Why to create your own certificate authority?
Recently I start using my own cloud service storage owncloud to replace dropbox in some scenarios. I wanted to access to my documents throw SSL and for that reason I start checking how to self sign a certificate. Afterwards I realized that I also wanted to protect other websites with my SSL and I decided to create my own Certificate Authority CA. The main reason to create the Certificate Authority is to have only one certificate to install on my devices instead of each of the multiple certificates.
Setting up certification Authority
First, create the directories to hold the CA certificate and related files:
sudo mkdir /etc/ssl/CA sudo mkdir /etc/ssl/newcerts
The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, each certificate must have a unique serial number, and another file to record which certificates have been issued:
sudo sh -c "echo '01' > /etc/ssl/CA/serial" sudo touch /etc/ssl/CA/index.txt
The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit/etc/ssl/openssl.cnf, and in the [ CA_default ] change:
dir = /etc/ssl/ # Where everything is kept database = $dir/CA/index.txt # database index file. certificate = $dir/certs/cacert.pem # The CA certificate serial = $dir/CA/serial # The current serial number private_key = $dir/private/cakey.pem# The private key
Next, create the self-singed root certificate:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
You will then be asked to enter the details about the certificate.
Now install the root certificate and key:
sudo mv cakey.pem /etc/ssl/private/ sudo mv cacert.pem /etc/ssl/certs/
Create and sign your domain certificate
Now you have you Certificat Authority setup you are ready to start signing certificates, but we need to create one.
- Create the domain key
openssl genrsa -des3 -out www.yourdomain.com.key 2048 Generating RSA private key, 2048 bit long modulus .......................................+++ ...................................................+++ e is 65537 (0x10001) Enter pass phrase for www.yourdomain.com.key: Verifying - Enter pass phrase for www.yourdomain.com.key:
On this step only a pass phrase is asked.
- Create a pass phrase free key for apache
openssl rsa -in www.yourdomain.com.key -out www.yourdomain.com.key.apache Enter pass phrase for www.yourdomain.com.key: writing RSA key
- Now we have a pass phrase free key for apache but we still have to create CSR. During this procedure we will be asked for few details to be filled.
openssl req -new -key www.yourdomain.com.key.apache -out www.yourdomain.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:UK State or Province Name (full name) [Some-State]:Scotland Locality Name (eg, city) :Edinburgh Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Domain Organizational Unit Name (eg, section) : Common Name (e.g. server FQDN or YOUR name) :www.yourdomain.com Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
The Organization Name must be the same than the Certification Authority. You should enter your domain name on the Common Name and leave the A challenge password empty.
- Now you have the www.yourdomain.com.csr ready to be signed
openssl ca -in www.yourdomain.com.csr -config /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for /etc/ssl/CA/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 4 (0x4) Validity Not Before: Aug 15 15:42:49 2015 GMT Not After : Aug 14 15:42:49 2016 GMT Subject: countryName = UK stateOrProvinceName = Scotland organizationName = Your Domain commonName = www.yourdomain.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: A4:C3:42:40:F9:13:01:A0:53:23:11:09:1E:78:AD:3A:A9:16:8C:05 X509v3 Authority Key Identifier: keyid:49:70:E8:09:7C:04:9B:6A:A8:9A:0D:3A:84:53:E3:D8:73:6E:AF:09 Certificate is to be certified until Aug 14 15:42:49 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y [ ... ] Data Base Updated
You certificate it is already signed and ready to go. Next steps are to config apache to serve your website throw SSL. Please note the Serial Number because you will need this number in order to setup Apache.
Setup HTTPS on Apache 2.4
I am using Apache with virtual host so I am going to cover only how to setup 1 virtual host with an SSL on Apache.
- First you need to enable apache SSL
- Setting up the VirutalHost
<VirtualHost *:443> ServerName www.yourdomain.com SSLEngine on SSLCertificateFile /etc/ssl/newcerts/04.pem SSLCertificateKeyFile /etc/ssl/keys/www.yourdomain.com.key.apache SSLCertificateChainFile /etc/ssl/CA/cacert.pem SSLProtocol All -SSLv2 -SSLv3 ServerName www.yourdomain.com DocumentRoot /var/www/vhosts/wwww.yourdomain.com <Directory /var/www/vhosts/wwww.yourdomain.com> allow from all Options +Indexes AllowOverride all </Directory> </VirtualHost>
SSLCertificateFile it is the number we noted on the step 4 during the certificate creation.
- Check and restart apache
root@server:~# apachectl configtest Syntax OK root@server:~# apachectl graceful
Now you should be able to browse www.yourdomain.com using SSL. Your browser will send you a warning but this will be removed if you install your certification authority certificate.
Interesting links: Certificate authority, Ubuntu server certificate guide