Good job done. Very clearly explained and everything was right to the point and it held my attention. Everyone should do their training videos like this.
Great Video, Very clearly explained about CA, CSR. I have a question: When we are opening the //https connection using self signed CA certificate getting some warnings on //https web page. May I know the reason? Kindly, respond. Thanks
Dear Ankur, Thanks for the kind feedback. In case of a self-signed certificate, we get SSL warning because chain of trust is not identified by the browser. Browser trusts only CA signed certificates (unless you explicitly add your certificate in the trust store). I will recommend you to watch my other video where I explained SSL chain of trust in much detail.
Hi sir, I want to configure certificate based authentication, it requirement 1.CA, 2.User Certificate, 3.server certificate. What should I do, whether is same with you do?
all those who are having error like me The only thing that worked for me in this situation was the self-created openssl.cnf file. Here are the basics needed for this exercise (edit as needed): # # OpenSSL configuration file. # # Establish working directory. @/c:\Users\User\Desktop\test dir = . [ ca ] default_ca = CA_default [ CA_default ] serial = $dir/serial database = $dir/certindex.txt new_certs_dir = $dir/certs certificate = $dir/cacert.pem private_key = $dir/private/cakey.pem default_days = 365 default_md = md5 preserve = no email_in_dn = no nameopt = default_ca certopt = default_ca policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 1024 # Size of keys default_keyfile = key.pem # name of generated keys default_md = md5 # message digest algorithm string_mask = nombstr # permitted characters distinguished_name = req_distinguished_name req_extensions = v3_req [ req_distinguished_name ] # Variable name Prompt string #------------------------- ---------------------------------- 0.organizationName = Organization Name (company) organizationalUnitName = Organizational Unit Name (department, division) emailAddress = Email Address emailAddress_max = 40 localityName = Locality Name (city, district) stateOrProvinceName = State or Province Name (full name) countryName = Country Name (2 letter code) countryName_min = 2 countryName_max = 2 commonName = Common Name (hostname, IP, or your name) commonName_max = 64 # Default values for the above, for consistency and less typing. # Variable name Value #------------------------ ------------------------------ 0.organizationName_default = My Company localityName_default = My Town stateOrProvinceName_default = State or Providence countryName_default = US [ v3_ca ] basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always [ v3_req ] basicConstraints = CA:FALSE subjectKeyIdentifier = hash # copy till here now save this file and run the command as openssl req -new -key tutorialspedia.key -out tutorialspedia.csr -config openssl.cnf hope this will work for you :)
only for creation of the csr file the private key is needed. in the csr file itself only the public key is contained. en.wikipedia.org/wiki/Certificate_signing_request
@@subhakardondapati8340 you are correct. i think the video is using the entire key pair file instead of the public key to generate the CSR which in turn will go to the CA. This is a very important piece of information that will kill you in any test or interview.
please help 9:50 when i tried to self-sign i got the following output instead of 'Signature Ok' output: openssl x509 -in friday.csr -out friday.crt -req - signkey friday.key -days 365 x509: Use -help for summary. everything until that is clear, someone pls help fast.
Great video, but you now have weird files on your computer. What do you do with these weird files. Do I ftp to my server, control panel, do I need to go to ican or other ssl org to upload them?
executing openssl command to generate key pair using "openssl genrsa -out keyfile.key 2048" but facing an error "genrsa: Can't open "keyfile.key" for writing, Permission denied". Could you guide me hot to fix this
I also had a problem with installing it on windows but then I found this tutorial helpful ua-cam.com/video/YNKUpNpM0Q0/v-deo.html&ab_channel=TechDeepDiveTechDeepDive
info given in this video was insufficient to running localhost with https using openssl certificate. It ended with net::cert_common_name_invalid error in chrome on windows and also with hhtps strickedout in url with no green lock in browser address bar. I appreciate further help to fix the error...
Nice video in detail. I have one question in terms of renewal. To renew the existing CA signed certificate, is it correct to give old CSR (CSR generated to get CA signed initially). Is there any validity for key pair and CSR generated?
Good explanation in detail. I have one query in terms of renewal. To renew the existing CA signed certificate, is it correct to give old CSR (CSR generated to get CA signed initially). Is there any validity for key pair and CSR generated?
Very nice video. Thank you very much. How to create certificate with encryption and does the server also should have a certificate with encrypted key? And also can we use Portecle to generate certificates with encrypted key for linux?
Hello, I created a ssl certificate but i dont want to put a specific CN name, rather just a * wildcard because in the server side hostname will keep changing periodically so i dont want to generate certificate everytime. Whatever the hostname it be the client can connect . Is there a way around ??
Dear Jai, You can use *.host.com and this way your certificate will be valid for that domain and any subdomains but having only * without even a mention of a host at all doesn't make sense for any real production environment.
Hello Again, I dont know if you have time for this but i have a situation and trying to find a solution for it since some days but no positive result yet. I will be very grateful if any insights can be provided by you. I have a server with serverCertificates and a client with its own certificate. I am potraying as a CA. I am working with RPi. When i set CN in the serverCertificate as 'raspberrypi' and in the client hostname as 'raspberrypi' for sending https.request, I get desired result all looks perfect. Problem is instead of CN i want to use 'subjectAltName' in my certificate so that i can also nominate an IP as my [alt_names]. I created the certificate with alt_names getting help from some website but when i send client request to the server from a remote machine connected to the same network i get an error stating hostname is invalid. Below is the error : Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 10.10.10.10 is not in the cert's list: at Object.checkServerIdentity (tls.js:287:12) at TLSSocket.onConnectSecure (_tls_wrap.js:1511:27) at TLSSocket.emit (events.js:315:20) at TLSSocket._finishInit (_tls_wrap.js:936:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) { reason: "IP: 10.10.10.10 is not in the cert's list: ", host: '10.10.10.10', If you want the config i used for creating certificate i can also share that. Just let me know. Any help from you ??
The video is good but you have a major mistake. I think the video is using the entire key pair file instead of the public key to generate the CSR which in turn will go to the CA. This is a very important piece of information that will kill you in any test or interview. The steps are correct but the files being used are wrong. The CSR should be created only with the public key file, the CA will generate a certificate. After verification, the CA sends you a signed digital certificate that contains your distinguished name, your public key, the CA's distinguished name, and the signature of the certificate authority. You store this signed certificate in your key database.
@@LeXT89 That’s correct. The private key file, which also contains the public key information, is used to sign the CSR. The CSR does not contain the private key. It isn't necessary to extract the public key to create a CSR. OpenSSL supports the creation of the CSR directly from the private key file.
wow everything worked so flawlessly, you're a hero
Excellent video Sir. Thank you; it is greatly appreciated.
Lot's of CSR videos but this one was perfect! Thank you!
Excellent demonstration sir. Thank you for making this clear to me.
I needed someone to explain it like this for so long. Thank you man.
It cleared all my doubts..nicely explained..thanks for the amazing video..!
Great video ... I was confused before watching this, now I understand much better. Thanks.
Very well demonstrated key-pair generation, extracting public key, CSR and self-signed certificate. Great work!
Short video, simple to understand. WOW!!! Thank you
Good job done. Very clearly explained and everything was right to the point and it held my attention. Everyone should do their training videos like this.
BRAVO! thank you for the clear and practical explanation!
Thanks a lot .Love from India
Just created my first key, ever. Now going to implement this....
Thanks a lot bro..I was looking for a simple but explanatory tutorial on how certificates work..this video helped me to understand a lot
JazakAllah Abdul Rauf. Glad that It helped.
Hi Sir, what you said was awesome and great informative and I'll suggest few and give knowledge on this sir ❤🙏
Hello when i use command for create csr file. This file is not shown when type dir command
it is not created. Why this issue happened ?
Awesome. This is what I needed this morning.
Worked for me, best video on openssl
how to creat command "CLS" clear screen in this toolkit , or same equivalent???????????????????????
Awesome explanation bro !!!
Very useful - clear and consise. Thanks for sharing.
JazakAllah. Thanks
Great Video, Very clearly explained about CA, CSR.
I have a question:
When we are opening the //https connection using self signed CA certificate getting some warnings on //https web page. May I know the reason?
Kindly, respond.
Thanks
Dear Ankur,
Thanks for the kind feedback.
In case of a self-signed certificate, we get SSL warning because chain of trust is not identified by the browser. Browser trusts only CA signed certificates (unless you explicitly add your certificate in the trust store).
I will recommend you to watch my other video where I explained SSL chain of trust in much detail.
Clear explanation to the point. Thanks buddy. Keep uploading more videos like this.
6:00 Why did you pass the initial key file? .. shouldnt we pass the public key file?
Thanks for the clear explanation
Thanks a lot for the precise, and informative video.
Thankyou. Video was very clear
excellent video. thank you.
Thank you very much. Was thinking I will never get it with this csr.
Hi sir,
I want to configure certificate based authentication, it requirement
1.CA,
2.User Certificate,
3.server certificate.
What should I do, whether is same with you do?
Thanks from Poland!👍
Command to create self signed certificate with csr and private key is not working shows x509: Use -help for summary. any idea?
all those who are having error like me
The only thing that worked for me in this situation was the self-created openssl.cnf file.
Here are the basics needed for this exercise (edit as needed):
#
# OpenSSL configuration file.
#
# Establish working directory.
@/c:\Users\User\Desktop\test
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# copy till here
now save this file and run the command as
openssl req -new -key tutorialspedia.key -out tutorialspedia.csr -config openssl.cnf
hope this will work for you :)
really great way of teaching thanks.
Thanks for your feedback Vivek.
Good explanation , keep it up
Good job clearly explained
superb knowledge ... my friend .. keep sharing it..
5:40 WHY DO I have to provide my *Private key* to the *CA Authority* for CSR , This seems to be wrong to me. Please explain.
I believe you misunderstood the point. I explained in the video that CSR is shared with the CA.
only for creation of the csr file the private key is needed. in the csr file itself only the public key is contained.
en.wikipedia.org/wiki/Certificate_signing_request
@@TutorialsPediaVideos I see in the command you used to generate cert, you used private key... is the public key need to be given? please clarify
@@subhakardondapati8340 you are correct. i think the video is using the entire key pair file instead of the public key to generate the CSR which in turn will go to the CA. This is a very important piece of information that will kill you in any test or interview.
Great video.. all commands worked for me...thanks...one query how to add critical extensions using your commands?
please help 9:50
when i tried to self-sign i got the following output instead of 'Signature Ok'
output:
openssl x509 -in friday.csr -out friday.crt -req - signkey friday.key -days 365
x509: Use -help for summary.
everything until that is clear, someone pls help fast.
i'm unable to generate tha crt file , pls help
Great video, but you now have weird files on your computer. What do you do with these weird files. Do I ftp to my server, control panel, do I need to go to ican or other ssl org to upload them?
Very nice job.
Please add info on how to create "non-self-signed certificates". Meaning certificate verifying some other public key. Thanks
Thank you bro!!
you are save my life!!
Awesome explanation. Thank you!
Thank you very much, very clear and to the point!
Thanks for the great tutorials. How I securely push these key (private & cer) in jks file ?
Can you tell me how we can extract the private key from the key pair, as well as the public key?
how can we stop the stdin for step 3 like country name etc, and provide through argparser ?
Well done for this nice video
executing openssl command to generate key pair using "openssl genrsa -out keyfile.key 2048" but facing an error "genrsa: Can't open "keyfile.key" for writing, Permission denied". Could you guide me hot to fix this
Run the cmd as an administrator
Thanks a lot!!! Exactly what I was looking for
thanks bro, you are the best
Great Tutorial, Thanks
Great job!
Hi, how can get my Certicate Signed by 'CA' instead of Self-Signed?
Hi Vipul,
Once you have created CSR, in order to get it signed by a CA, you need to share your CSR with a CA for the subsequent steps.
@@TutorialsPediaVideos thanks, is there a free CA that you know?
Thanks! You helped a lot
i am getting an error saying warning can't open config file: C:/OpenSSL/openssl.cnf please do help
Good job mate :) PK/ISB at last someone from PK
So happy to see that. Subbed him.
I am getting Can't open -testauto.key for reading, No such file or directory error any idea ?? followed the same steps
same error bro
@@ashishsulakhe3894 same here
If I want to create SSL certificates on cluster having 4-5 nodes, can we have same crt copied to all hosts?
Thanks - I had all this confused. You helped a lot. Now how do I get this into Windows 10?
Thanks Dave for your feedback. You can download windows version of openssl and use it in your machine. I myself created this tutorial in Windows 10.
I also had a problem with installing it on windows but then I found this tutorial helpful
ua-cam.com/video/YNKUpNpM0Q0/v-deo.html&ab_channel=TechDeepDiveTechDeepDive
Great presentation - thanks
Thanks for your kind feedback Mark.
very helpful. thank you
Job saving info for me.
Its asking me - Enter pass phrase for domain. What is the pass phrase??
How to solve the invalid digest for sha1 error while creating csr
Very informative 😊👏
wow thank you explained so clearly
info given in this video was insufficient to running localhost with https using openssl certificate. It ended with net::cert_common_name_invalid error in chrome on windows and also with hhtps strickedout in url with no green lock in browser address bar. I appreciate further help to fix the error...
In this case can we generate public keys and match with public keys being used by differenrt companies?
this is just perfect, simple, effective !
hi bro, can you check my error''Unable to load config info from /usr/local/ssl/openssl.cnf''
Try to run as administrator.
good video, very nicely explained. thanks
Thanks, Its really helpful.
You are welcome Ruchi.
3:25 you have not generated key PAIR right? You have just created the private key. Where is the public key?
Hisir.
How do one vedio on how to create csr repo
thank you very much, it was very useful
Can I deploy certificate on godaddy domain?
Awesome 😍
Nice video in detail. I have one question in terms of renewal. To renew the existing CA signed certificate, is it correct to give old CSR (CSR generated to get CA signed initially). Is there any validity for key pair and CSR generated?
Good explanation in detail. I have one query in terms of renewal. To renew the existing CA signed certificate, is it correct to give old CSR (CSR generated to get CA signed initially). Is there any validity for key pair and CSR generated?
wow..
It helped me a lot
Good job! Thank you!
How should I verify that same csr for the crt that was created
Very nice video. Thank you very much. How to create certificate with encryption and does the server also should have a certificate with encrypted key? And also can we use Portecle to generate certificates with encrypted key for linux?
CAn you create an video about self signing code signing certificate
Can you also make a video on certificate chaining / Intermediate CAS
great tutorial, thank you!
Thanks for your feedback Enrique.
how can use this ssl certification...how use for get a localhost in https
Did you figure out if yes please explain me
@@harshjha271 Hi Harsh, if you figure out please explain me
how can i remove or rekove the same certificate ??
Thank you So Much Sir
Hello,
I created a ssl certificate but i dont want to put a specific CN name, rather just a * wildcard because in the server side hostname will keep changing periodically so i dont want to generate certificate everytime. Whatever the hostname it be the client can connect . Is there a way around ??
Dear Jai,
You can use *.host.com and this way your certificate will be valid for that domain and any subdomains but having only * without even a mention of a host at all doesn't make sense for any real production environment.
@@TutorialsPediaVideos thank you for your quick response. Appreciate it.
Hello Again,
I dont know if you have time for this but i have a situation and trying to find a solution for it since some days but no positive result yet. I will be very grateful if any insights can be provided by you.
I have a server with serverCertificates and a client with its own certificate. I am potraying as a CA. I am working with RPi. When i set CN in the serverCertificate as 'raspberrypi' and in the client hostname as 'raspberrypi' for sending https.request, I get desired result all looks perfect. Problem is instead of CN i want to use 'subjectAltName' in my certificate so that i can also nominate an IP as my [alt_names]. I created the certificate with alt_names getting help from some website but when i send client request to the server from a remote machine connected to the same network i get an error stating hostname is invalid. Below is the error :
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 10.10.10.10 is not in the cert's list:
at Object.checkServerIdentity (tls.js:287:12)
at TLSSocket.onConnectSecure (_tls_wrap.js:1511:27)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:936:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {
reason: "IP: 10.10.10.10 is not in the cert's list: ",
host: '10.10.10.10',
If you want the config i used for creating certificate i can also share that. Just let me know.
Any help from you ??
Thank you!
It's very helpful~!
Glad to hear that it helped.
Nice explanation ! Thank you !
Thanks Jimmy. Glad that it was helpful.
awsome!!!!!!
I Like it.
thanks for your help bro
You are welcome Roberto.
The video is good but you have a major mistake. I think the video is using the entire key pair file instead of the public key to generate the CSR which in turn will go to the CA. This is a very important piece of information that will kill you in any test or interview. The steps are correct but the files being used are wrong. The CSR should be created only with the public key file, the CA will generate a certificate. After verification, the CA sends you a signed digital certificate that contains your distinguished name, your public key, the CA's distinguished name, and the signature of the certificate authority. You store this signed certificate in your key database.
Are you serious ? "CSRs are signed using the private key to prevent tampering in transit to the CA.
@@LeXT89 That’s correct. The private key file, which also contains the public key information, is used to sign the CSR. The CSR does not contain the private key. It isn't necessary to extract the public key to create a CSR. OpenSSL supports the creation of the CSR directly from the private key file.
Unable to load config info from /usr/local/ssl/openssl.cnf getting this error for csr