Setting up OpenSSL to Create Certificates

Web, IMAP and SMTP servers can be configured to use SSL connections, and there are many other uses for SSL certificates, such as encrypting email or digitally signing documents. You don't have to pay a certificate authority such as Verisign: you can use the OpenSSL package to create your own certificates. I do not cover the installation of OpenSSL here, and I assume you know at least how to change directories, move files, use an editor, and other basics from the command line.

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

Quick steps:

  1. Create a directory.
  2. Create two subdirectories.
  3. Create a database to keep track of each certificate signed.
  4. Make a custom config file for openssl to use.
  5. Create a root certificate.
  6. Installing the root certificate for use.
  7. Tips.
  8. Creating certificates pages.

Note: While this document covers OpenSSL under Linux, Windows-only folks can use the Win32 OpenSSL project. I found GOSSL and CertWiz, GUIs for Windows, after a quick search. I am running Red Hat Linux 8.0 and openssl 0.9.x. If you have an internal box running the Apache web server with PHP and the OpenSSL libraries installed, you could also use PHPki. I would not use PHPki for creating certificates on a publicly accessible server, because your root private key must be installed on that server (security risk). [Note: I found it not too hard to migrate manually to PHPki after already having created some certificates from the command line. Also, you must have short tags enabled in your php.ini.] Only command-line steps will be covered here.

1) Create a directory

Let's call it sslcert:
mkdir sslcert

Now protect that directory so only the user you are running as (and root) can access it:
chmod 0700 sslcert


2) Create two subdirectories

Cd into the first directory and make two subdirectories. Let's call them certs and private.
cd sslcert
mkdir certs private


3) Create a database to keep track of each certificate signed

Type:
echo '100001' >serial
touch certindex.txt


4) Make a custom config file for openssl to use

Create a file using your ASCII text editor. We will call it openssl.cnf. Here are the basics needed for this exercise (edit as needed):

#
# OpenSSL configuration file.
#
 
# Establish working directory.
 
dir					= .
 
[ ca ]
default_ca				= CA_default
 
[ CA_default ]
serial					= $dir/serial
database				= $dir/certindex.txt
new_certs_dir				= $dir/certs
certificate				= $dir/cacert.pem
private_key				= $dir/private/cakey.pem
default_days				= 365
default_md				= md5				# obsolete today; use sha256 on modern OpenSSL
preserve				= no
email_in_dn				= no
name_opt				= ca_default		# display options for "openssl ca"; the key is name_opt, not nameopt
cert_opt				= ca_default		# likewise cert_opt; a misspelled key is silently ignored
policy					= policy_match
 
[ policy_match ]
countryName				= match
stateOrProvinceName			= match
organizationName			= match
organizationalUnitName			= optional
commonName				= supplied
emailAddress				= optional
 
[ req ]
default_bits				= 1024			# Size of keys (2048 or more is the modern minimum)
default_keyfile				= key.pem		# name of generated keys
default_md				= md5				# message digest algorithm (obsolete; use sha256 today)
string_mask				= nombstr		# permitted characters
distinguished_name			= req_distinguished_name
req_extensions				= v3_req
 
[ req_distinguished_name ]
# Variable name				Prompt string
#-------------------------	  ----------------------------------
0.organizationName			= Organization Name (company)
organizationalUnitName			= Organizational Unit Name (department, division)
emailAddress				= Email Address
emailAddress_max			= 40
localityName				= Locality Name (city, district)
stateOrProvinceName			= State or Province Name (full name)
countryName				= Country Name (2 letter code)
countryName_min				= 2
countryName_max				= 2
commonName				= Common Name (hostname, IP, or your name)
commonName_max				= 64
 
# Default values for the above, for consistency and less typing.
# Variable name				Value
#------------------------	  ------------------------------
0.organizationName_default		= My Company
localityName_default			= My Town
stateOrProvinceName_default		= State or Province
countryName_default			= US
 
[ v3_ca ]
basicConstraints			= CA:TRUE
subjectKeyIdentifier			= hash
authorityKeyIdentifier			= keyid:always,issuer:always
 
[ v3_req ]
basicConstraints			= CA:FALSE
subjectKeyIdentifier			= hash

5) Create a root certificate

All other certificates you create will be based off of this one. Because you are not a commercial certificate authority, software may complain when people use your certificates. However, you can give people one of the files that will be created, the "public" one, and they can manually import it. From then on your certificates will load just like the commercial ones.

To create, while in the 'sslcert' directory, type:
openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

Note the backslash (\) at the end of the first line. If your shell supports it, this is a way to type long command lines. Simply press <Enter> after it and you will be prompted to continue typing. Otherwise, leave it out and keep typing the command on one line.

Note the -days 365 option. For a root certificate you may want it to last longer than one year so that you do not have to reissue it so often. I set mine to 10 years.

You will be prompted for information and a password. Do not lose this password, make sure it is a secure one, and back up the two files that are created.

The two files that are created are cacert.pem, which is the one you can give to others for import in their browsers, and cakey.pem, which will be in the private directory.

Field                    Explanation                                                    Example
Country Name             The two-letter ISO abbreviation for your country.              US (United States)
State or Province Name   The state or province where your organization is located.      Georgia
                         Cannot be abbreviated.
City or Locality         The city where your organization is located.                   Atlanta
Organization Name        The exact legal name of your organization. Do not abbreviate.  SSL Secure Inc.
Organizational Unit      Optional, for additional organization information.             Marketing
Common Name              Since this is your root certificate, call it something like:   Company_Name Certificate Authority
Email Address            The email address for the CA (who to contact).                 someone@your.domain
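Steps 1 through 5 as one script, added here as an example and not part of the original page: it lays out the directory, creates the serial and database files and a minimal openssl.cnf, then creates the root certificate non-interactively with -subj and checks the result. The directory name, subject, passphrase and the sha256/4096-bit defaults are my assumptions, not the author's values.

```shell
#!/bin/sh
# Added example, not from the original page: steps 1-5 as one script, with the CA
# subject passed via -subj instead of typed at the prompts and with sha256/4096-bit
# defaults. Directory, subject and passphrase values are assumptions.
set -eu
# Steps 1-4: directory, subdirectories, serial and database files, a minimal openssl.cnf.
make_ca_layout() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private"
    chmod 0700 "$dir" "$dir/private"   # only this user (and root) can reach the CA key
    echo '100001' > "$dir/serial"
    : > "$dir/certindex.txt"
    cat > "$dir/openssl.cnf" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
commonName = supplied
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name (CA name)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}
# Step 5: self-signed root; -passout encrypts the key with a constructed passphrase.
make_root_cert() {
    (cd "$1" && openssl req -new -x509 -extensions v3_ca -days "$3" -subj "$2" \
        -passout pass:example-ca-pass -keyout private/cakey.pem -out cacert.pem \
        -config ./openssl.cnf 2>/dev/null)
}
# Check: a CA certificate, signed with sha256, still valid nine years from now.
check_root_cert() {
    t=$(openssl x509 -in "$1/cacert.pem" -noout -text)
    echo "$t" | grep -q 'CA:TRUE' && echo "$t" | grep -q 'sha256' &&
    openssl x509 -in "$1/cacert.pem" -noout -checkend $((9 * 365 * 86400)) >/dev/null
}
```

After sourcing the file, run make_ca_layout sslcert, then make_root_cert sslcert '/C=US/ST=Georgia/L=Atlanta/O=Example Co/CN=Example Co Certificate Authority' 3650, then check_root_cert sslcert; the check returns non-zero if the file is not a CA certificate or would expire within nine years.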

6) Installing the root certificate for use

See your browser's help for how to do this. For IE, go to Tools, Options, Content tab, Certificates, Import and follow the steps. Note that we called our root certificate cacert.pem. Rename this file to cacert.crt as it is an X.509 certificate. To make it easy for people to install your root certificate, cacert.crt, place it on your web site with a URL to it. When they click on it in most modern browsers, they can choose to "Open" or "Install" and it will walk them through the install steps.

Note for Mozilla and Firefox/Thunderbird users: Mozilla apps do not use MS Windows' certificate storage. If you use Mozilla, you only need to install the certificate in the browser and it will be available to the email client. If you use Firefox and Thunderbird, or just one of the two, you will need to manually import the certificate with Thunderbird. To do this, right-click the link to the certificate and choose "Save As...". Then in "Manage Certificates" (accessed via "Advanced" in newer versions), click the Import button.


7) Tips

Read up on revocation lists and how to use them. One day you may need to revoke the root certificate, or any other certificate, and issue a new one.

The root certificate created per the example is only good for 365 days. When it expires, people receive a warning message. Don't forget to remake the certificate each year, or create it for more than one year.

Don't forget your password for the root certificate, but do not let it fall into the wrong hands.


8) Creating certificates pages

Now you are ready to create certificates. Here are my pages covering various applications of certificates and how to make those certificates:

Thanks

Followed the steps to create a PKCS12 certificate to trial signing PDF documents. Worked first time. Many thanks!
Marc

I don't get the Install Page

I attempted to run the Root Cert and it didn't work for my http://dmv-dui-attorney.com/san-bernardino-dui/ page, what gives?

Awesome tut!!!

Thanks a lot for taking the time to write this. It worked on the first try. However, others may want to migrate from md5 to sha.

Unable to create certificate

Hi, whenever I try to execute the "openssl req -new -x509 -extensions v3_ca -keyout \
private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf" command I get this error,

"Generating a 1024 bit RSA key
..........+++++
........................+++++
Writing new private key to private/cakey.pem'
private/cakey.pem: No such file or directory.

1949:error:02001002:system library: fopen:No such file or directory:bss_file.c:356:fopen('private/cakey.pem' , 'w')

1939:error:20074002:BIO routines: FILE_CTRL:system lib:bss_file.c:358"

Can anybody help me? Why does it need to open private/cakey.pem, shouldn't it write to the private folder?
I execute with root privilege. Any help would be appreciated.

If you're using win32/64,

If you're using win32/64, you don't need that backslash at the end of the first line.

You can also try to type the whole command on one line.

Configuration for email certificates

Thanks for these instructions, found them really helpful. However I have found you need to change the "email_in_dn" value to yes in the configuration file if creating certificates for signing emails. Otherwise the certificate will not identify the sender's email address, and the recipient will not be able to verify that the certificate matches the sender's email address.

Hello

I'm a newbie on this.
And I'm interested to learn.
Where can all this be done?

doesn't work

configured exactly as you said,

when going to the url, it does not use the certificate created,

off to another site

how to make sure the cert is in use??

hey,

I'm trying to create new certs with openssl, I think. But I have a DEMOCA with all the certs.
What can I do to make sure that the RADIUS is running my certs?
And how do I create certs?
Sorry, I am a beginner. Much help needed! Reply asap pls. Thanks!

Re: how to make sure the cert is in use??

Try starting with:
$ openssl s_client -connect [ip_or_dns_name]:[port]
$ man s_client

Valid time in x509 Certificates is always in GMT-why

Hi,
I need a clarification. The CAcert and the client certs generated by openssl on my system have the validity time period always in GMT-5:30hrs, even though my system has a local time in IST (GMT+5:30hrs). So my doubt is, if I use the client certs on other IST timezone systems, how, and will, the certs be verified by the system as being in the valid time period?
Why is it that all certs are stamped with validity time in GMT only?

thanks
rajiv

SSL Cert and Key

OMG, worked on this forever, then found your site and within a few short hours was able to get all my certificates and keys. One hang-up was decrypting the cakey.pem. I looked at your comment section and there at the bottom was the decrypt info. Thank You, I am a self-taught wannabe programmer and your site really helped.

Great job!

I followed every step and it worked I was working on this for almost 2 weeks and you just gave me the answers in 10 minutes.

By the way:
nameopt = default_ca
certopt = default_ca

is correct. There was 1 guy who said it was wrong but this works... Thank you very much man, I really appreciate this.

Yours sincerely,

André Boom

Not working for windows 7 w/ IE8

The instruction is very clear and helpful. I did it for my Linux CentOS 5.4 server. After that, it works well for clients using Windows XP and IE7. However, it does not work for clients using Windows Vista or 7 with IE8. The clients are prompted to install the certificate, ... and it shows "the import was successful". When clients start a new browser to open the web site, it still displays "Certificate Error". Can somebody tell why? I also tried several other ways to create certificates, the situation is the same. Thanks!

For Windows XP, Expire date is 2/6/1974

I agree: Great instructions!
But I'm also having a problem trying to do this on Windows XP. For some reason it set the root certificate expiration date to 2/6/1974. If I view the certificate in Firefox, it shows the Create date OK but the Expire date is in the past, so it thinks the certificate has expired and will not use it.

Validity|Not Before:
3/14/2010 18:20:58 PM
(3/14/2010 23:20:58 PM GMT)

Validity|Not After:
2/6/1974 10:52:42 AM
(2/6/1974 16:52:42 PM GMT)

Oops! 36525 days is 100 years, not 10 years.

I guess the multiply function of my internal calculator isn't working today. 36525 days is 100 years, not 10 years. It worked OK once I corrected that.

Thanks!

Thank you for your help. I found the nameopt and certopt should be the following:

name_opt = ca_default
cert_opt = ca_default

Cheers!

Wait a minute. Placing

Wait a minute. Placing cacert.pem on public site might give away your private key?! Can anyone confirm this?

No it doesn't give away your

No it doesn't give away your private key. Read the manuals. You can't calculate 1 without the other

Re: Wait a minute. Placing

In the instructions above the file 'cacert.pem' is the public certificate. Try these commands once you have generated the private and public files to inspect them:

$ openssl x509 -in cacert.pem -text -noout
Within the text of the output you should see "Subject Public Key Info".

$ openssl rsa -in cakey.pem -text -noout
You will be prompted for the certificate password and see "Private-Key:" within the text of the output.

If you try to run 'openssl x509 -in cakey.pem ...' you should get an error with "Expecting: TRUSTED CERTIFICATE". If you try to run 'openssl rsa -in cacert.pem ...' you should get an error with "Expecting: ANY PRIVATE KEY". It is always good to ask these kinds of questions.

Thanks very much for your

Thanks very much for your useful tips on how to create a root certificate!

Openssl Docs

Helpful article. Thanks a lot.

-Santosh

Really Great Work!

Mr. (Ms.?) Flat Mountain:

Really, really good work on this. It isn't easy to write accurate, concise documentation like this - you've really hit the mark!
Thanks for your work; it's saved us lots of time. Lou

Serial and DB not updating

the certindex.txt isn't updating with new certs.

querie in 4 step

I don't understand the 4th step of the procedure. What did you do?
You make a cnf file named "openssl" and inside it you have an openoffice text?
It doesn't work for me! Sorry but I'm a beginner....

Re: querie in 4 step

In step 4 I said to use an "ASCII text editor". This means something like vi, emacs, kwrite, etc. Everyone has their favorite text editor, so it doesn't matter which one you use to create a file with the text shown. But the file does have to be ASCII (aka "plain") text, not doc or odf or other file format. This file pre-sets a lot of options for you, so creating certificates is easier.

great.

Just great stuff here.
Thanks a lot for this clear and helpful walkthrough.

Ed.

Wow

Great post, worked the first time...
After trying many other ways... wish I had found this one first

Thanks

helpful article

just another comment on how helpful this article has been. thanks.

Great Work

Great Work Done................

great

This is very well done. I hope I'll find more of your articles.
10x.

Great job...

The documentation and step by step process in these pages is awesome. Thanks for the attention to detail. This is extremely useful.

Great article .... Good work

Great article .... Good work

Feedback

Thanx!!!!!!!!!!!!!!!!! to whom it may concern

From the core of my heart, I appreciate the person who wrote this topic......
It is really a great job he did.......
Provided step-by-step guidance as the work is done.

Certificate

Thanks a lot,
This article is really very well written
It worked well.

Regards
Sachin

Very Helpful

Very helpful article, got it working fine.
Thanks for sharing!

Article

This was a well written article.

Great work!

Really nice tutorial on

Really nice tutorial on openssl certificates. One note to those who use such a self-signed certificate for their https site: it's better to remove the pass phrase from cakey.pem so you don't have to re-enter it every time you start your https server:

openssl rsa -in cakey.pem -out cakey.pem

Enter the pass phrase that you used in step 5) and you are golden.

Request

Bonjour,

I would like to know how to use this certificate with multiple email addresses.
like my private email and my gmail one.

please reply ASAP.

Thanks

hey Its very simple.....

Hey, it's very simple..... Keep the signature the same for all the emails... and use one browser...... It helps you with the above issue..

Thanks