This article explains how to create your own Certificate Authority and issue SSL certificates signed by it. Many articles describe how to create your own SSL certificates, but in most cases they cover self-signed certificates. That is simpler, but such certificates cannot be verified or tracked. I prefer to create a personal Certificate Authority (CA) first and then issue certificates from it. The main advantage of this approach is that you can import your CA certificate into your browser or your phone, and you will no longer get warnings when accessing your own web site or connecting to your SMTP/IMAP server, because your certificate is now considered trusted. This is also necessary if you build a certificate hierarchy for your own project and want to be the only one who can issue certificates for its users.
This post assumes you have the OpenSSL toolkit installed and that the openssl command-line utility works properly.
Creating the Certificate Authority configuration
Create a directory on your disk and save the following configuration file there under the name ca.cnf. You can edit the parameters marked “EDIT THOSE”, and you can change other parameters (for example, if you want your certificates to be valid for longer than one year, change default_days), but the defaults should be good enough for the vast majority of users.
Then create the directory structure which will be used by your CA. This assumes you did not change the directory name in the configuration file above:
Generating the Certificate Authority private key and certificate
To generate the Certificate Authority with a 2048-bit private key and a certificate valid for ten years (3650 days), execute the following command:
It will ask you for the information that will be embedded in your CA certificate. Answer meaningfully, so that when you later see this certificate in your browser you do not wonder what it is.
Once the command above completes you should have two files: mypersonalca/certs/ca.pem and mypersonalca/private/ca.key. The key file must be kept secret: anyone who obtains ca.key will be able to sign certificates in the name of your CA. The ca.pem file is your public CA certificate, which can be imported into your browser or mobile platform so that the device recognizes your root CA.
Now that you have the CA key, you can start generating and signing certificates.
Generating the certificate
Getting a valid certificate consists of two phases. First the certificate (with its private key) is generated, and then it is signed by your CA.
The following command generates the certificate and a 1024-bit private key:
This command will ask you a few questions about the entity the certificate is issued to (its subject). This information will be visible to anyone who connects to your server. If you are creating an SSL certificate for your web or mail server, pay special attention to the Common Name field: you must enter the fully-qualified domain name this certificate will serve. For example, if your web server is https://mymail.example.com, your Common Name must be mymail.example.com. You can also use a wildcard in the first label of the domain name: a certificate with a Common Name such as *.example.com can be used for all subdomains of example.com. An e-mail address must also be supplied, although it does not have to be valid.
Once the certificate is created it needs to be signed by your CA before it will be recognized as trusted:
You now have the pair: the signed certificate cert.pem and the corresponding private key cert.key, which you can use as needed.
Printing the certificate parameters
Once in a while you may want to inspect a certificate to see what it contains. The following command prints the contents of the cert.pem certificate:
The important fields in the output are:
- Issuer (information about the CA which signed the certificate)
- Subject (information about the entity which uses the certificate)
- Validity (time period when the certificate is valid)
That’s it. Now you can generate the certificates signed by your own CA!
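The whole procedure above, from CA setup through signing and printing a server certificate, as an added runnable example that is not the post's own commands. It assumes OpenSSL 1.1.1 or later; the paths match the post, but the minimal ca.cnf is a constructed stand-in for the post's configuration file, and it uses a 2048-bit server key plus a subjectAltName (which current browsers require) rather than the post's 1024-bit key and Common Name alone.

```shell
#!/bin/sh
# Added example (not the post's own commands): build a personal CA and sign one
# server certificate, following the steps above. Paths match the post; ca.cnf
# below is a constructed minimal stand-in for the post's configuration file.
set -eu
setup_ca() {
    cd "$(mktemp -d)"                      # scratch directory; nothing real is touched
    mkdir -p mypersonalca/certs mypersonalca/private mypersonalca/newcerts
    chmod 700 mypersonalca/private         # the CA key must stay secret
    touch mypersonalca/index.txt; echo 1000 > mypersonalca/serial   # issuance database + next serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = mypersonalca
[ mypersonalca ]
dir             = ./mypersonalca
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/certs/ca.pem
private_key     = $dir/private/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_any
copy_extensions = copy
[ policy_any ]
commonName      = supplied
emailAddress    = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA: 2048-bit key and self-signed certificate valid 3650 days, flagged as a CA
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
        -subj "/CN=My Personal CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout mypersonalca/private/ca.key -out mypersonalca/certs/ca.pem 2>/dev/null
}
# Phase 1: server key + signing request for FQDN $1; phase 2: the CA signs it.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=$1/emailAddress=postmaster@$1" -addext "subjectAltName=DNS:$1" \
        -keyout cert.key -out cert.csr 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -in cert.csr -out cert.pem 2>/dev/null
}
# Print the issuer, subject and validity fields the post singles out.
show_cert() { openssl x509 -in "$1" -noout -issuer -subject -dates; }
setup_ca
issue_cert mymail.example.com
show_cert cert.pem
```

After it runs, openssl verify -CAfile mypersonalca/certs/ca.pem cert.pem confirms the chain, which is exactly the check a browser performs once ca.pem is imported.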