How to create .pem files for https web server

94,633

Solution 1

The two files you need are a PEM encoded SSL certificate and private key. PEM encoded certs and keys are Base64 encoded text with start/end delimiters that look like -----BEGIN RSA PRIVATE KEY----- or similar.

To create an SSL certificate you first need to generate a private key and a certificate signing request, or CSR (which also contains your public key). You can do this in a variety of ways, but here's how in OpenSSL.

openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem

This will cause you to enter an interactive prompt to generate a 2048-bit RSA private key and a CSR that has all the information you choose to enter at the prompts. (Note: Common Name is where you'll want to put the domain name you'll be using to access your site.) Once you've done this you would normally submit this CSR to a trusted certificate authority and once they've validated your request you would receive a certificate.

If you don't care about your certificate being trusted (usually the case for development purposes) you can just create a self-signed certificate. To do this, we can use almost the same line, but we'll pass two extra parameters.

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

This will give you a cert (valid for 10 years) and key pair that you can use in the code snippet you posted.

Solution 2

Just follow this procedure :

  1. create the folder where you want to store your key & certificate :

    mkdir conf

  2. go to that directory :

    cd conf

  3. grab this ca.cnf file to use as a configuration shortcut :

    wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/ca.cnf

  4. create a new certificate authority using this configuration :

    openssl req -new -x509 -days 9999 -config ca.cnf -keyout ca-key.pem -out ca-cert.pem

  5. now that we have our certificate authority in ca-key.pem and ca-cert.pem, let's generate a private key for the server :

    openssl genrsa -out key.pem 4096

  6. grab this server.cnf file to use as a configuration shortcut :

    wget https://raw.githubusercontent.com/anders94/https-authorized-clients/master/keys/server.cnf

  7. generate the certificate signing request using this configuration :

    openssl req -new -config server.cnf -key key.pem -out csr.pem

  8. sign the request :

    openssl x509 -req -extfile server.cnf -days 999 -passin "pass:password" -in csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem

I found this procedure here, along with more information on how to use these certificates.
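The two answers above leave out the one thing modern clients check first: the certificate needs a subjectAltName (Chrome 58+ ignores the Common Name entirely), and the files produced by the two flows are hard to tell apart without inspecting them. The script below is an added example, not code from either answer or from the https-authorized-clients repository. It assumes `openssl` 1.1.1 or later on PATH; the names `Dev Root CA`, `localhost`, `127.0.0.1`, the file names and the `ext.cnf` sections are assumptions chosen for the demo. `make_selfsigned` produces the key.pem/cert.pem pair of Solution 1 (with a SAN added), `make_ca_signed` reproduces the CA flow of Solution 2 without the downloaded config files, and the three check functions show how to confirm what you actually got.

```shell
#!/bin/sh
# Added example: generate key.pem / cert.pem for an HTTPS server, with a SAN,
# either self-signed or issued by a throwaway local CA.
# Assumes: openssl 1.1.1+ on PATH. Host names, CA name and file names are
# assumptions for this demo; change them to match your site.

# Extension config shared by both flows. v3_server carries the SAN that
# browsers require; v3_ca marks the CA certificate as a CA.
write_ext_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = localhost

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
}

# Solution 1 style: one self-signed cert, but with a SAN. $1 = output directory.
# Writes $1/key.pem and $1/cert.pem.
make_selfsigned() {
  dir=$1
  write_ext_cnf "$dir/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/ext.cnf" -extensions v3_server -subj "/CN=localhost" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Solution 2 style: local CA, server key + CSR, CA-signed server cert.
# $1 = output directory. Writes ca-key.pem, ca-cert.pem, key.pem, csr.pem, cert.pem.
make_ca_signed() {
  dir=$1
  write_ext_cnf "$dir/ext.cnf"
  # 1. CA key and self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ext.cnf" -extensions v3_ca -subj "/CN=Dev Root CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null || return 1
  # 2. Server key and CSR (the CSR carries the public key, never the private key).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/ext.cnf" -subj "/CN=localhost" \
    -keyout "$dir/key.pem" -out "$dir/csr.pem" 2>/dev/null || return 1
  # 3. Sign the CSR. Extensions (incl. the SAN) come from the extfile section,
  #    not from the CSR, so the CA controls what ends up in the certificate.
  openssl x509 -req -sha256 -days 365 -in "$dir/csr.pem" \
    -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions v3_server \
    -out "$dir/cert.pem" 2>/dev/null
}

# Checks. Each returns 0 on success so they can be used in `if` / `||`.

# Does certificate $1 list $2 (e.g. "DNS:localhost") in its SAN?
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# Does leaf certificate $2 chain to CA certificate $1?
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does private key $1 belong to certificate $2? Compares the public keys.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Usage (from a shell that has sourced this file):
#   make_selfsigned ./conf      # key.pem + cert.pem for the Express snippet
#   make_ca_signed  ./conf      # same files, plus ca-cert.pem to import into the client
#   cert_has_san ./conf/cert.pem DNS:localhost && echo "SAN present"
```

With the CA flow, `chain_verifies ./conf/ca-cert.pem ./conf/cert.pem` passes, and a browser or `curl --cacert ./conf/ca-cert.pem` will accept the server once ca-cert.pem is trusted; ca-key.pem should never be copied to the server. A self-signed cert has no chain to verify against, so every client has to trust cert.pem itself, which is why it is only suitable for development.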

Author: Jeffrey

Sr. Architect at Juranzhijia. Has strong experience in designing the architecture of cloud products and devops system. Frequently used languages are C++, Node.js, javascript. Develop on Windows, Mac OS X and Ubuntu platforms. Interested in programming for the embedded smart devices.

Updated on July 08, 2022

Comments

  • Jeffrey
    Jeffrey almost 2 years

    I'm using the Express framework in Node.js to create a web server. I want to use ssl for the web server's connection.

    The code to create the https web server is as below.

    var express = require('express');
    var fs = require('fs');

    // Express 2.x API: createServer takes the same options as https.createServer
    var app = express.createServer({
      key: fs.readFileSync('./conf/key.pem'),   // PEM private key
      cert: fs.readFileSync('./conf/cert.pem')  // PEM certificate
    });
    module.exports = app;
    

    Question: How to create the key.pem and cert.pem required by express?

  • nkint
    nkint almost 10 years
    what about for client certificate and key?
  • Ninjaxor
    Ninjaxor almost 9 years
    This post is complete, run both of the two commands he pasted to win the keys+cert. The client doesn't establish trust, only the server.
  • StormTrooper
    StormTrooper over 8 years
    @paul Can you please tell me where are these .pem key and cert generated to? I mean which directory? I am using Ubuntu 14
  • Paul Kehrer
    Paul Kehrer over 8 years
    They'll write to the current working directory of your shell.
  • Zhiyong
    Zhiyong almost 7 years
    Note that the self-signed certificate generated this way is version 1, containing CN, but no SAN. "Since version 58, Chrome requires SSL certificates to use SAN (Subject Alternative Name) instead of the popular Common Name (CN), thus CN support has been removed." [Fixing Chrome 58+ [missing_subjectAltName] with openssl when using self signed certificates](alexanderzeitler.com/articles/…)
  • Sanchit Jain
    Sanchit Jain almost 4 years
    How do i do this in Windows
  • Oliver Dixon
    Oliver Dixon over 2 years
    No cert file is generated for me. Any ideas? Ran both commands.