How to create self-signed certificate with the help of open source tool (Eg. OpenSSL Tool)?

Vulnerability:

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits

Synopsis:

The X.509 certificate chain used by this service contains certificates with RSA keys shorter than 2048 bits.

Description:

At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.

Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.

Solution:

Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key of 4096 bits, and reissue any certificates signed by the old certificate.

This will help you to for any device certificate. Import the certificate in any network devices like firewall, VC device, Switches. Etc.

With a specific end objective to moderate this vulnerability, Request to generate the own self signed certificates.

2. The certificate can be generated using the open source software (Like- OpenSSL).

Download open source software from the internet which name is OpenSSL.

  1. Locate the Open SSL software in C:\temp\openssl and open CMD with Administrator privilege

1

  1. set the config file.

 set the openssl config file

set OPENSSL_CONF=C:\openssl-1.0.2j-fips-x86_64\OpenSSL\bin\openssl.cnf

2

  1. Generate a private key using OpenSSL tool.

cd OpenSSL\bin\

openssl.exe genrsa -out private.key 2048

3

  1. Generate a Certificate-CSR using OpenSSL tool. You can customize you certificate name as per your requirement.# openssl.exe req -out netsecaddict.csr -key private.key -new -sha256

After generating CSR you will get the certificate and private key in your openssl tool folder.

4

  1. verify the hash algorithm with rsaEncryption.

openssl.exe req -in netsecaddict.csr -noout -text

5

  1. Now create a self-signed certificate using CSR and private key.

openssl x509 -req -sha256 -days 365 -in netsecaddict.csr -signkey private.key -out netsecaddict.crt

6

If you can see in your openssl tool folder will get three items there

  • private key
  • Certificate signing request (CSR)
  • self-signed certificate

After the self-signed certificate has been generated, you can import the self-signed certificate into the require network device.

============================================================================

Thanks for read post if you have any query feel free to comment on below message box.

Advertisements

One thought on “How to create self-signed certificate with the help of open source tool (Eg. OpenSSL Tool)?

Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.

Up ↑

%d bloggers like this: