From MattWiki
Jump to navigation Jump to search

Certificate Authority

Creating a Certificate Authority

Revoking a Certificate

Self-signed SSL certificates

Self-signed SSL certificates are the easiest way to get your SSL server working. However unless you take some action to prevent it, this is at the cost of security:

  • The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user's password and so on.
  • If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.

The only way to be fully secure is to import the SSL certificate to client's (or operating system's) list of trusted CA certificates prior to first connection. See SSL/CertificateClientImporting how to do it for different clients.

Creating your on CA

Create the SSL Environment

mkdir -m 0755 myCA
mkdir -m 0755 myCA/private
mkdir -m 0755 myCA/certs
mkdir -m 0755 myCA/newcerts
mkdir -m 0755 myCA/crl
cd myCA
cp /etc/pki/tls/openssl.cnf
chmod 0600 openssl.cnf
touch index.txt
echo '01' > serial

Create The CA Key/Cert

First we need to create a CA Cert to sign the different server keys and to distribute.

openssl req -config -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

And correct the permissions

chmod 0400 private/myca.key

Create a Server Key/Cert

First create the Key and CSR file.

openssl req -config -new -nodes -keyout private/<server_name>.key -out <server_name>.csr -days 365

Next sign the CSR file with your CA Key.

openssl ca -config -policy policy_anything -out certs/<server_name>.crt -infiles <server_name>.csr