Setup your own self signed Certificate Authority (CA)
Posted by danielMar 12
How to be your own Certificate Authority(CA) with self signed certificates
This is a hands on tutorial on how you can setup your own Certificate Authority(CA) for internal network use. Once the CA certs are setup, you will generate certificate request(CSR) for your clients and sign them with your CA certs to create SSL certs for your internal network use. If you import your CA certs to your browser, you will be able to visit all internal sites using https without any browser warning, as long as the certs the your internal services are using are signed by your internal CA.
*Demo – Own CA for the home.net internal domain
1. Prepare certificate environment and default parameters to use when creating CSR –
# mkdir /etc/ssl/CA # mkdir /etc/ssl/newcerts # sh -c "echo '100000' > /etc/ssl/CA/serial" # touch /etc/ssl/CA/index.txt # cat /etc/ssl/openssl.cnf dir = /etc/ssl # Where everything is kept database = $dir/CA/index.txt # database index file. certificate = $dir/certs/home_cacert.pem # The CA certificate serial = $dir/CA/serial # The current serial number private_key = $dir/private/home_cakey.pem # The private key default_days = 1825 # how long to certify for default_bits = 2048 countryName_default = US stateOrProvinceName_default = California 0.organizationName_default = Home Ltd
2. Create self signed root certificate and install the root certificate and key –
# openssl req -new -x509 -extensions v3_ca -keyout home_cakey.pem -out home_cacert.pem -days 3650 # mv home_cakey.pem /etc/ssl/private/ # mv home_cacert.pem /etc/ssl/certs/
3. Generate a CSR for the domain you want to issue a certificate –
# openssl genrsa -des3 -out home_server.key 2048 # openssl rsa -in home_server.key -out server.key.insecure # mv server.key server.key.secure # mv server.key.insecure server.key
4. Create the CSR now and generate a CA signed certificate –
# openssl req -new -key server.key -out server.csr # openssl ca -in server.csr -config /etc/ssl/openssl.cnf
Directory structure after signing and issuing certificates –
# ls -l /etc/ssl/CA/ total 24 -rw-r--r-- 1 root root 444 Aug 29 18:20 index.txt -rw-r--r-- 1 root root 21 Aug 29 18:20 index.txt.attr -rw-r--r-- 1 root root 21 Aug 29 18:16 index.txt.attr.old -rw-r--r-- 1 root root 328 Aug 29 18:18 index.txt.old -rw-r--r-- 1 root root 7 Aug 29 18:20 serial -rw-r--r-- 1 root root 7 Aug 29 18:19 serial.old # ls -l /etc/ssl/newcerts/ total 32 -rw-r--r-- 1 root root 4612 Aug 29 16:24 100000.pem -rw-r--r-- 1 root root 4613 Aug 29 16:51 100001.pem -rw-r--r-- 1 root root 4574 Aug 29 17:50 100002.pem -rw-r--r-- 1 root root 4619 Aug 29 18:20 100003.pem # cat /etc/ssl/CA/index.txt V 190828202443Z 100000 unknown /C=US/ST=California/O=Home Ltd/OU=Home/CN=www.home.net/emailAddress=daniel@home.net V 190828205127Z 100001 unknown /C=US/ST=California/O=Home Ltd/OU=Home/CN=wiki.home.net/emailAddress=daniel@home.net V 190828215006Z 100002 unknown /C=US/ST=California/O=Home Ltd/CN=home.net/emailAddress=daniel@home.net V 190828222038Z 100003 unknown /C=US/ST=California/O=Home Ltd/OU=Home/CN=homevm.home.net/emailAddress=daniel@home.net # cat /etc/ssl/CA/serial 10411A
Now that you have your certificate, in this example /etc/ssl/certs/home_cacert.pem, you can import it to your web client such as a web browser, LDAP client etc.
References –
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
No comments
You must be logged in to post a comment.