Creating a Certificate Authority in OpenSSL

Why use a Certificate Authority?

When using self-signed certificates in web applications, web browsers will issue a security warning when visiting these applications. To prevent the display of these warnings, we need to install the certificate of the web application in our web browser.

If we will be using many self-signed certificates, it will be a very cumbersome process to manage the installation of each certificate in our web browser. It would therefore be much easier to setup a Certificate Authority, install its self-signed certificate in the web browser and then issue certificates signed by the Certificate Authority – that way we minimize the administration burden of installing each and every self-signed certificate.

When we issue a new certificate signed by our Certificate Authority, it is automatically trusted since we implicitly trust the Certificate Authority.

Configuring the Certificate Authority

To create a directory called CA that will hold all files related to the Certificate Authority, we execute the following command in a “root” shell.

mkdir -p /etc/ssl/CA

Changes to CA.pl

The CA.pl script, located in the /usr/lib/ssl/misc directory, is used to manage certificates related to the Certificate Authority.

To define the default validity period of a certificate, we set a value for the variable $DAYS. The default value is set to 365 days; we set this value to 3650 days, or 10 years.

$DAYS="-days 3650";     # 10 years

To define the default validity period of the Certificate Authority certificate, we set a value for the variable $CADAYS. The default value is set to 1095 days; we set this value to 5475 days, or 15 years.

$CADAYS="-days 5475";   # 15 years

To define the location of the Certificate Authority files, we set a value for the variable $CATOP. The default value is set to ./demoCA; we set this value to /etc/ssl/CA.

$CATOP="/etc/ssl/CA";

Changes to CA.sh

The CA.sh script, also located in the /usr/lib/ssl/misc directory, is the shell equivalent of CA.pl and is used to manage certificates related to the Certificate Authority.

To define the default validity period of a certificate, we set a value for the variable DAYS. The default value is set to 365 days; we set this value to 3650 days, or 10 years.

if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 years

To define the default validity period of the Certificate Authority certificate, we set a value for the variable CADAYS. The default value is set to 1095 days; we set this value to 5475 days, or 15 years.

CADAYS="-days 5475"     # 15 years

To define the location of the Certificate Authority files, we set a value for the variable CATOP. The default value is set to ./demoCA; we set this value to /etc/ssl/CA.

if [ -z "$CATOP" ] ; then CATOP=/etc/ssl/CA ; fi

Changes to openssl.cnf

The openssl.cnf file, located in the /etc/ssl directory, is the configuration file containing the default settings used when certificates are created and signed.

To define the location of the Certificate Authority files, we set a value for the variable dir. The default value is set to ./demoCA; we set this value to /etc/ssl/CA.

dir             = /etc/ssl/CA           # Where everything is kept

To define the default validity period of a certificate, we set a value for the variable default_days. The default value is set to 365 days; we set this value to 3650 days, or 10 years.

default_days    = 3650                  # how long to certify for

Creating our Certificate Authority

To create a self-signed certificate for use in our Certificate Authority, we execute the following command in a “root” shell.

/usr/lib/ssl/misc/CA.pl -newca

During the creation of the certificate, we are prompted for the following information:

  • PEM pass phrase;
  • Country;
  • State;
  • City;
  • Organizational Name;
  • Organizational Unit Name;
  • Common Name; and
  • Email Address.

When prompted to "Enter pass phrase for /etc/ssl/CA/private/cakey.pem:", enter the PEM pass phrase supplied earlier. For the Common Name, we should choose a meaningful name and possibly include “Certificate Authority”.

Creating a PKCS12 version of the Certificate Authority certificate

Some systems require the certificate to be in PKCS12 format. To create the Certificate Authority certificate in PKCS12 format, we execute the following command in a “root” shell.

openssl pkcs12 -export -in /etc/ssl/CA/cacert.pem -inkey /etc/ssl/CA/private/cakey.pem -out /etc/ssl/CA/cacert.p12

When prompted to "Enter pass phrase for /etc/ssl/CA/private/cakey.pem:", enter the PEM pass phrase supplied earlier.
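As an added worked example (not code from the original post, nor from OpenSSL's own CA.pl), the following script runs the whole procedure above in a temporary directory: it lays out the CA directory with the dir and default_days settings from the openssl.cnf section, creates the self-signed CA certificate, issues a server certificate signed by it with openssl ca (the command CA.pl wraps), checks with openssl verify that the issued certificate is trusted given only the CA certificate, and finally builds the PKCS12 copy of the CA certificate. Every path, the organisation and host names, and the export password are constructed for the example; it assumes OpenSSL 1.1.1 or 3.x on the PATH and writes nothing under /etc/ssl. Two departures from the post are marked in the comments: the CA key is written unencrypted (-nodes) so the script runs without prompts, and the PKCS12 export uses -nokeys so the file handed to other systems carries the CA certificate but not the CA private key.

```shell
#!/bin/sh
# Added example, not part of the original post: throwaway CA in a temp dir,
# one server certificate issued through "openssl ca" with the post's
# dir / default_days settings, a chain check, and a PKCS#12 copy of the CA
# certificate. Assumed: openssl 1.1.1 or 3.x on PATH. All paths, names and
# the password are constructed; nothing touches /etc/ssl.
set -eu

# Lay out the directory "openssl ca" expects and write a minimal openssl.cnf
# for it. $1 is the directory used as CATOP / dir.
make_ca() {
  catop="$1"
  mkdir -p "$catop/private" "$catop/newcerts" "$catop/certs"
  chmod 700 "$catop/private"
  touch "$catop/index.txt"; echo 01 > "$catop/serial"
  # Unquoted heredoc: $catop is expanded here, \$dir is left for OpenSSL.
  cat > "$catop/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $catop                  # Where everything is kept
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_days    = 3650                    # how long to certify for
default_md      = sha256
policy          = policy_any
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = ca_dn
x509_extensions    = v3_ca
prompt             = no
[ ca_dn ]
C  = XX
O  = Example Org
CN = Example Org Certificate Authority
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed CA certificate, 15 years like the post's CADAYS. -nodes keeps
  # this non-interactive; CA.pl -newca encrypts cakey.pem with a pass phrase.
  openssl req -x509 -config "$catop/openssl.cnf" -newkey rsa:2048 -nodes \
    -sha256 -days 5475 -keyout "$catop/private/cakey.pem" \
    -out "$catop/cacert.pem" 2>/dev/null
}

# Key + CSR for one server name, signed by the CA through "openssl ca".
# $1 = CATOP, $2 = DNS name; the certificate lands in $CATOP/certs/$2.pem.
issue_cert() {
  catop="$1"; host="$2"
  openssl req -new -config "$catop/openssl.cnf" -newkey rsa:2048 -nodes \
    -sha256 -subj "/C=XX/O=Example Org/CN=$host" \
    -keyout "$catop/certs/$host.key" -out "$catop/certs/$host.csr" 2>/dev/null
  # End-entity extensions: not a CA, server use only, name pinned in the SAN.
  cat > "$catop/certs/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
  # -batch skips the confirmation prompts, -notext keeps the output PEM-only.
  openssl ca -batch -notext -config "$catop/openssl.cnf" \
    -extfile "$catop/certs/$host.ext" \
    -in "$catop/certs/$host.csr" -out "$catop/certs/$host.pem" 2>/dev/null
}

# Prints OK when $2 chains to the CA in $1 and carries host name $3.
verify_cert() {
  if openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" \
       >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# PKCS#12 copy of the CA certificate. The post's command also bundles
# cakey.pem; a file handed to other systems should not carry the CA private
# key, so -nokeys is used. $1 = CATOP, $2 = export password. Prints how many
# private keys the bundle holds when read back, which must be 0.
export_ca_p12() {
  openssl pkcs12 -export -nokeys -in "$1/cacert.pem" \
    -out "$1/cacert.p12" -passout "pass:$2" 2>/dev/null
  openssl pkcs12 -in "$1/cacert.p12" -nodes -passin "pass:$2" 2>/dev/null \
    | grep -c 'PRIVATE KEY' || true
}

CATOP=$(mktemp -d)
make_ca "$CATOP"
issue_cert "$CATOP" www.example.test
verify_cert "$CATOP" "$CATOP/certs/www.example.test.pem" www.example.test
export_ca_p12 "$CATOP" example-password
```

The index.txt and serial files are the issuance database that openssl ca, and therefore CA.pl -sign, maintains; they are the reason CATOP and dir must point at one fixed, persistent directory such as /etc/ssl/CA. The verify step is the practical meaning of the opening section: a browser or host that trusts only cacert.pem accepts every certificate the CA issues, which is also why cakey.pem deserves a pass phrase and a mode 700 directory.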
