Creating Self Signed Certificates With WebID

On the web you can find numerous tips on creating self-signed certificates. However, far fewer pages describe adding a URI to the Subject Alternative Name field.

With OpenSSL you have to follow three steps (plus an optional fourth):

  • Create a private key.
    openssl genrsa -des3 -out myserver.key 2048
  • Create a signing request.
    openssl req -new -key myserver.key -out myserver.csr
  • Create the certificate from the signing request. Normally you send this signing request to a certificate authority; however, you can also sign the certificate yourself.
    openssl x509 -req -days 365 -in myserver.csr -signkey myserver.key -out myserver.crt
  • An additional step converts the certificate to PKCS#12 format, which is a bundle of the private key and the certificate.
    openssl pkcs12 -export -out myserver.p12 -inkey myserver.key -in myserver.crt

But there is also a single-step version:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.pem -out mycert.pem

How to add WebID

WebID is a URI that identifies an agent: a person, robot, thing, etc. In WebID authentication we use certificates, and inside the certificate we need to present the URI (the WebID). The WebID goes in the Subject Alternative Name field. To add it, you need to change the openssl.cnf file; on Ubuntu it is located at /etc/ssl/openssl.cnf. Read the configuration file, you will learn a lot. Maybe there are other tricks that I am missing.

If you plan to use a Certificate Authority to sign your certificate, as described in ssl with SAN, you need to enable the v3_req section and place the URI in its subjectAltName field. However, if you want to create your own self-signed certificate using the single-step command above, you need to place the URI under the v3_ca section instead. The reason is that you are now your own certificate authority, therefore the extensions are taken from the CA section.