Web servers, imap servers, smtp servers can be configured to use ssl connections and there are many other uses for ssl certificates, such as encrypting email or digitally signing documents. You don't have to pay a certificate authority, such as Verisign, because you can use the OpenSSL package to create your own certificates. I do not cover the installation of OpenSSL here and I assume you know at least how to change directories, move files, use an editor, and other basics from the command-line.
Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.
- Create a directory.
- Create two subdirectories.
- Create a database to keep track of each certificate signed.
- Make a custom config file for openssl to use.
- Create a root certificate.
- Install the root certificate for use.
- Create certificates (separate pages).
Note: While this document covers OpenSSL under Linux, Windows-only folks can use the Win32 OpenSSL project. I found GOSSL and CertWiz, GUIs for Windows, after a quick search. I am running Red Hat Linux 8.0 and openssl 0.9.x. If you have an internal box running the Apache web server with PHP and the OpenSSL libraries installed, you could also use PHPki. I would not use PHPki for creating certificates on a publicly accessible server, because your root private key must be installed on that server (security risk). [Note: I found it not too hard to migrate manually to PHPki after already having created some certificates from the command line. Also, you must have short tags enabled in your php.ini.] Only command-line steps will be covered here.
Let's call it sslcert:
mkdir sslcert
Now protect that directory so only the user you are running as (and root) can access it:
chmod 0700 sslcert
cd into the sslcert directory and make two subdirectories. Let's call them certs and private:
mkdir certs private
Now create the database that the config file below refers to: an empty index file (certindex.txt) in which openssl records each certificate it signs, and a serial file holding the serial number to give the next certificate:
touch certindex.txt
echo '100001' >serial
Create a file using your ASCII text editor. We will call it openssl.cnf. Here are the basics needed for this exercise (edit as needed). The md5 digest and 1024-bit keys reflect the OpenSSL release this page was written against; current releases default to sha256 and 2048-bit keys, and modern browsers refuse MD5-signed certificates, so raise both values if you are on a newer OpenSSL.
#
# OpenSSL configuration file.
#

# Establish working directory.

dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = md5
preserve = no
email_in_dn = no
# Display options used when ca asks you to confirm signing
# (the keys openssl reads are name_opt and cert_opt).
name_opt = ca_default
cert_opt = ca_default
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024                     # Size of keys
default_keyfile = key.pem               # name of generated keys
default_md = md5                        # message digest algorithm
string_mask = nombstr                   # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------     ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------      ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Province
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
All other certificates you create will be based off of this one. Because you are not a commercial certificate authority, software will warn when it encounters your certificates. However, you can give people one of the files that will be created, the "public" one, and they can import it manually. From then on your certificates will load just like the commercial ones.
To create, while in the 'sslcert' directory, type:
openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf
Note the backslash (\) at the end of the first line. If your shell supports it, this is a way to type long command lines: press <Enter> after it and you will be prompted to continue typing. Otherwise, leave it out and type the whole command on one line.
Note the -days 365 option. For a root certificate you may want it to last longer than one year so that you do not have to reissue it so often. I set mine to 10 years.
You will be prompted for information and a password. Do not lose this password, make sure it is a secure one, and back up the two files that are created.
The two files that are created are cacert.pem, which is the one you can give to others for import in their browsers, and cakey.pem, which will be in the private directory.
| Field | Meaning | Example |
|---|---|---|
| Country Name | The two-letter ISO abbreviation for your country | US = United States |
| State or Province Name | The state or province where your organization is located. Cannot be abbreviated. | Georgia |
| City or Locality | The city where your organization is located. | Atlanta |
| Organization Name | The exact legal name of your organization. Do not abbreviate. | SSL Secure Inc. |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name | Since this is your root certificate, call it something like: | Company_Name Certificate Authority |
| Email Address | The email address for the CA (who to contact) | firstname.lastname@example.org |
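The whole procedure above (directory, subdirectories, database files, config file, root certificate) as one non-interactive script with a check on the result. This is an added example, not the page's own commands: the directory name, passphrase and subject are constructed placeholders, and it uses sha256, 2048-bit keys and a 10-year lifetime instead of the page's md5, 1024-bit and 365-day values (the prompt and policy sections of the page's config are left out because the subject is passed with -subj).

```shell
#!/bin/sh
# Added example (not from the original page): build the sslcert layout, write a
# minimal openssl.cnf, create the root certificate without prompts, verify it.
# Values below are constructed placeholders; replace them with your own.
set -eu
CA_DIR="${CA_DIR:-sslcert}"
CA_PASS="${CA_PASS:-change-me}"   # passphrase protecting private/cakey.pem
CA_SUBJ="/C=US/ST=Georgia/L=Atlanta/O=SSL Secure Inc./CN=SSL Secure Inc. Certificate Authority"
make_ca_layout() {               # $1 = CA directory
    mkdir -p "$1/certs" "$1/private" && chmod 0700 "$1" "$1/private"
    : > "$1/certindex.txt"       # empty database of signed certificates
    echo '100001' > "$1/serial"  # serial number for the first signed cert
    cat > "$1/openssl.cnf" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}
make_root_cert() {               # $1 = CA directory; same command as the page, plus -subj/-passout
    ( cd "$1" && openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
        -out cacert.pem -days 3650 -config ./openssl.cnf -subj "$CA_SUBJ" -passout "pass:$CA_PASS" )
    chmod 0600 "$1/private/cakey.pem"
}
check_root_cert() {              # succeeds if cacert.pem verifies against itself and is marked CA:TRUE
    openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null &&
        openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}
if [ "${1:-}" = run ]; then make_ca_layout "$CA_DIR"; make_root_cert "$CA_DIR"; check_root_cert "$CA_DIR" && echo "root CA ready in $CA_DIR"; fi
```

Run it as `sh make-root-ca.sh run` (any file name); it leaves cacert.pem to hand out and an encrypted private/cakey.pem to back up.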
See your browser's help for how to do this. For IE, go to Tools, Options, Content tab, Certificates, Import and follow the steps. Note that we called our root certificate cacert.pem. Rename this file to cacert.crt, as it is an X.509 certificate. To make it easy for people to install your root certificate, cacert.crt, place it on your web site with a URL to it. When they click on it in most modern browsers, they can choose to "Open" or "Install" and it will walk them through the install steps.
Note for Mozilla and Firefox/Thunderbird users: Mozilla apps do not use MS Windows' certificate storage. If you use Mozilla, you only need to install the certificate in the browser and it will be available to the email client. If you use Firefox and Thunderbird, or just one of the two, you will need to import the certificate into Thunderbird manually. To do this, right-click the link to the certificate and choose "Save As...". Then open "Manage Certificates" (reached via "Advanced" in newer versions) and click the Import button.
Read up on revocation lists and how to use them. One day you may need to revoke the root certificate, or any other certificate, and issue a new one.
The root certificate created per the example is only good for 365 days. When it expires, people receive a warning message. Don't forget to remake the certificate each year, or create it for more than one year.
Don't forget your password for the root certificate, but do not let it fall into the wrong hands.
Now you are ready to create certificates. Here are my pages covering various applications of certificates and how to make those certificates: