To self sign a certificate, to act as a CA
A topic on certificate manipulation, especially note naming convention:
http://gagravarr.org/writing/openssl-certs/ca.shtml
A topic on certificate creation with first creating a CA
RSA key length: should be at least 2048 bits, for CA maybe longer
Algorithm: MD5 no longer secure!, and clients have began to reject it (see
http://forums.mozillazine.org/viewtopic.php?f=39&t=2575295). Check to make sure certificate not signed by MD5.
(Reference: http://hostingfu.com/article/your-ssl-certificates-signed-using-vulnerable-md5)
First reference at gagravarr.org mentioned, for names in a certificate for a CA:
The common name (CN) should be something like "John Smiths CA", the organisational unit (ou) should be something like "Certificate Authority", the organisation (o) should be you're going to use for your other certificates. Set the email address to the CA contact email address. You'll quite probably want to leave the other fields blank.
For user request, it mentioned (however, I can find no source of this requirement):
Make sure you've read the section of an LDAP book on the naming scheme before proceding.
For users, the CN should be their name, for servers it should be the FQN of the server. For users, the email address should be theirs, for the server it should be the email address of the server admin. For users, the OU should be something like "People", and for servers something like "Servers" or "<function> Servers".
Second reference at www.ulduzsoft.com mentioned:
If you create the SSL certificate for your web or mail server, pay special attention to the Common Name field. You must enter there the fully-qualified domain name this certificate will serve. For example, if your web server is https://mymail.example.com your common name must be mymail.example.com. You can also use the wildcard in the first part of the domain name: a certificate with the common name such as *.example.com could be used for all subdomains of the example.com. An e-mail address must also be supplied, although it doesn’t have to be valid.
http://gagravarr.org/writing/openssl-certs/ca.shtml
openssl req -new -x509 -nodes -days 7000\
-newkey rsa:1024 \
-keyout private/secure_email.key \
-out secure_email.crt
openssl x509 -in secure_email.crt -text
openssl s_client -connect 192.168.20.11:995 -debug
http://social.rocho.org/jan/selfsign.html
Read carefully and note the follows:
(1) Do (1B), when doing the CA way, not simply "self-signed" certificate
(2) No collision between common name of CA and the certificate being signed;
Common name of CA can be something like "what ever CA"; common name of server should be the domain name
(3) When signing a request multiple times (over the years, i.e.), do with different serials
Steps:
(1) The self-signed CA
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
(2) The server request
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
(3) Signing the request
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
(4) To examine the components if you're curious:
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt
(5) To remove password protection on a key
openssl rsa -in server.key -out server.key.insecure
$ (openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
openssl rsa -noout -modulus -in server.key | openssl md5) | uniq
$ openssl req -noout -modulus -in server.csr | openssl md5
(1) Preparing CA
Create a dir, in my case at /home/bing/Documents/IT/CA
Place a file ca.cnf, use template provided by reference, and change as needed
Create dirs:
mkdir certs
mkdir private
mkdir crl
echo "01" >serial
touch index.txt
Create CA key and certificate:
OPENSSL=ca.cnf openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -out certs/ca.pem -outform PEM -keyout private/ca.key
(2) User Request
Now, as the user to request certificate from the CA, create key and request:
mkdir private_users
openssl req -newkey rsa:2048 -nodes -sha1 -keyout private_users/mshk01.key -keyform PEM -out private_users/mshk01.req -outform PEM
Do note:
for server certificate, common name needs to be the full qualified domain name, and email must be provided
(3) Sign User Request
Now, as CA, sign the user request:
mkdir cert_users
OPENSSL_CONF=ca.cnf openssl ca -batch -notext -in private_users/mshk01.req -out cert_users/mshk01.pem
(4) Optionally Convert Certificate to Another Format
For example, FireFox requires P12 format
openssl pkcs12 -export -in cert_users/bing.ren.pem -inkey private_users/bing.ren.key -out cert_users/bing.ren.p12