How to setup CA (certificate authority)

If you want a full-blown official SSL certificate for your site, you can buy it from commercial companies like Thawte< or VeriSign<, or request free certificate from CAcert< or StartSSL< (the latter, BTW, has its root certificate by default added in Internet Explorer and Firefox). However, the cheapest and fastest option is to run an own certificate authority. Here we go!

Setup CA directory and initial contents

cd /etc/pki
mkdir -p ca/private
chmod 700 ca/private
rm -rf CA
ln -s ca CA
cd ca
echo 1001 > ca.srl
mkdir crl certs newcerts
touch index.txt crl.pem<

Create configuration files for requests and CA signing

cat > ca.conf
cat > req.conf
chmod 600 ca.conf req.conf<

Edit ca.conf  (section [root_ca_distinguished_name]) and req.conf  (section [req_distinguished_name], default values) and substitute your parameters:

countryName         = RU
stateOrProvinceName = Moscow
localityName        = Moscow
0.organizationName  = Our Dom Msk
name                = Our Dom
emailAddress        = [email protected]<

In CA configuration also substitute

commonName             = Our Dom CA
organizationalUnitName = Certificate Authority<

Create signing script

cat > /etc/pki/ca/auto-sign
chmod 700 /etc/pki/ca/auto-sign<

Create private key and self-signed certificate

$ openssl genrsa -des3 -out private/ca.key 2048
Enter pass phrase for private/ca.key: pass123

<
$ openssl req -new -key private/ca.key -x509 -days 3652 -out ca.crt -config ca.conf
Enter pass phrase for private/ca.key: pass123<

Create text annotation, DER encoding and fingerprint of the certificate

openssl x509 -in ca.crt -text > ca.txt.crt
openssl x509 -inform PEM -outform DER -in ca.crt -out ca.der
openssl x509 -fingerprint -sha1 -noout -in ca.crt > ca.fgp<

Proceed to sections mentioned as "Related links" to configure SSL in web, mail or other services.

 

Вложения