As discussed in the previous article in this series, the disadvantage with our own certificates is that web browsers will complain loudly about these possibly unsafe certificates. In this article we will improve on this by becoming our own Certificate Authority. This involves generating a special “root” certificate, and giving users the option of importing that certificate into the list of trusted Certificate Authorities.
Surprisingly, generating the files we need to become an (unofficial) Certificate Authority is easier than generating a standard certificate. It only involves only two steps:
- Create a password-protected encryption key.
- Create the certificate.
The command lines below have been split over several lines for readability.
$ openssl genrsa -passout env:CAPASS -des3 -out authority.key 2048
This invocation of the genrsa subcommand generates a 2048-bit private encryption key using the RSA algorithm. The encryption key is then encrypted with the DES3 algoritm, using the password contained in the CAPASS environment variable. Since this is the key that all security will rely on, we do not create an unprotected version. Since it is only used for signing, having to enter it manually is not much of a problem.
$ openssl req -new -x509 -days 36500 -passin env:CAPASS -subj '/C=SE/ST=root_ca_cert/L=Lund/O=Svensk Datorutveckling' -key authority.key -out authority.cert
Previously we used this command to create and sign our new certificate:
$ openssl x509 -req -days 36500 -in certificate-signing-request.csr -out certificate.cert -signkey rsa-private-key-without-password.key
To sign instead with our root CA, we use:
$ openssl x509 -req -days 36500 -in certificate-signing-request.csr -out certificate.cert -passin env:CAPASS -CA authority.cert -CAkey authority.key -CAcreateserial
Gone is the “-signkey” option. Instead we specify the key and the certificate of our root CA. The -CAcreateserial option creates a serial-number file. It is used to give each signed certificate a unique serial number. The file name is derived from the name of the root CA certificate file, but with a .srl suffix. In this example, authority.cert becomes authority.srl. This option should only be used once. Next time, run the command without it:
$ openssl x509 -req -days 36500 -in certificate-signing-request.csr -out certificate.cert -passin env:CAPASS -CA authority.cert -CAkey authority.key
To actually take advantage of the extra work, users must import “authority.cert” into their browsers, in some browser-dependent way. Once that is done, the browser will implicitly trust any certificate signed by our Certification Authority (root CA).
You can reach me by email at “lars dash 7 dot sdu dot se” or by telephone +46 705 189090