Blog

Secure Your Dev Environment and PoC: Creating Self-Signed TLS Certificates

Welcome to the world of TLS certificates! If you’re planning to work with AWS load balancers or just want to understand the basics of web security, you’re in the right place. This blog post is your first step into the realm of Transport Layer Security (TLS), focusing on creating self-signed certificates.

While self-signed certificates aren’t suitable for production environments, they’re an excellent tool for learning and testing. By creating your own certificate, you’ll gain hands-on experience with the concepts that underpin secure web communications.

Understanding TLS Certificates

TLS (Transport Layer Security) certificates, also known as SSL (Secure Sockets Layer) certificates, are digital documents that authenticate the identity of a website and enable encrypted connections. These certificates contain:

  1. The website’s public key
  2. Information about the website owner
  3. The digital signature of a Certificate Authority (CA)

Think of a TLS certificate as a digital passport for websites. Just as a passport verifies your identity when you travel, a TLS certificate verifies a website’s identity to visitors and their browsers.

The Importance of TLS Certificates

  1. Security: TLS certificates enable HTTPS, which encrypts data transmitted between a user’s browser and the website. This prevents eavesdropping, data theft, and man-in-the-middle attacks.
  2. Authentication: They verify that users are connecting to the legitimate website and not an impersonator, protecting against phishing attacks.
  3. Trust: Websites with valid TLS certificates display a padlock icon in the browser, indicating a secure connection. This builds user trust and confidence.
  4. SEO Benefits: Search engines like Google favor HTTPS websites, potentially boosting search rankings.
  5. Compliance: Many regulations (like GDPR and PCI DSS) require secure connections for handling sensitive data.
  6. Performance: Modern web technologies like HTTP/2 require HTTPS, which can improve website loading speeds.
  7. Browser Warnings: Most modern browsers warn users when accessing sites without valid TLS certificates, which can deter visitors from non-secure sites.

In essence, TLS certificates are essential for maintaining a secure, trustworthy, and high-performing web presence. They protect both website owners and users by ensuring data integrity and confidentiality during online interactions.

The difference between self-signed and CA-issued certificates

Self-Signed Certificates:

  1. Creation: Generated by the same entity that uses the certificate.
  2. Trust: Not inherently trusted by browsers or operating systems.
  3. Cost: Free to create.
  4. Use Case: Ideal for development, testing, and internal networks.
  5. Validation: No third-party verification of the certificate holder’s identity.
  6. Browser Warnings: Typically trigger security warnings in web browsers.
  7. Scalability: Each client must manually trust the certificate.

CA-Issued Certificates:

  1. Creation: Issued by a trusted Certificate Authority (CA).
  2. Trust: Automatically trusted by most browsers and operating systems.
  3. Cost: Usually involves a fee, though some CAs offer free options (e.g., Let’s Encrypt).
  4. Use Case: Necessary for public-facing websites and applications.
  5. Validation: CA verifies the identity of the certificate requester (extent varies by certificate type).
  6. Browser Warnings: Do not trigger warnings if valid and up-to-date.
  7. Scalability: Trusted globally without additional configuration on client devices.

A step-by-step process to create your own self-signed certificate

Create parameters to request our Mock Certificate Authority:

ShellScript
COUNTRY=BR
STATE=SP
LOCALITY=SP
ORGANIZATION=Sample
COMMONNAME=sample.aws
EMAIL=admin@sample.aws
PASSPHRASE=""

Create the Mock Certificate Authority Certificate and Private Key using the parameters defined earlier:

ShellScript
openssl req \
    -new \
    -newkey rsa:2048 \
    -days 365 \
    -nodes \
    -x509 \
    -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/CN=$COMMONNAME/emailAddress=$EMAIL" \
    -keyout ca_pvtk.key \
    -out    ca_cert.crt

Request the domain’s Certificate and Private Key using the same parameters defined earlier.

ShellScript
openssl req \
        -new \
        -nodes \
        -newkey rsa:2048 \
        -keyout sample_pvt.key \
        -out    sample_pvt.req \
        -batch \
        -subj "/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANIZATION/CN=*.$COMMONNAME/emailAddress=$EMAIL"

Sign the domain’s Certificate and Private Key using the Mock CA created earlier.

ShellScript
openssl x509 \
        -req \
        -in sample_pvt.req \
        -CA ca_cert.crt \
        -CAkey ca_pvtk.key \
        -CAcreateserial \
        -out sample_pvt.crt \
        -days 3650 \
        -sha256

Encode the .key and .crt files into Privacy Enhanced Mail (PEM) which is the format usually the most universally accepted format across major cloud providers.

ShellScript
openssl rsa  -in sample_pvt.key  -outform PEM -out sample_pvtk.pem 
openssl x509 -in sample_pvt.crt -inform  PEM  >    sample_pvtc.pem

Verify and inspect your newly created certificate

View certificate contents

ShellScript
openssl x509 -in sample_pvtc.pem -text -noout

Verify the certificate’s validity dates

ShellScript
openssl x509 -in sample_pvtc.pem -noout -dates

Check the certificate’s subject and issuer

ShellScript
openssl x509 -in sample_pvtc.pem -noout -subject -issuer
Tags: , ,

Leave a Reply