This guide will demonstrates how to create your own certificate authority for simple uses
I'm using ubuntu 16.04 for this, But any version should do it.
Firstly, make sure that you have updated openssl to the latest version available.
Contents:
1- Create a simple private key
2- Self-sign the certificate
3- Install the certificate to devices
4- Create a website certificate
|
|_ Create a website private key
|
|_ Create an certificate signing request
|
|_ Sign the signing request with your ca
4096: Key length
Key length can be {2048,3072,4096,7168,8192} and so on.
Remember: Anything less than 2048 is insecure nowadays and more secure on 3072,4096 and so on.
And higher key length's will require more CPU power.
I'm using ubuntu 16.04 for this, But any version should do it.
Firstly, make sure that you have updated openssl to the latest version available.
Contents:
1- Create a simple private key
2- Self-sign the certificate
3- Install the certificate to devices
4- Create a website certificate
|
|_ Create a website private key
|
|_ Create an certificate signing request
|
|_ Sign the signing request with your ca
- Prepare the working directory:
Simply create a new directory and name it as you like (change simpleca with anything):
mkdir simpleca
cd simpleca
cd simpleca
Create a simple private key
Creating a simple private key is very easy.
Make sure you don't create a key less than 2048 bits.
And also this called "Private" for a reason, if anyone have it then anyone would sign any certificate with your ca.
In this example i will create a 4096-bit key:
Make sure you don't create a key less than 2048 bits.
And also this called "Private" for a reason, if anyone have it then anyone would sign any certificate with your ca.
In this example i will create a 4096-bit key:
openssl genrsa -out rootkey.pem 4096
rootkey.pem: Output file name4096: Key length
Key length can be {2048,3072,4096,7168,8192} and so on.
Remember: Anything less than 2048 is insecure nowadays and more secure on 3072,4096 and so on.
And higher key length's will require more CPU power.
Self-sign the certificate
Simply do:
-sha256: Hash algorithm
1024: Number of days the certificate will be valid
rootcert.pem: Output certificate filename
Hash algorithm can be {-sha1,-sha224,-sha256,-sha384 and -sha512}.
Using sha1 isn't recommended.
You will be asked some info that will be on the output certificate.
Example of using sha512 and valid for 8 years:
Create a website certificate
openssl req -x509 -new -nodes -key rootkey.pem -sha256 -days 1024 -out rootcert.pem
rootkey.pem: Key filename-sha256: Hash algorithm
1024: Number of days the certificate will be valid
rootcert.pem: Output certificate filename
Hash algorithm can be {-sha1,-sha224,-sha256,-sha384 and -sha512}.
Using sha1 isn't recommended.
You will be asked some info that will be on the output certificate.
Example of using sha512 and valid for 8 years:
openssl req -x509 -new -nodes -key rootkey.pem -sha512 -days 2922 -out rootcert.pem
Install the certificate to devices
To install it into an android device you need to convert it into crt format via:
rootcert.crt: Output crt file
After that you need to copy it into the device then:
Open settings then Security then Install from SD card (From Credential storage).
For ios (skip step1): https://blogs.technet.microsoft.com/uclobby/2014/01/09/installing-private-ca-root-certificate-on-ios-devices/
openssl x509 -inform PEM -outform DER -in rootcert.pem -out rootcert.crt
rootcert.pem: Input pem filerootcert.crt: Output crt file
After that you need to copy it into the device then:
Open settings then Security then Install from SD card (From Credential storage).
For ios (skip step1): https://blogs.technet.microsoft.com/uclobby/2014/01/09/installing-private-ca-root-certificate-on-ios-devices/
- Create a website private key:
4096: Key length
- Create an certificate signing request:
websitereq.csr: Output request file
You will be asked some info that will be on the output certificate.
Note that the common name field (CN) is the website dns address.
- Sign the signing request with your ca:
rootcert.pem: Input CA certificate file
rootkey.pem: Input CA private key file
websitecert.pem: Output website certificate file
500: Number of days to sign the certificate with
openssl genrsa -out websitekey.pem 4096
websitekey.pem: Output file name4096: Key length
- Create an certificate signing request:
openssl req -new -key websitekey.pem -out websitereq.csr
websitekey.pem: Input key filewebsitereq.csr: Output request file
You will be asked some info that will be on the output certificate.
Note that the common name field (CN) is the website dns address.
- Sign the signing request with your ca:
openssl x509 -req -in websitereq.csr -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out websitecert.pem -days 500 -sha512
websitereq.csr: Input request filerootcert.pem: Input CA certificate file
rootkey.pem: Input CA private key file
websitecert.pem: Output website certificate file
500: Number of days to sign the certificate with
No comments:
Post a Comment