Certification Authority
First, create the directories to hold the CA certificate and related files:
sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts
The CA needs a few additional files to operate: one to keep track of the last serial number used by the CA (each certificate must have a unique serial number), and another to record which certificates have been issued:
sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt
The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf, and in the [ CA_default ] section change:
# Where everything is kept
dir = /etc/ssl/
# database index file.
database = $dir/CA/index.txt
# The CA certificate
certificate = $dir/certs/cacert.pem
# The current serial number
serial = $dir/CA/serial
# The private key
private_key = $dir/private/cakey.pem
Next, create the self-signed root certificate:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
> Country Name (2 letter code) [AU]: Your Country Code (e.g. DE)
> State or Province Name (full name) [Some-State]: Your State
> Locality Name (eg, city) []: Your City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name
> Organizational Unit Name (eg, section) []: Your Department Name
> Common Name (e.g. server FQDN or YOUR name) []: example.com
> Email Address []: [email protected]
> A challenge password []: --Do not enter data here--
> An optional company name []: --Do not enter data here--
Now install the root certificate and key:
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
Generating a Certificate Signing Request (CSR)
Secure Key
openssl genrsa -des3 -out your-website.key 2048
> Enter pass phrase for your-website.key: dev123!
Insecure Key
Strip the passphrase so the web server can load the key without prompting at startup; keep the passphrase-protected copy as a backup and restrict file permissions on the unprotected one.
openssl rsa -in your-website.key -out your-website.key.insecure
mv your-website.key your-website.key.secure
mv your-website.key.insecure your-website.key
Generate the CSR
openssl req -new -key your-website.key -out your-website.csr
> Country Name (2 letter code) [AU]: Your Country Code (e.g. DE)
> State or Province Name (full name) [Some-State]: Your State
> Locality Name (eg, city) []: Your City
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Company Name
> Organizational Unit Name (eg, section) []: Your Department Name
> Common Name (e.g. server FQDN or YOUR name) []: your-domain.com
> Email Address []: [email protected]
> A challenge password []: --Do not enter data here--
> An optional company name []: --Do not enter data here--
Sign the CSR with the custom CA
Create a certificate extension file
The subjectAltName entry matters: modern clients match the hostname against the SAN list, not the Common Name.
vi your-website_extensions.txt
[ your-website_http ]
nsCertType = server
keyUsage = digitalSignature,nonRepudiation,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @your-website_http_subject
[ your-website_http_subject ]
DNS.1 = your-domain.com
Sign the CSR
sudo openssl ca -in your-website.csr -config /etc/ssl/openssl.cnf -extfile your-website_extensions.txt -extensions your-website_http
sudo cp /etc/ssl/newcerts/01.pem your-website.crt
Copy the cert to the server
sudo cp your-website.crt /etc/ssl/certs
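The whole procedure above, rebuilt non-interactively in a scratch directory so the result can be checked before anything is copied to a server. This is an added example, not code from the original page; it assumes a stock openssl binary, and every path, subject name and section name in it is constructed for the test.

```shell
# Added example, not from the original page: rebuild the procedure above non-interactively
# in a scratch directory, then confirm the issued certificate chains to the CA and carries
# the SAN from the extension file. Assumes a stock openssl binary; all names are constructed.
set -e

build_test_pki() {  # $1 = scratch directory
  d="$1"; mkdir -p "$d/CA" "$d/newcerts" "$d/certs" "$d/private"
  echo '01' > "$d/CA/serial"; : > "$d/CA/index.txt"
  # Minimal stand-in for the [ CA_default ] edits and the v3_ca section of /etc/ssl/openssl.cnf
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/CA/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/cacert.pem
serial = \$dir/CA/serial
private_key = \$dir/private/cakey.pem
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  # Self-signed root; -nodes (unencrypted CA key) is tolerable only for a throwaway CA
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -extensions v3_ca \
    -subj "/CN=Scratch Root CA" -config "$d/openssl.cnf" \
    -keyout "$d/private/cakey.pem" -out "$d/certs/cacert.pem" 2>/dev/null
  # Server key and CSR, then the same kind of extension section the page signs with
  openssl genrsa -out "$d/site.key" 2048 2>/dev/null
  openssl req -new -key "$d/site.key" -subj "/CN=your-domain.com" \
    -config "$d/openssl.cnf" -out "$d/site.csr"
  printf '%s\n' '[ site_http ]' 'keyUsage = digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid,issuer' 'subjectAltName = DNS:your-domain.com' > "$d/ext.txt"
  openssl ca -batch -md sha256 -days 365 -config "$d/openssl.cnf" -in "$d/site.csr" \
    -extfile "$d/ext.txt" -extensions site_http -out "$d/site.crt" 2>/dev/null
}

# Returns 0 when the certificate chains to the CA and names the host in its SAN; run this before deploying.
verify_issued() {  # $1 = scratch directory, $2 = hostname
  openssl verify -CAfile "$1/certs/cacert.pem" "$1/site.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/site.crt" -noout -text | grep -q "DNS:$2"
}
```

The same two commands in verify_issued, pointed at /etc/ssl/certs/cacert.pem and your-website.crt, check a certificate issued by the real CA set up above.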
Useful links
- Tutorial - Be your own Certificate Authority (CA)
- Ubuntu - CSR
- Ubuntu - Certification Authority
- Article explaining how to create a self-signed multidomain (SAN) certificate
- Article explaining how to convert a CRT/PEM certificate into a PFX/P12 certificate
- How To: Convert SSL Certificates to Different Formats
- Article explaining how to install an SSL certificate on an IIS7 server
- Ubuntu - How to install a root certificate