Be your own CA
Be your own Certificate Authority
This how-to describes how to create your own CA certificate and sign your own certificates.
Create the CA Certificate and Key
su -
mkdir -m 0755 \
CA \
CA/private \
CA/certs \
CA/newcerts \
CA/crl
cd CA
cp /etc/ssl/openssl.cnf .
touch index.txt
echo 01 > serial
chmod 600 index.txt serial openssl.cnf
Changes in openssl.cnf
default_md = sha256
default_bits = 2048
dir = . # Where everything is kept
certificate = $dir/certs/myca.crt # The CA certificate
private_key = $dir/private/myca.key # The private key
openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
chmod 400 private/myca.key
Generate a Certificate Request
openssl req -config openssl.cnf -new -nodes -keyout private/server.key -out server.csr -days 365
Enter the server name at the Common Name prompt:
Common Name (eg, YOUR name) []:www.onsleven.com
chmod 400 private/server.key
Sign the Certificate Request
openssl ca -config openssl.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
rm server.csr
Verify the certificate
openssl x509 -subject -issuer -enddate -noout -in certs/server.crt
openssl verify -purpose sslserver -CAfile certs/myca.crt certs/server.crt
Restart Apache
cp /etc/apache2/cacert.pem /etc/apache2/cacert.pem.orig
cp /etc/apache2/privkey.pem /etc/apache2/privkey.pem.orig
cp /root/CA/certs/server.crt /etc/apache2/cacert.pem
cp /root/CA/private/server.key /etc/apache2/privkey.pem
/etc/init.d/apache2 restart
Import the CA into the browser
Take /root/CA/certs/myca.crt and import it into your browser.
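The create, sign and verify steps above as a non-interactive script, added here as an example (not part of the original how-to): it builds a throwaway CA with only the openssl.cnf sections that openssl ca reads, then checks that the issued certificate chains to the CA and that the private key belongs to it. The names Demo CA and www.example.test, the function names, and the unencrypted CA key (-nodes, so the script runs unattended) are assumptions of this example.

```shell
# Added example: constructed names, throwaway directory, unencrypted demo CA key.
# Build a minimal CA tree in directory $1 and issue one server certificate.
make_demo_ca() (
    umask 077                        # keys and CA state are private from creation
    mkdir -p "$1/private" "$1/certs" "$1/newcerts" && cd "$1" || exit 1
    : > index.txt                    # certificate database read by `openssl ca`
    echo 01 > serial                 # next serial number to assign
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/certs/myca.crt
private_key = $dir/private/myca.key
default_md = sha256
default_days = 365
[ policy_anything ]
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # -nodes on the CA key is for this demo only; the how-to keeps it encrypted.
    openssl req -config openssl.cnf -new -x509 -nodes -extensions v3_ca \
        -subj "/CN=Demo CA" -keyout private/myca.key -out certs/myca.crt -days 1825 2>/dev/null &&
    openssl req -config openssl.cnf -new -nodes -subj "/CN=www.example.test" \
        -keyout private/server.key -out server.csr 2>/dev/null &&
    openssl ca -config openssl.cnf -policy policy_anything -batch -notext \
        -out certs/server.crt -infiles server.csr 2>/dev/null &&
    rm server.csr && chmod 400 private/myca.key private/server.key
)

# Succeeds only if SERVER_CERT chains to CA_CERT and SERVER_KEY matches the certificate.
check_pair() {   # usage: check_pair CA_CERT SERVER_CERT SERVER_KEY
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # Compare the public key embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

Running check_pair against /root/CA/certs/myca.crt, certs/server.crt and private/server.key before copying files into /etc/apache2 catches a certificate paired with the wrong key.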