On Thu, 4 Aug 2011, Bernhard Fröhlich wrote:
Am 04.08.2011 08:23, schrieb Tomas Macek:
We have some web servers and I want to create self-signed certificates for
them.
What do I want:
- I want to create my own certification authority keys and certificate,
that will be imported to all web browsers of our employees
- I want to create certificates that will be signed by my own
certification authority (previous step) and include them in the
apache/httpd configuration. I don't want our employees to be warned that
the certificate is not trusted (I cannot buy a REAL trusted certificate).
Reading the FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29, reading
CA.pl from openssl-perl and discussions on inet for 2 days gave me these
steps, which I have already performed:
1) creating my own CA:
openssl genrsa -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key.unsecure ca.key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
2) creating my own server key and certification request:
openssl genrsa -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key.unsecure server.key
openssl req -new -key server.key -out server.csr
3) signing the request by my own CA (see step 1):
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl -out server.crt
4) I have imported the ca.crt into the web browser
5) the server.key and server.crt were included in the apache/httpd
configuration
After these steps the web page looks secured and no warning appears when I
enter the page.
Question:
---------------
Do you see anything bad about these steps, or can you please recommend
any further steps to make things proper?

The process looks good to me, though I'm not totally sure about step #3. I
use the "openssl ca ..." command to sign my certificates; it needs a config
file but also keeps an index file and an archive structure of issued
certificates, which is (IMHO) worth the work.

I have seen some users on inet using this, but the configuration of
openssl.cnf is absolutely confusing for me; there are too many options, and
these steps seemed simpler to me, so I tried these steps and hoped
they would be OK.

But, are you sure that you want to keep your CA key unprotected? I'd advise
strongly against this. Issuing server certificates should be seldom enough to
do it manually by entering a password...
One hint: You probably won't be happy with a CA certificate expiring in one
year, since all your created certificates will be considered invalid once the
CA certificate becomes invalid.
So I'm quite sure you'll want to use at least 5 years as the expiry time for
your CA, or even more if distributing the CA certificate is some work.

Thank you Ted, sure, I will prolong the 1 year to something more... 20
years for example :-)
Tomas
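As an added example (not code from the thread or from either poster), here is the "openssl ca" workflow Bernhard recommends, with the two changes he suggests: the CA key stays encrypted, and the CA certificate gets a 5-year lifetime. The directory layout, host names and demo passphrase are constructed; 2048-bit keys, AES-256 key encryption and a subjectAltName on the server certificate are assumptions of this example, not values from the thread.

```shell
# Added example, not from the thread: the "openssl ca" workflow Bernhard describes,
# with an index/serial database, an encrypted CA key and a 5-year CA certificate.
# The directory layout, host names and demo passphrase are constructed.
set -e

ca_setup() {        # directory layout and config that "openssl ca" expects
    dir=$1
    mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 1000 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_cn
[ policy_cn ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName    = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}
ca_create() {       # AES-encrypted CA key and self-signed CA cert valid 5 years
    dir=$1 pass=$2
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1825 -key "$dir/ca.key" -passin "pass:$pass" \
        -subj "/CN=Example Internal CA" -config "$dir/openssl.cnf" \
        -extensions v3_ca -out "$dir/ca.crt"
}
ca_sign_server() {  # key and CSR for one host, signed through the CA database
    dir=$1 pass=$2 host=$3
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -config "$dir/openssl.cnf" -out "$dir/$host.csr"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$dir/$host.ext"      # browsers match the host name via the SAN
    openssl ca -batch -config "$dir/openssl.cnf" -passin "pass:$pass" \
        -extfile "$dir/$host.ext" -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}
ca_verify() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null; }  # chains to our CA?
ca_issued_count() { grep -c '^V' "$1/index.txt"; }  # 'V' rows are valid issued certs
```

Each signing appends a row to index.txt and files a copy under newcerts/, which is the audit trail the plain "openssl x509 -req" step lacks.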