Some Overview
Well, if you are here, then I suppose you know something (or everything) about the cryptographic protocol TLS (its predecessor is SSL). This guide will illustrate, how you can issue self-signed certificates – signed by your OWN Certificate Authority!
OK wait!? Why do that???? Well are you maybe familiar with this?
Pretty annoying! Besides that, there might be cases where some web-application needs to utilize TLS but with a certificate from a “known” CA. So having only self-signed certificates is not enough!
So, you can either buy a overpriced SSL certificate from a CA (certificate authority) or get those errors/warnings! Well not quite! Here is you 3rd option – the green option!
The Green Option
I call it “the green option” since we are going to get rid of this ugly, red, crossed-out https from your browser! Before we go through the steps, lets first see (recall) the role of the CA. Here is an overview:
The usual case
The figure above shows the role of a Certificate Authority (CA) in the interaction between a server and some client.
When a client connects to our server from his/her browser, the browser receives the server’s certificate as part of the initial handshake. The server’s certificate has been signed by some CA. The browser contains the public keys of several trusted CAs. The browser will also – as part of the handshake with the server – examine the received certificate, locate the appropriate public key and verify the signature in the certificate with it.
If no appropriate trusted public key is found or if the signature verification failed (for some other reason), the browser will notify the client. If however, the certificate signature has been verified, the client can be assured that he/she is connected to a verified server and the communication between the server and the client will proceed.
Our case
In our case, the above general idea doesn’t change! The only difference is that, since we are NOT a trusted organization ourselves that issues certificates, i.e. a certificate issuer, the client needs to explicitly trust our own CA! To achieve that, the client needs to receive the trusted Root Certificate of our CA and add it to his trusted list.
The Steps
OpenSSL is all you need to create your own private certificate authority and to create self-signed certificates. The process we are going to follow is the following:
Step 1: Root Certificate
To create the CA’s Root Certificate we need to:
- Create the private Root Key (with password or password-less)
- Self-sign the root certificate with the key
Create the private Root Key:
# Create a 2048 bit password-less key openssl genrsa -out rootCA.key 2048 # Protect it with a password using -des3 openssl genrsa -des3 -out rootCA.key 2048
The standard key sizes are 1024, 2048, and to a much lesser extent, 4096. We choose 2048, which is what most people use now. Note that the bigger the key size is, the more computationally intensive it is!
The Root Key must be well guarded! It is strictly private!
Create Root Certificate
We are going to self-sign the root certificate. You can fill the information to your liking/preferences. Nothing important to note here.
# Create the Root Certificate valid for 1024 days openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:South Holland Locality Name (eg, city) []:Rotterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:TurluCode Organizational Unit Name (eg, section) []:IT Common Name (eg, YOUR name) []:SSL/TLS Guide Email Address []:turlucode@turlucode.com
Once done, you will have created the Root Certificate of your CA, called rootCA.pem . Note that this certificate is valid for 1024 days.
Step 2: Server’s Certificate
To create now a certificate for your server using your own CA you need to:
- Create a private key
- Use the private key and the key of the CA to sign the certificate
Create Server’s private key
As before:
# Create a 2048 bit password-less key openssl genrsa -out server.key 2048 # Protect it with a password using -des3 openssl genrsa -des3 -out server.key 2048
Once the key is created, you’ll generate the certificate signing request.
# Create signing request openssl req -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:NL State or Province Name (full name) [Some-State]:South Holland Locality Name (eg, city) []:Rotterdam Organization Name (eg, company) [Internet Widgits Pty Ltd]:TurluCode Organizational Unit Name (eg, section) []:IT Common Name (eg, YOUR name) []:<THIS IS IMPORTANT! USE URL or IP> Email Address []:turlucode@turlucode.com
Important! At this field: Common Name (eg, YOUR name) []: use the URL of your web-application or the server’s IP.
Create Server’s certificate
Now use the above key and the CA’s private key to self-sign the server’s certificate:
# Create the Server's Certificate valid for 500 days openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500
This creates a signed certificate called server.crt which is valid for 500 days. You can now install server.key and server.crt in your server.
Step 3: Send Root Certificate to Clients
This is the final but very important step of our green option! You now need to install and basically trust you newly created CA!
Instructions how to install/trust CA
Ubuntu:
- Copy your CA rootCA.pem to /usr/local/share/ca-certificates/
- then, update CA store: sudo update-ca-certificates
OR
- Rename the rootCA.pem to rootCA.crt and copy it to: /etc/ssl/certs
Arch Linux:
- Rename the rootCA.pem to rootCA.crt and copy it to: /etc/ca-certificates/trust-source/anchors/
- Run: sudp trust extract-compat