howto be my own CA for my new certificates

howto be my own CA for my new certificates

Tomas Macek-2
We have some web servers and I want to create self-signed certificates for
them.

What do I want:
- I want to create my own certification authority keys and
certificate, which will be imported into all web browsers of our employees
- I want to create certificates that will be signed by my own
certification authority (previous step) and include them in the
apache/httpd configuration. I don't want our employees to be warned that
the certificate is not trusted (I cannot buy a REAL trusted certificate)

Reading the FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29,
reading CA.pl from openssl-perl and discussions on the inet for 2 days
gave me these steps, which I have already performed:

1) creating my own CA:
openssl genrsa -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key.unsecure ca.key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2) creating my own server key and certification request:
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key.unsecure server.key
openssl req -new -key server.key -out server.csr

3) signing the request by my own CA (see step 1):
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl > server.crt

4) I have imported the ca.crt into the web browser

5) the server.key and server.crt were included to the apache/httpd
configuration

After these steps the web page looks secured and no warning appears when I
enter the page.

Question:
---------------
Do you see anything bad about these steps, or can you please recommend
any further step in order to make things proper?

Best regards
Tomas

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: howto be my own CA for my new certificates

yyy-2
Everything seems to be fine, only for new installations it is recommended to use at least a 2048-bit key
and, at least some time ago, openssl used to default to MD5 for certificate signatures;
check if it is not the case.
 



Re: howto be my own CA for my new certificates

Bernhard Fröhlich-2
In reply to this post by Tomas Macek-2
On 04.08.2011 08:23, Tomas Macek wrote:

> We have some web servers and I want to create self signed certificates
> for them.
>
> What do I want:
> - I want to create my own certification authority keys and
> certificate, that will be imported to all web browsers of our employees
> - I want to create certificates, that will be signed by my own
> certification authority (previous step) and include them to the
> apache/httpd configuration. I don't want our employees to be warned
> that the certificate is not trusted (I cannot buy a REAL trusted
> certificate)
>
> Reading FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29,
> reading CA.pl from openssl-perl and discussions on inet for 2 days
> gave me these steps, that I already performed:
>
> 1) creating my own CA:
> openssl genrsa -des3 -out ca.key 1024
> openssl rsa -in ca.key -out ca.key.unsecure
> mv ca.key.unsecure ca.key
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
> 2) creating my own server key and certification request:
> openssl genrsa -des3 -out server.key 1024
> openssl rsa -in server.key -out server.key.unsecure
> mv server.key.unsecure server.key
> openssl req -new -key server.key -out server.csr
>
> 3) signing the request by my own CA (see step 1):
> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl > server.crt
>
> 4) I have imported the ca.crt into the web browser
>
> 5) the server.key and server.crt were included to the apache/httpd
> configuration
>
> After these steps the web page looks secured and no warning appears
> when I enter the page.
>
> Question:
> ---------------
> Do you see any bad thing about these steps or can you please recommend
> me any further step in order to make things properly?

The process looks good to me, though I'm not totally sure about step #3.
I use the "openssl ca ..." command to sign my certificates; it needs a
config file but also keeps an index file and an archive structure of issued
certificates, which is (IMHO) worth the work.

But, are you sure that you want to keep your CA key unprotected? I'd
advise strongly against this. Issuing server certificates should be
seldom enough to do it manually by entering a password...

One hint: You probably won't be happy with a CA certificate expiring in
one year, since all your created certificates will be considered invalid
once the CA certificate becomes invalid.
So I'm quite sure you'll want to use at least 5 years as the expiry time
for your CA, or even more if distributing the CA certificate is some work.

Hope this helps
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: howto be my own CA for my new certificates

Tomas Macek-2
In reply to this post by yyy-2
Thank you! But now I'm spending my time on another issue with this: I
cannot create a certificate valid for longer than 1 month:

This is my CA certificate validity:
  ...
             Not Before: Aug  3 10:07:14 2011 GMT
             Not After : Aug  2 10:07:14 2012 GMT
  ...

This is my server's certificate validity (created today):
  ...
             Not Before: Aug  4 07:27:29 2011 GMT
             Not After : Sep  3 07:27:29 2011 GMT
  ...

The server certificate was created by command:
  openssl req -new -key server.key -out server.csr -days 365

As you can see, the "-days X" did not help...

Thank you


On Thu, 4 Aug 2011, yyy wrote:

> Everything seems to be fine, only for new installations it is recommended to use at least a 2048-bit key
> and, at least some time ago, openssl used to default to MD5 for certificate signatures;
> check if it is not the case.
>
>
>
> Quoting Tomas Macek <[hidden email]>:
>       We have some web servers and I want to create self signed certificates for
>       them.
>
>       What do I want:
>       - I want to create my own certification authority keys and
>       certificate, that will be imported to all web browsers of our employees
>       - I want to create certificates, that will be signed by my own
>       certification authority (previous step) and include them to the
>       apache/httpd configuration. I don't want our employees to be warned that
>       the certificate is not trusted (I cannot buy a REAL trusted certificate)
>
>       Reading FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29,
>       reading CA.pl from openssl-perl and discussions on inet for 2 days
>       gave me these steps, that I already performed:
>
>       1) creating my own CA:
>       openssl genrsa -des3 -out ca.key 1024
>       openssl rsa -in ca.key -out ca.key.unsecure
>       mv ca.key.unsecure ca.key
>       openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
>       2) creating my own server key and certification request:
>       openssl genrsa -des3 -out server.key 1024
>       openssl rsa -in server.key -out server.key.unsecure
>       mv server.key.unsecure server.key
>       openssl req -new -key server.key -out server.csr
>
>       3) signing the request by my own CA (see step 1):
>       openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl
>       > server.crt
>
>       4) I have imported the ca.crt into the web browser
>
>       5) the server.key and server.crt were included to the apache/httpd
>       configuration
>
>       After these steps the web page looks secured and no warning appears when I
>       enter the page.
>
>       Question:
>       ---------------
>       Do you see any bad thing about these steps or can you please recommend me
>       any further step in order to make things properly?
>
>       Best regards
>       Tomas
>

Re: howto be my own CA for my new certificates

Alan Buxey
Hi,

> Thank you! But now I'm spending my time with another issue with this: I
> cannot create certificate longer than I month:
>
> This is my CA certificate validity:
>   ...
>              Not Before: Aug  3 10:07:14 2011 GMT
>              Not After : Aug  2 10:07:14 2012 GMT
>   ...
>
> This is my server's certificate validity (created today):
>   ...
>              Not Before: Aug  4 07:27:29 2011 GMT
>              Not After : Sep  3 07:27:29 2011 GMT
>   ...
>
> The server certificate was created by command:
>   openssl req -new -key server.key -out server.csr -days 365
>
> As you can see, the "-days X" did not helped...

Check your openssl conf file, e.g. /etc/pki/tls/openssl.cnf on RedHat/CentOS.

This is the place where you can specify default values for duration, using SHA1
rather than MD5, default certificate size, etc.


alan

Re: howto be my own CA for my new certificates

Tomas Macek-2


On Thu, 4 Aug 2011, Alan Buxey wrote:

> Hi,
>> Thank you! But now I'm spending my time with another issue with this: I
>> cannot create certificate longer than I month:
>>
>> This is my CA certificate validity:
>>   ...
>>              Not Before: Aug  3 10:07:14 2011 GMT
>>              Not After : Aug  2 10:07:14 2012 GMT
>>   ...
>>
>> This is my server's certificate validity (created today):
>>   ...
>>              Not Before: Aug  4 07:27:29 2011 GMT
>>              Not After : Sep  3 07:27:29 2011 GMT
>>   ...
>>
>> The server certificate was created by command:
>>   openssl req -new -key server.key -out server.csr -days 365
>>
>> As you can see, the "-days X" did not helped...
>
> check your openssl conf file  - eg /etc/pki/tls/openssl.cnf on redhat/centos
>
> this is a place where you can specify default values for duration, using SHA1
> rather than MD5, default certificate size etc etc
>
>
> alan

Yes, I know about my config file /etc/pki/tls/openssl.cnf; here is its
content:
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

Is it possible that the "default_crl_days= 30" causes the strange
behaviour? If not, the "-days X" should do the job, but it doesn't. No
other text "30" is present in the file. Setting default_crl_days to
another value did not help...

Tomas

Re: howto be my own CA for my new certificates

Tomas Macek-2
In reply to this post by Bernhard Fröhlich-2


On Thu, 4 Aug 2011, Bernhard Fröhlich wrote:

> Am 04.08.2011 08:23, schrieb Tomas Macek:
>> We have some web servers and I want to create self signed certificates for
>> them.
>>
>> What do I want:
>> - I want to create my own certification authority keys and certificate,
>> that will be imported to all web browsers of our employees
>> - I want to create certificates, that will be signed by my own
>> certification authority (previous step) and include them to the
>> apache/httpd configuration. I don't want our employees to be warned that
>> the certificate is not trusted (I cannot buy a REAL trusted certificate)
>>
>> Reading FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29, reading
>> CA.pl from openssl-perl and discussions on inet for 2 days gave me these
>> steps, that I already performed:
>>
>> 1) creating my own CA:
>> openssl genrsa -des3 -out ca.key 1024
>> openssl rsa -in ca.key -out ca.key.unsecure
>> mv ca.key.unsecure ca.key
>> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>>
>> 2) creating my own server key and certification request:
>> openssl genrsa -des3 -out server.key 1024
>> openssl rsa -in server.key -out server.key.unsecure
>> mv server.key.unsecure server.key
>> openssl req -new -key server.key -out server.csr
>>
>> 3) signing the request by my own CA (see step 1):
>> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl
>>> server.crt
>>
>> 4) I have imported the ca.crt into the web browser
>>
>> 5) the server.key and server.crt were included to the apache/httpd
>> configuration
>>
>> After these steps the web page looks secured and no warning appears when I
>> enter the page.
>>
>> Question:
>> ---------------
>> Do you see any bad thing about these steps or can you please recommend me
>> any further step in order to make things properly?
>
> The process looks good to me, though I'm not totally sure about step #3. I
> use the "openssl ca ..." command to sign my certificates, it needs a config
> file but also keeps an index file and archive structure of issued
> certificates which is (IMHO) worth the work.
I have seen some users on the inet using this, but the configuration of
openssl.cnf is absolutely confusing for me; there are too many options, and
these steps seemed simpler to me, so I have tried these steps and hoped
they would be OK.

> But, are you sure that you want to keep your CA key unprotected? I'd advise
> strongly against this. Issuing server certificates should be seldom enough to
> do it manually by entering a password...
>
> One hint: You probably won't be happy with a CA certificate expiring in one
> year, since all your created certificates will be considered invalid once the
> CA certificate becomes invalid.
> So I'm quite sure you'll want to use at least 5 years as the expiry time for
> your CA, or even more if distributing the CA certificate is some work.

Thank you Ted, sure, I will prolong the 1 year to something more... 20
years for example :-)

Tomas
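As an added example (not code from the thread or from the OpenSSL project) of the "openssl ca" route Ted described, and of Alan's point that openssl.cnf supplies the defaults for it, here is a POSIX shell script that writes a minimal config file, sets up the index and serial files, and issues two server certificates: one gets its validity from default_days in the config, the other from -days on the "openssl ca" command line. It goes slightly beyond the thread by adding a subjectAltName extension to each server certificate. All paths, the subject names, the CA_PASS placeholder passphrase and the SERVER_FQDN environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): issuing server certificates with
# "openssl ca" instead of "x509 -req". The CA keeps index.txt (one line per
# issued certificate) and a serial file, and the validity period comes from
# default_days in the config file unless -days is given on the "openssl ca"
# command line. Paths, names and the CA_PASS passphrase are placeholders.
set -e

# write_ca_config DIR: write a minimal openssl.cnf for "openssl ca" into DIR
write_ca_config() {
    dir=$1
    {
        printf '[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]\ndir = %s\n' "$dir"
        cat <<'EOF'
database         = $dir/index.txt      # index of issued certificates
new_certs_dir    = $dir/newcerts       # copy of every issued cert, named by serial
serial           = $dir/serial         # next serial number (hex)
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_days     = 365                 # validity used when -days is not given
default_crl_days = 30                  # only affects CRLs, never certificates
default_md       = sha256              # avoid the old MD5 default
policy           = policy_any
x509_extensions  = server_ext
unique_subject   = yes                 # refuse a second valid cert for the same DN

[ policy_any ]
commonName       = supplied
organizationName = optional

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:${ENV::SERVER_FQDN}
EOF
    } > "$dir/openssl.cnf"
}

# init_ca DIR: create the CA key/cert and the bookkeeping files "openssl ca" needs
init_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # empty database
    echo 01 > "$dir/serial"       # first serial number
    # Placeholder passphrase; interactively you would let openssl prompt instead.
    CA_PASS="${CA_PASS:-placeholder-change-me}"; export CA_PASS
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/O=Example Corp/CN=Example Internal CA" -out "$dir/ca.crt"
    write_ca_config "$dir"
}

# issue_cert DIR FQDN [DAYS]: new server key and CSR, signed through "openssl ca"
issue_cert() {
    dir=$1; fqdn=$2; days=${3:-}
    SERVER_FQDN=$fqdn; export SERVER_FQDN   # consumed by subjectAltName in the config
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$fqdn.key" -subj "/CN=$fqdn" -out "$dir/$fqdn.csr"
    # -days, when given, overrides default_days from the config file
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin env:CA_PASS \
        ${days:+-days $days} -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt" >/dev/null 2>&1
}

# valid_for_days DIR FQDN N: exit 0 if the certificate is still valid N days from now
valid_for_days() {
    openssl x509 -in "$1/$2.crt" -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# issued_count DIR: number of valid ("V") entries in the index
issued_count() { grep -c '^V' "$1/index.txt"; }

# Run stand-alone as: sh openssl-ca-demo.sh /path/to/pki
if [ -n "${1:-}" ]; then
    init_ca "$1"
    issue_cert "$1" web01.example.internal        # 365 days, from default_days
    issue_cert "$1" web02.example.internal 30     # 30 days, from -days
    cat "$1/index.txt"
fi
```

Changing default_crl_days, as tried above, has no effect on certificate validity: it only sets the nextUpdate of CRLs generated with "openssl ca -gencrl".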

Re: howto be my own CA for my new certificates

Erwin Himawan

When you are creating a CA and issuing certificates, you are building a PKI (Public Key Infrastructure). In operating a PKI, you might want to consider crafting a certification policy specifying the process for managing the lifecycle of your certificates, securing the CA's private key, securing the server private key, etc. You can create a policy that meets your current security objectives. Your policy would be a living document to accommodate your evolving security objectives.

Also, as more certificate management features are needed, you might want to look into a PKI tool. Certificate management tools worth looking at are OpenCA (http://www.openca.org/projects/openca/downloads.shtml), Dogtag Certificate System (http://fedoraproject.org/wiki/Features/DogtagCertificateSystem), and EJBCA (http://ejbca.sourceforge.net/).

Erwin


RE: howto be my own CA for my new certificates

Dave Thompson-5
In reply to this post by Alan Buxey
> From: [hidden email] On Behalf Of Alan Buxey
> Sent: Thursday, 04 August, 2011 03:54

> > Thank you! But now I'm spending my time with another issue
> with this: I
> > cannot create certificate longer than I month:
<snip>
> > The server certificate was created by command:
> >   openssl req -new -key server.key -out server.csr -days 365
> >
> > As you can see, the "-days X" did not helped...
>
> check your openssl conf file  - eg /etc/pki/tls/openssl.cnf
> on redhat/centos
>
For 'ca', use openssl.cnf. For 'x509 -req' as OP posted earlier,
use -days ON 'x509 -req' NOT ON 'req -new'.
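Putting the thread's advice together, here is an added example (not code from the thread or from the OpenSSL project) of the whole "x509 -req" procedure as a POSIX shell script: 2048-bit keys, SHA-256 signatures, a passphrase-protected CA key, a 10-year CA certificate, and -days given to "x509 -req", where it takes effect, rather than to "req -new", where it is ignored. It then checks the result the way a reviewer would: chain verification, signature algorithm, key size and validity length using "openssl x509 -checkend". File names, the subject names and the CA_PASS placeholder passphrase are assumptions made for the example; in real use the passphrase is typed at the prompt, as Ted suggested.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA following the
# advice given in the thread -- 2048-bit keys, SHA-256 signatures, an
# encrypted CA key, a 10-year CA certificate, and -days passed to
# "x509 -req" (where it applies) instead of "req -new" (where it is ignored).
# File names, subject names and the CA_PASS passphrase are placeholders.
set -e

# build_pki DIR FQDN: create the CA and one server certificate under DIR
build_pki() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    # Placeholder passphrase; interactively you would let openssl prompt instead.
    CA_PASS="${CA_PASS:-placeholder-change-me}"; export CA_PASS

    # 1) CA key, kept encrypted (AES-256), and a self-signed CA cert valid 10 years
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/O=Example Corp/CN=Example Internal CA" -out "$dir/ca.crt"

    # 2) server key (unencrypted so httpd can start unattended) and CSR.
    #    No -days here: "req -new" ignores it, a CSR carries no validity period.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$fqdn" \
        -out "$dir/server.csr"

    # 3) sign the CSR with the CA; this is the command where -days takes effect.
    #    -CAcreateserial creates ca.srl on first use, later runs reuse it.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS \
        -CAcreateserial -out "$dir/server.crt" 2>/dev/null
}

# check_pki DIR: return 0 only if the issued certificate looks right
check_pki() {
    dir=$1
    # server.crt must chain to ca.crt
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    # SHA-256, not the old MD5 default yyy warned about, and a 2048-bit key
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    # still valid in 360 days but not in 370: -days 365 on "x509 -req" took effect
    openssl x509 -in "$dir/server.crt" -noout -checkend $((360*86400)) >/dev/null || return 1
    if openssl x509 -in "$dir/server.crt" -noout -checkend $((370*86400)) >/dev/null; then
        return 1
    fi
    # the CA certificate outlives the server certificates it signs (Ted's point)
    openssl x509 -in "$dir/ca.crt" -noout -checkend $((3640*86400)) >/dev/null
}

# Run stand-alone as: sh private-ca.sh /path/to/pki www.example.internal
if [ -n "${1:-}" ]; then
    build_pki "$1" "${2:-www.example.internal}"
    check_pki "$1" && echo "PKI under $1 passes all checks"
fi
```

The -CAserial/-CAcreateserial file is what keeps serial numbers unique across signings; with the original command's bare -CAserial ca.srl the first run fails unless that file already exists.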




RE: howto be my own CA for my new certificates

Tomas Macek-2


On Thu, 4 Aug 2011, Dave Thompson wrote:

>> From: [hidden email] On Behalf Of Alan Buxey
>> Sent: Thursday, 04 August, 2011 03:54
>
>>> Thank you! But now I'm spending my time with another issue
>> with this: I
>>> cannot create certificate longer than I month:
> <snip>
>>> The server certificate was created by command:
>>>   openssl req -new -key server.key -out server.csr -days 365
>>>
>>> As you can see, the "-days X" did not helped...
>>
>> check your openssl conf file  - eg /etc/pki/tls/openssl.cnf
>> on redhat/centos
>>
> For 'ca', use openssl.cnf. For 'x509 -req' as OP posted earlier,
> use -days ON 'x509 -req' NOT ON 'req -new'.

That was the mistake, thank you! Works!

Tomas