Making a self-signed TLS certificate

From ThinkServer
Revision as of 03:15, 1 March 2012 by >Samthecrazyman (Small format changes)

Sending data over the internet unencrypted means anybody with the right tools can see this data. Making a certificate means that you can then encrypt the data. This means that the data is no longer readable to anybody that doesn't have the certificate. This guide will show you how to make a certificate authority, sign and make an SSL certificate ready to be used by your web server.

What you need to know

  • You will be making a self-signed certificate. This will make all browsers through up an error. This is OK and can usually be avoided in the future by using an exception.
  • To make it easier, it is suggested to make all the certificates in a dedicated folder somewhere that you have easy access to, for example in your home folder. This will avoid permission problems.
  • If your making a certificate without a password, the resulting certificate must be kept in a safe place. If this certificate is EVER disclosed, any data can be decrypted from the server and you must revoke the certificate.
  • Many of the fields when making a certificate authority or server certificate are dated. The ones marked (OPTIONAL) don't have to be filled in.
  • If copying from the terminal code boxes on this page, there is no need to type the '#', this is where the prompt to type starts on a terminal prompt.

Creating a certificate authority

A certificate authority allows you to sign the SSL certificate with some data about yourself and the server. This is created before making the certificate. If you install this certificate authority onto a web browser, it will then accept your certificate as trusted.

  • Open a terminal window.
  • Make a key for the certificate authority. You can choose your cipher by changing the '-aes256' option to your choice. A list of ciphers is available here. Type the following:
 # openssl genrsa -aes256 -out ca.key 4096
  • Choose and type a password when asked, then retype it for verification. Remember this password for later.
  • Make the certificate authority certificate. You can change the number of days the certificate is valid for by changing the '-days 365' option. Type the following:
 # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  • You will be asked for the password you used to make the key earlier. Type it in when asked.
  • Type in a Country code when asked (GB for England).
  • Type in a State or Provence (or County in England) when asked. (OPTIONAL)
  • Type in a Locality (a town) when asked. (OPTIONAL)
  • Type in an Organisation name when asked. (OPTIONAL)
  • Type in an Organisation unit when asked. (OPTIONAL)
  • Type in a Common name when asked. This is a very important field. Contrary to what the program says, this is not for your name, but the name of the certificate authority. Thinking ahead here, it must not match the common name you want to use for your server certificate. If you want to use similar names for both (for example, in my case 'hpserver' for the server certificate), it is advisable to append CA to the end of the common name you are using for the certificate authority (hpserver CA). If you do duplicate the names, you will NOT be able to create server certificate.
  • Type in an e-mail address when asked. This is the e-mail address people will contact you on if there is a problem with the certificates. Make sure you type an address you would access often enough.
  • After pushing enter on the last option, you will be back at the terminal. Your CA certificate is now ready!

Creating a server certificate

  • Make a server key. You can choose your cipher by changing the '-aes256' option to your choice. A list of ciphers is available here. Type the following:
 # openssl genrsa -aes256 -out server.key 4096
  • Choose and type a password when asked, then retype it for verification. Remember this password for later.
  • Make a server certificate. This is similar to making a certificate authority certificate. You can change the number of days the certificate is valid for by changing the '-days 365' option. Type the following:
 # openssl req -new -key server.key -out server.csr
  • You will be asked for the password you used to make the key earlier. Type it in when asked.
  • Type in a Country code when asked (GB for England).
  • Type in a State or Provence (or County in England) when asked. (OPTIONAL)
  • Type in a Locality (a town) when asked. (OPTIONAL)
  • Type in an Organisation name when asked. (OPTIONAL)
  • Type in an Organisation unit when asked. (OPTIONAL)
  • Type in a Common name when asked (remember this must be different from the CA common name as explained earlier or it will fail later!)
  • Type in an e-mail address when asked.
  • You will be asked two extra options:
    • A challenge password (OPTIONAL)
    • A company name (OPTIONAL)
  • After pushing enter on the last option, you will be back at the terminal. Your server certificate is now ready!

Signing the server certificate with your certificate authority

  • Change the '-set_serial 01' option if you already have a certificate with the same serial number. If you use the same serial number as a certificate already in use or expired, it will cause a serious exception and the web browser will not let you proceed further until this is fixed on the server. Think ahead now! Type the following into the terminal:
 # openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
  • Type in your password for the certificate authority key when asked.
  • When returned to the terminal, your server certificate is now signed by the certificate authority.

Removing the password from the server key

The next options will stop Apache asking for the server key password every time your computer restarts or you restart the Apache service. You do not have to do this step, it is your choice and is entirely optional. Remember though, if your server key is then disclosed without a password, your encryption can be decrypted by anybody with the tools - treat the server key with great care!

  • Type the following:
 # openssl rsa -in server.key -out server.key.insecure
  • Type in your server key password when asked.
  • The key without a password has the insecure extension to its file name. The insecure extension should be removed when it is being implemented on the server.

See also

External Links

Thank you so much to the creators of this page:

http://www.tc.umn.edu/~brams006/selfsign.html

It would not have been possible to write this article or secure my own server without it! :-)