Creating a web-site certificate: Part 2

As discussed in the previous article in this series, the disadvantage with our own certificates is that web browsers will complain loudly about these possibly unsafe certificates. In this article we will improve on this by becoming our own Certificate Authority. This involves generating a special “root” certificate, and giving users the option of importing that certificate into the list of trusted Certificate Authorities.


Using a password-protected private key
PDF Image LaTeX source

Surprisingly, generating the files we need to become an (unofficial) Certificate Authority is easier than generating a standard certificate. It only involves only two steps:

  • Create a password-protected encryption key.
  • Create the certificate.

The command lines below have been split over several lines for readability.

$ openssl genrsa -passout env:CAPASS
                 -des3
                 -out authority.key 2048

This invocation of the genrsa subcommand generates a 2048-bit private encryption key using the RSA algorithm. The encryption key is then encrypted with the DES3 algoritm, using the password contained in the CAPASS environment variable. Since this is the key that all security will rely on, we do not create an unprotected version. Since it is only used for signing, having to enter it manually is not much of a problem.

$ openssl req  -new
               -x509
               -days 36500
               -passin  env:CAPASS
               -subj '/C=SE/ST=root_ca_cert/L=Lund/O=Svensk Datorutveckling'
               -key authority.key
               -out authority.cert

Using an unprotected private key
PDF Image LaTeX source

Previously we used this command to create and sign our new certificate:

$ openssl x509 -req
               -days    36500
               -in      certificate-signing-request.csr
               -out     certificate.cert
               -signkey rsa-private-key-without-password.key

To sign instead with our root CA, we use:

$ openssl x509 -req
               -days   36500
               -in     certificate-signing-request.csr
               -out    certificate.cert
               -passin env:CAPASS
               -CA     authority.cert
               -CAkey  authority.key
               -CAcreateserial

Gone is the “-signkey” option. Instead we specify the key and the certificate of our root CA. The -CAcreateserial option creates a serial-number file. It is used to give each signed certificate a unique serial number. The file name is derived from the name of the root CA certificate file, but with a .srl suffix. In this example, authority.cert becomes authority.srl. This option should only be used once. Next time, run the command without it:

$ openssl x509 -req
               -days   36500
               -in     certificate-signing-request.csr
               -out    certificate.cert
               -passin env:CAPASS
               -CA     authority.cert
               -CAkey  authority.key

To actually take advantage of the extra work, users must import “authority.cert” into their browsers, in some browser-dependent way. Once that is done, the browser will implicitly trust any certificate signed by our Certification Authority (root CA).

You can reach me by email at “lars dash 7 dot sdu dot se” or by telephone +46 705 189090

View source for the content of this page.