How to Create a Self-signed Security Key

With the rise in cloud computing, more and more companies are moving to services like Amazon for remote resources for their networks. The problem is, whenever you pass data over the internet, it’s vulnerable to interception by third parties. Whether that third party is a hacker on another continent, or more official ones on this one, doesn’t matter. Your data is being sent, and it can be sniffed out. Never fear, there is a solution.

Encryption keys are easy to create, and allow you to configure your own encryption types and levels. In this article, we’ll go over how to create your own key on Ubuntu servers. It will probably work just as well on other flavors of Unix/Linux, but the commands may vary a bit.

First, we’ll need to make sure that openssl is installed on your system. It’s usually there by default, but you can check by typing the following.

openssl version

It should return something like this – “OpenSSL 1.0.1 14 Mar 2012”. If you don’t see a version after typing that command, then we’ll need to install it.

apt-get install -y openssl

Once you’ve verified or installed openssl, we’ll need to generate a key. This example generates a 2048-bit RSA key and protects the key file with a Triple DES passphrase (the -des3 option).

openssl genrsa -des3 -out mykey.key 2048

You’ll see the following output that prompts you to create a password for your key.

Generating RSA private key, 2048 bit long modulus
................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for mykey.key:
Verifying - Enter pass phrase for mykey.key:

Next, we’ll need to create a Certificate Signing Request (CSR).

openssl req -new -key mykey.key -out mycert.csr

This will prompt you for some information with the following output. If the certificate will protect a web server, enter the server’s fully qualified domain name as the Common Name, so that clients can match the certificate to the host they connected to.

Enter pass phrase for mykey.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:FL
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Company Name

For most TLS tunnels, you’ll want the connection to be automatic, and not prompt you for a password, so we’ll strip that off with these commands. The first makes a backup copy of the encrypted key; the second writes an unencrypted copy back over the original.

cp mykey.key mykey.key.org
openssl rsa -in mykey.key.org -out mykey.key

You should be prompted for the password, and see the following output.

Enter pass phrase for mykey.key.org:
writing RSA key

Next, we’ll need to generate a self-signed certificate.

openssl x509 -req -days 365 -in mycert.csr -signkey mykey.key -out mycert.crt
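The whole sequence above (key, CSR, passphrase removal, self-signing), run non-interactively in one script and followed by the checks worth running before installing the result. This is an added example, not part of the original article; it assumes openssl is on PATH, and the directory name, hostname and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original article): the article's four steps,
# run without prompts, plus checks on the output.
# Assumptions: openssl is installed; directory, CN and passphrase are sample values.

set -e

# Run the four steps. $1 = working directory, $2 = Common Name (server FQDN),
# $3 = temporary passphrase for the encrypted key file.
make_selfsigned_cert() {
    dir="$1"; cn="$2"; pass="$3"
    mkdir -p "$dir"
    # 1. 2048-bit RSA key, key file encrypted with Triple DES (as in the article);
    #    -passout supplies the passphrase the article types at the prompt.
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/mykey.key" 2048 2>/dev/null
    # 2. CSR; -subj supplies the Distinguished Name so the DN prompts do not appear.
    openssl req -new -key "$dir/mykey.key" -passin "pass:$pass" \
        -subj "/C=US/ST=FL/O=Company Name/CN=$cn" -out "$dir/mycert.csr" 2>/dev/null
    # 3. Back up the encrypted key, then write an unencrypted copy over the original.
    cp "$dir/mykey.key" "$dir/mykey.key.org"
    openssl rsa -in "$dir/mykey.key.org" -passin "pass:$pass" -out "$dir/mykey.key" 2>/dev/null
    # An unencrypted private key must be readable only by its owner.
    chmod 600 "$dir/mykey.key" "$dir/mykey.key.org"
    # 4. Self-sign the CSR with the unencrypted key, valid for 365 days.
    openssl x509 -req -days 365 -in "$dir/mycert.csr" -signkey "$dir/mykey.key" \
        -out "$dir/mycert.crt" 2>/dev/null
}

# Returns 0 when the key file carries no passphrase protection
# (an encrypted PEM key contains the word ENCRYPTED in its header).
key_is_unencrypted() {
    ! grep -q "ENCRYPTED" "$1"
}

# Returns 0 when the public key inside the certificate is the one
# derived from the private key, i.e. the cert really belongs to this key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Prints the Common Name embedded in the certificate's subject
# (handles both the "/CN=x" and the "CN = x" subject formats openssl prints).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 when the certificate verifies against itself as its own trust
# anchor (the self-signed case) and its validity period has not ended.
cert_is_valid_now() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 \
        && openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage (sample values):
#   make_selfsigned_cert ./tls example.test t0pSecret
#   cert_matches_key ./tls/mycert.crt ./tls/mykey.key && echo "key and cert match"
```

The -passout and -passin options replace the interactive passphrase prompts shown in the article, and -subj replaces the Distinguished Name questions; everything else is the article's commands unchanged. The cert_matches_key check is the one to run whenever a key or certificate is regenerated, since a server configured with a mismatched pair will fail its TLS handshake.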

Now that you have a key and a self-signed certificate, they can be used for ssh access, sftp file transfers, secure email access, and https access to your web server, just to name a few. Because the certificate is signed by its own key rather than by a certificate authority, browsers and mail clients will warn about it until it has been explicitly trusted on the client side.

Clay Piotowski has been in the Internet Security industry for over 10 years and is currently working with LogZilla. Clay really has a passion for developing complex software applications for all platforms.