How-to create your own Certificate Authority

3-minute read

How-to create your own Certificate Authority (or the better way to get working snake oil certificates for internal use).

As I have a local owncloud installation I was searching how to create certificates which work well in Iron, Thunderbird and the owncloud client. Therefore basically I used: the how to which I found on https://niklas-rother.de/artikel/die-eigene-certificate-authority-ca/.

When I was finished I found out that Iron was still complaining about the certificate. The issue was the missing SubjectAltName in the certificate. Therefore I searched and I found the following how to explaining how to add it http://apetec.com/support/GenerateSAN-CSR.htm.

And here’s now my solution:

  1. I’ve create a folder 'ca-cert' in my root home directory and changed the owner flags with chmod 700. To prevent everyone except root from reading that folder.

  2. I changed into that directory and created a secrete key with 4096 bit for my CA

    

    

    1

    		


    $ openssl genrsa -des3 -out ca.key 4096

  3. Afterwards I’ve created the certificate for the CA which should be valid for 5 years:

    

    

    1

    		


    $ openssl req -new -x509 -days 1825 -key ca.key -out ca.crt

The following steps now need to be repeated (e.g. if you want to create a new certificate for a new server or if you want to renew a certificate when the validity date was reached).

Before we start with the certificate request and so on we need to take care about a few configurations to be made in /etc/ssl/openssl.cnf:

  1. Search for req_extensions if it’s not in you should create it. If it’s commented remove the comment. The Line must look like:

    

    

    1

    		


    req_extensions = v3_req # The extensions to add to a certificate request

  2. Afterwards search for 'v3_req'. The section should look like (Note: That the DNS.1 and IP.1 entry will be used for every certificate you create with this openssl.cnf. If you want to create multiple it makes sense to put those properties into a single file per server. I did not try how to do this.):

    

    

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

    		


    [ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1=server.dns1
IP.1=127.0.0.1</pre>

  3. Save your editor and close the file.

Now we can create our certificate:

  1. First we need a key for the new certificate (also with 4096 bit)

    

    

    1

    		


    $ openssl genrsa -des3 -out sid-owncloud.key 4096

  2. Now we create the signing request:

    

    

    1

    		


    $ openssl req -new -out sid-owncloud.csr -key sid-owncloud.key -config /etc/ssl/openssl.cnf

  3. This signing request can now be signed by the CA and the certificate will be created

    

    

    1

    		


    $ openssl x509 -req -days 730 -in sid-owncloud.csr -CA ../ca.crt -CAkey ../ca.key -set_serial 04 -out sid-owncloud.crt -extensions v3_req -extfile /etc/ssl/openssl.cnf

  4. At the end you might want to remove the password for the servers key files (e.g. to use it in an apache2 config):

    

    

    1

    		


    $ openssl rsa -in sid-owncloud.key -out sid-owncloud.insecure.key

  5. Now you just need to configure your servers (to use the new certificate) and clients (to trust the root CAs certificate as trusted CA).