SSL: Creating your own CA (Certificate Authority)
Posted: Sun Apr 12, 2009 12:05 am
This article can be considered an extension to my previous article, which explains the creation of a self-signed certificate. This article also covers the further steps needed to generate a certificate using the CA certificate/key.

In this step you'll take the place of VeriSign, Thawte, etc. You'll first build the CA key, then build the certificate itself.

The Common Name (CN) of the CA and the Server certificates must NOT match, or else a naming conflict will occur and you will get errors later on. In this step, you'll provide the CA entries. In a step below, you'll provide the Server entries. In this example, I just added "CA" to the CA's CN field, to distinguish it from the Server's CN field. Use whatever scheme you want, just make sure the CA and Server entries are not identical.

Common Name (CN):
Organization (O): Gagan Brahmi
Organizational Unit (OU): Gagan

Common Name (CN):
Organization (O): Gagan Brahmi
Organizational Unit (OU): Gagan

If you don't have a fully qualified domain name, you should use the IP that you'll be using to access your SSL site for Common Name (CN). But, again, make sure that something differentiates the entry of the CA's CN from the Server's CN.

Generate a key for the CA certificate

Create a secure key which will be used for creating a CA certificate.
[[email protected] ca-cert]# openssl genrsa -out ca.key 1024

Create a CA certificate using the key above:
[[email protected] ca-cert]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate the key for the server certificate and a CSR (Certificate Signing Request)

This step creates a server key, and a request (the .csr file) that you want signed by a Certificate Authority (the one you just created in the step above).

Using the following command you can create a key for the server certificate:
[[email protected] ca-cert]# openssl genrsa -out myserver.key 1024

Now it is time to create a CSR. You need to be very watchful while creating a CSR, especially with the Common Name: it should point to a fully qualified domain. You can skip putting in any password in this step. The following command will create the CSR:
[[email protected] ca-cert]# openssl req -new -key myserver.key -out myserver.csr

Signing the certificate using the CSR

Now you need to sign the certificate using the request (CSR, certificate signing request) made above.

We will be signing the certificate for 365 days. After one year you will have to sign this again.

Note also that I set the serial number of the signed server certificate to "01". Each time you do this, especially if you do this before a previously-signed certificate expires, you'll need to change the serial number to something else -- otherwise everyone who's visited your site with a cached version of your certificate will get a browser warning message to the effect that your certificate signing authority has screwed up -- they've signed a new key/request, but kept the old serial number. There are a couple of ways to rectify that. CRLs (certificate revocation lists) are one method, but beyond the scope of this document. Another method is for all clients which have stored the CA certificate to go into their settings and delete the old one manually. But for the purposes of this document, we'll just avoid the problem. (If you're a sysadmin of a production system and your myserver.key is compromised, you'll certainly need to worry.)

The command below does a number of things. It takes your signing request (CSR) and makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it which Certificate Authority (CA) certificate to use, which CA key to use, and which server request to sign. We set the serial number to 01, and output the signed certificate in the file named myserver.crt. If you do this again after people have visited your site and trusted your CA (storing it in their browser), you might want to use 02 for the next serial number, and so on. You might create some scheme to make the serial number more "official" in appearance or makeup, but keep in mind that it is fully exposed to the public in their web browsers, so it offers no additional security in itself.

Here is how the command goes:
[[email protected] ca-cert]# openssl x509 -req -days 365 -in myserver.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out myserver.crt

Examine the components using the following commands:
[[email protected] ca-cert]# openssl rsa -noout -text -in myserver.key
[[email protected] ca-cert]# openssl req -noout -text -in myserver.csr
[[email protected] ca-cert]# openssl rsa -noout -text -in ca.key
[[email protected] ca-cert]# openssl x509 -noout -text -in ca.crt

That should be it! You can now sign different SSL certificates using the CA installed on your server. Just be careful with the serial number, though!
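The whole procedure above, run end to end as a non-interactive script so it can be checked rather than typed by hand. This is an added example, not the post's own commands: it assumes a scratch directory in $WORK, made-up subjects (an "Example CA" and the hostname www.example.test), and a minimal openssl.cnf written inline so the run does not depend on the system config. It deliberately goes beyond the post's commands in two places a practitioner would want: the keys are 2048-bit rather than 1024-bit, and the CA certificate is explicitly marked CA:TRUE while the server certificate gets a subjectAltName and serverAuth usage, without which current clients reject the result. It then does the checks the "examine the components" step only hints at: the chain verifies against the CA, the CA and server subjects differ, and two issuances carry the distinct serial numbers 01 and 02.

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA, issue a
# server certificate from a CSR, and verify the result. $WORK, the subjects,
# the 2048-bit key size and the hostname www.example.test are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal config so the run does not depend on the system openssl.cnf.
# v3_ca marks the CA as a CA (basicConstraints); v3_server limits the leaf to
# TLS server use and carries the SAN that modern clients require.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# CA key and self-signed CA certificate. The key is never overwritten:
# regenerating it would silently invalidate every certificate issued so far.
make_ca() {
    [ -f "$WORK/ca.key" ] || openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    [ -f "$WORK/ca.crt" ] || openssl req -new -x509 -days 365 \
        -key "$WORK/ca.key" -out "$WORK/ca.crt" \
        -config "$CNF" -extensions v3_ca \
        -subj "/CN=Example CA/O=Example Org/OU=Infra"
}

# Server key and CSR. The CN differs from the CA's CN, as the post requires.
make_server_csr() {
    [ -f "$WORK/myserver.key" ] || openssl genrsa -out "$WORK/myserver.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/myserver.key" -out "$WORK/myserver.csr" \
        -config "$CNF" -subj "/CN=www.example.test/O=Example Org/OU=Infra"
}

# sign_server SERIAL OUTFILE: issue a server certificate from the CSR.
# Every issuance gets a fresh serial; reusing one is the mistake the post warns about.
sign_server() {
    openssl x509 -req -days 365 -in "$WORK/myserver.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial "$1" \
        -extfile "$CNF" -extensions v3_server -out "$2" 2>/dev/null
}

# Print a certificate's serial number in the hex form openssl shows.
cert_serial() {
    openssl x509 -noout -serial -in "$1" | cut -d= -f2
}

# The checks that matter: the chain verifies against the CA, the CA really is
# a CA, and the CA and server subjects are not identical.
verify_issued() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null
    openssl x509 -noout -text -in "$WORK/ca.crt" | grep -q 'CA:TRUE'
    [ "$(openssl x509 -noout -subject -in "$WORK/ca.crt")" != \
      "$(openssl x509 -noout -subject -in "$1")" ]
}

# Full run; prints the serials of the two issued certificates: "01 02".
demo() {
    write_config
    make_ca
    make_server_csr
    sign_server 01 "$WORK/myserver.crt"
    sign_server 02 "$WORK/myserver-renewed.crt"
    verify_issued "$WORK/myserver.crt"
    verify_issued "$WORK/myserver-renewed.crt"
    echo "$(cert_serial "$WORK/myserver.crt") $(cert_serial "$WORK/myserver-renewed.crt")"
}

demo
```

Run it with `sh make-ca.sh`; the generated files stay in $WORK for inspection with the `openssl ... -noout -text` commands from the post. The `[ -f ... ] ||` guards are the point of the script's design: a CA key that is regenerated by accident orphans every certificate it ever signed, so the script refuses to replace one that already exists, while the CSR and signing steps can be repeated freely with a new serial each time.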
