Generating a 2048-bit public key x509 certificate with the sha256 digest algorithm is not very tough. But the OpenSSL help menu can be confusing. This post would help anyone who had to walk that path of upgrading from sha1 or issuing a new self-signed x509 certificate with a 2048-bit key and signing it with sha256.

Step 1: Supported OpenSSL version for sha256.

Generate a self-signed certificate:

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

This will generate a self-signed SSL certificate valid for 1 year. The 2048-bit RSA alongside the sha256 will provide the maximum possible security to the certificate.

openssl req -new -x509 -nodes -sha1 -key private.key -out certificate.crt -days

However, when opening the site in Chrome 50+ it informs me that the site is not secure because SHA1 is deprecated through its security vulnerabilities. Can I use x509 with sha256 or is there a better command?

If you don’t have access to a certificate authority (CA) for your organization and want to use Open Distro for Elasticsearch for non-demo purposes, you can generate your own self-signed certificates using OpenSSL.

You can probably find OpenSSL in the package manager for your operating system.

On CentOS, use Yum:

On macOS, use Homebrew:

Generate a private key

The first step in this process is to generate a private key using the genrsa command. As the name suggests, you should keep this file private.

Private keys must be of sufficient length to be secure, so specify 2048:

You can optionally add the -aes256 option to encrypt the key using the AES-256 standard. This option requires a password.

Generate a root certificate

Next, use the key to generate a self-signed certificate for the root CA:

Change -days 30 to 3650 (10 years) or some other number to set a non-default expiration date. The default value of 30 days is best for testing purposes.

  • The -x509 option specifies that you want a self-signed certificate rather than a certificate request.
  • The -sha256 option sets the hash algorithm to SHA-256. SHA-256 is the default in later versions of OpenSSL, but earlier versions might use SHA-1.

Follow the prompts to specify details for your organization. Together, these details form the distinguished name (DN) of your CA.

Generate an admin certificate

To generate an admin certificate, first create a new key:

Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES):

Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:


Follow the prompts to fill in the details. You don’t need to specify a challenge password. As noted in the OpenSSL Cookbook, “Having a challenge password does not increase the security of the CSR in any way.”

Finally, generate the certificate itself:

Just like the root certificate, use the -days option to specify an expiration date of longer than 30 days.

(Optional) Generate node and client certificates

Follow the steps in Generate an admin certificate with new file names to generate a new certificate for each node and as many client certificates as you need. Each certificate should use its own private key.

If you generate node certificates and have opendistro_security.ssl.transport.enforce_hostname_verification set to true (default), be sure to specify a common name (CN) for the certificate that matches the hostname of the intended node. If you want to use the same node certificate on all nodes (not recommended), set the hostname verification to false. For more information, see Configure TLS certificates.

Sample script

If you already know the certificate details and don’t want to specify them as the script runs, use the -subj option in your root-ca.pem and CSR commands:


Get distinguished names

If you created admin and node certificates, you must specify their distinguished names (DNs) in elasticsearch.yml on all nodes:

But if you look at the subject of the certificate after creating it, you might see different formatting:

If you compare this string to the ones in elasticsearch.yml above, you can see that you need to invert the order of elements and use commas rather than slashes. Enter this command to get the correct string:

Then you can copy and paste the output into elasticsearch.yml:
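As an added example (not from the Open Distro documentation or the security plugin), the POSIX shell script below runs the root CA, admin key, PKCS#8 conversion, CSR and signing steps above non-interactively with -subj, then prints the admin subject both in OpenSSL's default form and in the reversed, comma-separated RFC 2253 form that elasticsearch.yml needs, and emits an `opendistro_security.authcz.admin_dn` entry from it. The subject values and output directory are constructed; the PKCS#8 key is written unencrypted (-nocrypt) instead of with the 3DES password-based encryption the steps above use, so that the script needs no password; `openssl` must be on the PATH.

```shell
#!/bin/sh
# Added example: root CA -> admin certificate, plus DN extraction for
# elasticsearch.yml. Not the Open Distro project's own script.
set -eu

# Build root-ca.pem and an admin certificate signed by it inside $1.
# Subjects are constructed values passed with -subj, so nothing prompts.
make_admin_chain() {
    dir=$1
    mkdir -p "$dir"
    # Root CA: 2048-bit RSA key, self-signed (-x509) with SHA-256, 30-day test lifetime.
    openssl genrsa -out "$dir/root-ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -key "$dir/root-ca-key.pem" \
        -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ROOT" \
        -days 30 -out "$dir/root-ca.pem"
    # Admin key, converted to PKCS#8 for Java. Unencrypted here (assumption:
    # the docs' command uses -v1 PBE-SHA1-3DES and asks for a password).
    openssl genrsa -out "$dir/admin-key-temp.pem" 2048 2>/dev/null
    openssl pkcs8 -inform PEM -outform PEM -in "$dir/admin-key-temp.pem" \
        -topk8 -nocrypt -out "$dir/admin-key.pem"
    # CSR for the admin identity, then sign it with the root CA.
    openssl req -new -key "$dir/admin-key.pem" \
        -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=ADMIN" -out "$dir/admin.csr"
    openssl x509 -req -in "$dir/admin.csr" -CA "$dir/root-ca.pem" \
        -CAkey "$dir/root-ca-key.pem" -CAcreateserial -sha256 -days 30 \
        -out "$dir/admin.pem" 2>/dev/null
}

# Subject as OpenSSL prints it by default: "/C=CA/ST=..." on 1.0.x,
# "C = CA, ST = ..." on 1.1 and later. Neither is what elasticsearch.yml wants.
raw_subject() { openssl x509 -subject -noout -in "$1"; }

# Subject as the reversed, comma-separated RFC 2253 string (CN first), with
# the "subject=" prefix stripped so it can be pasted into elasticsearch.yml.
rfc2253_subject() {
    openssl x509 -subject -nameopt RFC2253 -noout -in "$1" | sed 's/^subject= *//'
}

# The elasticsearch.yml lines for the admin DN, built from the certificate.
admin_dn_yaml() {
    printf 'opendistro_security.authcz.admin_dn:\n  - "%s"\n' "$(rfc2253_subject "$1")"
}

# Sanity check that admin.pem really chains to root-ca.pem ("...admin.pem: OK").
verify_chain() { openssl verify -CAfile "$1/root-ca.pem" "$1/admin.pem"; }

# Usage: sh make-admin-chain.sh ./certs
if [ $# -gt 0 ]; then
    make_admin_chain "$1"
    raw_subject "$1/admin.pem"
    rfc2253_subject "$1/admin.pem"
    admin_dn_yaml "$1/admin.pem"
    verify_chain "$1"
fi
```

Run it with an output directory as the only argument; the two subject lines printed next to each other show the inversion the text describes, and the last line is the `openssl verify` result, which is worth checking before the certificate goes anywhere near a cluster.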

Configure certificates

This process generates many files, but these are the ones you need to add to your cluster configuration:

  • root-ca.pem
  • admin.pem
  • admin-key.pem
  • (Optional) each-node-cert.pem
  • (Optional) each-node-key.pem

For information about adding and using these certificates in your own setup, see Docker security configuration and Configure TLS certificates.

Run securityadmin.sh

After configuring your certificates and starting Elasticsearch, run securityadmin.sh to initialize the security plugin:

For more information about what this command does, see Apply configuration changes.

If you use Docker, see Bash access to containers.

Kibana

Depending on your settings in kibana.yml, you might need to add root-ca.pem to your Kibana node. You have two options: disable SSL verification or add the root CA.

  • Disable SSL verification:

  • Add the root CA:

For testing purposes, it is necessary to generate secure self-signed server and client certificates. However, I have found that many tutorials available on the web are complicated, and they do not cover certificates that use safe algorithms. And so, since “necessity is the mother of invention”, I decided to create a simple tutorial and share it with all of you!

Why OpenSSL?

I chose to use OpenSSL because it is available on all platforms (Linux, macOS, Windows), which means this tutorial can be followed on any platform.


About the Steps

While there are many steps in this process, please do not worry. My goal is to make this as simple as possible for you, and so I have broken every action down into a single step. This way, everything should be clear, and my hope is that you won’t waste time or get frustrated along the way. There is one requirement before starting all of this: you’ll need to have OpenSSL. Ok, ready? Let’s get started!

Step 1 - Certificate Authority

Step 1.1 - Generate the Certificate Authority (CA) Private Key

Every certificate must have a corresponding private key. Generate this using the following command line:

This will create a 256-bit private key over an elliptic curve, which is the industry standard. We know that Curve25519 is considered safer than this NIST P-256 curve but it is only standardized in TLS 1.3 which is not yet widely supported.

Step 1.2 - Generate the Certificate Authority Certificate

The CA generates and issues certificates. Here is a link to additional resources if you wish to learn more about this.

Generate the Root CA certificate using the following command line:

You will be prompted to provide some information about the CA. Here is what the request looks like:

Below is an example using information that is specific to Devolutions (replace with your own specific information):

Your CA will be created once you enter your information.

Step 2 - Server Certificate

This step may be repeated for each server you need.

Step 2.1 - Generate the Server Certificate Private Key

To generate the server private key, use the following command line:

This will create the file named server.key.

Step 2.2 - Generate the Server Certificate Signing Request

To generate the server certificate signing request, use the following command line:

For maximum security, we strongly recommend that the signing request should only be generated on the server where the certificate will be installed. The server private key should never leave the server!

You will be prompted to provide some information about the server certificate. You can enter the same information you used for the CA certificate. For example:

In addition, you will be prompted to create a password. Make sure to use a long, strong, and unique password. Here is an example (do not use this one!):


Step 2.3 - Generate the Server Certificate

You are now ready to generate the server certificate, which can be done through the following command line:

This step should only be performed on the Certificate Authority server as the CA private key should never leave the host where it has been generated. You must transfer the signing request to the CA server.


Step 3 - Client Certificate

This step may be repeated for each client you need.

Step 3.1 - Generate the Client Certificate Private Key

Use the following command line to create the client certificate private key:

This will create a file named “client1.key”.

Step 3.2 - Create the Client Certificate Signing Request

You need to create a signing request to generate a certificate with the CA. Use the following command line:

For maximum security, we strongly recommend that the certificate signing request should only be generated on the client where the certificate will be installed. The client private key should never leave the client!

Next, you will be prompted to submit information about the client certificate. You can enter the same information as the CA certificate, except for the last two entries: Common Name and Email Address. These should be the name and email of an individual and not your company. For example:


You will also be asked to set a password on the certificate signing request. Once again, make sure that you choose a strong and safe password. Here is an example (do not use this one!):

Step 3.3 - Generate the Client Certificate

You are now ready to generate the client certificate, which can be done through the following command line:

This step should only be performed on the Certificate Authority server as the CA private key should never leave the host where it has been generated. You must transfer the signing request to the CA server.

We recommend generating a single certificate for each client, as this lets you quickly identify the affected client in the event of an issue or problem. For maximum security, the client private key should remain on the client and never be copied to another host.
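The whole flow from Step 1 to Step 3, as an added example that is not part of this tutorial: a POSIX shell script that generates the P-256 keys, the CA certificate, a server CSR and a client CSR non-interactively with -subj, signs both with the CA, and then runs the two checks a reviewer would want afterwards: that the signature algorithm on the issued certificates is ecdsa-with-SHA256 (not SHA-1, the problem raised at the top of this page) and that each certificate verifies against the CA. It also adds a subjectAltName extension to the server certificate, which is what a TLS client's hostname verification actually matches against; the tutorial's commands do not include one. Subjects, hostnames and the 1826-day CA lifetime are constructed; the CSR password from Steps 2.2 and 3.2 is omitted because nothing here depends on it. Requires the `openssl` CLI (1.1.0 or later for -verify_hostname).

```shell
#!/bin/sh
# Added example: EC CA, server and client certificates, with post-issuance
# checks. Not the tutorial author's script; all names are constructed.
set -eu

# Step 1: CA private key on NIST P-256 and a self-signed CA certificate.
make_ca() {
    dir=$1; mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 1826 \
        -subj "/C=CA/ST=QC/L=Example City/O=Example Corp/OU=IT/CN=Example Root CA" \
        -out "$dir/ca.crt"
}

# Steps 2.1-2.2 / 3.1-3.2: key and CSR for one end entity ($2), subject $3.
# In real use this runs on the host that keeps the key; only the .csr moves.
make_csr() {
    dir=$1; name=$2; subj=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr"
}

# Extension file for a server certificate: the SAN that hostname verification
# checks, and the serverAuth EKU. Written by us, not from the tutorial.
make_server_ext() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$2"
}

# Steps 2.3 / 3.3: sign CSR $2 with the CA for $3 days, optional extfile $4.
# In real use this runs on the CA host only; ca.key never leaves it.
sign_csr() {
    dir=$1; name=$2; days=$3; extfile=${4:-}
    set -- -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days "$days" -out "$dir/$name.crt"
    if [ -n "$extfile" ]; then
        openssl x509 "$@" -extfile "$extfile" 2>/dev/null
    else
        openssl x509 "$@" 2>/dev/null
    fi
}

# Check 1: the signature algorithm recorded in the certificate.
sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Check 2: certificate $1 (in $2) chains to ca.crt; for a server cert also
# pass the hostname as $3 so the SAN is checked the way a client would.
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2/ca.crt" -verify_hostname "$3" "$2/$1.crt"
    else
        openssl verify -CAfile "$2/ca.crt" "$2/$1.crt"
    fi
}

# Usage: sh make-certs.sh ./pki server.example.test
if [ $# -ge 2 ]; then
    make_ca "$1"
    make_csr "$1" server "/C=CA/O=Example Corp/CN=$2"
    make_server_ext "$2" "$1/server.ext"
    sign_csr "$1" server 365 "$1/server.ext"
    make_csr "$1" client1 "/C=CA/O=Example Corp/CN=Jane Doe/emailAddress=jane@example.test"
    sign_csr "$1" client1 365
    echo "server signed with: $(sig_alg "$1/server.crt")"
    verify_cert server "$1" "$2"
    verify_cert client1 "$1"
fi
```

The script keeps all files in one directory only so that it can be run in one place; the comments on `make_csr` and `sign_csr` mark which host each step belongs on, matching the tutorial's rule that private keys stay where they were generated and only the CSR travels to the CA.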

I hope that you’ve found this tutorial simple and helpful. If you have any questions or comments, please post your feedback below!
