Check out a free preview of the full Web Security course

The "OpenSSL" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike reviews how to generate keys and sign certificates with OpenSSL, a software library for applications that secure communications over computer networks.


Transcript from the "OpenSSL" Lesson

>> Mike North: So the way we typically generate this kind of thing is we use OpenSSL. You probably have a version of OpenSSL on your operating system. It is the most used library for doing this kind of thing and you want to use a library in this case. Do not try to invent your own encryption algorithm, do not invent your own hashing algorithms, this is like an area of code you don't want to play amateur with.

Simply because there are known documented easy mistakes and you're gonna have to go through like the first 15 years of hardening the way this should work. Leave this stuff to experts, consume it from the library. OpenSSL's are very tried and tested library. They did have an issue called heart bleed a couple years ago.

This is a zero day bug I believe, where people just had to patch a whole bunch of crap really, really quickly. But it still is the best we've got here. So, what you need to know is it's a command line driven tool. There is no good UI I'm aware of that sits on top of OpenSSL.

Typical thing you do is you just learn to use a couple different commands and I’ve given them to you. So what were gonna do in this next exercise it involves generating a certificate, so if you'tr tuning out pay attention. The four steps here, number one you want to generate a private key.

And this is the thing that you would never let anyone else see. This is what allows you to decode messages that are sent to you and hidden for your eyes only. Then we're going to generate a public key from the private key. And this only has the power to write encrypted messages.

You're gonna take that private key and you're also gonna make something called a certificate signing request. Think of this as the precursor of that certificate that identifies your domain. And the last step is signing the certificate with your private key, so this creates what is called a self-signed certificate.

Your system is not going to trust it by default, I'll show you how can add it to your trust store. Keep in mind, see that -days 3 in the 4th step on the 1st line of the 4th step. So you want to, whenever you're playing around with this kind of stuff, just for added safety, make really short-lived certificates.

That just, even if you trust manually. Like, in the next step, we're gonna make a certificate that lasts one day. By tomorrow, it won't work anymore. So if I'm tricking you and stealing stuff, I better do it quick.
>> Mike North: Typically if you were getting this certificate signed by a certificate authority, like a trusted root like Komodo or like Let's Encrypt, this last step would be something that they would do with their private key.

And in doing so, they're basically saying this person has gone through the appropriate validation procedure, I hereby sign off on this request to generate a certificate. Please consider it valid, and I am hereby attaching my seal on this, I am the one who approved it.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now