Setting up a basic CA for development certificate issuance via OpenSSL is fairly simple, but most of the tutorials available online don’t show every step. This guide attempts to be as clear as possible, but if you spot anything that could use more explanation don’t hesitate to leave a comment.
If you don’t have a copy of OpenSSL on your machine, download it now. Linux and OS X users should already have it on their systems, but Windows users can get the latest binaries here. Please note that if you are running a version of OpenSSL prior to 0.9.8, signing the same CSR multiple times will cause an error (due to lack of support for unique_subject=no). RHEL4 ships with 0.9.7a.
Creating a Self-Signed Root Certificate
First we must create a signing cert (a certificate with basicConstraints set to CA:True) for use. This will write out a privkey.pem file (the PEM, i.e. base64 encoded, RSA private key) as well as a root.cer file containing the self-signed certificate (public key) with a 3650 day validity period.
openssl req -newkey rsa:2048 -days 3650 -x509 -nodes -out root.cer
You will see output in the following form. Fill in the fields as you desire. Example choices are filled in below.
Generating a 2048 bit RSA private key
............................................+++
.................................................+++
writing new private key to 'privkey.pem'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Illinois
Locality Name (eg, city) [Newbury]:Chicago
Organization Name (eg, company) [My Company Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:My Development CA
Email Address []:
Setting Up a Custom Openssl.conf
Create a new file named “myca.conf” and save the following configuration into it, substituting the proper private key, certificate (public key), and new_certs_dir (a scratch directory) paths. On Windows, if you choose to use backslash delimited paths, please note that you will need to escape each backslash with an additional backslash (e.g. C:\path\to\cert becomes C:\\path\\to\\cert).
[ ca ]
default_ca = myca

[ crl_ext ]
# issuerAltName=issuer:copy #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always

[ myca ]
new_certs_dir = /tmp
unique_subject = no
certificate = /path/to/root.cer
database = /path/to/certindex
private_key = /path/to/privkey.pem
serial = /path/to/serialfile
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://path.to.crl/myca.crl
You will also need to create empty files located at /path/to/certindex and /path/to/serialfile. For the serialfile add “000a” (without the quotes) as a hexadecimal seed for the serial number.
Create a CSR and Issue A Cert
We now have our CA infrastructure configured so let’s create a CSR (certificate signing request) and issue our first certificate.
openssl req -newkey rsa:1024 -nodes -out req.csr -keyout req.key
This will write out req.key and req.csr after you fill in the fields you desire. If you are setting up a serverAuth certificate, the common name should be the FQDN of your server. You can also leave the challenge password blank.
Generating a 1024 bit RSA private key
..........++++++
..................++++++
writing new private key to 'req.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Illinois
Locality Name (eg, city) [Newbury]:Chicago
Organization Name (eg, company) [My Company Ltd]:End Entity, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.examplefqdn.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now we’re ready to issue the certificate! We will let our configuration file do most of the heavy lifting. Just specify the path to the config and the path for the output certificate.
openssl ca -batch -config /path/to/myca.conf -notext -in req.csr -out /path/to/ourdomain.cer
Your certificate should now be written to the path you specified. To inspect the contents of the certificate (subject, issuer, validity period and the extensions applied from myca_extensions):
openssl x509 -noout -text -in /path/to/ourdomain.cer
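The steps above, from root creation through signing and verification, as one repeatable script. This is an added example and not the post's own code: it writes the post's myca.conf with real paths substituted, seeds the index and serial files, and then runs the same req/ca commands non-interactively with -subj. Assumptions not in the original: a scratch directory (CA_DIR, created with mktemp), sha256 instead of the post's sha1 (current OpenSSL builds often refuse SHA-1 signatures), 2048-bit keys for both the root and the server certificate, a [req] section with an empty DN section (openssl req -config insists on one even when -subj is used), an explicit v3_root extension section for the self-signed root, and a localityName entry in the policy, since openssl ca silently drops any DN field the policy does not name. The final step is the chain check a practitioner would run before importing root.cer anywhere: openssl verify against the root.

```shell
#!/bin/sh
# Added example, not code from the original post: the tutorial's steps as one
# repeatable script. Assumed: a scratch directory CA_DIR (default: mktemp),
# sha256 in place of the post's sha1, and 2048-bit keys for root and leaf.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Write myca.conf into "$1", with real paths replacing the post's /path/to/... placeholders.
write_ca_config() {
  cat > "$1/myca.conf" <<EOF
[ ca ]
default_ca = myca

# 'openssl req -config' requires a distinguished_name section; it stays empty
# because the subject is supplied with -subj.
[ req ]
distinguished_name = req_dn
x509_extensions = v3_root
[ req_dn ]

# Root extensions: a CA certificate restricted to signing certificates and CRLs.
[ v3_root ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ myca ]
new_certs_dir = $1/newcerts
unique_subject = no
certificate = $1/root.cer
database = $1/certindex
private_key = $1/privkey.pem
serial = $1/serial
default_days = 365
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions

# DN fields not named in the policy are silently dropped from the issued
# subject, so localityName is listed here (the post's policy omits it).
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
localityName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://path.to.crl/myca.crl
EOF
}

# Empty index plus hex serial seed. The index must be truly empty: one stray
# character makes 'openssl ca' fail with "wrong number of fields on line 1".
init_ca_files() {
  mkdir -p "$1/newcerts"
  : > "$1/certindex"
  printf '000a\n' > "$1/serial"
}

# True when the index file exists and holds no bytes at all.
index_is_empty() { [ -f "$1/certindex" ] && [ ! -s "$1/certindex" ]; }

# Step 1: self-signed root (privkey.pem + root.cer), 3650-day validity.
make_root() {
  openssl req -batch -config "$1/myca.conf" -newkey rsa:2048 -days 3650 -x509 -nodes \
    -keyout "$1/privkey.pem" -out "$1/root.cer" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=My Company/CN=My Development CA"
}

# Step 2: server key and CSR; the CN is the server's FQDN ($2).
make_csr() {
  openssl req -batch -config "$1/myca.conf" -newkey rsa:2048 -nodes \
    -keyout "$1/req.key" -out "$1/req.csr" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=End Entity, Inc./CN=$2"
}

# Step 3: let the CA sign the request using the config above.
issue_cert() {
  openssl ca -batch -config "$1/myca.conf" -notext -in "$1/req.csr" -out "$1/ourdomain.cer"
}

# Step 4: confirm the issued certificate chains to root.cer (exit 0 when OK).
verify_chain() { openssl verify -CAfile "$1/root.cer" "$1/ourdomain.cer" >/dev/null; }

write_ca_config "$CA_DIR"
init_ca_files "$CA_DIR"
if command -v openssl >/dev/null 2>&1; then
  make_root "$CA_DIR"
  make_csr "$CA_DIR" www.examplefqdn.com
  issue_cert "$CA_DIR"
  verify_chain "$CA_DIR"
  echo "issued and verified: $CA_DIR/ourdomain.cer"
fi
```

Run it as `CA_DIR=/some/dir sh ca-demo.sh` to keep the output, or without CA_DIR for a throwaway run. After a successful issue, openssl ca rewrites serial (to 000B), appends one line to certindex and keeps a copy of the certificate under newcerts/, which is why the index must start out empty and must not be edited by hand afterwards.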
Browser Trust Configuration
To be trusted, a certificate must have a root at the top of its chain that is present in the certificate store of whatever client you are attempting to use. This means you will need to import your self-signed root certificate (root.cer) into the store. While each browser/OS is different, let’s demonstrate via Firefox 3.
- Go to the preferences, choose advanced, click the encryption tab, then click “view certificates”.
- Click the authorities tab and then click import…
- Choose which options you plan to use the cert for. Check at least “identify web sites”.
- Your certificate is now trusted. You can see it under the Organization name you chose for your root certificate.

Hi,
I was trying the self-signed root certificate as per your instructions…
but I got some error when I tried creating a certificate using the command:
openssl ca -batch -config /Users/gautham/myca.conf -notext -in req.csr -out /Users/gautham/ourdomain.cer
Error:
Using configuration from /Users/gautham/myca.conf
wrong number of fields on line 1 (looking for field 6, got 1, '' left)
Please reply regarding this if you have any idea..
Thanks and Regards,
Gautham
This error is caused when your certindex file is not completely empty. Check inside the file and if there is any char (including a space) remove it and save. On Linux you can just remove the existing file and touch a new one.
Hi, I know you can create a regular self-signed certificate without having to roll your own CA and sign the certificate with it. I am wondering why you need to roll your own CA and sign the SAN certificate request yourself. Can you not just roll a self-signed SAN certificate without having to sign it with your custom CA? Thanks.
Hi,
I am also receiving the same error.
Where is the certindex file located? I didn't find the file.
Please help me.
Thanks,
Satish
Paul, thanks for the tutorial. This has been by far the biggest help. I am running into one issue however. The instructions above require you to create a csr and a key. However, in Exchange 2010 (and 2010), the CSR is created for you by Exchange Server. Is there a way to use the Exchange csr to generate a key? I’m at a standstill as Exchange doesn’t see my cert as valid.
Thanks!