How do I create my own Certificate Authority (CA)
Submitted by Christoph Haas on Tue, 12/16/2008 - 01:07
CA is short for Certificate Authority. A CA issues certificates for things like email accounts, web sites or Java applets. Strictly speaking, a certificate only expresses a trust relationship: if you trust the CA, you automatically trust all the certificates that the CA has issued. This article helps you set up your own tiny CA using the OpenSSL software.
Common web browsers already "ship" with a number of CAs built in. That means you usually trust companies like Verisign, AOL and Microsoft. (Do you really?) If you want to see which CAs are currently trusted:
- Mozilla Firefox: Edit / Preferences / Advanced / Certificates / Manage Certificates / Authorities
- Internet Explorer: Extras / Internet options / Content / Certificates / Trusted Root CAs
Your own CA
Certificates usually do not come for free. An excellent exception is the first free CA, CAcert. Currently not all browsers have its certificate built in. Microsoft only seems to trust CAs if they pay an unrealistic amount of money - who's surprised? It is worth spreading the word since this CA is about trust instead of money.
Otherwise having a valid certificate for your server usually just means paying money to big companies called trust centers. But perhaps you just need a certificate (e.g. for your private web server running HTTPS at home) and do not really care whether the CA is contained in other people's browsers. Then you should consider creating your own CA. The only difference is that your clients will get a warning when contacting your server that the CA is not (yet) trusted. This can either be safely ignored or you can make them install your CA's certificate. It is also a good solution if you need a company-wide CA.
First you need to install OpenSSL. On Debian this means running apt-get install openssl. Change to the directory where you want to create the files that make up the CA and run:
/usr/lib/ssl/misc/CA.pl -newca
The script will create a new directory named demoCA. The CA's private key (keep it safe!) and the public key/certificate (which you may need to give to your clients) will be put there. The public certificate is the demoCA/cacert.pem file. It does not really matter what you enter into the fields. Just pick a meaningful name for the common name field so that it's clear you are looking at a CA - not a person. So name it "ACME Lasagna Certificate Authority" instead of "Peter's Blasphemic Fun Certificate". Pick something that sounds official.
Notice: the CA certificate has an expiry date. The default setting is one year. You may want to edit the file CA.pl and set the DAYS value to ten years.
Create a certificate
Now that you have your own CA you can create certificates for servers. This takes two steps:
- Your "client" creates a private key (.key) and a certificate request (.req):
- You sign that request with your CA's key and create a certificate (.crt) that you send to the client:
Note: If your "client" does not send you a certificate request you can create all the necessary files for them.
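The two steps above, and the signing command from the "Sign a request" section, run end to end as an added example (this is not the article's own code and not the makecert script). It builds a throw-away CA in a temporary directory non-interactively with openssl req -x509 and a minimal openssl.cnf instead of the interactive CA.pl -newca; the CA name and the hostname mailserver.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: a client key and request,
# then a CA signature, against a throw-away CA in a temporary directory.
# The CA is built with 'openssl req -x509' plus a minimal openssl.cnf rather
# than the interactive CA.pl -newca. CA name and hostname are constructed.
set -eu

# make_ca DIR: build a minimal demoCA-style directory with a self-signed CA cert.
make_ca() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  : > "$dir/index.txt"        # certificate database used by 'openssl ca'
  echo 01 > "$dir/serial"     # serial number of the next certificate
  # Minimal config so 'openssl ca' knows where its files live. '\$dir' is
  # left unexpanded on purpose: openssl resolves it inside the config file.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName       = supplied
organizationName = optional
emailAddress     = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  # CA private key plus self-signed certificate. The CA is given a longer
  # lifetime than the certificates it will issue (ten years below).
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 7300 \
    -config "$dir/openssl.cnf" -subj "/CN=ACME Lasagna Certificate Authority" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
  chmod 600 "$dir/private/cakey.pem"   # keep it safe
}

# make_request DIR HOST: step 1, the client makes a private key and a request.
make_request() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.req" 2>/dev/null
  chmod 600 "$dir/$host.key"
}

# sign_request DIR HOST: step 2, the CA turns the request into a certificate.
# Same 'openssl ca' invocation as in "Sign a request", with -batch to skip prompts.
sign_request() {
  dir="$1"; host="$2"
  openssl ca -batch -config "$dir/openssl.cnf" -policy policy_anything -notext \
    -days 3650 -in "$dir/$host.req" -out "$dir/$host.crt" 2>/dev/null
}

# verify_chain DIR HOST: confirm the issued certificate chains to our CA.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}

# apache_pem DIR HOST: key and certificate in one file, as the article does for Apache.
apache_pem() {
  cat "$1/$2.key" "$1/$2.crt" > "$1/apache.pem"
  chmod 600 "$1/apache.pem"   # it contains the private key
}

# run_demo: whole procedure in a temp dir; prints the subject of the new cert.
run_demo() {
  dir=$(mktemp -d) || return 1
  host=mailserver.example.com
  make_ca "$dir" && make_request "$dir" "$host" && sign_request "$dir" "$host" \
    && verify_chain "$dir" "$host" && apache_pem "$dir" "$host"
  status=$?
  [ "$status" -eq 0 ] && openssl x509 -in "$dir/$host.crt" -noout -subject
  rm -rf "$dir"
  return "$status"
}

run_demo
```

The openssl.cnf written by make_ca mirrors the layout CA.pl creates under demoCA (index.txt, serial, newcerts, private/cakey.pem), which is why the plain openssl ca command from the article works against it once -config points at the file. Both private keys get mode 600 right after creation, as does apache.pem, because the combined file is as sensitive as the key itself.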
To simplify things you may want to use my script makecert, which quickly creates new certificates for e.g. Apache SSL servers. Run it like this:
You will get three files:
- mailserver.mydomain.com.key (the client's private key)
- mailserver.mydomain.com.req (the client's certificate request)
- mailserver.mydomain.com.crt (the client's signed certificate)
The certificate request is just an intermediate file that is not needed to run a server with that certificate. You only need the private key and the certificate.
If you want to use that certificate for an Apache web server, put the private key (.key) and the certificate (.crt) into the same file and call it apache.pem:
cat mailserver.mydomain.com.key mailserver.mydomain.com.crt > apache.pem
Sign a request
Some servers create the certificate request themselves (SAP, IIS). You will get that request as a file from the client. Run the following command on that request file, from the directory that contains demoCA (the default openssl.cnf looks for the CA files there):
openssl ca -policy policy_anything -notext -in clients.server.com.req -days 3650 -out clients.server.com.crt
Source: workaround.org