- Published on : 14 February 2015 at 18:46 UTC
If you have a Linux server or a VPS (a virtual machine on the Internet) and want to secure several services (web, mail, ...), running your own certification authority (CA) becomes very useful. You import the certificate of your CA once into the "trusted authorities" list of your devices (computers, smartphones, ...), and all the certificates you sign with it are then treated as issued by a recognized authority.
Tutorial tested on Ubuntu 12.04 and Debian 7.7.0.
- OpenSSL installation
- Create the certification authority (CA)
- Create a certificate signing request (CSR)
- Create a certificate from the signing request
- Securing Apache with the SSL certificate
- Test the configuration
- Import the certificate of the authority in Linux PC
- Import the certificate of the authority in Windows PCs
- Revoke a certificate
- Create the revocation list (CRL)
- Make the revocation list available from the web
- Test of the revocation
To be safe, update the package list first.
Then, install the "openssl" package.
apt-get install openssl
To change the information that OpenSSL uses when creating the CA, edit the "/etc/ssl/openssl.cnf" file.
In this file, you can change the validity period of the certificates that you sign.
For example: 10 years (3650 days).
default_days = 3650
Change the key size. For reference: GeoTrust asks for 2048-bit certificates.
default_bits = 2048
Also set the information for your certification authority, including the following:
# Country code.
countryName_default = US
# The state or province. Personally, I have set the country to protect my privacy.
stateOrProvinceName_default = United States
# The name of your organization (or the name of your website if you wish).
0.organizationName_default = InformatiWeb
# In the "[ usr_cert ]" section, add the following line:
crlDistributionPoints=URI:http://www.informatiweblan.net/ca-crl.crl
# Doc : https://www.openssl.org/docs/apps/x509v3_config.html#crl_distribution_points_
Finally, create your certification authority using the "CA.sh" script of OpenSSL.
cd /usr/lib/ssl/misc/
sudo ./CA.sh -newca
During the creation of the certification authority, the script will ask you for:
- A password to protect the private key of the CA.
- The information to put in the certificate of the authority.
Note: The common name to specify when creating the CA is the name of your certification authority.
...
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
...
Country Name (2 letter code) [BE]:
State or Province Name (full name) [Belgium]:
Locality Name (eg, city) :
Organization Name (eg, company) [InformatiWeb]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :InformatiWeb CA
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
...
In the "/usr/lib/ssl/misc/demoCA" folder created by this script, you will find all the files of your certification authority, including the certificate of the authority: "cacert.pem".
ls -l /usr/lib/ssl/misc/demoCA/
total 40
-rw-r--r-- 1 root root 4309 fév 11 16:14 cacert.pem
-rw-r--r-- 1 root root 972 fév 11 16:14 careq.pem
drwxr-xr-x 2 root root 4096 fév 11 16:14 certs
drwxr-xr-x 2 root root 4096 fév 11 16:14 crl
-rw-r--r-- 1 root root 94 fév 11 16:14 index.txt
-rw-r--r-- 1 root root 21 fév 11 16:14 index.txt.attr
-rw-r--r-- 1 root root 0 fév 11 16:14 index.txt.old
drwxr-xr-x 2 root root 4096 fév 11 16:14 newcerts
drwxr-xr-x 2 root root 4096 fév 11 16:14 private
-rw-r--r-- 1 root root 17 fév 11 16:14 serial
To take a common example, we will request a certificate with these specifications:
- Valid for 10 years
- Valid for all subdomains (but not for the domain itself)
- Private key without password protection, so that Apache does not ask for it at startup (or on reboot in case of problems)
openssl req -new -nodes -keyout /etc/ssl/private/www-key.pem -out /tmp/www-req.pem -days 3650
As before, you will be asked for information.
For the common name, you must specify "*.domain.net", because this is the value that the browser will check.
Note: To generate a certificate valid for the domain only, specify "domain.net" for the common name.
Generating a 2048 bit RSA private key
............+++
..........+++
writing new private key to 'www-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BE]:
State or Province Name (full name) [Belgium]:
Locality Name (eg, city) :
Organization Name (eg, company) [InformatiWeb]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :*.informatiweblan.net
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Finally, use the signing request to sign the certificate.
cd /usr/lib/ssl/misc/
openssl ca -out /etc/ssl/certs/www-cert.pem -infiles /tmp/www-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number:
        92:41:c8:a0:fa:43:33:f6
    Validity
        Not Before: Feb 11 15:30:52 2015 GMT
        Not After : Feb 8 15:30:52 2025 GMT
    Subject:
        countryName = BE
        stateOrProvinceName = Belgium
        organizationName = InformatiWeb
        commonName = *.informatiweblan.net
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            9E:24:79:43:C8:90:6E:9E:52:4A:80:8C:35:32:92:AC:66:CD:20:F6
        X509v3 Authority Key Identifier:
            keyid:10:44:64:86:EB:FE:F1:52:10:8A:0B:EF:2C:49:EE:DC:F0:1C:B3:2F
Certificate is to be certified until Feb 8 15:30:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
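Once the certificate is signed, three checks confirm that it chains to the CA, that it belongs to the private key you generated, and that the passphrase-less key is protected by file permissions. This is an added example, not part of the original tutorial: check_issued_cert and make_demo are hypothetical helper names, and the demo builds a constructed throwaway CA with "openssl x509 -req" as a stand-in for the "CA.sh" / "openssl ca" steps above.

```sh
#!/bin/sh
# Added example: post-issuance checks for a certificate signed by a private CA.

# check_issued_cert CA_CERT CERT KEY
# Returns 0 if all checks pass, 1 on chain failure, 2 on key mismatch,
# 3 if the key file is accessible to group or other.
check_issued_cert() {
    ca=$1 cert=$2 key=$3
    # 1. The certificate must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca"; return 1; }
    # 2. The public key in the certificate must be the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; return 2; }
    # 3. A key stored without a passphrase is protected only by file permissions:
    #    group and other must have no access (characters 5-10 of the ls mode string).
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other ($perms)"; return 3; }
    echo "OK"
}

# make_demo DIR: constructed throwaway CA, wildcard CSR and certificate (1-day validity).
# Uses "openssl x509 -req" as a stand-in for the tutorial's "openssl ca" step.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$d/www-key.pem" -out "$d/www-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/www-req.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -out "$d/www-cert.pem" 2>/dev/null &&
    chmod 600 "$d/www-key.pem"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo "$tmp"
check_issued_cert "$tmp/cacert.pem" "$tmp/www-cert.pem" "$tmp/www-key.pem"
```

With the files created in this tutorial, the call would be: check_issued_cert /usr/lib/ssl/misc/demoCA/cacert.pem /etc/ssl/certs/www-cert.pem /etc/ssl/private/www-key.pem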