Create your own Certificate Authority (CA)
Warning Do NOT, never, ever do that to a production system!
Promised? OK! Here's the use case: you want to test your systems that have made up addresses like
awesomeserver.local and don't want to deal with certificate warnings or fancy errors that arise when you just use a self signed cert. This post is a self-reference for my convenience. There are ample other instructions out there.
Useful with a side of work
The process requires a series of steps:
- Create the private key and root certificate
- Create an intermediate key and certificate
- Create certs for your servers
- Convert them if necessary (e.g. for import in Java Keystors JKS)
- Make the public key of the root and intermediate certs available
- Import these certs in all browsers and runtimes that you will use for testing
Normal mortal users, without these imports will get scary error messages. While this doesn't deter the determined, it's good for a laugh.
We don't want old school certs, so we aim at a modern Elliptic-curve cert (Details here). Here we go:
Setting up the directory structure
mkdir -pv -m 600 /root/ca/intermediate cd /root/ca curl https://jamielinux.com/docs/openssl-certificate-authority/_downloads/root-config.txt -o openssl.cnf curl https://jamielinux.com/docs/openssl-certificate-authority/_downloads/intermediate-config.txt -o intermediate/openssl.cnf mkdir certs crl newcerts private chmod 700 private touch index.txt echo 1000 > serial cd intermediate mkdir certs crl csr newcerts private chmod 700 private touch index.txt echo 1000 > serial echo 1000 > crlnumber cd ..
You want to check the downloaded files and eventually change the path in case you have chosen to us a different one.
The Root CA
export OPENSSL_CONF=./openssl.cnf openssl ecparam -genkey -name prime256v1 -outform PEM | openssl ec -aes256 -out private/ca.key.pem chmod 400 private/ca.key.pem openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -SHA384 -extensions v3_ca -out certs/ca.cert.pem
Keep them save - remember: its on my harddrive only isn't save!!!
You want to check the file using
openssl x509 -noout -text -in certs/ca.cert.pem or on macOS just hit the space key in finder.
The intermediate CA (one or more)
Good practise is to keep the root keys save and only use them for one or more intermediate certificate(s).
This allows to delegate cert creation to multiple players and also allows to invalidate an intermediate cert if needed.
openssl ecparam -genkey -name prime256v1 -outform PEM | openssl ec -aes256 -out intermediate/private/intermediate.key.pem chmod 400 intermediate/private/intermediate.key.pem openssl req -config intermediate/openssl.cnf -new -SHA384 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem chmod 444 intermediate/certs/intermediate.cert.pem openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
The last command should return OK. Now we need to create the certificate chain.
That's the file you need to install in browsers or other key stores avoid
unknown certificate errors.
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem chmod 444 intermediate/certs/ca-chain.cert.pem
Actual server certificates
With all the prerequisites in place we now can create server certificates. You could, to save time, create a wildcard certificate (like
*.theprojectthatshallnotbenamed.com), but that might bite you once you want to enable mutual TLS authentication. So stick to individual certs.
export SSL_DOMAIN_NAME=www.example.com openssl ecparam -genkey -name prime256v1 -outform PEM -out intermediate/private/$SSL_DOMAIN_NAME.key.pem chmod 400 intermediate/private/$SSL_DOMAIN_NAME.key.pem openssl req -config intermediate/openssl.cnf -key intermediate/private/$SSL_DOMAIN_NAME.key.pem -new -sha256 -out intermediate/csr/$SSL_DOMAIN_NAME.csr.pem openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/$SSL_DOMAIN_NAME.csr.pem -out intermediate/certs/$SSL_DOMAIN_NAME.cert.pem chmod 444 intermediate/certs/$SSL_DOMAIN_NAME.cert.pem
You need 3 files on your server system:
As usual: YMMV - make sure you read the detailed instructions