| I l@ve RuBoard |
|
Hack 94 Creating Your Own CA
Become your own Certificate Authority, and sign your own (or others') SSL certs Well-known Certificate Authorities (such as Thawte/VeriSign) exist to serve as an authoritative, trusted third-party for authentication. They are in the business of signing SSL certificates that are used on sites deal with sensitive information (such as account numbers or passwords). If a site's SSL certificate is signed by a trusted authority, then presumably it is possible to verify the identity of a server supplying that cert's credentials. In order to receive a certificate "blessed" by a well known CA, you have to prove to them beyond a shadow of doubt that not only are you who you claim to be, but that you have the right to use the certificate in the way you intend. For example, I may be able to prove to a CA that I am really Rob Flickenger, but they probably won't issue me a signed cert for Microsoft Corporation, as I have no rights to use that name. Yes, they probably wouldn't do that. Not again. OpenSSL is perfectly capable of generating everything you need to run your own Certificate Authority. The CA.pl utility makes the process very simple. In these examples, you'll need to type anything in boldface, and enter passwords wherever appropriate (that don't echo to the screen.) To establish your new Certificate Authority: hagbard@fnord:~/certs$ /usr/local/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) Making CA certificate ... Using configuration from /usr/local/ssl/openssl.cnf Generating a 1024 bit RSA private key ...............++++++ ......................................++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []:Sebastopol Organization Name (eg, company) [Internet Widgits Pty Ltd]:Illuminatus Enterprises, Ltd Organizational Unit Name (eg, section) []:Administration Common Name (eg, YOUR name) []:Hagbard Celine Email Address []:hagbardceline1723@yahoo.com Congratulations. You're the proud owner of your very own Certificate Authority. Take a look around: hagbard@fnord:~/certs$ ls demoCA/ hagbard@fnord:~/certs$ cd demoCA/ hagbard@fnord:~/certs/demoCA$ ls -l total 24 -rw-r--r-- 1 rob users 1407 Sep 8 14:12 cacert.pem drwxr-xr-x 2 rob users 4096 Sep 8 14:12 certs/ drwxr-xr-x 2 rob users 4096 Sep 8 14:12 crl/ -rw-r--r-- 1 rob users 0 Sep 8 14:12 index.txt drwxr-xr-x 2 rob users 4096 Sep 8 14:12 newcerts/ drwxr-xr-x 2 rob users 4096 Sep 8 14:12 private/ -rw-r--r-- 1 rob users 3 Sep 8 14:12 serial The public key for your new Certificate Authority is contained in cacert.pem, and the private key is in private/cakey.pem. You can now use this private key to sign other SSL certs. To use your CA's authority to sign SSL certs, you'll need to make a new cert that a web server (such as Apache) can use. First, generate a private key and certificate request, as shown in [Hack #93]. Now you can sign the new request with your own CA's key: hagbard@fnord:~/certs$ openssl ca -policy policy_anything \ -out propaganda.discordia.eris.crt \ -infiles propaganda.discordia.eris.csr Using configuration from /usr/local/ssl/openssl.cnf Enter PEM pass phrase: Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'Texas' localityName :PRINTABLE:'Mad Dog' organizationName :PRINTABLE:'Discordia, Inc.' organizationalUnitName:PRINTABLE:'Operations' commonName :PRINTABLE:'propaganda.discordia.eris' emailAddress :IA5STRING:'hail@discordia.eris' Certificate is to be certified until Sep 8 22:49:26 2003 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Now to use the .crt and .key with Apache + mod_ssl (or Apache-ssl), install them as you normally would (perhaps with lines like these): SSLCertificateFile /usr/local/apache/conf/ssl.crt/propaganda.discordia.eris.crt SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/propaganda.discordia.eris.key This is all lots of fun, but what happens when a client actually connects to https://propaganda.discordia.eris/? Won't the browser throw an error about not recognizing the Certificate Authority that signed the SSL cert? Naturally. Unless, of course, you've installed your CA's public key to the client browser ahead of time. See the next hack if you'd like to do that. 94.1 See also:
Disclaimer: no, I honestly had nothing to do with the Microsoft Corporation cert snafu. But it does illustrate one of the fundamental facts of life online: it's difficult to know who to trust.  |
| I l@ve RuBoard |
|
