Certificate Authority (CA) with OpenSSL

Posted by chris on Mon 13 Oct 2008 at 22:46

When you need to run a website (https), mail (ssl/tls) or similar over an encrypted link - you need an SSL certificate. This article will explain some of the choices involved, and how to run your own certificate authority (CA).

Use a certificate signed by a certificate authority (CA)
- will work out of the box for your users
- All CAs that are recognized by browsers by default are commercial
  - costs money ($150 a year or so)
  - will need to be renewed every year or two
Generate your own self-signed certificate
- free
- will require a user approval
- can be scary for the unexperienced user

Example dialog from Firefox 3 with
a self-signed certificate

So - what's the difference between these certificates?

A commercial certificate is signed by a certificate authority (CA). By signing this they are saying that they believe that you are who you say you are. The browser/application has a list of trusted CA certificates and can check - when the connection is made it will check the signature against this list of trusted CAs.

A self-signed certificate (one that you generate) will need to be installed in all browsers/applications you are going to use it with OR the users will have to approve the certificate each time they visit the site. In addition - when it falls due for renewal - you will have to re-install the certificate on all locations.

Wouldn't it be nice if we could be our own CA?

Well - luckily for us we can. The user will still have to install the CA certificate - but - these generally run for a lot longer than normal certificates (10, 15, 20 years) and - any new certificates issued using the same CA will be recognised as valid.

Overview

In this article we will examine the following

Setting up the CA software from OpenSSL
Generating the CA certificate
Generating CSR (certificate signing request)
Signing a CSR to generate a signed certificate

Setting up

CA.pl and CA.sh

OpenSSL on debian comes with two files that make the job of being a CA much easier. Both live in /usr/lib/ssl/misc - CA.pl and CA.sh

These scripts do the same thing - it's just that one is written in perl - one is a shell script.

In etch - CA.pl has one setting that CA.sh is missing (when generating the CA certificate CA.pl adds -extensions v3_ca to the call - CA.sh in etch is missing this although I believe it to be fixed for lenny). For this reason - we will use CA.pl

However - we need to setup CA.pl and openssl (/etc/ssl/openssl.cnf) before we can use them properly.

Setup

By default - CA.pl (and CA.sh for that matter) together with openssl.cnf are set up so that everything happens in the local directory - with the CA store in ./demoCA. This isn't so very useful. So - let's make some decisions.

Our CA certificate will have a life of 10 years
Our SSL certificates will have a life of 2 years
We will store the CA information in /etc/ssl/ca (alongside the other ssl files).

To do this we need to change both CA.pl and openssl.cnf.

Changes to CA.pl

Locate the variables at the top - DAYS and CADAYS. Change these lines to look like:


    $DAYS="-days 730";     # 2 year
    $CADAYS="-days 3650";  # 10 years

A little further down you will find the variable $CATOP. Change this line to look like:


    $CATOP="/etc/ssl/ca";

One more change - the default CA certificates key is 1024 bits RSA. I would like 2048.

So - search down to print "Making CA certificate ...\n";. The line after that needs changing from

system ("$REQ -new -keyout " .

system ("$REQ -newkey rsa:2048 -keyout " .

Changes to openssl.cnf

The first change must match the $CATOP variable from CA.pl - we need to change the dir variable so that it looks like

dir = /etc/ssl/ca

We should also set the default number of days to match $DAYS:

default_days = 730

I personally also change default_bits to 2048

default_bits = 2048

Finally - and this is optional - you can edit any value in the [ req_distinguished_name ] section that ends 'default' - to change the defaults to match your needs. When generating certificates you will be prompted to enter - so these can always be overwritten - but here you can set the ones you use most often.

Generating the CA certificate and storage area

Run the following:

/usr/lib/ssl/misc/CA.pl -newca

Press return for the CA certificate file name
It will ask for A PEM pass phrase - choose a good one - this protects your CA certificate's key
It will ask for certificate details (country etc) - enter whatever is appropriate for you
It will then try to create the certificate with the newly signed key (using the openssl.cnf config) - you will have to give the password you entered above

Your new cacert.pem file is now in /etc/ssl/ca/cacert.pem and can be distributed for installation in browsers etc.

Generating certificates

This goes through the following process:

Generate a certificate request
Send this for signing
Receive the signed certificate
Install it

Of course - as your own CA you will be sending it to yourself and signing it yourself.

Generating a certificate request

/usr/lib/ssl/misc/CA.pl -newreq

This will prompt you for the certificate details. The vital point is that the CN of the certificate must be the domain name of the site you wish to secure. You can use *.example.com for a wildcard certificate (everything under example.com).

This will generate a newkey.pem and a newreq.pem. newkey.pem you need to keep for later - newreq.pem you would send off for signing - in this case to yourself - but you could also use it for purchasing a real certificate.

Signing a certificate request

Given a newreq.pem in the current working directory run

/usr/lib/ssl/misc/CA.pl -sign

This will sign the request and generate a newcert.pem with the signed certificate. You will have to enter the password for your CA key which you supplied when creating the CA key, certificate and store.

Installing the certificates

The installation will depend on what software you are using. You will need the newkey.pem and newcert.pem - rename them to something useful - like domainname.key and domainname.cert.

Some software will not accept the extra information in the certificate file - you can strip out everything apart from the lines -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----.

Note - your certicate's key has a passphrase assigned during the -newreq phase. If you want your software to autostart this won't work - since it prompts for the password. To remove a passphrase:

openssl rsa -in newkey.pem -out newkey.nopass.pem

This will prompt you one last time and then generate a non-passphrase key file that you can use instead.

¹ There is a community site at http://www.cacert.org/ dedicated to providing signed certificates for free. However - the CAcert.org root certificate (their CA certificate) is not installed in browsers by default - and would need to be installed by your users. However - this may be good enough for you.

Re: Certificate Authority (CA) with OpenSSL

Posted by Anonymous (77.81.xx.xx) on Mon 13 Oct 2008 at 23:28

I'd be curious about tips on how to maintain a list of generated cerificates and publish revocation lists, I noticed some fields for CRL URLs, but i couldn't find any ready to use package for a public CA.

I'd love to create a company-wide CA that has it's certificate installed by default on all machines and use certificates everywhere appropriate, but the perspective of maintaining those is pretty scary without some examples.

Contribute

Current Poll

Recent Weblogs

More Weblogs

Debian Administration

System Administration Tips and Resources