How to Create Root Certificate Authority (CA) and Self Signed Certificate

June 18, 2016 9:47 AM

Goal

Make client applications such as web browsers trust our self-signed certificate, so we can use any custom domain in development or on an internal network.

Generate Root CA

The first step is to generate a private key for our Certificate Authority (CA). The command below generates an RSA private key with a 2048-bit key size.

$ mkdir self-root-ca && cd self-root-ca
$ openssl genrsa -out myRootCA.key 2048
Generating RSA private key, 2048 bit long modulus
.................+++
................+++
e is 65537 (0x10001)
$ chmod 0600 myRootCA.key

The command above produces a file called myRootCA.key. The chmod command makes sure that only the root user and the owner of the key can read the file.

Next we will create the root certificate, which is valid for 1024 days (around 3 years). It produces a file called myRootCA.crt. This is the file that you need to install on the workstation or in the client application.

$ openssl req -x509 -new -nodes -key myRootCA.key \
-sha256 -days 1024 -out myRootCA.crt \
-subj "/C=ID/ST=Bali/L=Badung/O=My Company Inc./OU=IT Security/CN=My Root CA/emailAddress=me@rioastamal.net"

To avoid the interactive prompt we pass the subject with the -subj argument. Its fields are:

  • C: Country code
  • ST: State/Province
  • L: Location/City
  • O: Organization name
  • OU: Organizational Unit name
  • CN: Common Name
  • emailAddress: Email address of the person responsible for this certificate

Verify the certificate to make sure the generated file is correct.

$ openssl x509 -in myRootCA.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10646048622805375477 (0x93be5cd137d9d9f5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ID, ST=Bali, L=Badung, O=My Company Inc., OU=IT Security, CN=My Root CA/emailAddress=me@rioastamal.net
        Validity
            Not Before: Jun 18 01:04:46 2016 GMT
            Not After : Apr  8 01:04:46 2019 GMT
[..... SNIP .....]

Every time you need to generate a new certificate, use these two files, myRootCA.key and myRootCA.crt, as the Certificate Authority that signs it.

Generate Self Signed Certificate for Domain mycooldomain.local

Create a private key for the certificate we want to generate. It produces a file called mycooldomain.local.key.

$ openssl genrsa -out mycooldomain.local.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
........+++
e is 65537 (0x10001)
$ chmod 0600 mycooldomain.local.key

The second step is to generate the Certificate Signing Request (CSR). The most important field when creating the CSR is the Common Name, which specifies the hostname for which this certificate is issued.

$ openssl req -new -key mycooldomain.local.key \
-out mycooldomain.local.csr \
-subj "/C=ID/ST=Bali/L=Badung/O=My Company Inc./OU=My Cool Department/CN=mycooldomain.local/emailAddress=me@rioastamal.net"

The last step is to generate the signed certificate from the CSR we just created, using the key and certificate of the root CA.

$ openssl x509 -req -in mycooldomain.local.csr \
-CA myRootCA.crt -CAkey myRootCA.key -CAcreateserial \
-out mycooldomain.local.crt -days 730 -sha256
Signature ok
subject=/C=ID/ST=Bali/L=Badung/O=My Company Inc./OU=My Cool Department/CN=mycooldomain.local/emailAddress=me@rioastamal.net
Getting CA Private Key

The command above produces a file called mycooldomain.local.crt. Use this file together with mycooldomain.local.key in a server application such as Apache or Nginx.
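The whole CA, CSR and signing flow above as an added shell example (not from the original post), run in a scratch directory. It goes one step further than the post: the leaf certificate gets a subjectAltName extension, which current browsers require in addition to the CN, and the result is checked with openssl verify against the root. The directory, file names and helper function names are assumptions.

```shell
#!/bin/sh
# Added example: root CA -> leaf CSR -> signed leaf, then verify the chain.
# Assumes openssl is on PATH; WORK is a scratch directory (constructed here).
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1: root CA private key and self-signed root certificate (1024 days).
make_root_ca() {
    openssl genrsa -out "$WORK/myRootCA.key" 2048 2>/dev/null
    chmod 0600 "$WORK/myRootCA.key"
    openssl req -x509 -new -nodes -key "$WORK/myRootCA.key" -sha256 -days 1024 \
        -out "$WORK/myRootCA.crt" \
        -subj "/C=ID/ST=Bali/L=Badung/O=My Company Inc./OU=IT Security/CN=My Root CA"
}

# Steps 2 and 3: leaf key, CSR with CN=hostname, then sign it with the root CA.
# The extension file marks the leaf as a non-CA certificate and adds the SAN
# (browsers ignore the CN for hostname matching, so the SAN is what counts).
make_leaf_cert() {
    host="$1"
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    chmod 0600 "$WORK/$host.key"
    openssl req -new -key "$WORK/$host.key" -out "$WORK/$host.csr" \
        -subj "/C=ID/ST=Bali/L=Badung/O=My Company Inc./OU=My Cool Department/CN=$host"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/myRootCA.crt" -CAkey "$WORK/myRootCA.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" -days 730 -sha256 2>/dev/null
}

# Check: the leaf must chain to our root AND carry the SAN for the hostname.
# Returns 0 only when both hold; "openssl verify" prints "<file>: OK" on success.
verify_leaf() {
    host="$1"
    openssl verify -CAfile "$WORK/myRootCA.crt" "$WORK/$host.crt" || return 1
    openssl x509 -in "$WORK/$host.crt" -noout -text | grep -q "DNS:$host"
}
```

Running make_root_ca, make_leaf_cert mycooldomain.local and verify_leaf mycooldomain.local in that order leaves the same myRootCA.key, myRootCA.crt, mycooldomain.local.key and mycooldomain.local.crt files as the post, plus a myRootCA.srl serial file created by -CAcreateserial.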

Testing the Certificate

Import the Root CA into Firefox

Once the root certificate is imported into Firefox, it will trust every certificate signed by the root CA, including our mycooldomain.local certificate.

  1. Open Menu (Edit) > Preferences
  2. Choose Advanced
  3. Choose the Certificates tab
  4. Click View Certificates
  5. Choose the Authorities tab
  6. Click Import...
  7. Locate myRootCA.crt
  8. Put a check mark on all the options
  9. Click OK

Using the Self Signed Certificate on Apache

We will create a new virtual host for the domain mycooldomain.local. Run all these commands as root.

Enable SSL module

$ sudo a2enmod ssl
$ sudo service apache2 restart

Create the virtual host file. When using the tee command, press CTRL-D to finish writing the contents. Change the paths according to where you store the certificate files.

$ cd /etc/apache2/sites-available
$ sudo tee 002-mycooldomain.local.conf > /dev/null
<VirtualHost *:443>
        ServerName mycooldomain.local

        SSLEngine on
        SSLCertificateFile /home/astadev/Documents/self-root-ca/mycooldomain.local.crt
        SSLCertificateKeyFile /home/astadev/Documents/self-root-ca/mycooldomain.local.key

        DocumentRoot /home/astadev/Documents/self-root-ca/htdocs
        <Directory /home/astadev/Documents/self-root-ca/htdocs>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Require all granted
        </Directory>
</VirtualHost>
$ sudo a2ensite 002-mycooldomain.local.conf
$ sudo service apache2 reload

If you don't have a DNS server, just add mycooldomain.local to /etc/hosts. Then visit https://mycooldomain.local; Firefox will say that this site is verified by My Company Inc.
