Creating a Certificate Authority
Revoking a Certificate
Self-signed SSL certificates
Self-signed SSL certificates are the easiest way to get your SSL server working. However, unless you take some action to prevent it, this comes at the cost of security:
- The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attacker can easily bypass all the SSL security, steal the user's password and so on.
- If the client was lucky enough not to be attacked the first time it connected, the following connections will be secure as long as the client permanently saved the certificate. Some clients do this automatically, while others have to be manually configured to accept the certificate.
The only way to be fully secure is to import the SSL certificate into the client's (or operating system's) list of trusted CA certificates prior to the first connection. See SSL/CertificateClientImporting for how to do this with different clients.
Creating your own CA
Create the SSL Environment
mkdir -m 0755 myCA
mkdir -m 0755 myCA/private
mkdir -m 0755 myCA/certs
mkdir -m 0755 myCA/newcerts
mkdir -m 0755 myCA/crl
cd myCA
cp /etc/pki/tls/openssl.cnf openssl.my.cnf
chmod 0600 openssl.my.cnf
touch index.txt
echo '01' > serial
Create The CA Key/Cert
First we need to create a CA certificate, which is used to sign the different server certificates and which you distribute to the clients.
openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
Then restrict the permissions of the CA key:
chmod 0400 private/myca.key
Create a Server Key/Cert
First create the key and the CSR file.
openssl req -config openssl.my.cnf -new -nodes -keyout private/<server_name>.key -out <server_name>.csr -days 365
Next, sign the CSR file with your CA key.
openssl ca -config openssl.my.cnf -policy policy_anything -out certs/<server_name>.crt -infiles <server_name>.csr
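The whole procedure above as one self-contained shell script (an added example, not the wiki's own commands): it writes a minimal openssl.my.cnf instead of copying the RHEL-specific /etc/pki/tls/openssl.cnf, uses assumed names ("My Private CA", mail.example.com, a temporary directory), and ends with the openssl verify check that a client can only pass once myca.crt has been imported as trusted.

```shell
# Constructed example (not from the wiki): build a private CA, issue one server
# certificate, and run the chain check a client performs once myca.crt is trusted.
build_ca() {                      # $1 = CA directory to create
    mkdir -p "$1/private" "$1/certs" "$1/newcerts" "$1/crl" && chmod 0700 "$1/private"
    touch "$1/index.txt" && echo '01' > "$1/serial"
    # Minimal config written here instead of copying /etc/pki/tls/openssl.cnf,
    # so the example runs on any system; $dir is the CA directory itself.
    cat > "$1/openssl.my.cnf" <<'EOF'
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/certs/myca.crt
private_key = $dir/private/myca.key
default_md = sha256
default_days = 365
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # -nodes keeps the demo unattended; the wiki's command omits it so the CA key gets a passphrase.
    (cd "$1" && openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca \
        -newkey rsa:2048 -nodes -subj "/CN=My Private CA" \
        -keyout private/myca.key -out certs/myca.crt -days 1825 2>/dev/null) || return 1
    chmod 0400 "$1/private/myca.key"
}

issue_server_cert() {             # $1 = CA directory, $2 = server host name
    (cd "$1" || exit 1
     openssl req -config openssl.my.cnf -new -nodes -newkey rsa:2048 \
         -subj "/CN=$2" -keyout "private/$2.key" -out "$2.csr" 2>/dev/null || exit 1
     # Leaf extensions: not a CA, and a SAN matching the host name clients connect to.
     printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$2.ext"
     openssl ca -config openssl.my.cnf -batch -policy policy_anything -notext \
         -extfile "$2.ext" -out "certs/$2.crt" -infiles "$2.csr" 2>/dev/null)
}
# Succeeds only if the server cert chains to the given CA cert. A cert from any
# other CA fails here, which is why clients must import myca.crt before connecting.
verify_against_ca() {             # $1 = CA cert file, $2 = server cert file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run it as `build_ca myCA; issue_server_cert myCA mail.example.com; verify_against_ca myCA/certs/myca.crt myCA/certs/mail.example.com.crt`; the same verify call against a different CA's certificate fails, which is the check a client without the imported CA cannot make.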