Be your own CA

From BubbaWiki
Latest revision as of 20:45, 7 September 2011

Tired of your browser warning about untrusted SSL certificates? Then why not be your own Certificate Authority?


This how-to describes how to generate your own CA certificate and generate and sign your own certificates.


Generate a CA Certificate and Key

Become the root user. The private directory will hold the CA key, so make it readable by root only; the rest of the tree is the working directory that openssl ca expects (database, serial file, issued certificates).

su -
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl
chmod 700 CA/private
cd CA
touch index.txt
echo 1000 > serial
cp /etc/ssl/openssl.cnf .
chmod 600 index.txt serial openssl.cnf 

Modify the following parameters in the just copied file openssl.cnf. default_bits is in the [ req ] section; the others are in [ CA_default ], where the stock file has dir = ./demoCA (if your copy also has a default_md in [ req ], set that to sha256 as well). Because dir = . is relative, run all the commands that follow from /root/CA.

default_md = sha256
default_bits = 2048
dir = . # Where everything is kept
certificate = $dir/certs/myca.crt # The CA certificate
private_key = $dir/private/myca.key # The private key

Generate your CA certificate

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 7300

You will be asked for a pass phrase (the CA key is stored encrypted with it) and for the distinguished name of the CA; give it a Common Name that identifies it as your CA rather than a server name. The v3_ca extensions mark the certificate as a CA (basicConstraints CA:TRUE), which browsers require before they will trust it as a root. The certificate will be valid for 7300 days, about 20 years.


Keep your pass phrase and key safe! Anyone holding both can issue certificates that every browser you import this CA into will trust without warning.

chmod 400 private/myca.key 

Generate a Certificate Request

Generate the key and certificate signing request (CSR) for your B3 server.


Note:


Fill in your B3 server name, the DNS name you type into the browser, when asked the question: Common Name (eg, YOUR name) []:
Current browsers (Chrome since version 58, for example) ignore the Common Name and require the server name in a subjectAltName extension, which the stock openssl.cnf does not add. To add one, put subjectAltName = DNS:your.server.name in the extension section that openssl ca uses (usr_cert in the stock file) before signing.


Just hit enter when asked the question: A challenge password []:
The challenge password is an optional attribute of the request that nothing here uses. It is the -nodes option that leaves the server key unencrypted; without -nodes you would be forced to enter the key's pass phrase every time you start or restart the Apache webserver.

openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr

The request itself carries no validity period: openssl req ignores -days unless -x509 is also given, so the lifetime of the server certificate is decided when the CA signs the request in the next step.


Keep the key safe

chmod 400 private/server.key

Sign the Certificate Request

openssl ca -config openssl.cnf -policy policy_anything -days 3650 -out certs/server.crt -infiles server.csr
rm server.csr

You will be asked for the CA pass phrase and then to confirm signing and committing the certificate. The -days option sets the lifetime of the server certificate, here 3650 days, about 10 years; without it openssl ca uses default_days from openssl.cnf (365 in the stock file). The CA also records the certificate in index.txt, keeps a copy in newcerts/ and increments serial.

Verify the certificate

openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt

The first command should show your server name as the subject, your CA as the issuer and an end date ten years out; the second should print certs/server.crt: OK.
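The whole procedure above, run non-interactively in a throwaway directory, as an added example that is not code from the wiki page or from the B3 itself. It writes its own minimal openssl.cnf (the same fields the page has you edit, plus the extension sections the stock file provides), adds a subjectAltName to the server certificate, and then checks that the certificate passes for the right host name and fails for another. The CA name "Example Home CA", the host name b3.example.lan and the pass phrase are made-up values.

```shell
#!/bin/sh
# Added example, not code from the wiki page: the page's CA procedure run
# non-interactively in a throwaway directory, with a subjectAltName on the
# server certificate. CA name, host name and pass phrase are made-up values.

make_ca() {
    wd="$1"      # working directory, e.g. from mktemp -d
    host="$2"    # DNS name of the server, goes into the SAN
    capass="$3"  # pass phrase that encrypts the CA key (example value)

    mkdir -p "$wd/private" "$wd/certs" "$wd/newcerts" || return 1
    chmod 700 "$wd/private"         # keys are readable by the owner only
    : > "$wd/index.txt"             # empty CA database
    echo 1000 > "$wd/serial"        # first serial number, hex

    # \$dir is left for OpenSSL to expand; $wd and $host are filled in now.
    cat > "$wd/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $wd
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/certs/myca.crt
private_key = \$dir/private/myca.key
default_md = sha256
default_days = 3650
policy = policy_anything
x509_extensions = server_cert

[ policy_anything ]
commonName = supplied

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. Encrypted CA key and self-signed CA certificate, about 20 years.
    openssl req -config "$wd/openssl.cnf" -new -x509 -extensions v3_ca -batch \
        -subj "/CN=Example Home CA" -passout "pass:$capass" \
        -keyout "$wd/private/myca.key" -out "$wd/certs/myca.crt" -days 7300 || return 1
    chmod 400 "$wd/private/myca.key"

    # 2. Unencrypted server key (-nodes, so Apache starts unattended) and CSR.
    openssl req -config "$wd/openssl.cnf" -new -nodes -batch -subj "/CN=$host" \
        -keyout "$wd/private/server.key" -out "$wd/server.csr" || return 1
    chmod 400 "$wd/private/server.key"

    # 3. Sign the request. Lifetime comes from default_days here, not from the CSR.
    openssl ca -config "$wd/openssl.cnf" -batch -notext -passin "pass:$capass" \
        -in "$wd/server.csr" -out "$wd/certs/server.crt" || return 1
    rm -f "$wd/server.csr"

    # 4. Verify the chain and that the SAN made it into the certificate.
    openssl verify -purpose sslserver -CAfile "$wd/certs/myca.crt" "$wd/certs/server.crt" || return 1
    openssl x509 -in "$wd/certs/server.crt" -noout -text | grep -q "DNS:$host"
}

# Exit status 0 if certificate $1, issued by CA $2, is valid for host name $3.
matches_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Stand-alone run:  sh be-your-own-ca.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_ca "$d" b3.example.lan changeme && echo "CA and server certificate built in $d"
    matches_host "$d/certs/server.crt" "$d/certs/myca.crt" b3.example.lan && echo "b3.example.lan: ok"
    matches_host "$d/certs/server.crt" "$d/certs/myca.crt" other.example.lan || echo "other.example.lan: rejected"
fi
```

The -batch, -subj, -passout and -passin options replace the interactive prompts the page walks through; on the real B3 you would keep the prompts for the CA key and simply type the pass phrase. The second verify, with -verify_hostname, is the check a browser performs: it passes only because the name is in the subjectAltName, which is why the example adds that extension.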

Bounce Apache

Replace the old certificates with your new certificates. On the B3, /etc/apache2/cacert.pem holds the server certificate and /etc/apache2/privkey.pem its key, so back both up before overwriting them and make sure the copied key stays readable by root only:

cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig

cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/private/server.key /etc/apache2/privkey.pem
chmod 600 /etc/apache2/privkey.pem

Restart the Apache webserver

/etc/init.d/apache2 restart

Import the CA certificate

Import the CA certificate, the file /root/CA/certs/myca.crt, into the browser of your choice as a trusted authority for identifying websites. Only this file is ever distributed; the CA key in /root/CA/private never leaves the CA.


You could also make it publicly available for http access by copying the file to (for example) /home/web.


References

*http://openssl.org/
*http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
*http://www.eclectica.ca/howto/ssl-cert-howto.php
*http://www.top20toolbar.com/misc/codesigncert.htm