Be your own CA

From BubbaWiki

Tired of untrusted SSL warnings? Then why not be your own Certificate Authority?


This how-to describes how to generate your own CA certificate and generate and sign your own certificates.


Generate a CA Certificate and Key

Become the root user

su -
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl
cd CA
touch index.txt
echo 1000 > serial
cp /etc/ssl/openssl.cnf .
chmod 600 index.txt serial openssl.cnf 

Modify the following parameters in the copy of openssl.cnf you just made. dir, certificate, private_key and default_md belong to the [ CA_default ] section; default_bits (and default_md, if it is present there too) belongs to the [ req ] section. Because dir is a relative path, run all of the openssl commands below from inside the CA directory.

default_md = sha256
default_bits = 2048
dir = . # Where everything is kept
certificate = $dir/certs/myca.crt # The CA certificate
private_key = $dir/private/myca.key # The private key

Generate your CA certificate

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 7300

The certificate will be valid for about 20 years.


Keep your password and key safe!

chmod 400 private/myca.key 

Generate a Certificate Request

Generate the private key and the certificate request for your B3 server.


Note:


Fill in your B3 server name when asked the question "Common Name (eg, YOUR name) []:".


Just hit enter when asked the question "A challenge password []:",


otherwise you would be forced to enter the password every time you start or restart the Apache webserver.

openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr

The signed certificate will be valid for about 10 years; the validity is set with -days when the request is signed below, since openssl req ignores -days when it only produces a request.


Keep the key safe

chmod 400 private/server.key

Sign the Certificate Request

openssl ca -config openssl.cnf -policy policy_anything -days 3650 -out certs/server.crt -infiles server.csr
rm server.csr

Verify the certificate

openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt
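The four steps above (CA, request, signing, verification) carried through as one script. This is an added example, not from the wiki page or from Excito; it assumes only that the openssl command-line tool is installed, builds a throwaway CA under a temporary directory with a small inline openssl.cnf instead of editing /etc/ssl/openssl.cnf, and uses constructed values for the CA passphrase and the server name (b3.example.lan). It goes one step beyond the page by giving the server certificate a subjectAltName, which current browsers require in addition to the Common Name, and by putting -days on the signing command, where openssl actually honours it.

```shell
#!/bin/sh
# Added example (not from the wiki): a throwaway private CA, a server certificate
# signed by it, and the same verification the how-to runs.
# Assumes the openssl CLI is on PATH. Passphrase and host names are constructed.
set -eu

# make_ca CA_DIR PASSPHRASE : CA directory layout, inline openssl.cnf, self-signed CA cert
make_ca() {
    ca_dir=$1; ca_pass=$2
    mkdir -p -m 0755 "$ca_dir/private" "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl"
    touch "$ca_dir/index.txt"       # the CA database, empty to start with
    echo 1000 > "$ca_dir/serial"    # next serial number (hex)
    # Same parameters the how-to edits in /etc/ssl/openssl.cnf, in a minimal file.
    # $ca_dir is expanded by the shell here; \$dir is left for openssl to expand.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $ca_dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/certs/myca.crt
private_key = \$dir/private/myca.key
default_md = sha256
default_days = 365
policy = policy_anything

[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
x509_extensions = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA certificate, about 20 years; the key is encrypted with the passphrase
    openssl req -config "$ca_dir/openssl.cnf" -new -x509 -extensions v3_ca -newkey rsa:2048 \
        -subj "/CN=Home CA (constructed)" -passout "pass:$ca_pass" \
        -keyout "$ca_dir/private/myca.key" -out "$ca_dir/certs/myca.crt" -days 7300
    chmod 400 "$ca_dir/private/myca.key"
}

# issue_server_cert CA_DIR PASSPHRASE HOSTNAME : unencrypted server key + CSR, then sign it
issue_server_cert() {
    ca_dir=$1; ca_pass=$2; host=$3
    openssl req -config "$ca_dir/openssl.cnf" -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$ca_dir/private/$host.key" -out "$ca_dir/$host.csr"
    chmod 400 "$ca_dir/private/$host.key"
    # Server extensions: not a CA, TLS-server use only, and a SAN matching the host name
    cat > "$ca_dir/$host.ext" <<EOF
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -days belongs on the signing step: openssl ca honours it, openssl req ignores it for a CSR
    openssl ca -config "$ca_dir/openssl.cnf" -batch -passin "pass:$ca_pass" -days 3650 \
        -extfile "$ca_dir/$host.ext" -extensions v3_server \
        -out "$ca_dir/certs/$host.crt" -infiles "$ca_dir/$host.csr"
    rm "$ca_dir/$host.csr" "$ca_dir/$host.ext"
}

# verify_server_cert CA_DIR HOSTNAME : succeeds only if the chain validates for TLS server
# use against our CA and the certificate carries the expected SAN
verify_server_cert() {
    ca_dir=$1; host=$2
    openssl verify -purpose sslserver -CAfile "$ca_dir/certs/myca.crt" \
        "$ca_dir/certs/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$ca_dir/certs/$host.crt" | grep -q "DNS:$host"
}

# Stand-alone demo in a temporary directory (removed afterwards)
demo_dir=$(mktemp -d)
make_ca "$demo_dir/CA" "constructed-passphrase"
issue_server_cert "$demo_dir/CA" "constructed-passphrase" "b3.example.lan"
if verify_server_cert "$demo_dir/CA" "b3.example.lan"; then
    echo "b3.example.lan: chain OK for sslserver, SAN present"
else
    echo "b3.example.lan: verification FAILED"; exit 1
fi
openssl x509 -subject -issuer -enddate -noout -in "$demo_dir/CA/certs/b3.example.lan.crt"
rm -rf "$demo_dir"
```

The functions take the CA directory as a parameter and write an absolute dir into openssl.cnf, so unlike the how-to's dir = . they do not depend on the current working directory. The same verify_server_cert check is worth keeping around for any certificate you later issue from the CA: it fails both when the signature does not chain to myca.crt and when the SAN does not match the name the browser will connect to.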

Bounce Apache

Replace the old certificates with your new certificates

cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig

cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/private/server.key /etc/apache2/privkey.pem

Restart the Apache webserver

/etc/init.d/apache2 restart

Import the CA certificate

Import the CA certificate (the file /root/CA/certs/myca.crt) into the browser of your choice.


You could also make it publicly available for http access by copying the file to (for example) /home/web.

