Create a Certificate Authority and Certificates with OpenSSL

THIS POST HAS BEEN DEPRECATED/SUPERSEDED

NOTE: I have written three new posts that supersede this post. Please read those instead of this page.

  1. Step 1: Create Private Certificate Authority on Linux
  2. Step 2: Generate Certificate Signing Request on Linux
  3. Step 3: Use Private Certificate Authority to Sign Certificate Signing Request on Linux

I’m keeping this post here since it may have been linked to by other places on the web.

ORIGINAL POST

This tutorial will assume that you are using Ubuntu 7.10 (Gutsy Gibbon). This tutorial has been adapted from Setting up OpenSSL to Create Certificates and OpenSSL – Community Ubuntu Documentation. I would recommend that you get the latest info from these resources as mine may be out of date. Both of them are very helpful. Besides, without them I would not have been able to create this one.

Install OpenSSL

sudo apt-get install openssl

Create Directory Structure

You need a directory structure for the CA's files plus two bookkeeping files that openssl ca maintains: serial (the next certificate serial number) and index.txt (the database of issued certificates). We will create the main directory under /home so the files survive a system upgrade. /home is normally owned by root, so run these commands as root (or with sudo), and keep the private/ directory readable only by the account that operates the CA: anyone who can read cakey.pem can issue certificates that every client trusting this CA will accept.

mkdir /home/ca /home/ca/private /home/ca/certs /home/ca/conf

cd /home/ca

echo '01' > serial

touch index.txt

Create Certificate Authority (CA)

sudo vim /home/ca/conf/caconfig.cnf

This file serves as the config file for both signing (the [ ca ] section, read by openssl ca) and for requests (the [ req ] section, read by openssl req). It should look something like the following (taken from the Setting up OpenSSL resource), of course with your own settings. Two values have been changed from the original: the digest is sha256 rather than md5, which is broken for signatures, and keys are 2048 bits rather than 1024, which is no longer acceptable. A third line, x509_extensions in [ CA_default ], has been added so that certificates issued by openssl ca carry the v3_req extensions (basicConstraints CA:FALSE); without an extensions section openssl ca issues bare v1 certificates.

#..................................
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /home/ca

serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256 # signature digest; md5 is broken, never use it here
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
x509_extensions = v3_req # extensions added to every certificate openssl ca issues
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048 # Size of keys (1024-bit RSA is obsolete)
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
0.organizationName_default = My Organization
localityName_default = NEW YORK
stateOrProvinceName_default = NEW YORK
countryName_default = US
emailAddress_default = email@mydomain.net
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

Generate CA Key and Certificate

Once the config file is the way you want it, create the root (CA) key and self-signed certificate.

You will be prompted for the Distinguished Name fields. For those you gave defaults in caconfig.cnf you can just press Enter. The important one is Common Name: for the CA it should be the full legal name of your organization (or your own name if you are an individual), and it must differ from the Common Name of every certificate you later sign. openssl ca records each issued subject in index.txt and, with its default unique_subject setting, refuses to issue a second certificate for a subject that already has a valid entry.

You will also be asked for a passphrase that encrypts the CA private key. Make it long and random, store it somewhere safe (a password manager or an offline copy), and do not lose it: without it you cannot sign anything, and whoever holds the key and passphrase can issue certificates that everyone trusting this CA will accept.

cd /home/ca/

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 365 -config conf/caconfig.cnf

The certificate goes to certs/cacert.pem so that it matches the certificate = $dir/certs/cacert.pem line in the config; openssl ca looks for it there when signing. Also note that -days 365 limits the root to one year, and every certificate it signed stops verifying the day the root expires, so a private root is usually given a longer lifetime (several years) than the certificates it issues.

Create Server Certificate

First create a key and a certificate signing request (CSR); both can be done in one command. You will be prompted for the same questions, and again the Common Name must be unique. For a server certificate the Common Name is the host name clients will connect to, without the scheme: for https://www.mydomain.net enter www.mydomain.net, not the URL. A wildcard such as *.mydomain.net covers exactly one label (foo.mydomain.net, but neither mydomain.net nor a.b.mydomain.net). Current browsers ignore the Common Name altogether and match the host only against the subjectAltName extension, so for anything but very old clients the host names must also appear there (see the subjectAltName link under Hat Tips).

I also like to name the requests, keys, and certificates after the domain I will be using them for. So if you are creating a certificate for www.mydomain.net:

cd /home/ca/

openssl req -new -nodes -out www.mydomain.net.req.pem -keyout private/www.mydomain.net.key.pem -config conf/caconfig.cnf

Next, sign the request with the CA to produce the certificate. You will be asked for the passphrase chosen when creating the root key. Two things to keep in mind: -nodes above left the server key unencrypted, which is what a web server needs in order to start unattended, so protect private/www.mydomain.net.key.pem with file permissions instead; and -infiles must be the last option, because everything after it is treated as a request file name.

openssl ca -out certs/www.mydomain.net.cert.pem -config conf/caconfig.cnf -infiles www.mydomain.net.req.pem

Copy the certificate and key to the server and use them in your server applications. Clients will only trust the certificate if they also trust certs/cacert.pem, so distribute the CA certificate (never the CA key) to the browsers or systems that need to talk to the server.

Create Client Certificate

Creating a client certificate, such as one for your web browser, is similar to creating one for a server. Client certificates identify the client to the server and let the server authenticate it (TLS client authentication) instead of, or in addition to, a password.

For Common Name, choose the name of the client: an individual's full name, or an organization's full name. For more details, check out the details under Create Server Certificate.

cd /home/ca/

openssl req -new -nodes -out myfriend.req.pem -keyout private/myfriend.key.pem -config conf/caconfig.cnf

(openssl req ignores -days unless it is producing a self-signed certificate with -x509; the validity period is set when the CA signs.)

Similarly, sign this request with the root key, using the same conf/caconfig.cnf as before. Again, details are provided under Create Server Certificate.

openssl ca -out certs/myfriend.cert.pem -days 365 -config conf/caconfig.cnf -infiles myfriend.req.pem

Browsers import a client certificate together with its private key as a single PKCS#12 (.p12) bundle rather than as separate PEM files, so combine the key and certificate before handing them to the user.
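The whole procedure above (directory layout, CA config, root key and certificate, a server certificate and a client certificate) as one runnable script. This is an added example, not code from the original post. It keeps the same layout but uses sha256 and 2048-bit keys, sets the extensions from the CA side (a subjectAltName and serverAuth for the server, clientAuth for the client) instead of trusting whatever the CSR asks for, and finishes by checking that each certificate verifies against the CA and that a certificate issued to one party cannot vouch for another. The directory is a temp dir, and "Example Org", "Example Test CA", www.example.test and "Alice Example" are placeholder names; the CA key is generated without a passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway private CA,
# issue a server cert with a subjectAltName and a client cert, verify both.
set -eu

# make_ca DIR: directory layout, CA config (sha256 / 2048-bit instead of the
# original md5 / 1024), root key and self-signed root certificate.
make_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/conf"
    chmod 700 "$dir/private"
    echo '01' > "$dir/serial"
    : > "$dir/index.txt"
    # $dir on the dir= line is expanded by the shell; \$dir stays literal for OpenSSL.
    cat > "$dir/conf/caconfig.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
serial = \$dir/serial
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/certs/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
organizationName = optional
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_dn
[ req_dn ]
O = Example Org
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
    # -nodes only so the example runs unattended; a real root key gets a passphrase.
    openssl req -new -x509 -nodes -extensions v3_ca -days 3650 \
        -subj "/O=Example Org/CN=Example Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" \
        -config "$dir/conf/caconfig.cnf"
}

# issue DIR NAME CN KIND: key and CSR for CN, signed as a server or client cert.
# Extensions are chosen by the CA from KIND and never copied from the CSR, so a
# requester cannot ask for CA:TRUE or for a host name the operator did not approve.
issue() {
    dir=$1; name=$2; cn=$3; kind=$4
    openssl req -new -nodes -newkey rsa:2048 -subj "/O=Example Org/CN=$cn" \
        -keyout "$dir/private/$name.key.pem" -out "$dir/$name.req.pem" \
        -config "$dir/conf/caconfig.cnf"
    if [ "$kind" = server ]; then
        usage="keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn"
    else
        usage="keyUsage = digitalSignature
extendedKeyUsage = clientAuth"
    fi
    cat > "$dir/$name.ext" <<EOF
[ ee_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
$usage
EOF
    openssl ca -batch -notext -config "$dir/conf/caconfig.cnf" \
        -extfile "$dir/$name.ext" -extensions ee_ext \
        -out "$dir/certs/$name.cert.pem" -infiles "$dir/$name.req.pem"
}

# verify_cert CAFILE CERT: exit 0 when CERT chains to CAFILE, non-zero otherwise.
verify_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# has_dns_san CERT HOST: exit 0 when CERT carries DNS:HOST in its subjectAltName.
has_dns_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

CA_DIR=$(mktemp -d)
trap 'rm -rf "$CA_DIR"' EXIT
make_ca "$CA_DIR"
issue "$CA_DIR" www.example.test www.example.test server
issue "$CA_DIR" alice "Alice Example" client
CA_CERT=$CA_DIR/certs/cacert.pem
SERVER_CERT=$CA_DIR/certs/www.example.test.cert.pem
CLIENT_CERT=$CA_DIR/certs/alice.cert.pem
verify_cert "$CA_CERT" "$SERVER_CERT" && echo "server certificate chains to the CA"
verify_cert "$CA_CERT" "$CLIENT_CERT" && echo "client certificate chains to the CA"
# Trust follows the issuer only: the server certificate cannot vouch for the client's.
verify_cert "$SERVER_CERT" "$CLIENT_CERT" || echo "client cert does not verify against the server cert (expected)"
```

Run it with sh; it needs only the openssl command-line tool. For a real CA drop -nodes from the root key step so the key is passphrase-protected, give the root a longer validity than anything it signs, and keep the extension sections under the CA operator's control as shown rather than enabling copy_extensions, which would let a CSR dictate its own extensions.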

Set up Apache 2.0 with SSL

Please read my guide titled Apache 2.0 in Ubuntu for a detailed guide.

Get Certificates from CAcert

If you do not wish to pay for certificates, check out CAcert, a community CA that issues free certificates. Be aware that its root certificate is not in the trust stores of mainstream browsers and operating systems, so clients must import the CAcert root manually, much as they would for your own CA. The advantage over running your own is that someone else operates and protects the signing key, and you do not pay any money.

Hat Tips

Other very good guides and resources are: Client Authentication with SSL; subjectAltName setup;

15 Responses to Create a Certificate Authority and Certificates with OpenSSL

  1. Alejo Ceballos says:

    Thank you very much, I had some hard time configuring it right, but in the end everything has gone fine. Just minor changes here and there.

    Now I’m going to read your “Apache 2.0 in Ubuntu” guide.

  2. Shaun says:

    Hi

    I worked through the above but should this line:

    openssl ca -out certs/myfriend.cert.pem -days 365 -config conf/openssl.cnf -infiles myfriend.req.pem

    Be this:

    openssl ca -out certs/myfriend.cert.pem -days 365 -config conf/caconfig.cnf -infiles myfriend.req.pem

    Regards

    Shaun

  3. Pingback: OpenSSL Madness (How to create keys, certificate signing requests, certificate authorities, certificates, and .pem files. Phew!) - I Am Graham

  4. Taher Elgamal says:

    Does anyone know if the known certificate authorities with root keys in the browser have actually generated their keys securely?

  5. Pingback: OpenSSL Madness (How to create keys, certificate signing requests, certificate authorities, certificates, and .pem files. Phew!) « I Am Graham

  6. hs says:

    @Shaun: I believe you are right. I haven’t updated the post because I haven’t tested your suggestion yet. I will once I have tested it.

  7. Pingback: Create a Certificate Authority and Certificates with OpenSSL « Chicago Mac/PC Support

  8. Pingback: Setting up SSL (HTTPS) on Amazon Elastic Beanstalk – Step 1 | My Blog

  9. Pingback: Setting up SSL (HTTPS) on Amazon Elastic Beanstalk – Step 1 | My Blog

  10. Anonymous says:

    hi all
I'm trying to implement CAPWAP. In that I'm trying to generate a self-signed X.509 certificate and key with the support of OpenSSL, but for Fedora. Can anyone help me with how to generate it and include it within my code and application?

  11. bhupi says:

    root@bhupi-Ideapad-Z570:/home/ca# openssl ca -out certs/myfriend.cert.pem -days 365 -config conf/openssl.cnf -infiles myfriend.req.pem
    Using configuration from conf/openssl.cnf
    error loading the config file 'conf/openssl.cnf'
    25827:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('conf/openssl.cnf','rb')
    25827:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
    25827:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:

    How can I remove these errors? Please help me out.

  12. Alamgir says:

    Hello,

    Using this internal CA, can we give an SSL cert to another internal Windows web server (IIS) which is a physically different server?

    If I want to customize the certificate chain like root cert > intermediate cert > client cert (SSL), how can we do it with the OpenSSL internal CA?

  13. Anonymous says:

    It doesn't work, ffs. Why don't you double-check what's public?

  14. Pingback: HTTPS Using Server-Client Certificate Pair (1): Generate & Sign by OpenSSL | logIt

  15. Pingback: Creating SSL keys, CSRs, self-signed certificates, and .pem files. | Kutipan Artikel Ilmu komputer