Self-Signed SSL certificates with your own CA Authority

Tutorial for creating self-signed SSL certificates with your own certification authority (CA).
Created on 2012-11-19

Certification Authority

First, create the directories to hold the CA certificate and related files:

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

The CA needs a few additional files to operate: one to keep track of the last serial number used by the CA (each certificate must have a unique serial number), and another file to record which certificates have been issued:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf, and in the [ CA_default ] section change:

# Where everything is kept
dir = /etc/ssl/

# database index file.
database = $dir/CA/index.txt

# The CA certificate
certificate = $dir/certs/cacert.pem

# The current serial number
serial = $dir/CA/serial

# The private key
private_key = $dir/private/cakey.pem

Next, create the self-signed root certificate:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

> Country Name (2 letter code) [AU]: Your Country Code (e.g. DE)
> State or Province Name (full name) [Some-State]: Your State
> Locality Name (eg, city) []: Your City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name
> Organizational Unit Name (eg, section) []: Your Department Name
> Common Name (e.g. server FQDN or YOUR name) []: example.com
> Email Address []: Your Email Address
> A challenge password []: --Do not enter data here--
> An optional company name []: --Do not enter data here--

Now install the root certificate and key:

sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

Generating a Certificate Signing Request (CSR)

Secure Key (passphrase-protected)

openssl genrsa -des3 -out your-website.key 2048

> Enter PEM pass phrase: dev123! (example passphrase)
> Verifying - Enter PEM pass phrase: dev123!

Insecure Key (passphrase removed, so the web server can load it at startup without prompting; keep this copy readable only by root)

openssl rsa -in your-website.key -out your-website.key.insecure
mv your-website.key your-website.key.secure
mv your-website.key.insecure your-website.key

Generate the CSR

openssl req -new -key your-website.key -out your-website.csr

> Country Name (2 letter code) [AU]: Your Country Code (e.g. DE)
> State or Province Name (full name) [Some-State]: Your State
> Locality Name (eg, city) []: Your City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name
> Organizational Unit Name (eg, section) []: Your Department Name
> Common Name (e.g. server FQDN or YOUR name) []: your-domain.com
> Email Address []: Your Email Address
> A challenge password []: --Do not enter data here--
> An optional company name []: --Do not enter data here--

Sign the CSR with the custom CA

Create a certificate extensions file

vi your-website_extensions.txt

[ your-website_http ]
nsCertType = server
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @your-website_http_subject
[ your-website_http_subject ]
DNS.1 = your-domain.com

Sign the CSR

sudo openssl ca -in your-website.csr -config /etc/ssl/openssl.cnf -extfile your-website_extensions.txt -extensions your-website_http

The CA key and certificate are taken from the configuration file. The signed certificate is written to /etc/ssl/newcerts/ under its serial number (01 for the first certificate issued; the serial file is incremented afterwards):

sudo cp /etc/ssl/newcerts/01.pem your-website.crt

Copy the cert to the server

sudo cp your-website.crt /etc/ssl/certs
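The whole procedure above, as an added example that is not part of the original tutorial: it runs the same CA workflow non-interactively in a scratch directory (no sudo, -subj and -nodes in place of the prompts and passphrase), then performs the checks worth doing after signing: chain verification against the CA, presence of the SAN, and the advanced serial counter. Directory names, the CA name and www.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: the same CA workflow run without
# prompts or sudo in a scratch directory, then checked. Names are assumptions.
build_and_verify() (   # subshell body: cd and exit affect only the subshell
  work=$(mktemp -d) && cd "$work" || exit 1
  mkdir -p CA newcerts certs private && echo '01' > CA/serial && : > CA/index.txt
  cat > openssl.cnf <<'EOF'   # mirrors the tutorial's [ CA_default ] keys
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/CA/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/CA/serial
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Root CA; -subj/-nodes stand in for the tutorial's prompts and passphrase
  openssl req -new -x509 -config openssl.cnf -extensions v3_ca -nodes \
    -newkey rsa:2048 -keyout private/cakey.pem -out certs/cacert.pem \
    -subj '/CN=Example Test CA' -days 3650 2>/dev/null || exit 1
  # Server key (kept passphrase-free, like the tutorial's "insecure" copy) and CSR
  openssl genrsa -out www.key 2048 2>/dev/null || exit 1
  openssl req -new -config openssl.cnf -key www.key -out www.csr \
    -subj '/CN=www.example.test' || exit 1
  printf '%s\n' '[ srv ]' 'keyUsage = digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid,issuer' 'subjectAltName = DNS:www.example.test' > ext.txt
  openssl ca -batch -config openssl.cnf -in www.csr -extfile ext.txt \
    -extensions srv >/dev/null 2>&1 || exit 1
  cp newcerts/01.pem www.crt   # the CA wrote the cert under its first serial
  # Checks: chain verifies against the CA, SAN present, serial counter advanced
  openssl verify -CAfile certs/cacert.pem www.crt | grep -q ': OK$' || exit 1
  openssl x509 -in www.crt -noout -text | grep -q 'DNS:www.example.test' || exit 1
  [ "$(cat CA/serial)" = "02" ] || exit 1
  cd / && rm -rf "$work" && echo OK
)
build_and_verify
```

The function prints OK only when every step, including the final verification, succeeded; any failure makes it exit non-zero without output.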
