After spending so much time this week dealing with repercussions relating to the OpenSSL “Heartbleed” bug,
I thought it was time to go back and properly set myself up as a CA, like I had been meaning to. Why would
anybody want to do this? Well, there are a couple of good reasons.
Just like a self-signed certificate, a user will still get a security warning if he visits a site that uses
a certificate that is signed by a CA that the browser doesn’t recognize, but it’s trivially easy to import
the generated CA into the browser as a trusted CA. Once the certificate is imported, the browser will trust
the SSL’ed site just like it does that expensive Verisign cert. This is mainly convenient for personal
use, for example when securely accessing data and/or services remotely from a home network.
Another use case is securing traffic on an internal network where many services are exposed, possibly in an app
that uses a service oriented architecture. Since these are not public-facing, you simply generate a key and
cert for each service, and then import the CA certificate into each client application. Now your network traffic
is encrypted and you’re in control of the chain of trust. You can even use the optional “Organizational Unit (OU)”
field on the certificate to pass meta-data between applications in your SOA. Docker allows you to authenticate clients
in a similar fashion, which is described here.
Here’s how you’d actually go about doing this. First, be sure you have a version of openssl that has been patched
If it was built on April 7 or later, then you have a patched version. Now, generate the private key for your
new CA. Be sure to include “-des3” so your key is password-protected.
Be sure to keep this key secure. Now self-sign your own root CA key. This is apparently how all the big CA’s do it.
Ok, now you’re a CA! Congratulations! If you can somehow manage to get your cert to be shipped with any
big-name browsers or other software, you could make some serious money. But being a CA is pretty pointless
unless you sign some SSL keys, so let’s create one that we can sign. This part should be pretty familiar
if you’ve ever purchased an SSL certificate before.
Now generate the corresponding CSR:
Now for the fun part. We’ll sign the SSL key we just generated with the CA certificate and key we generated earlier:
And you’re done! You can now install the SSL cert and key on your webserver for encrypted traffic.
Oh, by the way, here’s the certificate for the CA I just created.