Be your own CA

From BubbaWiki
Revision as of 06:42, 17 August 2011 by Melle Visser (talk | contribs)
Jump to navigation Jump to search

Be your own Certificate Authority

This how-to describes to create your own CA certificate and sign your own certificates.


Create the CA Certificate and Key

Become the root user

su -
mkdir -m 0755 CA CA/private CA/certs CA/newcerts CA/crl
cd CA
cp /etc/ssl/openssl.cnf .
chmod 600 index.txt serial openssl.cnf 

Modify the following parameters in the just copied file openssl.cnf

default_md = sha256
default_bits = 2048
dir = . # Where everything is kept
certificate = $dir/certs/myca.crt # The CA certificate
private_key = $dir/private/myca.key # The private key

Create your CA certificate

openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

Keep your password and key safe!

chmod 400 private/myca.key 

Generate a Certificate Request

Create your B3 server certificate.

Fill in your B3 server name when asked the question: Common Name (eg, YOUR name) []:

openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 365

Keep the key safe

chmod 400 private/server.key

Sign the Certificate Request

openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
rm server.csr

Verify the certificate

openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt

Bounce Apache

Replace the old certifcates with your new certificates

cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig

cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/private/server.key /etc/apache2/privkey.pem

Restart the Apache webserver

/etc/init.d/apache2 restart

Importeer CA in browser

Import the CA certificate, this is file /root/CA/certs/myca.crt, into the browser of your choice.

References