Be Your Own Certificate Authority

2018-10-01

Apparently I work in network security. This means it’s high time I figure out all this certificate malarky. I’ve maintained SSL-protected web sites before and, thus, had some contact with the openssl command. However, all these .key, .pem and .csr files have confused me. So, I thought I’d sit down and document all the bits and pieces required to stand up your own root certificate authority (CA) certificate and document what all the commands mean along the way.

These steps assume that you have a secured CA computer A as well as one or more web servers, B etc.

Values:

Root CA

The root CA key and certificate constitute the root of your trust hierarchy. You will only generate these materials once. From these materials, you can then generate an arbitrary number of derived certificates for individual web sites.

Root CA private key

You must provide a secure, secret passphrase for this private key. Run the following command on A:

openssl genrsa -des3 -out rootca.key 2048

Notes:

Root CA certificate

Run the following command on A:

openssl req \
    -x509 \
    -new \
    -nodes \
    -key rootca.key \
    -sha256 \
    -days 1825 \
    -subj "/C=US/ST=Washington/L=Bothell/O=Richard Cook CA/CN=rcook.org/emailAddress=rcook@rcook.org" \
    -out rootca.pem

Notes:

Server

These steps generate a certificate that allows one or more derived, or subsidiary, web servers to securely identify themselves to clients by deriving trust from the root CA we set up previously. The following steps will refer to a given web server as B.

Server private key

Run the following command on B:

openssl genrsa -out myserver.key 2048

Notes:

Server certificate-signing request (CSR)

Run the following command on B:

openssl req \
    -new \
    -key myserver.key \
    -subj "/C=US/ST=Washington/L=Bothell/O=myserverdns Services/CN=myserverdns/emailAddress=rcook@rcook.org" \
    -out myserver.csr

Notes:

Signing configuration file

Run the following command on A:

cat << EOF > myserver.cnf
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myserverdns
EOF

Notes:

Server certificate

Run the following command on A:

openssl x509 \
    -req \
    -in myserver.csr \
    -CA rootca.pem \
    -CAkey rootca.key \
    -CAcreateserial \
    -out myserver.crt \
    -days 1825 \
    -sha256 \
    -extfile myserver.cnf

Notes:

Install root CA certificate in Chrome

Tags: OpenSSL, Certificates

All content © 2018 Richard Cook. All rights reserved.