Tuesday, July 27, 2010

Misc 44

Today I'm going to talk about setting up a Certificate Authority in Linux. I'm going to skim on the in-depth theory and instead show more of the practical side of things. First of all, to be a certificate authority, you'll need to install OpenSSL on your system. To do this, we'll install this package on a Debian system:
apt-get install openssl

Now that you have the OpenSSL packages, you are ready to generate certificates. To do this, we'll need to go through these steps:
1) Create Root Certificate
2) Create Certificate Request
3) Enroll/Sign Certificate

First of all, to be a Certificate Authority, you'll need something that represents you. This comes in the form of a Root Certificate. Think of certificates as a hierarchy: the Root Certificate sits at the top of the certificate chain. A root certificate comes as a pair, with a public and a private key. Certificates signed by the Root's private key can be verified by decrypting the signature with the Root's public key. The "signing" action actually means encryption with a private key. To create this key pair, first change to the SSL directory, then invoke the CA.pl script:
cd /etc/ssl/
/usr/lib/ssl/misc/CA.pl -newca

When prompted, hit ENTER to create a new Root Certificate. The private key would be stored as /etc/ssl/demoCA/cacert.pem and the public key would be stored as /etc/ssl/demoCA/private/cakey.pem. At this point, your system is considered a Certificate Authority!

Now, to create certificates for others, we'll need to create a certificate request, then sign the request using the Root Certificate's private key and package it into X.509 format. This can be done in two steps. First we'll need to create the certificate request. This request generates a public and a private key:
/usr/lib/ssl/misc/CA.pl -newreq

Note that if you're creating a certificate for a Web Server, the Common Name should be either the Web Server's FQDN or its IP address (depending on how you access it). You should now have a newreq.pem in the /etc/ssl/ folder. This newreq.pem contains your credentials, signed with your private key, with the public key attached. To view the information in your request, use:
openssl req -in newreq.pem -noout -text

Now, to make this certificate valid, you must turn it into a real X.509 certificate. To do this, we'll need to sign it with the CA's private key. This is the command for it:
/usr/lib/ssl/misc/CA.pl -sign

Now you should have three files: newreq.pem, newcert.pem and newkey.pem. Your new X.509 formatted certificate signed by the CA is in newcert.pem, and the corresponding private key is in newkey.pem. You can safely delete newreq.pem. To view the X.509 certificate, use:
openssl x509 -in newcert.pem -noout -text
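The three steps above, run non-interactively with plain openssl commands instead of CA.pl's prompts, as an added example that is not part of the original post. The scratch directory (WORK), the CA name "Example Lab CA" and the host name www.example.test are assumptions chosen for the demonstration. The layout mirrors CA.pl's demoCA: cacert.pem is the CA certificate, the public half that clients import, and private/cakey.pem is the CA's private key, which never leaves the CA host. The signing step supplies its own extension file so that the result is an end-entity certificate (CA:FALSE) carrying the host name as a subjectAltName, which current browsers check instead of the CN (CA.pl -signCA would instead stamp the request with v3_ca extensions and produce a CA certificate). The script finishes by checking that the new certificate chains to the root.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's three CA.pl
# steps done non-interactively with plain openssl commands in a scratch
# directory. WORK, "Example Lab CA" and www.example.test are assumptions
# chosen for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: root key pair plus self-signed root certificate. cacert.pem is the
# public half that clients import; private/cakey.pem never leaves this host.
make_root_ca() {
    write_config
    mkdir -p "$WORK/private" && chmod 700 "$WORK/private"
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Lab CA" \
        -keyout "$WORK/private/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    chmod 600 "$WORK/private/cakey.pem"
}

# Step 2: server key pair and certificate request (the post's newkey.pem and
# newreq.pem). The CN is the name clients will use to reach the server.
make_request() {
    write_config
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 3: sign the request with the CA key (the post's newcert.pem). The
# extension file makes it an end-entity certificate (CA:FALSE) and repeats
# the host name as a subjectAltName, which browsers check instead of the CN.
sign_request() {
    cat > "$WORK/server.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
    openssl x509 -req -in "$WORK/newreq.pem" -sha256 -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/private/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/newcert.pem" 2>/dev/null
}

# Check 1: the new certificate chains to our root (exit status 0 if so).
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Check 2: the basicConstraints the leaf carries; "CA:FALSE" is what we want.
leaf_basic_constraints() {
    openssl x509 -in "$WORK/newcert.pem" -noout -text | grep -o 'CA:[A-Z]*'
}

# Check 3: the DNS names the leaf is valid for, e.g. "DNS:www.example.test".
leaf_dns_names() {
    openssl x509 -in "$WORK/newcert.pem" -noout -text | grep -o 'DNS:[^, ]*'
}

make_root_ca
make_request www.example.test
sign_request www.example.test
verify_chain && echo "chain OK: $WORK/newcert.pem is signed by $WORK/cacert.pem"
echo "leaf basicConstraints: $(leaf_basic_constraints)"
echo "leaf SAN: $(leaf_dns_names)"
```

Run it as-is to get cacert.pem, newkey.pem, newreq.pem and newcert.pem in a temporary directory (set WORK to choose one). The same `openssl verify -CAfile cacert.pem newcert.pem` check is worth running on the files CA.pl produces too; it fails if the request was signed by a different root than the one you intend to hand out.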

You can now use this certificate and key in web servers or any application you like. To use the certificate generated here in Apache2, simply follow along this article.

Now, if you attempt to access the site, you may get a message that says that the certificate is not valid. These are the two most common reasons for that message:
1) The security certificate presented by this website was issued for a different website's address.
2) The certificate is not trusted because the issuer certificate is unknown.

If your CN doesn't match the URL of the Web Server, you will need to generate a new certificate. The CN MUST match the IP address or domain name of the server (e.g. if you access it by IP address, then the CN must be that IP address; if you access it through syraxius.ath.cx, then the CN must be syraxius.ath.cx).
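Reason 1 above can be checked from the command line before a browser is involved. The script below is an added example that is not part of the original post: it builds a throwaway self-signed certificate for assumed names (www.example.test and the documentation address 192.0.2.10) and runs openssl's own name matching against a matching and a non-matching name. It goes slightly beyond the text by putting the host name and the IP into a subjectAltName as well as the CN, because current browsers ignore the CN and require the address to appear in the SAN (an IP as an IP: entry).

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce reason 1 above
# (certificate issued for a different address) with openssl's own name
# check, so a mismatch is caught before a browser reports it. The scratch
# directory and the names www.example.test / 192.0.2.10 are constructed for
# this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway self-signed certificate for the given host name and IP address.
# Both go into subjectAltName, where browsers look; the CN alone is no
# longer enough for them, and an IP must appear as an IP: entry.
make_cert_for() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1,IP:$2" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Exit status 0 when the certificate is valid for that DNS name, 1 otherwise.
# openssl x509 -checkhost applies the SAN/CN matching rules clients use.
cert_matches_host() {
    case "$(openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" 2>/dev/null)" in
        *"does NOT match"*) return 1 ;;
        *"does match"*)     return 0 ;;
        *)                  return 1 ;;
    esac
}

# Same check for an IP address literal (matched only against IP: SAN entries).
cert_matches_ip() {
    case "$(openssl x509 -in "$WORK/cert.pem" -noout -checkip "$1" 2>/dev/null)" in
        *"does NOT match"*) return 1 ;;
        *"does match"*)     return 0 ;;
        *)                  return 1 ;;
    esac
}

make_cert_for www.example.test 192.0.2.10
for name in www.example.test shop.example.test; do
    if cert_matches_host "$name"; then
        echo "$name: matches, a browser will accept this certificate's name"
    else
        echo "$name: mismatch, expect 'issued for a different website's address'"
    fi
done
cert_matches_ip 192.0.2.10 && echo "192.0.2.10: matches via the IP SAN entry"
```

Point the same `openssl x509 -checkhost` call at the newcert.pem you generated earlier with the name you type into the browser; if it reports "does NOT match", regenerating the certificate with the right name is the fix, not adding the CA to the trust store.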

For the certificate to be trusted, you'll need to add the CA certificate to the Trusted Root Certification Authorities store. To do this, download /etc/ssl/demoCA/cacert.pem to your computer, rename it so that it has a .crt extension, then double-click it and choose Install Certificate:

Next, you'll need to place it in the Trusted Root Certification Authorities container like this:

You should now be able to access your Web Server from Internet Explorer. For Firefox, you'll need to add the same certificate through Tools - Options - Advanced - Encryption - View Certificates - Authorities - Import:
