Making a self-signed TLS certificate: Difference between revisions

From ThinkServer
>Samthecrazyman
m Small format changes
Added preliminary Let's Encrypt statements
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
Sending data over the internet unencrypted means anybody with the right tools can see this data. Making a certificate means that you can then encrypt the data. This means that the data is no longer readable to anybody that doesn't have the certificate. This guide will show you how to make a certificate authority, sign and make an SSL certificate ready to be used by your web server.
Sending data over the internet unencrypted means anybody with the right tools can see this data. Making a certificate means that you can then encrypt the data. This means that the data is no longer readable to anybody that doesn't have your certificate. This guide will show you how to make a certificate authority, sign and make an TLS certificate ready to be used by your web server.


==What you need to know==
Due to the way the encryption landscape has changed on the internet, we will be creating a ECDSA certificate. EC stands for Elliptic Curve and uses prime number curves which allow smaller key sizes for the same amount or better protection than the larger traditional key sizes. As of TLS 1.3, ECDSA is the only supported key exchange method and is now widely supported so is highly recommended over RSA.


* You will be making a self-signed certificate. This will make all browsers through up an error. This is OK and can usually be avoided in the future by using an exception.
SSL is now deprecated and disabled on most modern browsers and servers. There are lists of vulnerability in everything but the latest TLS versions. Recommended versions are TLS v1.2 (now widely supported) and TLS v1.3 (Newer and more secure, support is gaining way. Supported on =>[[openSUSE Leap 15.2]]). We refer to SSL as TLS as this protocol replaced SSL and is supported by most browsers and is now what is used by default.
* To make it easier, it is suggested to make all the certificates in a dedicated folder somewhere that you have easy access to, for example in your home folder. This will avoid permission problems.
 
* If your making a certificate without a password, the resulting certificate must be kept in a safe place. If this certificate is '''EVER''' disclosed, any data can be decrypted from the server and you must revoke the certificate.
We used to use self-signed certificates on the server as it was not cost effective to buy an TLS certificate each year on the server. [https://letsencrypt.org/ Let's Encrypt] allow us to make fully trusted certificates for our domain using a small script program called [https://github.com/acmesh-official/acme.sh <code>acme.sh</code>] which we now use as it more than fulfils our needs. We use <code>acme.sh</code> as it allows us to create ECC certificates which Let's Encrypt <code>certbot</code> would not allow us to do. A limitation is that certificates only last 3 months, but this is for security.
* Many of the fields when making a certificate authority or server certificate are dated. The ones marked '''(OPTIONAL)''' don't have to be filled in.
 
* If copying from the terminal code boxes on this page, there is no need to type the '#', this is where the prompt to type starts on a terminal prompt.
== Creating a signed certificate with Let's Encrypt and <code>acme.sh</code> ==


==Creating a certificate authority==
TBD


A certificate authority allows you to sign the SSL certificate with some data about yourself and the server. This is created before making the certificate. If you install this certificate authority onto a web browser, it will then accept your certificate as trusted.
== Creating a self-signed certificate ==
* Open a terminal window.
* Make a key for the certificate authority. You can choose your cipher by changing the '-aes256' option to your choice. A list of ciphers is available [[OpenSSL ciphers|here]]. Type the following:


  # openssl genrsa -aes256 -out ca.key 4096
=== What you need to know ===


* Choose and type a password when asked, then retype it for verification. Remember this password for later.
* You will be making a self-signed certificate. All browsers through up an error. This is OK and can usually be avoided in the future by using an exception.
* Make the certificate authority certificate. You can change the number of days the certificate is valid for by changing the '-days 365' option. Type the following:
* To make it easier, it is suggested to make all the certificates in a dedicated folder somewhere that you have easy access to, for example in your home folder. This will avoid permission problems.
* If your making a certificate with a private key without a password, the resulting certificate must be kept in a safe place. If this private key is '''EVER''' disclosed, anyone can use your certificate and pose as you. The newest versions of Apache only allow www and root users to read the key folder by default. If the private key is believed to be compromised, you should immediately revoke affected certificates and generate new certificates with a new private key.
* Many of the fields when making a certificate authority or server certificate are dated. The ones marked '''(OPTIONAL)''' don't have to be filled in.


  # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
=== Create an elliptic curve private key ===


* You will be asked for the password you used to make the key earlier. Type it in when asked.
* Open a terminal window.
* Type in a Country code when asked (GB for England).
* Type the following into the terminal:
* Type in a State or Provence (or County in England) when asked. '''(OPTIONAL)'''
* Type in a Locality (a town) when asked. '''(OPTIONAL)'''
* Type in an Organisation name when asked. '''(OPTIONAL)'''
* Type in an Organisation unit when asked. '''(OPTIONAL)'''
* Type in a Common name when asked. This is a very important field. Contrary to what the program says, this is not for your name, but the name of the certificate authority. Thinking ahead here, it must not match the common name you want to use for your server certificate. If you want to use similar names for both (for example, in my case 'hpserver' for the server certificate), it is advisable to append CA to the end of the common name you are using for the certificate authority (hpserver CA). If you do duplicate the names, you will '''NOT''' be able to create server certificate.
* Type in an e-mail address when asked. This is the e-mail address people will contact you on if there is a problem with the certificates. Make sure you type an address you would access often enough.
* After pushing enter on the last option, you will be back at the terminal. Your CA certificate is now ready!


==Creating a server certificate==
  # openssl ecparam -genkey -name prime384v1 -out key.pem


* Make a server key. You can choose your cipher by changing the '-aes256' option to your choice. A list of ciphers is available [[OpenSSL ciphers|here]]. Type the following:
* '''NOTE:''' This is the private key that must be kept safe. If anyone gets hold of this, they will be able to decrypt your data.


  # openssl genrsa -aes256 -out server.key 4096
=== Creating a Certificate Signing Request (CSR) ===


* Choose and type a password when asked, then retype it for verification. Remember this password for later.
A certificate signing request combines the private key and some information to fill out the certificate with and makes a public key out of this information. Type the following into the terminal:
* Make a server certificate. This is similar to making a certificate authority certificate. You can change the number of days the certificate is valid for by changing the '-days 365' option. Type the following:


   # openssl req -new -key server.key -out server.csr
   openssl req -new -key key.pem -out csr.pem


* You will be asked for the password you used to make the key earlier. Type it in when asked.
You will be presented with some options to fill out:
* Type in a Country code when asked (GB for England).
* Type in a Country code when asked (GB for England).
* Type in a State or Provence (or County in England) when asked. '''(OPTIONAL)'''
* Type in a State or Provence (or County in England) when asked. '''(OPTIONAL)'''
* Type in a Locality (a town) when asked. '''(OPTIONAL)'''
* Type in a Locality (a town or city) when asked. '''(OPTIONAL)'''
* Type in an Organisation name when asked. '''(OPTIONAL)'''
* Type in an Organisation name (or company name) when asked. If left blank, it will be filled with 'Internet Widgets Pty.'. '''(OPTIONAL)'''
* Type in an Organisation unit when asked. '''(OPTIONAL)'''
* Type in an Organisation unit (or department within company) when asked. '''(OPTIONAL)'''
* Type in a Common name when asked (remember this must be different from the CA common name as explained earlier or it will fail later!)
* Type in a Common name when asked. This is is usually a FQDN, but can be what you usually how you access the page by (IP address, hostname, or FQDN).
* Type in an e-mail address when asked.
* Type in an e-mail address when asked. This is the e-mail address people will contact you on if there is a problem with the certificates. Make sure you type an address you would access often enough.
* You will be asked two extra options:
* Type a challenge password (this will stop the private key being accessible, but is not required. If going for simplicity, don't type a password). '''(OPTIONAL)'''
** A challenge password '''(OPTIONAL)'''
* Type an optional company name (this is an extra attribute and isn't required). '''(OPTIONAL)'''
** A company name '''(OPTIONAL)'''
* After pushing enter on the last option, you will be back at the terminal. Your server certificate is now ready!
 
== Signing the server certificate with your certificate authority ==
 
* Change the '-set_serial 01' option if you already have a certificate with the same serial number. If you use the same serial number as a certificate already in use or expired, it will cause a serious exception and the web browser will not let you proceed further until this is fixed on the server. Think ahead now! Type the following into the terminal:


  # openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
As a side note, a challenge password can be used while the certificate is in storage and stripped off when used for the server for security.


* Type in your password for the certificate authority key when asked.
=== Creating the certificate ===
* When returned to the terminal, your server certificate is now signed by the certificate authority.


== Removing the password from the server key ==
With the private key and the certificate signing request we made earlier, we can now make the certificate. Type the following into the terminal:


The next options will stop Apache asking for the server key password every time your computer restarts or you restart the Apache service. You do not have to do this step, it is your choice and is entirely optional. Remember though, if your server key is then disclosed without a password, your encryption can be decrypted by anybody with the tools - treat the server key with great care!
openssl req -x509 -days 365 -rand /dev/random -key key.pem -in csr.pem -out cert.pem


* Type the following:
* If that command blocks and takes too long, try using <code>urandom</code> instead of random. It may be worth the wait as <code>/dev/random</code> is considered to have better random data but may take a long time to gather enough random data to be useful.


  # openssl rsa -in server.key -out server.key.insecure
* No more than a year (365 years) validity is recommended as browsers are starting to not accept any certificates issued recently that have more than a year validity. This does not affect older certificates already issued.


* Type in your server key password when asked.
=== Securing Apache the with certificate created ===
* The key without a password has the ''insecure'' extension to its file name. The ''insecure'' extension should be removed when it is being implemented on the server.


== See also ==
See the following article:


* [[Securing Apache with an SSL/TLS certificate]]
[[Apache HTTP Server#HTTPS.2FTLS|HTTPS/TLS in Apache HTTP Server article]]
* [[OpenSSL ciphers]]


== External Links ==
== External Links ==


Thank you so much to the creators of this page:
https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/ - Thanks for the information, your site helped us change over to ECDSA!
 
http://www.tc.umn.edu/~brams006/selfsign.html
 
It would not have been possible to write this article or secure my own server without it! :-)
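Review bot: The revised introduction still promises to "make a certificate authority, sign and make an TLS certificate", but this revision drops the "Creating a certificate authority" and "Signing the server certificate" sections and self-signs directly with `openssl req -x509 ... -key key.pem -in csr.pem`, so the introduction should be reworded to match the procedure that remains. In the new validity bullet, "(365 years)" should read 365 days to agree with `-days 365`. The added sentence calling ECDSA "the only supported key exchange method" describes a signature algorithm as a key exchange and needs a source or rewording. The curve name `prime384v1` in the new `ecparam` command should be checked against `openssl ecparam -list_curves`, which names the 384-bit prime curve `secp384r1`.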

Latest revision as of 01:29, 13 June 2021

Sending data over the internet unencrypted means anybody with the right tools can see this data. Making a certificate means that you can then encrypt the data. This means that the data is no longer readable to anybody that doesn't have your certificate. This guide will show you how to make a certificate authority, sign and make a TLS certificate ready to be used by your web server.

Due to the way the encryption landscape has changed on the internet, we will be creating an ECDSA certificate. EC stands for Elliptic Curve and uses prime number curves, which allow smaller key sizes for the same or better protection than the larger traditional key sizes. As of TLS 1.3, ECDSA is the only supported key exchange method and is now widely supported, so it is highly recommended over RSA.

SSL is now deprecated and disabled on most modern browsers and servers. There are lists of vulnerabilities in everything but the latest TLS versions. Recommended versions are TLS v1.2 (now widely supported) and TLS v1.3 (newer and more secure, with support growing; supported on openSUSE Leap 15.2 and later). We refer to SSL as TLS because this protocol replaced SSL, is supported by most browsers and is now what is used by default.

We used to use self-signed certificates on the server as it was not cost effective to buy a TLS certificate each year for the server. Let's Encrypt allows us to make fully trusted certificates for our domain using a small script program called acme.sh, which we now use as it more than fulfils our needs. We use acme.sh as it allows us to create ECC certificates, which Let's Encrypt certbot would not allow us to do. A limitation is that certificates only last 3 months, but this is for security.

Creating a signed certificate with Let's Encrypt and acme.sh

TBD

Creating a self-signed certificate

What you need to know

  • You will be making a self-signed certificate. All browsers will throw up an error. This is OK and can usually be avoided in the future by using an exception.
  • To make it easier, it is suggested to make all the certificates in a dedicated folder somewhere that you have easy access to, for example in your home folder. This will avoid permission problems.
  • If you're making a certificate with a private key without a password, the resulting certificate must be kept in a safe place. If this private key is EVER disclosed, anyone can use your certificate and pose as you. The newest versions of Apache only allow www and root users to read the key folder by default. If the private key is believed to be compromised, you should immediately revoke affected certificates and generate new certificates with a new private key.
  • Many of the fields when making a certificate authority or server certificate are dated. The ones marked (OPTIONAL) don't have to be filled in.

Create an elliptic curve private key

  • Open a terminal window.
  • Type the following into the terminal:
 openssl ecparam -genkey -name secp384r1 -out key.pem
  • NOTE: This is the private key that must be kept safe. If anyone gets hold of this, they will be able to decrypt your data.

Creating a Certificate Signing Request (CSR)

A certificate signing request combines the private key with some information used to fill out the certificate, and makes a public key out of this information. Type the following into the terminal:

 openssl req -new -key key.pem -out csr.pem

You will be presented with some options to fill out:

  • Type in a Country code when asked (GB for England).
  • Type in a State or Province (or County in England) when asked. (OPTIONAL)
  • Type in a Locality (a town or city) when asked. (OPTIONAL)
  • Type in an Organisation name (or company name) when asked. If left blank, it will be filled with 'Internet Widgets Pty.'. (OPTIONAL)
  • Type in an Organisation unit (or department within company) when asked. (OPTIONAL)
  • Type in a Common name when asked. This is usually an FQDN, but can be whatever you usually use to access the page (IP address, hostname, or FQDN).
  • Type in an e-mail address when asked. This is the e-mail address people will contact you on if there is a problem with the certificates. Make sure you type an address you would access often enough.
  • Type a challenge password (this will stop the private key being accessible, but is not required. If going for simplicity, don't type a password). (OPTIONAL)
  • Type an optional company name (this is an extra attribute and isn't required). (OPTIONAL)

As a side note, a challenge password can be used while the certificate is in storage and stripped off when used for the server for security.

Creating the certificate

With the private key and the certificate signing request we made earlier, we can now make the certificate. Type the following into the terminal:

 openssl req -x509 -days 365 -rand /dev/random -key key.pem -in csr.pem -out cert.pem

  • If that command blocks and takes too long, try using urandom instead of random. It may be worth the wait as /dev/random is considered to have better random data but may take a long time to gather enough random data to be useful.
  • No more than a year (365 days) validity is recommended as browsers are starting to not accept any certificates issued recently that have more than a year validity. This does not affect older certificates already issued.
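
The key, CSR and certificate steps above as one non-interactive script, followed by checks that the certificate matches the key, is self-signed, uses the P-384 curve and lasts 365 days. This is an added example, not part of the original article; the common name server.example.test, the temporary directory and the function names are assumptions, and it uses secp384r1, OpenSSL's name for the 384-bit prime curve.

```shell
#!/bin/sh
# Added example: the key -> CSR -> certificate steps run non-interactively,
# followed by checks on the result. Common name and paths are placeholders.

# True if the installed OpenSSL knows the named curve.
curve_known() {
    openssl ecparam -list_curves | grep -Eq "^[[:space:]]*$1[[:space:]]*:"
}

# make_selfsigned DIR CN: writes key.pem, csr.pem and cert.pem into DIR.
make_selfsigned() (
    dir=$1 cn=$2
    umask 077    # files created below are readable by their owner only
    curve_known secp384r1 || exit 1
    # -noout leaves the separate "EC PARAMETERS" block out of key.pem
    openssl ecparam -genkey -name secp384r1 -noout -out "$dir/key.pem" &&
    # -subj answers the prompts; only the country and common name are set
    openssl req -new -key "$dir/key.pem" -subj "/C=GB/CN=$cn" -out "$dir/csr.pem" &&
    # -rand is omitted here: OpenSSL seeds its own generator from the system
    openssl req -x509 -days 365 -key "$dir/key.pem" -in "$dir/csr.pem" -out "$dir/cert.pem"
)

# check_cert DIR: succeeds only if cert.pem passes every check below.
check_cert() {
    dir=$1
    # 1. The certificate carries the public half of key.pem.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    # 2. It is self-signed: its signature verifies against itself.
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # 3. It is on the P-384 curve.
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -q 'secp384r1' || return 1
    # 4. Valid for 365 days: still valid in 364 days, expired by day 366.
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((364 * 86400)) >/dev/null || return 1
    ! openssl x509 -in "$dir/cert.pem" -noout -checkend $((366 * 86400)) >/dev/null
}

# key_mode DIR: prints the permission string of key.pem.
key_mode() { ls -l "$1/key.pem" | cut -c1-10; }

workdir=$(mktemp -d)
if make_selfsigned "$workdir" server.example.test && check_cert "$workdir"; then
    echo "cert.pem matches key.pem, self-signed, P-384, 365 days; key mode $(key_mode "$workdir")"
fi
rm -rf "$workdir"
```

Running `curve_known prime384v1` against the same OpenSSL shows whether a curve name is accepted before it is used in `ecparam -genkey`.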

Securing Apache with the certificate created

See the following article:

HTTPS/TLS in Apache HTTP Server article

External Links

https://msol.io/blog/tech/create-a-self-signed-ecc-certificate/ - Thanks for the information, your site helped us change over to ECDSA!