Difference between revisions of "Be your own CA"
Jump to navigation
Jump to search
Melle Visser (talk | contribs) |
Melle Visser (talk | contribs) |
||
| Line 1: | Line 1: | ||
Why not be your own Certificate Authority !?<br> | |||
This how-to describes to | This how-to describes how to generate your own CA certificate and generate and sign your own certificates.<br> | ||
== Generate a CA Certificate and Key == | |||
Become the root user<br> | |||
Become the root user<br> | |||
<pre>su - | <pre>su - | ||
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl | mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl | ||
cd CA | cd CA | ||
cp /etc/ssl/openssl.cnf . | cp /etc/ssl/openssl.cnf . | ||
chmod 600 index.txt serial openssl.cnf </pre> | chmod 600 index.txt serial openssl.cnf </pre> | ||
Modify the following parameters in the just copied file openssl.cnf<br> | Modify the following parameters in the just copied file openssl.cnf<br> | ||
<pre>default_md = sha256 | <pre>default_md = sha256 | ||
default_bits = 2048 | default_bits = 2048 | ||
dir = . # Where everything is kept | dir = . # Where everything is kept | ||
certificate = $dir/certs/myca.crt # The CA certificate | certificate = $dir/certs/myca.crt # The CA certificate | ||
private_key = $dir/private/myca.key # The private key</pre> | private_key = $dir/private/myca.key # The private key</pre> | ||
Generate your CA certificate<br> | |||
<pre>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825</pre> | <pre>openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825</pre> | ||
Keep your password and key safe!<br> | Keep your password and key safe!<br> | ||
<pre>chmod 400 private/myca.key </pre> | <pre>chmod 400 private/myca.key </pre> | ||
== Generate a Certificate Request == | == Generate a Certificate Request == | ||
Generate your B3 server certificate. <br> | |||
Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:<br> | Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:<br> | ||
<pre>openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 365</pre> | <pre>openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 365</pre> | ||
Keep the key safe<br> | Keep the key safe<br> | ||
<pre>chmod 400 private/server.key</pre> | <pre>chmod 400 private/server.key</pre> | ||
== Sign the Certificate Request == | == Sign the Certificate Request == | ||
<pre>openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr | <pre>openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr | ||
rm server.csr</pre> | rm server.csr</pre> | ||
== Verify the certificate == | == Verify the certificate == | ||
<pre>openssl x509 -subject -issuer -enddate -noout -in certs/server.crt | <pre>openssl x509 -subject -issuer -enddate -noout -in certs/server.crt | ||
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt</pre> | openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt</pre> | ||
== Bounce Apache == | == Bounce Apache == | ||
Replace the old certifcates with your new certificates<br> | Replace the old certifcates with your new certificates<br> | ||
<pre>cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig | <pre>cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig | ||
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig | cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig | ||
cp /root/CA/certs/server.crt /etc/apache2/cacert.pem | cp /root/CA/certs/server.crt /etc/apache2/cacert.pem | ||
cp /root/CA/private/server.key /etc/apache2/privkey.pem</pre> | cp /root/CA/private/server.key /etc/apache2/privkey.pem</pre> | ||
Restart the Apache webserver<br> | Restart the Apache webserver<br> | ||
<pre>/etc/init.d/apache2 restart</pre> | <pre>/etc/init.d/apache2 restart</pre> | ||
== Importeer CA in browser == | == Importeer CA in browser == | ||
| Line 53: | Line 51: | ||
== References == | == References == | ||
*http://openssl.org/ | *http://openssl.org/ | ||
*http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ | *http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ | ||
*http://www.eclectica.ca/howto/ssl-cert-howto.php<br> | *http://www.eclectica.ca/howto/ssl-cert-howto.php<br> | ||
*http://www.top20toolbar.com/misc/codesigncert.htm<br> | *http://www.top20toolbar.com/misc/codesigncert.htm<br> | ||
Revision as of 06:50, 17 August 2011
Why not be your own Certificate Authority !?
This how-to describes how to generate your own CA certificate and generate and sign your own certificates.
Generate a CA Certificate and Key
Become the root user
su - mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl cd CA cp /etc/ssl/openssl.cnf . chmod 600 index.txt serial openssl.cnf
Modify the following parameters in the just copied file openssl.cnf
default_md = sha256 default_bits = 2048 dir = . # Where everything is kept certificate = $dir/certs/myca.crt # The CA certificate private_key = $dir/private/myca.key # The private key
Generate your CA certificate
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
Keep your password and key safe!
chmod 400 private/myca.key
Generate a Certificate Request
Generate your B3 server certificate.
Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:
openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 365
Keep the key safe
chmod 400 private/server.key
Sign the Certificate Request
openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr rm server.csr
Verify the certificate
openssl x509 -subject -issuer -enddate -noout -in certs/server.crt openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt
Bounce Apache
Replace the old certifcates with your new certificates
cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig cp /root/CA/certs/server.crt /etc/apache2/cacert.pem cp /root/CA/private/server.key /etc/apache2/privkey.pem
Restart the Apache webserver
/etc/init.d/apache2 restart
Importeer CA in browser
Import the CA certificate, this is file /root/CA/certs/myca.crt, into the browser of your choice.