
Creating a Certification Authority and a Server Certificate on Ubuntu

The following steps will walk you through the creation of your own CA, which is necessary to sign certificates. Signed certificates can then be used for SSL-protected webservers or for authentication. The good thing is that you don’t have to pay any fees for self-signed certificates. There is however a disadvantage: since your CA’s root certificate is not publicly known, browsers will show a warning if someone opens your website. The client has to install your root certificate to get rid of this warning and automatically trust all certificates signed by your CA.

Info: This howto is based on Ubuntu 12.04 and describes a manual way of creating certificates. There are also graphical solutions like TinyCA which allow you to do all this without typing any commands. I roughly described how to use TinyCA in this article.

 

1. Setting Up The Certification Authority (CA)

Before you start, make sure to have openssl installed. This however should be the case by default on Ubuntu.

 

1. Preparations

[cce_bash line_numbers=’false’]
# Become root
sudo -i

# Create a directory for the CA and switch to it
mkdir /root/ca
cd /root/ca

# Create some (necessary) directories
mkdir newcerts certs crl private requests

# Get a copy of the standard SSL configuration
cp /etc/ssl/openssl.cnf ./config.txt

# Create some necessary files
touch index.txt
echo '01' > serial
[/cce_bash]

 

2. Generate the CA’s Private Key

Now that all the files and folders are prepared, the CA’s private key can be generated:

[cce_bash line_numbers=’false’]
openssl genrsa -des3 -out private/cakey.pem 4096
[/cce_bash]

The output should look like this:

[cce line_numbers=’false’]
root@acidx:~/ca# openssl genrsa -des3 -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
.........++
...............................................++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
[/cce]

 

3. Create the CA Root Certificate

To create the certificate, enter:

[cce_bash line_numbers=’false’]
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
[/cce_bash]

The output should look like this:

[cce line_numbers=’false’]
root@acidx:~/ca# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bremen
Locality Name (eg, city) []:Bremen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AcidX Corporation
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:AcidX CA
Email Address []:admin@acidx.net
[/cce]

 

4. Edit the Config File

In the config.txt file the following changes are necessary:

[ CA_default ] section

[cce_bash line_numbers=’false’]
dir = /root/ca # Where everything is kept
default_days = 3650 # how long to certify for
[/cce_bash]

[ policy_match ] section

[cce_bash line_numbers=’false’]
stateOrProvinceName = supplied
organizationName = supplied
[/cce_bash]

 

2. Limit Access Rights

Make sure that only root can access the CA folder and especially the private key:

[cce_bash line_numbers=’false’]
# Remove all permissions for group and others. Using go-rwx instead of a numeric
# 600 keeps the execute bit on the directories, so they stay traversable by their owner.
chmod -R go-rwx /root/ca
[/cce_bash]

 

3. Certificate Signing Request (CSR)

Now that the CA is set up, it is ready to sign certificate requests. To create a CSR, type:

[cce_bash line_numbers=’false’]
cd /root/ca/requests
# Generate the webserver's private key (passphrase-protected)
openssl genrsa -des3 -out webserverkey.pem 2048
# Create the CSR. Note: -days has no effect on a CSR; the validity period is set by the CA at signing time (default_days)
openssl req -new -key webserverkey.pem -out webservercert.csr -days 3650
[/cce_bash]

The output should look like:

[cce line_numbers=’false’]
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bremen
Locality Name (eg, city) []:Bremen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AcidX Corporation
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:webserver.acidx.net
Email Address []:admin@acidx.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
[/cce]

 

4. Sign the CSR

To sign the CSR, type:

[cce_bash line_numbers=’false’]
openssl ca -in webservercert.csr -out webservercert.pem -config /root/ca/config.txt
[/cce_bash]

Now you can use the webservercert.pem certificate to secure your webserver. A copy of it is automatically kept in the newcerts folder. cacert.pem is your root certificate, which your clients need to install in order to trust the certificates signed by your CA.
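As an added example (not the article's own commands), the procedure above condensed into a non-interactive shell script: it builds a throwaway CA in the same directory layout, issues one server certificate with openssl ca, and then runs the checks worth doing before deployment, namely that the certificate verifies against the root, that the private key actually belongs to the certificate, that the human-readable dump openssl ca prepends to the output file is stripped, and that the CA key is readable by its owner only. The temporary directory, the CA name and webserver.example.test are constructed values, and the keys are written without a passphrase (no -des3) purely so the script runs unattended.

```shell
#!/bin/sh
set -eu
build_ca_and_cert() {   # $1 = empty directory for the CA (constructed, throwaway)
  ca=$1; r=$ca/requests
  mkdir -p "$ca/newcerts" "$ca/private" "$r"; touch "$ca/index.txt"; echo 01 >"$ca/serial"
  cat >"$ca/config.txt" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 3650
policy = policy_match
[ policy_match ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null   # no -des3 only so this runs unattended
  chmod 600 "$ca/private/cakey.pem"                               # the howto's "limit access rights" step
  openssl req -new -x509 -config "$ca/config.txt" -key "$ca/private/cakey.pem" \
    -subj "/CN=Example Test CA" -days 3650 -out "$ca/cacert.pem"
  openssl genrsa -out "$r/webserverkey.pem" 2048 2>/dev/null
  openssl req -new -config "$ca/config.txt" -key "$r/webserverkey.pem" \
    -subj "/CN=webserver.example.test" -out "$r/webservercert.csr"
  openssl ca -batch -config "$ca/config.txt" -in "$r/webservercert.csr" \
    -out "$r/webservercert.pem" 2>/dev/null
}
# Check 1: the issued certificate verifies against the CA root certificate
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/requests/webservercert.pem" >/dev/null; }
# Check 2: the key belongs to the certificate (same public key); a mismatched pair is rejected by servers
key_matches_cert() {
  k=$(openssl pkey -in "$1/requests/webserverkey.pem" -pubout)
  c=$(openssl x509 -in "$1/requests/webservercert.pem" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]; }
# Check 3: openssl ca writes a text dump before the PEM block; strip it to bare PEM for deployment
clean_pem() { openssl x509 -in "$1/requests/webservercert.pem" -out "$1/requests/webservercert.clean.pem"
  [ "$(head -n 1 "$1/requests/webservercert.clean.pem")" = "-----BEGIN CERTIFICATE-----" ]; }
key_is_private() { ls -l "$1/private/cakey.pem" | cut -c5-10 | grep -q '^------$'; }  # Check 4: owner-only
d=$(mktemp -d); build_ca_and_cert "$d"; verify_chain "$d" && key_matches_cert "$d" && clean_pem "$d" && key_is_private "$d" && echo "checks passed: $d"
```

Unlike the -set_serial 0 in step 3, the script lets OpenSSL choose the root certificate's serial number, because RFC 5280 requires the serial to be a positive integer.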

9 Comments

  1. Thank you for this simple howto. Using this and a cisco doc, I was able to create and self-sign 2 certificates for my routers, which are then using those certs to secure a vpn tunnel.

    Rob.

  2. Hi,

    I’m getting the following error. Do you have any idea why?

    Error opening Private Key tomcat.pem
    3074210056:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('tomcat.pem','r')
    3074210056:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load Private Key

    Thanks.

  3. Which command results in that error? Are you executing the command as root?

  4. Hi, how do you install cacert.pem onto a client? In my situation I am using Windows, so any help with this in as much detail, or any easy-to-follow links you have, would be good. Thanks.

  5. On Windows 7 it can be installed as follows:
    – Press [Winkey]+[R], type “mmc” and hit Enter
    – Press [Ctrl]+[M] to add a new Snap-In
    – Add the “Certificates” Snap-In
    – Select “My User Account” if you want to install the certificate for the current user only or select “Computer Account” if you want to install it for all users
    – In the Snap-In go to "Trusted Root Certification Authorities" -> "Certificates"
    – Click on menu "Action" -> "All Tasks" -> "Import"
    – Select your cacert.pem (in the file selection dialogue you have to set the dropdown box to “All files (*.*)”)

  6. I am getting this
    ###openssl ca -in webservercert.csr -out webservercert.pem -config /root/ca/config.txt

    Using configuration from /root/ca/config.txt
    Error opening CA private key ca/private/cakey.pem
    140461848409760:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('ca/private/cakey.pem','r')
    140461848409760:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

  7. Is the “dir” entry in config.txt correct (should be /root/ca) and does the private key exist at the expected location (/root/ca/private/cakey.pem)?

  8. Yes, I too am seeing the same errors -
    I am getting this
    ###openssl ca -in webservercert.csr -out webservercert.pem -config /root/ca/config.txt

    Using configuration from /root/ca/config.txt
    Error opening CA private key ca/private/cakey.pem
    140461848409760:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('ca/private/cakey.pem','r')
    140461848409760:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

    And yes, I've already confirmed that the "dir" entry in config.txt is correct (/root/ca) and that the private key exists at the expected location (/root/ca/private/cakey.pem).

  9. Hello,

    This is a great tutorial; it got me up the road a lot further than I was. However, I am not understanding why some of these (for example: QNAP) are asking for a private key. I generated the CSR and the cert was generated, but when/where is the key generated?

    -rw-r--r-- 1 root root 1066 Dec 9 08:33 cfsan02.csr
    -rw-r--r-- 1 root root 1743 Dec 9 08:30 cfsan02_key.pem
    -rw-r--r-- 1 root root 5880 Dec 9 08:39 cfsan02_cfs_loc.pem

    When I use the cert cfsan02_cfs_loc.pem and the cfsan02_key.pem it tells me the key is in error. Could you shed some light on this for me please.

    Thanks,
    Michael
