From MattWiki

Certificate Authority[edit | edit source]

Creating a Certificate Authority[edit | edit source]

Revoking a Certificate[edit | edit source]

Self-signed SSL certificates[edit | edit source]

Self-signed SSL certificates are the easiest way to get your SSL server working. However unless you take some action to prevent it, this is at the cost of security:

  • The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user's password and so on.
  • If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.

The only way to be fully secure is to import the SSL certificate to client's (or operating system's) list of trusted CA certificates prior to first connection. See SSL/CertificateClientImporting how to do it for different clients.

Creating your on CA[edit | edit source]

Create the SSL Environment[edit | edit source]

mkdir -m 0755 myCA
mkdir -m 0755 myCA/private
mkdir -m 0755 myCA/certs
mkdir -m 0755 myCA/newcerts
mkdir -m 0755 myCA/crl
cd myCA
cp /etc/pki/tls/openssl.cnf
chmod 0600 openssl.cnf
touch index.txt
echo '01' > serial

Create The CA Key/Cert[edit | edit source]

First we need to create a CA Cert to sign the different server keys and to distribute.

openssl req -config -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

And correct the permissions

chmod 0400 private/myca.key

Create a Server Key/Cert[edit | edit source]

First create the Key and CSR file.

openssl req -config -new -nodes -keyout private/<server_name>.key -out <server_name>.csr -days 365

Next sign the CSR file with your CA Key.

openssl ca -config -policy policy_anything -out certs/<server_name>.crt -infiles <server_name>.csr