
Need a Self Signed Certificate and/or Certificate Authority for your Server?

Updated on December 20, 2012 at the 19th hour

DISCLAIMER: All views are considered my own and you should not draw any conclusions on associates.

You have probably heard of https, or secure browsing. Facebook, Google, Microsoft, and many other companies use it. You also probably want to make your own web site and "secure" your connections. Well, it's pretty darn easy. Self signed certificates are useful on your development servers, though public facing web sites should obtain a certificate from a known certificate authority.

There are two ways to go about creating certificates. You can create a single certificate for easy usage or you can get more complicated and create your own Certificate Authority, so you can sign your certificates for intranet purposes (i.e. you want to generate certificates for other people in your organization with your signature).

NOTE: This assumes you are using linux. If you are a Windows user, then you'll need to use '-config "C:\opensslDIRNAMEHER\openssl.conf"' in your openssl req command.

Creating your Certificate Authority (CA)


Skip this section if you don't want a CA. It takes extra work to manage this guy.

First off, you shouldn't need this unless you have multiple servers/clients for which you want to sign certificates on behalf of an organization. In this section, we'll generate a CA, then a server private key and a server certificate signed by the CA.

UPDATE: I used to have some steps, but now I recommend visiting the below link.

Follow the steps here instead: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

Straightforward approach

Create a directory called EX_CA (or whatever you want).

Create subdirectories: private, newcerts, certs, crl

Copy openssl.conf into EX_CA (the commands below refer to this copy as openssl.my.cnf).

Create two files in EX_CA: index.txt and serial (put 01 in serial)

Make sure you are in the root directory (EX_CA). Generate the certificate and key for the authority.
openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

Now we need to modify the config we just copied. Refer to the link above.

Create a certificate signing request
openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365

Sign the certificate signing request with the CA
openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

Delete the certificate signing request file and we are done.

Creating a Self Signed Certificate


For a self signed certificate, we first want to generate a private key with which to sign the certificate. The -des3 option encrypts the key, so you will be prompted for a passphrase (see the last section for removing it).

openssl genrsa -des3 -out normsoven.key 4096


Then we'll want to create a certificate signing request using the private key. You may repeat this step to generate multiple certificates with the same key.

openssl req -new -nodes -key normsoven.key -out normsoven.csr


Now you'll want to generate a certificate from your signing request, valid for 1001 days (about 3 years).

openssl x509 -req -days 1001 -in normsoven.csr -signkey normsoven.key -out normsoven.crt

  • When you are asked for the Common Name, enter the domain name or virtual host name the certificate will serve.

Done!

Strip Password from Private Key


Now, we want to strip the passphrase you had to add from the private key, because your web server will otherwise need it every time it starts (and is likely to complain about it).

openssl rsa -in normsoven.key -out normsoven.key.insecure
mv normsoven.key normsoven.key.secure
mv normsoven.key.insecure normsoven.key
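The four steps above (key, signing request, certificate, passphrase strip) as one non-interactive script, plus checks that the certificate really belongs to the key it will be served with. This is an added example, not from the original post; it assumes openssl is on PATH, uses a demo passphrase and a 2048-bit key so it runs unattended, and passes the Common Name with -subj instead of answering prompts.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.
set -eu

# make_selfsigned HOST OUTDIR [DAYS]
# Produces OUTDIR/HOST.key.secure (passphrase protected), OUTDIR/HOST.key
# (stripped, for the web server) and OUTDIR/HOST.crt, mirroring the post.
make_selfsigned() {
    host=$1; dir=$2; days=${3:-1001}
    mkdir -p "$dir"
    # Demo-only passphrase so the script runs unattended. The post uses -des3
    # and an interactive prompt; -aes256 is the AES equivalent.
    pass="pass:changeme-demo-passphrase"
    # 1. private key (post uses 4096 bits; 2048 here to keep the demo quick)
    openssl genrsa -aes256 -passout "$pass" -out "$dir/$host.key.secure" 2048 2>/dev/null
    # 2. signing request; -subj supplies the Common Name, so no prompts
    openssl req -new -key "$dir/$host.key.secure" -passin "$pass" \
        -subj "/CN=$host" -out "$dir/$host.csr"
    # 3. self-sign the request with the same key
    openssl x509 -req -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key.secure" -passin "$pass" \
        -out "$dir/$host.crt" 2>/dev/null
    # 4. strip the passphrase so the server can load the key at boot
    openssl rsa -in "$dir/$host.key.secure" -passin "$pass" \
        -out "$dir/$host.key" 2>/dev/null
    rm -f "$dir/$host.csr"
    # private keys must never be world-readable (and never in DocumentRoot)
    chmod 600 "$dir/$host.key" "$dir/$host.key.secure"
}

# check_pair CRT KEY: succeeds only if CRT's public key was derived from KEY,
# which catches a mismatched SSLCertificateFile/SSLCertificateKeyFile pair.
check_pair() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_cn CRT: prints the subject Common Name (works for old and new output formats)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_not_expired CRT: exit 0 while the certificate is still within its dates
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}
```

Run check_pair against the files named in your Apache config before restarting the server; a mismatch is the most common reason a fresh SSL virtual host fails to start.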

Apache Config


At this point, I'm going to use Apache Web Server as an example of attaching your certificate. If you are a Windows user, you have an httpd-ssl.conf in your conf/extra folder as an example of how to enable SSL. Anyway, here are the directives you want to focus on in httpd.conf or your virtual host config file:

ServerName normsoven
SSLCertificateFile "path/to/certdir/normsoven.crt"
SSLCertificateKeyFile "path/to/keydir/normsoven.key"


NOTE: Make sure your keys and certificates are not contained anywhere inside your document root. Chaos and madness will ensue if you decide to use this in a production server because you didn't want to pay for one from a trusted authority.

Read more here: Creating Certificate Authorities and self-signed SSL certificates <-- Amazing source!