ROOT CA signed Certificate

September 15, 2021 in Web Server

How it works:

There are many CA (Certificate Authorities) around the world that they can generate a certificate for you once you provide the required information and identify that you are the owner of the domain or subdomain where you are planning to use the certificate. Most of them are providing this service for an amount money but there are also free solutions. This is something that you need to do if you want to host a service like a web site and you want that everything that is transmitted from any client to your server and vice versa will be encrypted. In the other hand the clients also need to be sure that they can access your server in a secure way. And since they are not able to check your certificate we are relying to a CA to do the job. But if you need to protect an internal website that is running inside your company, then you can become a local CA. Here is how

 

Became a local CA

issue the following command in order to create a new key that we will use later for our CA certificate.

openssl genrsa -aes256 -out CA.key 4096

You should provide a password twice and the key is ready to use.
The output should look like this:

Generating RSA private key, 4096 bit long modulus (2 primes)
…………………………………………………………………………………..++++
…………………………………………………………………………………………….++++
e is 65537 (0x010001)
Enter pass phrase for CA.key:
Verifying – Enter pass phrase for CA.key:

Now you have a file that is called CA.key and the contents should be like that:

—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,438387DEFA5FD5275315FD562F1BC0D8

GXs5bW36Ifl0PvP4VYKktVLyxzpHNTkjh+dxMCfQRp9RfKBZl6rjVqYd2hovC01o
DzqIzeVMkT7GWUw3zYUulIYqXDRALTwNa8X5cEF2qtxFQCmMNpK1uHSl761Agtqm
—many lines have been removed—
3vOqEUBD7CNFeS4lkGG4xrsZBdALEFRyPPbzpnIrDwY+jvoLDVSFy7jXncgwFEem
jiUwxpBySCKAP8oMPISlTwh+K9lJ0JgMN1TahCMkdYB8GcTud5+wR8hvl4Wc7gzM
—–END RSA PRIVATE KEY—–

Create a CA Certificate:

Now we need to create a certificate that we are going to install on all systems in our company that they will use the certificates that we are going to create with this CA certificate. So this is a root certificate that a computer is using to identify all certificates that are issued from our CA. Now you need to issue the following command and provide the password from the key we created in the previous step and answer the questions. 

openssl req -x509 -new -nodes -key CA.key -sha512 -days 365 -out CA.pem
Enter pass phrase for CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:GR
State or Province Name (full name) [Some-State]:-
Locality Name (eg, city) []:Athens
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompanyName
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:MyCompanyName.local
Email Address []:info@MyCompanyName.local

Create an SSL certificate using our CA

Now as before we will need to create another key so we can generate a CSR file with all info about our domain and then we will use this file to issue a certificate.

Create the Key:

openssl genrsa -out allaboutlinux.local.key 4096

Create the CSR file:

openssl req -new -key allaboutlinux.local.key -out allaboutlinux.local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:GR
State or Province Name (full name) [Some-State]:-
Locality Name (eg, city) []:Athens
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompanyName
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:allaboutlinux.local
Email Address []:info@allaboutlinux.local

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:MySecurePassword!
An optional company name []:

Create the certificate from CSR signed by the CA:

openssl x509 -req -in allaboutlinux.local.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out allaboutlinux.local.crt -days 100 -sha512

Now you can use this certificate on the server side and as long as the clients already have the CA certificate they will be able to identify this certificate and any other that we will create in the future by using the same CA.