Linux Server Hacks

Creating Your Own CA

by Rob Flickenger, author of Linux Server Hacks
02/06/2003

Become your own Certificate Authority, and sign your own--or others'--SSL certificates.

Well-known Certificate Authorities (such as Thawte and VeriSign) exist to serve as authoritative, trusted third parties for authentication. They are in the business of signing SSL certificates that are used on sites that deal with sensitive information (like account numbers or passwords). If a site's SSL certificate is signed by a trusted authority, then presumably it is possible to verify the identity of a server supplying that certificate's credentials. In order to receive a certificate "blessed" by a well-known CA, you have to prove to them beyond a shadow of a doubt that not only are you who you claim to be, but that you have the right to use the certificate in the way you intend to.

For example, I may be able to prove to a CA that I am really Rob Flickenger, but they probably won't issue me a signed certificate for Microsoft Corporation, as I have no rights to use that name. (Yes, they probably wouldn't do that. Not again.)

In this article, I'll show how OpenSSL is perfectly capable of generating everything you need to run your own Certificate Authority. The CA.pl utility makes the process very simple.


In these examples, the values typed at each prompt follow the colon; enter passwords wherever you are asked for them (they don't echo to the screen). To establish your new Certificate Authority:

hagbard@fnord:~/certs$ /usr/local/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /usr/local/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...............++++++
......................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Sebastopol
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Illuminatus Enterprises, Ltd
Organizational Unit Name (eg, section) []:Administration
Common Name (eg, YOUR name) []:Hagbard Celine
Email Address []:hagbardceline1723@yahoo.com

Congratulations. You're the proud owner of your very own Certificate Authority. Take a look around:

hagbard@fnord:~/certs$ ls
demoCA/
hagbard@fnord:~/certs$ cd demoCA/
hagbard@fnord:~/certs/demoCA$ ls -l
total 24
-rw-r--r--    1 rob      users        1407 Sep  8 14:12 cacert.pem
drwxr-xr-x    2 rob      users        4096 Sep  8 14:12 certs/
drwxr-xr-x    2 rob      users        4096 Sep  8 14:12 crl/
-rw-r--r--    1 rob      users           0 Sep  8 14:12 index.txt
drwxr-xr-x    2 rob      users        4096 Sep  8 14:12 newcerts/
drwxr-xr-x    2 rob      users        4096 Sep  8 14:12 private/
-rw-r--r--    1 rob      users           3 Sep  8 14:12 serial

Your new Certificate Authority's certificate (which carries its public key) is cacert.pem, and its private key is private/cakey.pem. You can now use that private key to sign other SSL certs.

To use your CA's authority to sign SSL certs, you'll need to make a new cert that a web server (such as Apache) can use. First, generate a private key and certificate request (see man CA.pl or my book, Linux Server Hacks). Now you can sign the new request with your own CA's key:

hagbard@fnord:~/certs$ openssl ca -policy policy_anything \
  -out propaganda.discordia.eris.crt \
  -infiles propaganda.discordia.eris.csr

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Texas'
localityName          :PRINTABLE:'Mad Dog'
organizationName      :PRINTABLE:'Discordia, Inc.'
organizationalUnitName:PRINTABLE:'Operations'
commonName            :PRINTABLE:'propaganda.discordia.eris'
emailAddress          :IA5STRING:'hail@discordia.eris'
Certificate is to be certified until Sep  8 22:49:26 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now, to use the .crt and .key with Apache + mod_ssl (or Apache-ssl), install them as you normally would (perhaps with lines like these):

SSLCertificateFile /usr/local/apache/conf/ssl.crt/propaganda.discordia.eris.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/propaganda.discordia.eris.key

This is all lots of fun, but what happens when a client actually connects to https://propaganda.discordia.eris/? Won't the browser throw an error about not recognizing the Certificate Authority that signed the SSL cert? Naturally. Unless, of course, you've installed your CA's public key to the client browser ahead of time. Check back for my next article (or, if you can't wait that long, check out the book).
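The whole procedure above (CA, server key and CSR, signing) scripted non-interactively, followed by the check a client makes when it connects: the issued cert must chain to a CA the client trusts and must carry the name being visited. This is an added example, not the article's code; it uses openssl x509 -req in place of the article's openssl ca so no demoCA database is needed, assumes the openssl CLI is installed, and all hostnames and CA names are constructed.

```shell
#!/bin/sh
# Added example, not the article's code: build a private CA non-interactively,
# sign a server CSR with it, then run the trust check a client performs.
# Assumes the openssl CLI (1.0.2 or later); all names below are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# CA key plus self-signed CA cert. CA:TRUE and keyCertSign mark it as an
# issuer; keep the .key file offline, since it can sign anything clients trust.
make_ca() {   # $1 = file prefix, $2 = CA common name
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" \
    -subj "/C=US/O=Illuminatus Enterprises, Ltd/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Server key and CSR, then the CA signs it. openssl x509 -req stands in for
# the article's openssl ca, so no demoCA index/serial database is needed.
# A subjectAltName is added because modern clients ignore the CN by itself.
make_server_cert() {   # $1 = server hostname, $2 = CA file prefix
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" \
    -subj "/C=US/O=Discordia, Inc./CN=$1" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# The client-side check: chain to a trusted CA cert AND the name must match.
# Prints OK or FAIL instead of exiting so the outcomes can be compared.
verify_against() {   # $1 = cert, $2 = trusted CA cert, $3 = expected hostname
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

build_demo() {
  make_ca myca "Illuminatus Root CA"
  make_ca otherca "Unrelated Root CA"    # a CA the client has not been told to trust
  make_server_cert propaganda.discordia.eris myca
}

if command -v openssl >/dev/null 2>&1; then
  build_demo
  verify_against propaganda.discordia.eris.crt myca.crt propaganda.discordia.eris     # OK
  verify_against propaganda.discordia.eris.crt otherca.crt propaganda.discordia.eris  # FAIL
  verify_against propaganda.discordia.eris.crt myca.crt www.example.test             # FAIL
fi
```

The second and third results are exactly what a browser reports as an untrusted issuer and a name mismatch; installing myca.crt in the client's trust store fixes only the first of those.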

Disclaimer: No, I honestly had nothing to do with the "Microsoft Corporation" cert snafu. But it does illustrate one of the fundamental facts of life online: It's difficult to know who to trust.

Rob Flickenger is a long time supporter of FreeNetworks and DIY networking. Rob is the author of three O'Reilly books: Building Wireless Community Networks, Linux Server Hacks, and Wireless Hacks.


O'Reilly & Associates recently released (January 2003) Linux Server Hacks.



Have you created your own Certificate Authority? Tell us about it.

  • Know who you trust, discover our work
    2003-05-21 15:40:11  sai@idealx


    IDX-PKI (http://www.idealx.com/solutions/idxpki/index.en.html) can help you to build your own industrial PKI. It is already used by several corporate customers and French administrations. It's a full featured PKI that is at least as secure as the main proprietary players of this market and much more extensible (and knowable). And it is a GPLv2 software suite that costs the same from one to one million certificates... nothing but the integration work (that you can do by yourself...or with us ;-)

    And I don't say that because I've been leading the development team for three years...

    Cheers,

    Sébastien Abdi IDEALX
    Security Department Manager
    Visit https://demo.idx-pki.com and become an Open Source PKI Guru
  • Free Certificate Authority...
    2003-03-04 18:25:54  anonymous2

    Rather than just build my own CA, I went on to create a complete trust model to control the way things happen; people that are more trusted have additional benefits, such as longer expiries, names on email certs etc...

    http://www.CAcert.org
  • IDX-PKI
    2003-02-18 03:08:36  anonymous2

    It can be simpler, if you manage a lot of certificates, to use an Open Source PKI like IDX-PKI http://idxpki.org
  • Other sources of info
    2003-02-12 02:56:23  anonymous2

    Quote from article "This is all lots of fun, but what happens when a client actually connects to https://propaganda.discordia.eris/? Won't the browser throw an error about not recognizing the Certificate Authority that signed the SSL cert? Naturally. Unless, of course, you've installed your CA's public key to the client browser ahead of time. Check back for my next article (or, if you can't wait that long, check out the book)."

    Or you can just check out the linux documentation project.
    SSL How-To
  • Hagbard [fnord]
    2003-02-09 00:37:20  anonymous2

    It amused me to see the reference to the Illuminatus Trilogy character. fnord. I can see the fnords!

