Creating custom Certificates
SSL Certificates
There are two kinds of certificates: those signed by a Certificate Authority (CA) and self-signed certificates. A CA is a source that clients already trust, so a CA-signed certificate lets your users verify the identity of your website without any extra configuration on their side. In a production environment you would normally use a CA-signed certificate. For testing purposes a self-signed certificate is sufficient, with one caveat: nobody trusts it by default, so every client that should accept it must be configured to trust that specific certificate; otherwise the client will, correctly, reject the connection.
To generate a self-signed certificate, run the following command in an openssl shell (the interactive prompt you get by starting openssl without arguments). The -config path points to the openssl.cnf shipped with the vimacc third-party OpenSSL build and must be adjusted if your openssl.cnf lives elsewhere:
openSSL> req -newkey rsa:2048 -nodes -keyout vimacc_SSL.key -x509 -days 730 -out vimacc_SSL_selfsigned_cert.pem -config C:\Projects\vimacc\third-party\openssl\Windows\x64\debug\ssl\openssl.cnf
You will be prompted for the subject fields of the certificate (more detailed walkthroughs can be found e.g. on digitalocean.com or ssl-trust.com). The answers could, for example, look like this:
# Country Name (2 letter code) [AU]: DE
# State or Province Name (full name) [Some-State]: Niedersachsen
# Locality Name (eg, city) []: Hannover
# Organization Name (eg, company) [Internet Widgits Pty Ltd]: Accellence Technologies GmbH
# Organizational Unit Name (eg, section) []: vimacc VMS
# Common Name (eg, YOUR name) []: SSL vimacc (better not to use an accellence domain name here!)
# Email Address []: info@accellence.de
This should leave you with two files: vimacc_SSL_selfsigned_cert.pem (the certificate, which you can hand out freely) and vimacc_SSL.key (the private key). Because of -nodes the key is stored unencrypted, so restrict the file's permissions and never copy it to the clients. These two files are all the server needs for an SSL connection; the clients additionally have to trust vimacc_SSL_selfsigned_cert.pem explicitly, since no CA vouches for it.
Working with signed certificates
Another approach is to only work with signed certificates, i.e. to let the server side act as the certificate authority for its clients:
- The client must create a CSR (Certificate Signing Request) containing the identifying details agreed with the server side (e.g. the client's name or address) together with the client's public key; the private key stays on the client.
- The administrator of the client system must send this CSR to the administrator of the server system.
- The CSR is signed on the server-side system with the server's CA key, and the signed certificate must be sent back to the administrator of the client side.
- During connection setup the client presents this certificate to the server, and because it was signed by the server's own CA the server can identify the client as well (mutual authentication).
This means that only known clients, i.e. those holding a certificate signed by the server side, can establish a connection, provided the server is configured to require and verify client certificates. A client that merely claims the right name with a self-signed certificate is rejected.
To inspect a certificate (subject, issuer, validity period, extensions) run:
openssl x509 -in certificate.pem -noout -text
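The signing workflow described above, carried through end to end with openssl, as an added example (this is not vimacc's own tooling, and the directory name, file names, subject fields and the inline openssl.cnf are illustrative assumptions): the server side creates a private CA, the client creates a key and CSR, the CA signs the CSR, and openssl verify then shows that the signed certificate is accepted while a self-signed certificate with the same name is rejected. It assumes openssl 1.1.1 or newer on PATH.

```sh
#!/bin/sh
# Added example, not part of vimacc. Assumptions: openssl >= 1.1.1 on PATH,
# working directory ./mtls_demo, subject fields and file names chosen freely.
set -e
WORK="${WORK:-./mtls_demo}"
mkdir -p "$WORK"

# Minimal openssl.cnf so the example does not depend on the system config.
# v3_ca marks the server-side CA, v3_client marks a client-authentication leaf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# Server side, once: private CA key plus self-signed CA certificate.
# The CA key decides which clients are "known"; keep it offline and admin-only.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/server_ca.key" -out "$WORK/server_ca.pem" \
    -subj "/C=DE/ST=Niedersachsen/L=Hannover/O=Accellence Technologies GmbH/OU=vimacc VMS/CN=vimacc client CA"
}

# Client side: private key and CSR. Only the CSR (public key plus subject) is
# sent to the server administrator; client.key never leaves the client.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/C=DE/O=Example Operator/OU=vimacc client/CN=vimacc-client-01"
}

# Server side: sign the CSR with the CA key, adding the v3_client extensions
# so the result cannot itself sign certificates and is limited to clientAuth.
sign_client_csr() {
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/server_ca.pem" -CAkey "$WORK/server_ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/openssl.cnf" -extensions v3_client \
    -out "$WORK/client.pem"
}

# The check the server performs during the handshake: does the presented
# certificate chain to the server CA? Exit status 0 means "known client".
verify_client_cert() {
  openssl verify -CAfile "$WORK/server_ca.pem" "$1" >/dev/null
}

# A self-signed certificate with the same CN was never signed by the CA.
make_rogue_client() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
    -subj "/CN=vimacc-client-01"
}

# Returns 0 only if the rogue certificate FAILS verification, i.e. the name
# alone does not get a client in; the CA signature does.
rogue_is_rejected() {
  if openssl verify -CAfile "$WORK/server_ca.pem" "$WORK/rogue.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Quick look at whom a certificate was issued to.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

make_ca
make_client_csr
sign_client_csr
verify_client_cert "$WORK/client.pem"
echo "client.pem: chains to the server CA, accepted"
make_rogue_client
rogue_is_rejected
echo "rogue.pem: does not chain to the server CA, rejected"
cert_subject "$WORK/client.pem"
```

To see the same decision made by a real TLS handshake, run openssl s_server with -Verify 1 -CAfile server_ca.pem on the server side and connect with openssl s_client -cert client.pem -key client.key; repeating the connection with rogue.pem and rogue.key makes the server abort the handshake.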