in SSL

Create your own certificate authority

Why to create your own certificate authority?

Recently I start using my own cloud service storage owncloud to replace dropbox in some scenarios. I wanted to access to my documents throw SSL and for that reason I start checking how to self sign a certificate. Afterwards I realized that I also wanted to protect other websites with my SSL and I decided to create my own Certificate Authority CA. The main reason to create the Certificate Authority is to have only one certificate to install on my devices instead of each of the multiple certificates.

Setting up certification Authority

  1. First, create the directories to hold the CA certificate and related files:

    sudo mkdir /etc/ssl/CA
    sudo mkdir /etc/ssl/newcerts

     

  2. The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, each certificate must have a unique serial number, and another file to record which certificates have been issued:

    sudo sh -c "echo '01' > /etc/ssl/CA/serial"
    sudo touch /etc/ssl/CA/index.txt

     

  3. The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit/etc/ssl/openssl.cnf, and in the [ CA_default ] change:

    dir             = /etc/ssl/             # Where everything is kept
    database        = $dir/CA/index.txt     # database index file.
    certificate     = $dir/certs/cacert.pem # The CA certificate
    serial          = $dir/CA/serial        # The current serial number
    private_key     = $dir/private/cakey.pem# The private key

     

  4. Next, create the self-singed root certificate:

    openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    You will then be asked to enter the details about the certificate.

  5. Now install the root certificate and key:

    sudo mv cakey.pem /etc/ssl/private/
    sudo mv cacert.pem /etc/ssl/certs/

Create and sign your domain certificate

Now you have you Certificat Authority setup you are ready to start signing certificates, but we need to create one.traditionrolex.com

  1. Create the domain key
    openssl genrsa -des3 -out www.yourdomain.com.key 2048
    Generating RSA private key, 2048 bit long modulus
    .......................................+++
    ...................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for www.yourdomain.com.key:
    Verifying - Enter pass phrase for www.yourdomain.com.key:

    On this step only a pass phrase is asked.

  2. Create a pass phrase free key for apache
    openssl rsa -in www.yourdomain.com.key -out www.yourdomain.com.key.apache
    Enter pass phrase for www.yourdomain.com.key:
    writing RSA key
    

  3. Now we have a pass phrase free key for apache but we still have to create CSR. During this procedure we will be asked for few details to be filled.
    openssl req -new -key www.yourdomain.com.key.apache -out www.yourdomain.com.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:UK
    State or Province Name (full name) [Some-State]:Scotland
    Locality Name (eg, city) []:Edinburgh
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Domain
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:www.yourdomain.com
    Email Address []:info@yourdomain.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    The Organization Name  must be the same than the Certification Authority. You should enter your domain name on the Common Name  and leave the A challenge password  empty.

  4. Now you have the www.yourdomain.com.csr  ready to be signed
    openssl ca -in www.yourdomain.com.csr -config /etc/ssl/openssl.cnf
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for /etc/ssl/CA/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4 (0x4)
            Validity
                Not Before: Aug 15 15:42:49 2015 GMT
                Not After : Aug 14 15:42:49 2016 GMT
            Subject:
                countryName               = UK
                stateOrProvinceName       = Scotland
                organizationName          = Your Domain
                commonName                = www.yourdomain.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    A4:C3:42:40:F9:13:01:A0:53:23:11:09:1E:78:AD:3A:A9:16:8C:05
                X509v3 Authority Key Identifier: 
                    keyid:49:70:E8:09:7C:04:9B:6A:A8:9A:0D:3A:84:53:E3:D8:73:6E:AF:09
    
    Certificate is to be certified until Aug 14 15:42:49 2016 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    [ ... ]
    Data Base Updated

    You certificate it is already signed and ready to go. Next steps are to config apache to serve your website throw SSL. Please note the Serial Number because you will need this number in order to setup Apache.

Setup HTTPS on Apache 2.4

I am using Apache with virtual host so I am going to cover only how to setup 1 virtual host with an SSL on Apache.

  1. First you need to enable apache SSL
    a2enmod ssl
  2. Setting up the VirutalHost
    <VirtualHost *:443>
        ServerName www.yourdomain.com
        SSLEngine on
        SSLCertificateFile /etc/ssl/newcerts/04.pem
        SSLCertificateKeyFile /etc/ssl/keys/www.yourdomain.com.key.apache
        SSLCertificateChainFile /etc/ssl/CA/cacert.pem
        SSLProtocol All -SSLv2 -SSLv3
        ServerName www.yourdomain.com
        DocumentRoot /var/www/vhosts/wwww.yourdomain.com
        <Directory /var/www/vhosts/wwww.yourdomain.com>
            allow from all
            Options +Indexes
            AllowOverride all
        </Directory>
    </VirtualHost>

    SSLCertificateFile it is the number we noted on the step 4 during the certificate creation.

  3. Check and restart apache
    root@server:~# apachectl configtest
    Syntax OK
    
    root@server:~# apachectl graceful

    Now you should be able to browse www.yourdomain.com using SSL. Your browser will send you a warning but this will be removed if you install your certification authority certificate.

Interesting links: Certificate authorityUbuntu server certificate guide

Write a Comment

Comment