Creating a Certificate Authority (CA) can be useful: it saves money on intranet sites because you no longer have to pay for a certificate for each internal web server. The internal CA certificate needs to be installed in the browser. First, though, OpenSSL needs to be configured.
Edit /etc/ssl/openssl.cnf and make the following adjustments.
default_ca = RootCA
Change [ CA_default ] to [ RootCA ]
dir = /path/to/store/RootCA
new_certs_dir = $dir/newcerts
default_md = sha1
certificate = $dir/certs/cacert.pem
Adjust the values under [ req_distinguished_name ] to fit your company.
A central directory structure is needed to store the certificates issued by the internal CA. The certificate authority stores each certificate under a generated serial number. The serial number is simply an incremented number stored in /path/to/store/RootCA/serial. The file is initially seeded with 01. Once cert 01 has been generated, OpenSSL increments the serial file.
# mkdir /path/to/store/RootCA
# cd /path/to/store/RootCA
# mkdir certs newcerts crl private
# touch index.txt
# echo "01" > serial
SSL encryption depends on large prime numbers and random data to generate keys. Generate some random seed data for building the RootCA private key. The following command generates 1024 bytes of base64-encoded pseudo-random data.
# openssl rand -base64 1024 > /path/to/store/RootCA/private/.rand
Time to generate the private key. This creates a 2048-bit RSA private key encrypted with triple DES (DES3). Use a very strong passphrase for this key.
# openssl genrsa -des3 -out private/cakey.pem -rand private/.rand 2048
1390 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
......................................................+++
......................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
Generate the CA certificate with OpenSSL. Create a certificate valid for 5 years (1827 days) based on the private key and store it in the certs directory. This is the file that will be installed in browsers later on.
# openssl req -new -x509 -days 1827 -key private/cakey.pem -out certs/cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) :Atlanta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Higherpass
Organizational Unit Name (eg, section) :Cert Authority
Common Name (eg, YOUR name) :higherpass.com
Email Address :firstname.lastname@example.org
Set up the certs in the CA storage directories.
# cd /path/to/store/RootCA/certs
# cp cacert.pem 00.pem
# ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0
Create a key and a certificate signed by the new RootCA.
# cd /path/to/store/RootCA
# touch index.txt
Regenerate fresh random data:
# rm /path/to/store/RootCA/private/.rand
# openssl rand -base64 1024 > /path/to/store/RootCA/private/.rand
Generate the server's private key:
# openssl genrsa -out server.key.pem -rand private/.rand 2048
1390 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
............+++
...................+++
e is 65537 (0x10001)

Generate the certificate signing request:
# openssl req -new -key server.key.pem -out server.req.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) :Atlanta
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Higherpass
Organizational Unit Name (eg, section) :SSL
Common Name (eg, YOUR name) :ssl.higherpass.com
Email Address :email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Sign the certificate request with the RootCA certificate. This generates a certificate that, combined with the RootCA certificate installed in the browser, allows browsing SSL websites without popups about unsigned/unknown SSL certificates.
# openssl ca -name RootCA -in server.req.pem -out server.cert.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/RootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  8 22:28:13 2009 GMT
            Not After : Aug  8 22:28:13 2010 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Georgia
            organizationName          = Higherpass
            organizationalUnitName    = SSL
            commonName                = ssl.higherpass.com
            emailAddress              = firstname.lastname@example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2D:F1:87:CD:B0:B7:88:6E:F1:9B:54:84:94:9B:6D:E2:B3:7D:07:87
            X509v3 Authority Key Identifier:
                keyid:D0:B0:60:1A:9D:C7:F5:7E:48:5E:2F:A6:D0:88:D4:F7:7D:72:C7:78

Certificate is to be certified until Aug  8 22:28:13 2010 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Move the signed certificate into the RootCA storage directories. Also set up a symlink to the certificate named after its subject hash, as was done for the CA certificate.
# mv newcerts/01.pem certs/
# cd certs
# ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0
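As an added example (not the article's own commands), here is the whole RootCA procedure above run end to end, non-interactively, in a scratch directory, followed by the check the article leaves implicit: verifying that the signed server certificate chains to the CA through the hash-named symlinks in certs/. It assumes the openssl CLI is installed; the passphrase, subjects and scratch directory are constructed values, and the inline config stands in for the /etc/ssl/openssl.cnf edits with default_md raised to sha256.

```shell
# Added example, not the article's own commands: reproduces the RootCA layout above
# non-interactively (-subj/-batch) in a scratch dir, then verifies the signed server
# cert via the <hash>.0 symlink directory. Assumes openssl on PATH; values constructed.
set -e
export CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_PASS="pass:constructed-example-passphrase"   # use a strong passphrase for real
# Stand-in for the /etc/ssl/openssl.cnf edits above (default_md raised to sha256).
cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca = RootCA
[ RootCA ]
dir           = $ENV::CA_DIR
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/certs/cacert.pem
private_key   = $dir/private/cakey.pem
default_days  = 365
default_md    = sha256
policy        = policy_any
[ policy_any ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF

build_ca() (   # subshell body, so the cd does not leak into the caller
  cd "$CA_DIR" && mkdir -p certs newcerts crl private && : > index.txt && echo 01 > serial
  openssl rand -base64 1024 > private/.rand
  openssl genrsa -des3 -passout "$CA_PASS" -out private/cakey.pem -rand private/.rand 2048 2>/dev/null
  openssl req -config openssl.cnf -new -x509 -days 1827 -key private/cakey.pem \
    -passin "$CA_PASS" -subj "/O=Higherpass/CN=higherpass.com" -out certs/cacert.pem
  cp certs/cacert.pem certs/00.pem
  ln -sf 00.pem "certs/$(openssl x509 -hash -noout -in certs/00.pem).0"
  openssl genrsa -out server.key.pem 2048 2>/dev/null
  openssl req -config openssl.cnf -new -key server.key.pem -subj "/O=Higherpass/CN=ssl.higherpass.com" -out server.req.pem
  openssl ca -config openssl.cnf -name RootCA -batch -passin "$CA_PASS" -in server.req.pem -out server.cert.pem >/dev/null 2>&1
  mv newcerts/01.pem certs/ && ln -sf 01.pem "certs/$(openssl x509 -hash -noout -in certs/01.pem).0"
)

# Chain check via -CApath: succeeds only when the issuer is reachable through the
# <subject_hash>.0 links, which is exactly why the article creates them.
verify_against_ca() { openssl verify -CApath "$CA_DIR/certs" "$1" >/dev/null 2>&1; }

build_ca
verify_against_ca "$CA_DIR/server.cert.pem" && echo "server.cert.pem chains to RootCA"
```

A certificate not issued by this CA fails the same verify_against_ca check, which is the quick way to confirm a server certificate was really signed by the internal root before deploying it.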