Create your own certificate authority

Why create your own certificate authority?

Recently I started using my own cloud storage service, ownCloud, to replace Dropbox in some scenarios. I wanted to access my documents through SSL, and for that reason I started checking how to self-sign a certificate. Afterwards I realized that I also wanted to protect other websites with SSL, and I decided to create my own Certificate Authority (CA). The main reason to create the Certificate Authority is to have only one certificate to install on my devices instead of each of the multiple certificates.

Setting up the Certificate Authority

  1. First, create the directories to hold the CA certificate and related files:

    sudo mkdir /etc/ssl/CA
    sudo mkdir /etc/ssl/newcerts


  2. The CA needs a few additional files to operate: one to keep track of the last serial number used by the CA (each certificate must have a unique serial number), and another to record which certificates have been issued:

    sudo sh -c "echo '01' > /etc/ssl/CA/serial"
    sudo touch /etc/ssl/CA/index.txt


  3. The third file is the CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf and, in the [ CA_default ] section, change:

    dir             = /etc/ssl/             # Where everything is kept
    database        = $dir/CA/index.txt     # database index file.
    certificate     = $dir/certs/cacert.pem # The CA certificate
    serial          = $dir/CA/serial        # The current serial number
    private_key     = $dir/private/cakey.pem # The private key


  4. Next, create the self-signed root certificate:

    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    You will then be asked to enter the details about the certificate.

  5. Now install the root certificate and key:

    sudo mv cakey.pem /etc/ssl/private/
    sudo mv cacert.pem /etc/ssl/certs/

Create and sign your domain certificate

Now that you have your Certificate Authority set up, you are ready to start signing certificates, but we need to create

  1. Create the domain key
    openssl genrsa -des3 -out 2048
    Generating RSA private key, 2048 bit long modulus
    e is 65537 (0x10001)
    Enter pass phrase for
    Verifying - Enter pass phrase for

    In this step only a pass phrase is asked for.

  2. Create a pass phrase free key for apache
    openssl rsa -in -out
    Enter pass phrase for
    writing RSA key

  3. Now we have a pass-phrase-free key for Apache, but we still have to create the CSR. During this procedure we will be asked to fill in a few details.
    openssl req -new -key -out
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:UK
    State or Province Name (full name) [Some-State]:Scotland
    Locality Name (eg, city) []:Edinburgh
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Domain
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []
    Email Address []
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    The Organization Name must be the same as the Certificate Authority's. Enter your domain name as the Common Name and leave the challenge password empty.

  4. Now you have the  ready to be signed
    openssl ca -in -config /etc/ssl/openssl.cnf
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for /etc/ssl/CA/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4 (0x4)
                Not Before: Aug 15 15:42:49 2015 GMT
                Not After : Aug 14 15:42:49 2016 GMT
                countryName               = UK
                stateOrProvinceName       = Scotland
                organizationName          = Your Domain
                commonName                =
            X509v3 extensions:
                X509v3 Basic Constraints: 
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                X509v3 Authority Key Identifier: 
    Certificate is to be certified until Aug 14 15:42:49 2016 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    [ ... ]
    Data Base Updated

    Your certificate is now signed and ready to go. The next step is to configure Apache to serve your website over SSL. Note the Serial Number, because you will need it to set up Apache.
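
The CA setup and the domain-certificate signing above, as one unattended script. This is an added example, not the post's own commands: it works in a scratch directory instead of /etc/ssl, uses made-up names (Home CA, and whatever host name you pass in), needs OpenSSL 1.1.1 or later for -addext, and additionally puts a subjectAltName in the certificate, since current browsers ignore a bare Common Name.

```shell
# Added example, not the post's own commands: the same CA layout in a scratch
# directory, an issued server cert with a subjectAltName, and a chain check.
set -eu
make_ca_and_sign() {   # usage: make_ca_and_sign <workdir> <fqdn>
  dir=$1; fqdn=$2
  mkdir -p "$dir/CA" "$dir/newcerts" "$dir/private" "$dir/certs"
  echo '01' > "$dir/CA/serial"; : > "$dir/CA/index.txt"
  # Same [ CA_default ] entries the post edits, plus copy_extensions so the
  # CSR's SAN is copied into the cert (so only sign CSRs you generated yourself).
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/CA/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/certs/cacert.pem
serial          = \$dir/CA/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
copy_extensions = copy
[ policy_match ]
organizationName = match
commonName       = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Root certificate (-nodes only so this runs unattended; the post keeps a pass phrase)
  openssl req -config "$dir/openssl.cnf" -new -x509 -nodes -newkey rsa:2048 \
    -days 3650 -extensions v3_ca -subj "/O=Home CA/CN=Home Root CA" \
    -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem"
  # Server key + CSR: O must equal the CA's (policy_match); browsers check the SAN
  openssl req -config "$dir/openssl.cnf" -new -nodes -newkey rsa:2048 \
    -subj "/O=Home CA/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr"
  # -batch answers the "Sign the certificate?" prompts shown in the post
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt"
}
# Succeeds only if $2.crt chains to cacert.pem and its SAN names $2
verify_chain() {   # usage: verify_chain <workdir> <fqdn>
  openssl verify -CAfile "$1/certs/cacert.pem" "$1/$2.crt" >/dev/null &&
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}
```

The first certificate issued lands in newcerts/01.pem, exactly as the post's fourth one became newcerts/04.pem.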

Setup HTTPS on Apache 2.4

I am using Apache with virtual hosts, so I am going to cover only how to set up one virtual host with SSL on Apache.

  1. First, enable the Apache SSL module:
    a2enmod ssl
  2. Setting up the VirtualHost
    <VirtualHost *:443>
        SSLEngine on
        # The file openssl ca wrote to /etc/ssl/newcerts, named after the serial number
        SSLCertificateFile /etc/ssl/newcerts/04.pem
        SSLCertificateKeyFile /etc/ssl/keys/
        # The CA certificate installed in step 5 of the CA setup
        SSLCertificateChainFile /etc/ssl/certs/cacert.pem
        SSLProtocol All -SSLv2 -SSLv3
        DocumentRoot /var/www/vhosts/
        <Directory /var/www/vhosts/>
            # Apache 2.4 form of "allow from all" (the 2.2 syntax needs mod_access_compat)
            Require all granted
            # +Indexes enables directory listings for this DocumentRoot
            Options +Indexes
            AllowOverride all
        </Directory>
    </VirtualHost>

    SSLCertificateFile points at the file openssl ca wrote to /etc/ssl/newcerts, named after the Serial Number we noted in step 4 of the certificate creation (serial 4 here, so 04.pem).

  3. Check the configuration and restart Apache
    root@server:~# apachectl configtest
    Syntax OK
    root@server:~# apachectl graceful

    Now you should be able to browse the site over SSL. Your browser will show a warning until you install your Certificate Authority certificate (cacert.pem) on the device.
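
A pre-flight check to run before apachectl graceful, added here as an example that is not part of the original post: it confirms that the pass-phrase-free key from step 2 really belongs to the certificate named in SSLCertificateFile and that the certificate is not about to expire. ssl_preflight is a hypothetical helper name.

```shell
# Added example, not from the post: a pre-flight check for the VirtualHost above.
set -eu

# usage: ssl_preflight <SSLCertificateFile> <SSLCertificateKeyFile> [days]
# Returns 0 only if the private key belongs to the certificate and the
# certificate stays valid for at least [days] more days (default 30).
ssl_preflight() {
  cert=$1; key=$2; days=${3:-30}
  # Compare the public key inside the cert with the one derived from the key
  # instead of trusting file names: Apache refuses to start on a mismatch.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key $key does not match certificate $cert" >&2
    return 1
  fi
  # -checkend takes seconds and fails if the cert expires inside that window;
  # the post's openssl ca run issued for 365 days, so this flags renewal time.
  if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "certificate $cert expires within $days days" >&2
    return 2
  fi
  return 0
}
```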

Interesting links:

Certificate authority
Ubuntu server certificate guide

