{"id":1690,"date":"2015-02-10T18:02:42","date_gmt":"2015-02-10T18:02:42","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1690"},"modified":"2015-02-10T12:17:51","modified_gmt":"2015-02-10T12:17:51","slug":"openssl-self-signed-certificates-becoming-a-root-ca","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1690","title":{"rendered":"OpenSSL – Self Signed Certificates \/ Becoming a Root CA"},"content":{"rendered":"

Following on <\/strong>from the brief personal aide-memoir: OpenSSL – Generate CSR and Test x509 Certificate<\/a>, this post contains the recipe to generate a self-signed certificate and use this as a CA, to sign other certificates. This is because the term \u201cSelf signed certificate\u201d is really incorrect, the proper phrase ought to be \u201cBeing your own Certificate Authority\u201d, (or CA)
\n– You have the \u201croot key\u201d
\n– And you can \u201csign\u201d other certificates
\n
\nWhy Self-Signed Certificates?<\/strong>
\n– It is free. Any linux box that has openssl installed includes everything you need
\n– Provides encryption, but no \u201cverification\u201d
\n– Closed systems. Sometimes you want to keep others out. Ex. LDAP \/w \u201crequire ssl\u201d<\/p>\n

STEP 1 Create the CA’s key pair:<\/strong>
\nC:\\openssl\\bin>openssl genrsa -out keys\/CA.key 1024
\nLoading 'screen' into random state - done
\nGenerating RSA private key, 1024 bit long modulus
\n.........++++++
\n.............................++++++
\ne is 65537 (0x10001)<\/code><\/p>\n

C:\\openssl\\bin><\/p>\n

Step 2: The CA needs its own \u201ccertificate\u201d (This is the \u201cwidely published\u201d \u201croot certificate\u201d)<\/strong>
\nopenssl req -new -x509 -days 3650 -key CA.key -out CA.crt<\/code>
\nNote that the \u201cname\u201d is the CA’s name, not a valid DNS name.<\/p>\n

C:\\openssl\\bin>mkdir certs<\/code><\/p>\n

C:\\openssl\\bin>openssl req -new -x509 -days 3650 -key keys\/CA.key -out certs\/CA.
\ncrt
\nLoading ‘screen’ into random state – done
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCountry Name (2 letter code) [AU]:EN
\nState or Province Name (full name) [Some-State]:Surrey
\nLocality Name (eg, city) []:East Horsley
\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Daren Matthews
\nOrganizational Unit Name (eg, section) []:Daren Matthews
\nCommon Name (eg, YOUR name) []:Daren Matthews CA
\nEmail Address []:daren@domain.com<\/p>\n

C:\\openssl\\bin>dir certs
\nVolume in drive C has no label.
\nVolume Serial Number is 00B5-C395<\/p>\n

Directory of C:\\openssl\\bin\\certs<\/p>\n

28\/08\/2012 17:27<\/p>\n

.
\n28\/08\/2012 17:27 ..
\n28\/08\/2012 17:27 1,419 CA.crt
\n1 File(s) 1,419 bytes
\n2 Dir(s) 103,123,685,376 bytes free<\/p>\n

C:\\openssl\\bin><\/p>\n

Step 3: Create the private key for the server.<\/strong> (The \u201cserver\u201d being the web server.)
\nUse the usual method to generate a public\/private key pair:
\nopenssl genrsa -out server.key 1024<\/code><\/p>\n

Step 4: Create a \u201cCertificate Signing Request\u201d<\/strong>
\nopenssl req -new -key server.key -out server.csr<\/code>
\nThis will ask you for the \u201cname\u201d of the machine. You MUST use the DNS name.<\/p>\n

Step 5: \u201cSign\u201d the certificate.<\/strong>
\nopenssl x509 -req -days 3650 -CA CA.crt -CAkey CA.key -set_serial 01 -in server.csr -out server.crt<\/code><\/p>\n

C:\\openssl\\bin>dir certs
\nVolume in drive C has no label.
\nVolume Serial Number is 00B5-C395<\/p>\n

Directory of C:\\openssl\\bin\\certs<\/p>\n

28\/08\/2012 17:27<\/p>\n

.
\n28\/08\/2012 17:27 ..
\n28\/08\/2012 17:27 1,419 CA.crt
\n1 File(s) 1,419 bytes
\n2 Dir(s) 103,123,095,552 bytes free<\/p>\n

C:\\openssl\\bin>dir csr
\nVolume in drive C has no label.
\nVolume Serial Number is 00B5-C395<\/p>\n

Directory of C:\\openssl\\bin\\csr<\/p>\n

28\/08\/2012 15:57<\/p>\n

.
\n28\/08\/2012 15:57 ..
\n28\/08\/2012 15:57 741 server.csr
\n1 File(s) 741 bytes
\n2 Dir(s) 103,123,095,552 bytes free<\/p>\n

C:\\openssl\\bin><\/p>\n

C:\\openssl\\bin>dir keys
\nVolume in drive C has no label.
\nVolume Serial Number is 00B5-C395<\/p>\n

Directory of C:\\openssl\\bin\\keys<\/p>\n

28\/08\/2012 17:20<\/p>\n

.
\n28\/08\/2012 17:20 ..
\n28\/08\/2012 17:20 887 CA.key
\n28\/08\/2012 15:22 887 server.key
\n2 File(s) 1,774 bytes
\n2 Dir(s) 103,123,095,552 bytes free<\/p>\n

C:\\openssl\\bin><\/p>\n

Example:<\/code><\/p>\n

openssl x509 -req -days 3650 -CA \\openssl\\bin\\certs\\CA.crt -CAkey \\openssl\\bin\\keys\\CA.key -set_serial 01 -in \\openssl\\bin\\csr\\server.csr -out \\openssl\\bin\\certs\\server.crt
\nLoading ‘screen’ into random state – done
\nSignature ok
\nsubject=\/C=EN\/ST=Surrey\/L=East Horsley\/O=Daren Matthews\/OU=Daren Matthews\/CN=Dar
\nen Matthews\/emailAddress=daren@domain.com
\nGetting CA Private Key<\/p>\n

C:\\openssl\\bin><\/p>\n

Now that we have created our own self signed certificate:<\/strong>
\n– Always get the certificate error popup \u2013 just click OK
\n– Accept the certificate forever \u2013 no more popup.
\n– Install the \u201croot certificate\u201d \u2013 no popups for any certificate signed by this CA.<\/p>\n

How to install a CA certificate into a browser:<\/strong><\/p>\n

The usual way is to send the DER encoded certificate to the browser as MIME type application\/x-x509-ca-cert, for example by clicking on an appropriate link. On MSIE certain extensions such as .der or .cacert may also work, or you can import the certificate using the certificate import wizard.<\/p>\n

You can convert a certificate to DER form using the command:
\n openssl x509 -in ca.pem -outform DER -out ca.der<\/code><\/p>\n

NOTE: Occasionally someone may suggest using a command such as:
\nopenssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem<\/code><\/p>\n

DO NOT DO THIS! This command will give away your CAs private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose.<\/p>\n

For more detailed information<\/strong>, refer to the SSL Certificates and Encoding<\/a> post<\/p>\n","protected":false},"excerpt":{"rendered":"

Following on from the brief personal aide-memoir: OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use this as a CA, to sign other certificates. This is because the term \u201cSelf signed certificate\u201d is really incorrect, the proper phrase ought to be \u201cBeing your own […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[62,56],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1690"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1690"}],"version-history":[{"count":8,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1690\/revisions"}],"predecessor-version":[{"id":2114,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1690\/revisions\/2114"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1690"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}