
OpenSSL – Self Signed Certificates / Becoming a Root CA

February 10th, 2015

Following on from the brief personal aide-memoire, OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use it as a CA to sign other certificates. The term “self-signed certificate” is really a misnomer; the proper phrase ought to be “being your own Certificate Authority” (or CA):
– You hold the “root key”
– And you can “sign” other certificates with it

Why Self-Signed Certificates?
– It is free. Any Linux box that has OpenSSL installed includes everything you need.
– Provides encryption, but no independent “verification” of who you are talking to.
– Closed systems. Sometimes you want to keep others out, e.g. LDAP with “require ssl”.

Step 1: Create the CA’s key pair:
C:\openssl\bin>openssl genrsa -out keys/CA.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........++++++
.............................++++++
e is 65537 (0x10001)

C:\openssl\bin>

Step 2: The CA needs its own “certificate” (this is the “widely published” “root certificate”):
openssl req -new -x509 -days 3650 -key CA.key -out CA.crt
Note that the Common Name asked for here is the CA’s name, not a DNS name.

C:\openssl\bin>mkdir certs

C:\openssl\bin>openssl req -new -x509 -days 3650 -key keys/CA.key -out certs/CA.crt
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EN
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:East Horsley
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Daren Matthews
Organizational Unit Name (eg, section) []:Daren Matthews
Common Name (eg, YOUR name) []:Daren Matthews CA
Email Address []:daren@domain.com

C:\openssl\bin>dir certs
 Volume in drive C has no label.
 Volume Serial Number is 00B5-C395

 Directory of C:\openssl\bin\certs

28/08/2012  17:27    <DIR>          .
28/08/2012  17:27    <DIR>          ..
28/08/2012  17:27             1,419 CA.crt
               1 File(s)          1,419 bytes
               2 Dir(s)  103,123,685,376 bytes free

C:\openssl\bin>

Step 3: Create the private key for the server. (The “server” being the web server.)
Use the usual method to generate a public/private key pair:
openssl genrsa -out server.key 1024

Step 4: Create a “Certificate Signing Request”:
openssl req -new -key server.key -out server.csr
This will ask you for the “name” (Common Name) of the machine. You MUST use the server’s DNS name here.

Step 5: “Sign” the certificate.
openssl x509 -req -days 3650 -CA CA.crt -CAkey CA.key -set_serial 01 -in server.csr -out server.crt

C:\openssl\bin>dir certs
 Volume in drive C has no label.
 Volume Serial Number is 00B5-C395

 Directory of C:\openssl\bin\certs

28/08/2012  17:27    <DIR>          .
28/08/2012  17:27    <DIR>          ..
28/08/2012  17:27             1,419 CA.crt
               1 File(s)          1,419 bytes
               2 Dir(s)  103,123,095,552 bytes free

C:\openssl\bin>dir csr
 Volume in drive C has no label.
 Volume Serial Number is 00B5-C395

 Directory of C:\openssl\bin\csr

28/08/2012  15:57    <DIR>          .
28/08/2012  15:57    <DIR>          ..
28/08/2012  15:57               741 server.csr
               1 File(s)            741 bytes
               2 Dir(s)  103,123,095,552 bytes free

C:\openssl\bin>

C:\openssl\bin>dir keys
 Volume in drive C has no label.
 Volume Serial Number is 00B5-C395

 Directory of C:\openssl\bin\keys

28/08/2012  17:20    <DIR>          .
28/08/2012  17:20    <DIR>          ..
28/08/2012  17:20               887 CA.key
28/08/2012  15:22               887 server.key
               2 File(s)          1,774 bytes
               2 Dir(s)  103,123,095,552 bytes free

C:\openssl\bin>

Example:

openssl x509 -req -days 3650 -CA \openssl\bin\certs\CA.crt -CAkey \openssl\bin\keys\CA.key -set_serial 01 -in \openssl\bin\csr\server.csr -out \openssl\bin\certs\server.crt
Loading 'screen' into random state - done
Signature ok
subject=/C=EN/ST=Surrey/L=East Horsley/O=Daren Matthews/OU=Daren Matthews/CN=Daren Matthews/emailAddress=daren@domain.com
Getting CA Private Key

C:\openssl\bin>
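Steps 1 to 5 above, carried through as one script and then checked with openssl verify. This is an added example, not code from the original post: it uses the same openssl commands in a POSIX shell (they are identical to the ones typed at the Windows prompt above), and the directory names, organisation and hostnames are constructed. Two things deliberately differ from the session above: the keys are 2048-bit, because 1024-bit RSA is below what current guidance and browsers accept, and -CAcreateserial replaces -set_serial 01 so that a second certificate signed by the same CA does not reuse serial 01. The signed certificate also gets a subjectAltName carrying the DNS name, which is what modern browsers match the hostname against. Note that the sample signing session above shows a CN that is a person's name; as step 4 says, the server certificate's CN must be the DNS name, and the script does that.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 to 5 above as one script
# for a POSIX shell. Directory names, the organisation and the hostnames are
# constructed for this example. Differences from the session above: 2048-bit
# keys, -CAcreateserial instead of -set_serial 01 (unique serial per cert),
# and a subjectAltName on the server certificate.

# Step 1 + Step 2: CA key pair and the self-signed root certificate.
# The Common Name is the CA's name, not a DNS name.
make_ca() {
    dir=$1
    mkdir -p "$dir/keys" "$dir/certs" "$dir/csr"
    openssl genrsa -out "$dir/keys/CA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/keys/CA.key" \
        -subj "/C=GB/O=Example Org/CN=Example Org Root CA" \
        -out "$dir/certs/CA.crt" 2>/dev/null
}

# Steps 3 to 5 for one server: key pair, CSR with the DNS name as CN, and
# the signature by the CA. The extfile adds a subjectAltName with the same
# DNS name and marks the certificate as a leaf (CA:FALSE), so it cannot be
# used to sign further certificates.
make_server_cert() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/keys/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/keys/$host.key" \
        -subj "/C=GB/O=Example Org/CN=$host" \
        -out "$dir/csr/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/csr/$host.ext"
    # -CAcreateserial keeps a counter in certs/CA.srl, so serials never repeat
    openssl x509 -req -days 3650 \
        -CA "$dir/certs/CA.crt" -CAkey "$dir/keys/CA.key" -CAcreateserial \
        -extfile "$dir/csr/$host.ext" \
        -in "$dir/csr/$host.csr" -out "$dir/certs/$host.crt" 2>/dev/null
}

# 0 if the certificate ($2) chains to the CA certificate ($1), non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Serial number of a certificate, printed as "serial=HEX".
cert_serial() {
    openssl x509 -in "$1" -noout -serial
}

# DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^,[:space:]]*'
}

# Stand-alone demo: build a CA and two server certificates, then verify them.
if [ "${1-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    for h in www.example.test mail.example.test; do
        make_server_cert "$work" "$h"
        verify_against_ca "$work/certs/CA.crt" "$work/certs/$h.crt" && echo "$h: OK"
        cert_serial "$work/certs/$h.crt"
        cert_dns_names "$work/certs/$h.crt"
    done
    rm -rf "$work"
fi
```

Run it as `sh script.sh --demo`, or source it and call the functions from your own script. The check that matters is verify_against_ca: it only returns 0 when the server certificate was signed by the key behind the CA certificate you hand it, so a certificate from any other CA, even one with the same name, fails.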

Now that we have created our own self-signed certificate, there are three ways to deal with the browser’s certificate warning:
– Always get the certificate error popup – just click OK.
– Accept the certificate forever – no more popup.
– Install the “root certificate” – no popups for any certificate signed by this CA.

How to install a CA certificate into a browser:

The usual way is to send the DER encoded certificate to the browser as MIME type application/x-x509-ca-cert, for example by clicking on an appropriate link. On MSIE certain extensions such as .der or .cacert may also work, or you can import the certificate using the certificate import wizard.

You can convert a certificate to DER form using the command:
openssl x509 -in ca.pem -outform DER -out ca.der

NOTE: Occasionally someone may suggest using a command such as:
openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

DO NOT DO THIS! This command will give away your CA’s private key and reduce its security to zero, allowing anyone to forge certificates in whatever name they choose.
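The DER conversion and the warning above, as an added example that is not part of the original post. The conversion is the same openssl x509 command (ca.pem here is the certs/CA.crt produced earlier); what is added is a pre-publication check a practitioner would want: refuse to convert a PEM file that also carries a PRIVATE KEY block, confirm the DER output is the same certificate by fingerprint, and a function that shows for yourself that the pkcs12 -export command above puts the CA private key into the .p12 file. File names, the CA name and the passphrase are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run before a CA
# certificate leaves the CA machine. File names, the CA name and the
# passphrase are constructed for this example.

# 0 if the PEM file contains any private key block (PRIVATE KEY, RSA PRIVATE
# KEY, EC PRIVATE KEY or ENCRYPTED PRIVATE KEY), 1 otherwise.
pem_contains_private_key() {
    grep -q -- 'PRIVATE KEY-----' "$1"
}

# SHA-256 fingerprint of a certificate; $2 is the input form, PEM or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null
}

# Convert a CA certificate from PEM to DER for distribution to browsers.
# Returns 1 and writes nothing if the input also holds a private key;
# returns 2 if the DER file does not contain the same certificate.
export_ca_cert_der() {
    src=$1; dst=$2
    if pem_contains_private_key "$src"; then
        echo "refusing to export $src: it contains a private key" >&2
        return 1
    fi
    openssl x509 -in "$src" -inform PEM -outform DER -out "$dst" 2>/dev/null || return 2
    [ "$(cert_fingerprint "$src" PEM)" = "$(cert_fingerprint "$dst" DER)" ] || return 2
}

# 0 if a PKCS#12 file (passphrase in $2) carries a private key, 1 otherwise.
# A .p12 built with "pkcs12 -export ... -inkey cakey.pem" always does.
p12_contains_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q -- 'PRIVATE KEY-----'
}

# Throwaway self-signed CA (key + certificate) for the demo.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

if [ "${1-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_ca "$work"
    export_ca_cert_der "$work/ca.pem" "$work/ca.der" && echo "ca.der written"
    # a PEM "bundle" that also holds the key must never be converted or shipped
    cat "$work/ca.pem" "$work/ca.key" > "$work/bundle.pem"
    export_ca_cert_der "$work/bundle.pem" "$work/bad.der" || echo "bundle refused (exit $?)"
    # what the warned-against command produces: the key travels with the cert
    openssl pkcs12 -export -in "$work/ca.pem" -inkey "$work/ca.key" \
        -passout pass:secret -out "$work/ca.p12" 2>/dev/null
    p12_contains_private_key "$work/ca.p12" secret && echo "ca.p12 contains the CA private key"
    rm -rf "$work"
fi
```

Run it as `sh check.sh --demo`. The only artefact that should ever be handed out is ca.der (or ca.pem); export_ca_cert_der returns 0 only when the input is a bare certificate and the DER round-trips to the same fingerprint, and p12_contains_private_key is there to confirm that a .p12 made the way the note warns against does carry the key.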

For more detailed information, refer to the SSL Certificates and Encoding post.
