How to Create Self-Signed SSL Certificates (Part 1)
As more and more programs realise the importance of security many are turning to SSL to secure connections between clients and servers anyone who has spent any time with SSL probably knows that SSL certificates can be quite expensive. However there are times when it simply isn’t necessary to pay for an SSL certificate, there is an alternative, and even better is its free!
In this first guide I will explain how to generate your own Root Certificate and then in the next part I will show how you can then use this Root Certificate to sign your own certificates, the final part of this series will explain how to then deploy the certificate using Group Policy.
This magical alternative is to sign your own SSL certificates, however many people are put off this because of the warnings web browsers generate these days when then encounter a self-signed SSL certificate. For Internal deployments though, self-signed certificates are a perfectly valid option as it is possible to deploy the certificates so users don’t receive any warnings. Of course, even this can get tedious as for each new or renewed certificate you have to ensure this is deployed correctly for all your users, if you have a number of different web pages or web-apps that you want to secure this can quickly create additional work and take up time you could be spending on other things.
Don’t worry though, there is a better option! This is to become your own Root Certificate Authority and then use this to sign your certificates, that way all you need to do is to deploy the one Root Certificate to your users and then any certificate that you sign with it is automatically trusted and no warnings are displayed. This method allows you to secure any number of services or websites using an SSL certificate that you know will be accepted by their browser.
For this series of guides I will be using OpenSSL from within a Cygwin install, this requires a little bit of additional work to setup but will make it much easier to work in and troubleshoot any problems as the vast majority of guides on the Internet are for OpenSSL running under Linux so knowing that you can refer to them for additional help (or if you want to use some of the more advanced options). Of course, if you already have access to a Linux box then you can use that too, the commands will be the same however you may find that some of the files referenced are in different locations depending on your Linux distribution. It is also possible to install OpenSSL within Windows natively however this is not recommended and is not something that I will cover in these guides.
To get started you should install Cygwin either on your desktop or on a test server – do not install it on a production server! You should also install the OpenSSL package in Cygwin too, see my previous blog post for instructions on how to do this.
Using a tool such as Notepad++ open the file c:\cygwin\usr\ssl\openssl.cnf and find the section beginning with [ CA_default ], edit this section so that is looks like this:
[ CA_default ] dir = /etc/ssl # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/CA/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/certs/cacert.pem # The CA certificate serial = $dir/CA/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem # The private key RANDFILE = $dir/private/.rand # private random number file
Open a Cygwin command shell and create the directories that we need:
Create a certificate index file:
echo "01" > /etc/ssl/CA/serial touch /etc/ssl/CA/index.txt
Now we can generate the Root Certificate that will be used to sign every certificate:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
During this process you will be asked for a private key – this needs to be a complex password and should be kept secure as it will be needed to sign any future certificates and if compromised would allow someone to generate certificates in your name!
This will generate two files, cakey.pem which is your private key for the Root Certificate, copy it to correct folder and make a backup to somewhere secure, without this you wont be able to sign any certificates. The file cacert.pem is the new Root Certificate that we will use to sign our other certificates and eventually we will deploy this Root Certificates to our users, for now though lets move the certificates to the correct folders:
mv /home/Administrator/cakey.pem /etc/ssl/private mv /home/Administrator/cacert.pem /etc/ssl/certs
In the next part of the series I will show you how to generate a pair of keys and use these to create a Certificate Signing Request which we will then fulfil with our new Root Certificate resulting in a Self-Signed Certificate that can be used in any web site or application that requires it.