Thu. Mar 28th, 2024
creating a certificate authority

Ready to create your own self signed certificates?  First step is to crate a Certificate Authority.  It’s easy if you follow the correct steps. We’ll break this down into different sections.

Install OpenSSL

Assuming your on Linux, you will need to issue the command “sudo apt-get install openssl”.  This will install openssl on your system for you.  Now you have it installed your ready to get cracking!

Create your Certificate Authority Key

First step is to create your Certificate Authority Key.  This is fairly simple process.  Follow the steps below:

  1. Change directory to the location you want create your Certificate Authority Key. Henceforth known as your SSL directory
  2. Enter the command “openssl” this will open the openssl command problem to make it easier to enter the commands.
  3. Enter the command “genrsa -out rootCA.key 2048“.  This will create a 2048 bit Key, much more secure than the 1024, but not as secure as the 4096.  Increasing to 4096 will create additional work on each machine encoding/decoding against that key.
  4. Now you need to sign your Certificate Authority key, enter this command: “req -x509 -new -nodes -key rootCA.key -sha256 -days 1095 -out rootCA.pem” Fill out the questions your prompted to complete.Certificate Authority
  5. You need to keep your rootCA.key file safe, this is the key to keeping your Certificate Authority trustworthy.
  6. You now have a rootCA.pem this is the file you pass around to add your Certificate Authority to browsers.

Create an Intermediate Certificate Authority Key

You crate an Intermediate Certificate Authority Key to do the bulk of your signing.  This allows you to keep your Certificate Authority Key secure and seldom used.  Thus if the Intermediate Certificate Authority Key is compromised you can revoke it, and generate a new one.

  1. Change directory to your SSL directory
  2. Enter the command “openssl” this will open the openssl command problem to make it easier to enter the commands.
  3. Enter the command “genrsa -out rootIntCA.key 2048“.  This will create a 2048 bit Key, again much more secure than the 1024, but not as secure as the 4096.  Increasing to 4096 will create additional work on each machine encoding/decoding against that key.
  4. Next enter the command “req -new -key rootIntCA.key -out rootIntCA.csr“.  You will be given the same prompts as before, however this time you need to complete it terms of the device your creating the Key for.  One extremely important step, is the “Common Name (e.g. server FQDN or YOUR name)” prompt, must be the hostname you see in your browser if your creating a key for SSL in the browser.  If it’s a Fully Qualified Domain Name, or an IP address that is the value you need to enter into this field.  Otherwise it will not work.
  5. Finally it’s time to sign the key, use this command “x509 -req -in rootIntCA.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -sha256 -days 730 -out rootIntCA.pem“.  This will create a certificate that is valid for 2 years (730 days).
  6. Now you have your key hostname.key
  7. Now you have your certificate hostname.crt

Create Keys for devices

Now your ready to start creating keys for devices.  This follows a process that is very similar to creating the CA key above.

  1. Change directory to your SSL directory
  2. Enter the command “openssl” this will open the openssl command problem to make it easier to enter the commands.
  3. Enter the command “genrsa -out hostname.key 2048“.  This will create a 2048 bit Key, again much more secure than the 1024, but not as secure as the 4096.  Increasing to 4096 will create additional work on each machine encoding/decoding against that key.
  4. Next enter the command “req -new -key hostname.key -out hostname.csr“.  You will be given the same prompts as before, however this time you need to complete it terms of the device your creating the Key for.  One extremely important step, is the “Common Name (e.g. server FQDN or YOUR name)” prompt, must be the hostname you see in your browser if your creating a key for SSL in the browser.  If it’s a Fully Qualified Domain Name, or an IP address that is the value you need to enter into this field.  Otherwise it will not work.
  5. Finally it’s time to sign the key, use this command “x509 -req -in hostname.csr -CA rootIntCA.pem -CAkey rootIntCA.key -CAcreateserial -out hostname.crt -days 730  -sha256“.  This will create a certificate that is valid for 2 years (730 days).
  6. Now you have your key hostname.key
  7. Now you have your certificate hostname.crt

Create a Key/Certificate for your email ID

  1. Change directory to your SSL directory
  2. Enter the command “openssl” this will open the openssl command problem to make it easier to enter the commands.
  3. Enter the command “genrsa -out username.key 2048“.  This will create a 2048 bit Key, again much more secure than the 1024, but not as secure as the 4096.  Increasing to 4096 will create additional work on each machine encoding/decoding against that key.
  4. Next enter the command “req -new -key username.key -out username.csr“.  You will be given the same prompts as before, however this time you need to complete it terms of the device your creating the Key for.  One extremely important step, is the “Common Name (e.g. server FQDN or YOUR name)” prompt, must be your name. Also the Email Address field must be set to your email address. Otherwise it will not work.
  5. Finally it’s time to sign the key, use this command “pkcs12 -export -out username.p12 -days 365 -inkey username.key -in username.crt -chain -CAfile rootIntCA.crt“.
  6. Now you have your key username.key
  7. Now you have your certificate username.p12

By Jeffery Miller

I am known for being able to quickly decipher difficult problems to assist development teams in producing a solution. I have been called upon to be the Team Lead for multiple large-scale projects. I have a keen interest in learning new technologies, always ready for a new challenge.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d