Automate the Local Certificate Authority Registration with Python
How to make a self-signed SSL certificate with your own CA
What is an SSL Certificate?
If you see a padlock icon beside the URL in the browser, it means the server has an SSL certificate. This certificate is usually signed by a Certificate Authority, like Digicert, Comodo, Let’s Encrypt, etc. The SSL certificate is downloaded into your browser, which verifies that the domain has been validated by the trusted certificate authority.

Self-signed SSL Certificate
Certificates from a third-party Certificate Authority cost money, but you can still use your own local SSL certificate. This means your certificate is signed by yourself, and it’s free.
Certificate Signing Request (CSR)
A CSR is a file that contains the information needed to request that your public key be signed by a Certificate Authority (CA). When requesting a certificate from the CA, you must generate the CSR file first and upload that file to the CA.
Local Certificate Authority
The easy way to make a Certificate Authority (CA) takes just four steps with the openssl command:
1. Create a config file and save it as ca.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
encrypt_key = no
distinguished_name = dn

[dn]
C = ID # country code
O = Local Digital Cert Authority # organization
OU = www.ca.local # organization unit/department
CN = Self-Signed Root CA # common name / your cert name
2. Generate the private key for the CA
openssl genrsa -out ca-private.key 2048
3. Generate CSR with config file and ca-private.key
openssl req -new -key ca-private.key -out ca.csr -config ca.cnf
4. Generate the self-signed CA certificate
openssl x509 -req -days 3650 -in ca.csr -signkey ca-private.key -out ca-public.crt
Explanation:
-days <number> → how long your CA certificate is valid; a CA usually has 25 years of validity, or 9125 days.
And finally we have these files in the directory:
- ca.cnf → the config file that contains the attribute information
- ca-private.key → the private key for signing the server certificate
- ca.csr → the certificate signing request for making the CA public key
- ca-public.crt → the root certificate for signing the server certificate.
To make these commands simpler, I use Python and the subprocess module:
Python Script for Registration CSR
If you have ever requested a certificate from a third-party Certificate Authority (Digicert/ Comodo/ Let’s Encrypt/ etc.), you had to upload your Certificate Signing Request (CSR) to its website.
Inspired by that process, I wanna make a Python script to automate the signing process of the local certificate authority just by using the CSR file.
This script is very simple, much like a bash script. But this time, I just wanna use Python. Just copy and use my script below:
This script has been tested on Linux. If you use Windows, I recommend running this Python script in Git Bash, because Git Bash comes with OpenSSL pre-installed.
How to use the Python script:

ca.crt is the root certificate and server.crt is the public key that is signed by the CA.
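One way to sign a server CSR with the local CA through the subprocess module, as an added example (this is not the author's script, which is not reproduced on this page). The function names build_extfile and sign_csr and the file paths passed to them are assumptions; only the openssl options are real.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical helper names; the hostname pattern allows plain DNS labels only.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def build_extfile(dns_names):
    """Return the X.509 v3 extensions for a server (leaf) certificate."""
    if not dns_names:
        raise ValueError("at least one DNS name is required")
    for name in dns_names:
        # Names end up in an OpenSSL config file, so reject anything
        # (newline, comma, '=') that could smuggle in extra directives.
        if not _HOSTNAME.fullmatch(name):
            raise ValueError(f"invalid DNS name: {name!r}")
    san = ",".join(f"DNS:{n}" for n in dns_names)
    return (
        "basicConstraints = critical,CA:FALSE\n"
        "keyUsage = critical,digitalSignature,keyEncipherment\n"
        "extendedKeyUsage = serverAuth\n"
        f"subjectAltName = {san}\n"
    )


def sign_csr(csr, ca_cert, ca_key, out_cert, dns_names, days=365):
    """Sign csr with the local CA, then check the result chains to that CA."""
    ext = build_extfile(dns_names)
    with tempfile.TemporaryDirectory() as tmp:
        extfile = Path(tmp) / "server.ext"
        extfile.write_text(ext)
        # Argument list, no shell=True: file names are never parsed by a shell.
        # By default x509 -req does not copy extensions from the CSR, so the
        # CA (this extfile), not the requester, decides what the cert allows.
        subprocess.run(
            ["openssl", "x509", "-req", "-in", str(csr),
             "-CA", str(ca_cert), "-CAkey", str(ca_key), "-CAcreateserial",
             "-days", str(int(days)), "-sha256",
             "-extfile", str(extfile), "-out", str(out_cert)],
            check=True, capture_output=True, text=True)
    # Fail loudly if the issued certificate does not validate against the CA.
    subprocess.run(["openssl", "verify", "-CAfile", str(ca_cert), str(out_cert)],
                   check=True, capture_output=True, text=True)
    return Path(out_cert)
```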


Bonus
You can find my repository at the link below.
Conclusion
The self-signed certificate is free to use, but you must import the root certificate into all browsers manually. By default, your browser will download certificates from the well-known Certificate Authorities. I recommend using this self-signed certificate on your local web server or application.