---
title: Server certificate utility tasks
description: Create a CSR and save it in a local file called csr.pem:
component: pingoneaic
page_id: pingoneaic:realms:server-certificates-utility-tasks
canonical_url: https://docs.pingidentity.com/pingoneaic/realms/server-certificates-utility-tasks.html
page_aliases: ["realms:ssl-certificates-self-managed-utility-tasks.adoc"]
section_ids:
  create-a-self-signing-ca-certificate-and-a-self-signed-certificate: Create a self-signing CA certificate and a self-signed certificate
  server-certificates-check-a-csr: Check a CSR
  server-certificates-check-a-certificate: Check a certificate
---

# Server certificate utility tasks

## Create a self-signing CA certificate and a self-signed certificate

1. Create a CSR and save it in a local file called `csr.pem`:

   * [Create a CSR using the command line](server-certificates-api.html#create-a-csr-using-the-command-line)

   * [Create a CSR using the certificate API](server-certificates-api.html#create-a-csr-using-the-certificate-api)

   * [Create a CSR using the admin console](server-certificates-ui.html#create-a-csr-using-the-ui)

2. Create a self-signing CA certificate and private key:

   1. Save the following OpenSSL configuration in a local file called `openssl-req-ca.conf`:

      ```ini
      [ req ] # (1)
      x509_extensions = x509_req_ext

      [ x509_req_ext ] # (2)
      subjectKeyIdentifier   = hash
      authorityKeyIdentifier = keyid:always,issuer
      basicConstraints       = critical, CA:TRUE
      keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
      ```

      |       |                                                                                              |
      | ----- | -------------------------------------------------------------------------------------------- |
      | **1** | Configures the `openssl req` command.                                                        |
      | **2** | Configures the `openssl req` command when using the `-x509` flag to create a CA certificate. |

   2. Generate a self-signing CA certificate and private key:

      ```none
      $ openssl req \
      -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
      -out ca-cert.pem -keyout ca-key.pem \
      -subj "/CN=Self-signing CA" \
      -config openssl-req-ca.conf
      ```

   3. Review the self-signing CA certificate and private key, which are in the local files `ca-cert.pem` and `ca-key.pem`, respectively:

      * For examples of a certificate and private key, see [PEM-formatted certificate examples](ssl-certificate-reference.html#certificate-examples).

      * To check the information in the certificate, see [Check a certificate](#server-certificates-check-a-certificate).

3. Create a self-signed certificate:

   1. Save the following OpenSSL configuration in a local file called `openssl-req-sign.conf`:

      ```ini
      [ req ] # (1)
      x509_extensions = x509_req_ext

      [ x509_req_ext ] # (2)
      subjectKeyIdentifier    = hash
      authorityKeyIdentifier  = keyid:always
      keyUsage                = critical, digitalSignature
      extendedKeyUsage        = serverAuth
      ```

      |       |                                                                                 |
      | ----- | ------------------------------------------------------------------------------- |
      | **1** | Configures the `openssl req` command.                                           |
      | **2** | Configures the `openssl req` command when using the `-x509` flag to sign a CSR. |

   2. Generate a self-signed certificate using the CSR, the self-signing CA certificate and private key, and the configuration in `openssl-req-sign.conf`:

      ```none
      $ openssl req \
      -x509 -nodes -sha256 -days 30 -copy_extensions copy \
      -in csr.pem -out cert.pem -CA ca-cert.pem -CAkey ca-key.pem \
      -config openssl-req-sign.conf
      ```

   3. Review the self-signed certificate, which is in the local file `cert.pem`:

      * For an example of a certificate, see [PEM-formatted certificate examples](ssl-certificate-reference.html#certificate-examples).

      * To check the information in the certificate, see [Check a certificate](#server-certificates-check-a-certificate).

## Check a CSR

To check the information in a CSR, run this command:

```none
$ openssl req -in <csr-filename> -noout -text # (1)
```

|       |                                                                                                       |
| ----- | ----------------------------------------------------------------------------------------------------- |
| **1** | Replace `<csr-filename>` with the name of the local file containing your CSR; for example, `csr.pem`. |

> **Example output**
>
> ```none
> Certificate Request:
>     Data:
>         Version: 1 (0x0)
>         Subject: CN = www.pingidentity.com, O = Ping Identity Corporation, OU = IT, ⏎
>                  C = US, street = 1001 17th Street, L = Denver, ST = Colorado, ⏎
>                  postalCode = 80202, emailAddress = example.user@pingidentity.com, ⏎
>                  businessCategory = Private Organization, serialNumber = 3463471, ⏎
>                  jurisdictionC = US, jurisdictionL = Wilmington, ⏎
>                  jurisdictionST = Delaware (1)
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:df:cf:53:47:8b:6a:51:23:0c:b9:8d:65:31:13:
>                     ...8<...
>                     69:71:13:b3:6a:86:d2:a4:7f:25:01:c0:8f:71:96:
>                     16:75
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             Requested Extensions:
>                 X509v3 Subject Alternative Name: (2)
>                     DNS:support.pingidentity.com, DNS:labs.pingidentity.com
>     Signature Algorithm: sha256WithRSAEncryption
>     Signature Value:
>         ab:6d:a7:14:8a:07:6b:69:c8:f7:e9:1f:ca:d3:d4:6d:53:ad:
>         ...8<...
>         84:33:a5:48:61:dd:88:10:41:cc:d8:62:e9:3a:61:85:7d:06:
>         55:04:19:ff
> ```
>
> |       |                                                                                                  |
> | ----- | ------------------------------------------------------------------------------------------------ |
> | **1** | Check the subject contains the fields you entered for the CSR, particularly for EV certificates. |
> | **2** | If you entered SANs for the CSR, check the SAN extension is present.                             |

## Check a certificate

To check the information in a certificate, run this command:

```none
$ openssl x509 -in <certificate-filename> -text -noout # (1)
```

|       |                                                                                                                        |
| ----- | ---------------------------------------------------------------------------------------------------------------------- |
| **1** | Replace `<certificate-filename>` with the name of the local file containing your certificate; for example, `cert.pem`. |

> **Example output**
>
> ```none
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN = Self-signing CA
>         Validity
>             Not Before: May  2 12:07:51 2024 GMT
>             Not After : Jun  1 12:07:51 2024 GMT (1)
>         Subject: CN = www.pingidentity.com, C = US, ST = Colorado, L = Denver, ⏎
>                  O = Ping Identity Corporation, OU = IT (2)
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:d0:52:11:d0:47:34:32:26:85:ae:c8:db:e1:59:
>                     ...8<...
>                     b8:90:00:12:f8:c4:4c:a2:9c:71:e9:22:c4:89:19:
>                     35:3f
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 7B:1D:14:C9:3C:4A:67:37:A2:E5:BE:B5:30:19:BE:EF:E6:08:B3:D6
>             X509v3 Authority Key Identifier:
>                 6E:41:13:8E:26:E4:B0:7E:63:ED:07:0C:4E:2D:CD:FA:66:28:20:21
>             X509v3 Key Usage: critical
>                 Digital Signature
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 Subject Alternative Name: (3)
>                 DNS:support.pingidentity.com, DNS:labs.pingidentity.com
>     Signature Algorithm: sha256WithRSAEncryption
>     Signature Value:
>         22:60:ab:f8:13:cd:af:36:62:06:c5:fe:d4:eb:4f:7e:17:d1:
>         ...8<...
>         67:c5:8d:dd:ad:68:c6:7a:1d:5c:a5:df:cd:0b:d9:de:83:0f:
>         20:42:83:61
> ```
>
> |       |                                                                                                  |
> | ----- | ------------------------------------------------------------------------------------------------ |
> | **1** | Check the expiry date.                                                                           |
> | **2** | Check the subject contains the fields you entered for the CSR, particularly for EV certificates. |
> | **3** | If you entered SANs for the CSR, check the SAN extension is present.                             |
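
The manual checks on this page can also be scripted so that a newly signed certificate is compared against its CSR and the self-signing CA in one step. The following is an added example, not part of the original documentation: the function names `san_of` and `check_issued_cert` and the one-day default expiry margin are assumptions made here, and the file names follow the procedure above.

```shell
#!/bin/sh
# Added example: automates the manual checks described on this page.
# Usage: ./check-cert.sh cert.pem csr.pem ca-cert.pem [MIN_SECONDS_LEFT]

# Print the SAN list of a CSR ($1=req) or certificate ($1=x509); empty if absent.
san_of() {
  openssl "$1" -in "$2" -noout -text |
    awk 'f { gsub(/ /, ""); print; f = 0 } /X509v3 Subject Alternative Name/ { f = 1 }'
}

# check_issued_cert CERT CSR CA_CERT [MIN_SECONDS_LEFT]
# Prints one line per failed check; succeeds only if every check passes.
check_issued_cert() (
  cert=$1 csr=$2 ca=$3 min_left=${4:-86400} rc=0
  fail() { echo "FAIL: $1"; rc=1; }

  # 1. The certificate must chain to the self-signing CA certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    fail "certificate does not verify against $ca"

  # 2. The certificate must carry the same public key as the CSR.
  [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
    "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ] ||
    fail "public key differs from the CSR"

  # 3. Any SANs requested in the CSR must appear unchanged in the certificate.
  [ "$(san_of req "$csr")" = "$(san_of x509 "$cert")" ] ||
    fail "SAN extension differs from the CSR"

  # 4. serverAuth must be listed under Extended Key Usage.
  openssl x509 -in "$cert" -noout -text |
    grep -q 'TLS Web Server Authentication' ||
    fail "extendedKeyUsage lacks serverAuth"

  # 5. The certificate must remain valid for at least MIN_SECONDS_LEFT seconds.
  openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null ||
    fail "expires within $min_left seconds"

  [ "$rc" -eq 0 ]
)

# Run the checks when file names are given on the command line.
if [ "$#" -ge 3 ]; then check_issued_cert "$@"; fi
```

A non-zero exit status means at least one check failed, with each failure reported on its own `FAIL:` line.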
