Generating SSL Certificates for testing purposes
To start with, check that OpenSSL is installed. If not, it should be available as a package for your operating system.
Two bash scripts placed in JetConf repository in
utils/cert_gen directory are provided:
gen_server_cert.shis used once for generating the server certificate.
gen_client_cert.shis used repeatedly for creating client certificates.
Their usage is described below.
WARNING: Self-signed certificates are of course not considered trustworthy by web browsers and operating systems, so they are only suitable for testing.
The generated server and client certificates have to be signed by a Certificate Authority (CA). For production uses, a trusted CA should always be used. For testing purposes, though, a self-signed CA-like certificate will do. The easiest, but least secure, way is to use the pre-generated CA-like certificate and private key from the files
ca.key available from the JetConf repository (subdirectory
utils/cert_gen). Alternatively, the CA-like certificate and key can be generated using the procedure below.
Generate your own CA-like certificate
Make or move to your working directory
$ mkdir my_ca_cert $ cd my_ca_cert
$ openssl genrsa -out ca.key 2048
ca.pem certificate. details
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem
Some parameters of the certificate have to be filled in. They are not terribly important for testing purposes. For example:
Country Name (2 letter code) [AU]:CZ State or Province Name (full name) [Some-State]: Locality Name (eg, city) : Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example CA Organizational Unit Name (eg, section) :exca.cz Common Name (e.g. server FQDN or YOUR name) :firstname.lastname@example.org Email Address :email@example.com
To generate a new server certificate for JetConf that will be accepted even by
the more pedantic web browsers like Chrome, just run the provided
The script can be used in one of the two following ways:
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip>
The command will generate a new server private key along with the certificate.
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip> <server_key>
In this case, the name of the private key file passed to the script as the
The script autodetects if the certificate is being issued for a domain
name or an IP address (
<domain/ip>), and sets the appropriate SAN value.
For example, this command will create a certificate named
example.com domain with new private key
$ ./gen_server_cert.sh example example.com
If you want this certificate to be accepted by your web browser, the issuing CA's certificate needs to be imported to your browser.
WARNING: It is strongly recommended not to import the provided CA's certificate (
ca.pem) to your production browser, as its private key is publicly known. If you do so, someone could perform a MITM attack to any connection with an SSL-protected website.
gen_client_cert.sh script is intended for generating client certificates signed by the previously created CA-like certificate.
The script is used simply as follows:
$ ./gen_client_cert.sh <email_address>
The issued certificate will use the email address passed in the argument is used as the emailAddress DN and commonName parameter of the client certificate. Also, the email address identifies the client to the JetConf server.
For example, the command
$ ./gen_client_cert.sh firstname.lastname@example.org
will generate the following files:
email@example.com- the client certificate
firstname.lastname@example.org- the client private key
email@example.com_curl.pfx- the previous 2 files combined and protected by a password. Some utilities, such as curl, expect the client certificate in this so called PKCS#12 format. In case you are wondering, the password is again the email address, i.e.
firstname.lastname@example.org this case.