Securing traffic on various apps in organizations or even in a small home lab is very important to protect passwords and other critical information floating on LAN or WiFi. Let us build a handy CA in simple steps to generate own certificates which can be used in internal applications.
Before this you may also like to read IT security basics and Self Signed SSL certificates.
Create a directory to place your Certificate authority (CA) files
mkdir /etc/myca
Generate Key pair for CA using DES3 encryption and 2048 key size. You can choose other encryption algorithms and key size as well
openssl genrsa -des3 -out myca.key 2048
Generating RSA private key, 2048 bit long modulus
....+++++
...................................+++++
e is 65537 (0x010001)
Enter pass phrase for myca.key: <--Enter password for CA key pair
Verifying - Enter pass phrase for myca.key: <--Re-enter password for CA key pair
Create CA certificate using above CA key, Let us do it with 10 years validity
openssl req -new -x509 -days 3650 -key myca.key -out myca.crt
Enter pass phrase for myca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:HR
Locality Name (eg, city) []:GGN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:your_org_name
Organizational Unit Name (eg, section) []:HomeUnits
Common Name (e.g. server FQDN or YOUR name) []:your_ca_site
Email Address []:
List CA key and certificate files, you must keep secure backup of these files.
ls -l
total 8
-rw-r--r-- 1 root root 1310 Feb 2 08:51 myca.crt
-rw------- 1 root root 1743 Feb 2 08:50 myca.key
Now the CA is ready, let us use above CA to sign the CSR requests
Generate key pair for some application or server, such as webserver
openssl genrsa -out myserver.key 2048
Generating RSA private key, 2048 bit long modulus
........+++++
..................+++++
e is 65537 (0x010001)
Generate certificate request (CSR) file for above keys
openssl req -new -out myserver.csr -key myserver.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:HR
Locality Name (eg, city) []:GGN
Organization Name (eg, company) [Internet Widgits Pty Ltd]:your_org
Organizational Unit Name (eg, section) []:some_department
Common Name (e.g. server FQDN or YOUR name) []:your_website
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <---leave blank for non-interactive use of certificate
An optional company name []:
Now using our CA verify and sign server certificate for above CSR
openssl x509 -req -in myserver.csr -CA /etc/myca/myca.crt -CAkey /etc/myca/myca.key -CAcreateserial -out myserver.crt -days 3650
Signature ok
subject=C = IN, ST = HR, L = GGN, O = your_org, OU = myserver, CN = your_website
Getting CA Private Key
Enter pass phrase for /etc/myca/myca.key: <--Enter password used for CA key pair
Now your certificate is ready for use. You can use key and certificate (crt) files in respective application.
ls -l
total 16
-rw-r--r-- 1 root root 1180 Feb 2 09:12 myserver.crt
-rw-r--r-- 1 root root 989 Feb 2 09:07 myserver.csr
-rw------- 1 root root 1679 Feb 2 09:04 myserver.key