill in the Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address.
        Note: The Common Name should be the DNS name of the server (e.g. server.mydomain.com). Current browsers and TLS libraries match the host name against the subjectAltName extension rather than the Common Name, so check that the resulting certificate carries the same name as a DNS entry in subjectAltName before installing it.
      • When asked for a Challenge password and optional company name, leave them blank.
    • (conditional) Self-Signed Certificate:
      • Increase or decrease 730 as needed. This is the number of days the certificate is valid for.
      • Enter the pass phrase of the Private Key
  4. (conditional) If creating a Trusted 3rd-party certificate, submit the Certificate-Signing Request (CSR) to the Trusted 3rd-party Certificate Authority for signing. The following files should be received:
    • Server certificate (contains the public key; the private key in server.key never leaves the server)
    • Intermediate CA certificate and/or bundle that chains the server certificate to the Trusted Root CA