Debian Tutorials » openssl

Create your private certificate authority (CA)

admin — Fri, 29 Aug 2008 22:54:24 +0000

Creating a private CA can be useful if you have a lot of services encrypting data for internal use but don't need the domain to be verified by a public CA like Verisign, Thawte etc. By importing the CA to all computers that will use these services users won't get the a popup in IE and Firefox saying that the certificate is invalid.

1. Create a CA certificate

Create a private key for your CA:

openssl genrsa -des3 -out ca.key 4096

You will need to enter passphrase, this password will be used everytime you sign a certificate with this CA

Make sure unauthorized users don't get access to your private key:

chmod 700 ca.key

Create the certificate, this will be shown as the top level certificate when you have signed other certificates so choose expiration day and the certificate contents carefully. All signed certificates will expirate if the top level certificate expires so you may want to choose a few years here

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Here is a sample of input values:

Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:Debian Tutorials Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:Debian Tutorials CA Email Address []:

Common name will be shown when users are displaying details about the certificate

2. Create a certificate request

Create a private key:

openssl genrsa -des3 -out secure.debiantutorials.net.key 4096

Replace secure.debiantutorials.net by your domain name

Create the certificate request

openssl req -new -key secure.debiantutorials.net.key -out secure.debiantutorials.net.csr

Make sure you put your domain name in the "Common Name" field

3. Sign the certificate with your CA certificate

You will need to provide the certificate request here and the CA key

openssl x509 -req -days 365 -in secure.debiantutorials.net.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out secure.debiantutorials.net.crt

4. Remove password from key (optional)

If using the certificate with Apache, Postfix or other services you may need to replace the password in your private key so that the service can start without user interaction

openssl rsa -in secure.debiantutorials.net.key -out secure.debiantutorials.net.key.insecure mv secure.debiantutorials.net.key secure.debiantutorials.net.key.secure mv secure.debiantutorials.net.key.insecure secure.debiantutorials.net.key

Set permissions on the keys

chmod 700 secure.debiantutorials.net.key chmod 700 secure.debiantutorials.net.key.secure

Request and install SSL using Apache2 and OpenSSL

admin — Sun, 17 Feb 2008 23:27:49 +0000

First we'll need to create a certificate signing request (CSR) containing the certificate application info and a private key. Make sure you don't expose you're private key (test.com.key) to the public or the safety of the encrypted information could be compromised.

mkdir /etc/apache2/ssl cd /etc/apache2/ssl openssl req -new -nodes -keyout test.com.key -out test.com.csr

Answer the questions with information about you/your company and the domain that will be validated. Make sure you use a fully qualified domain name (FQDN) in the common name section. When the certificate has been issued you can access the encrypted web by visiting https://FQDN. You can safely skip the extra attributes.

Now you can submit the CSR to your favorite certificate authority for validation. test.com.csr should read something like this (pico test.com.csr):

Here is a short list of popular certificate authorities:

Verisign
Thawte
GlobalSign
Comodo

When you have received your certificate from your certificate authority we'll need to enable it in Apache. Create a file that will contain the certificate and paste your new certificate (pico test.com.crt):

-----BEGIN CERTIFICATE----- MIAGCSqGSIb3DQEHAqCAMIACAQExADALBgkqhkiG9w0BBwGggDCCAAhAF UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAUAMF8xCzAJBgNlVTMSAw (.......) E+cFEpf0WForA+eRP6XraWw8rTN8102zGrcJgg4P6XVS4l39+l5aCEGGbauLP5W6 K99c42ku3QrlX2+KeDi+xBG2cEIsdSiXeQS/16S36ITclu4AADEAAAAAAAAA -----END CERTIFICATE-----

Make sure the certificate and private key are only readable by root:

chmod 400 test.com.key test.com.crt

Download the CA root certificate. You can find CA certificates for the authorities mentioned above here:

Verisign -> http://www.verisign.com/support/verisign-intermediate-ca/
Thawte -> http://www.thawte.com/roots/index.html
Globalsign -> http://secure.globalsign.net/cacert/
Comodo -> https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0

In this example we'll download RapidSSL CA certificate:

wget http://www.rapidssl.com/cps/rapidssl_01.cer

Configure apache to use this certificate to encrypt data (pico /etc/apache2/sites-enabled/000-default). Add these lines somewhere outside your Virtualhost entry:

DocumentRoot {docroot} SSLEngine on SSLCertificateFile /etc/apache2/ssl/test.com.crt SSLCertificateKeyFile /etc/apache2/ssl/test.com.key SSLCACertificateFile /etc/apache2/ssl/rapidssl_01.cer

Restart apache

/etc/init.d/apache2 restart

Now you should be able to access https://FQDN.