How To Sign Your Own Certificates

BACKGROUND

Many organizations wish to take advantage of SSL and certificate-based security for internal purposes such as securing e-mail access or internal secure websites. However, the cost of obtaining large numbers of certificates from a trusted certificate authority such as Verisign seem unwarranted when the certificates are for internal use only.

The obvious solution is to become an independent certificate authority and use the organization's existing authority channels to distribute certificate information. However, this process has historically been somewhat difficult. This document attempts to distill information available from a variety of sources into a simple set of instructions suitable for someone who wishes to get the job done without necessarily becoming an expert in the area.

This document assumes that the reader has access to a Unix system with OpenSSL (www.openssl.org) and Apache's mod_ssl (www.mod_ssl.org) installed. The use of stunnel (www.stunnel.org) is assumed for protocol servers that do not innately support SSL.

Document Conventions

Black Text represents output from the software or prompts for information that will appear.

Green Text represents commands or information that (at least the first time) can be entered exactly as shown.

Red Text represents commands or information that must be customized to the particular situation before being entered. For example, WWWI should be changed to the name of your own organization.

Following this document will require two PEM pass phrases (passwords), which will be very important to remember, and to differentiate. These phrases will be referred to as PassPhrase1 and PassPhrase2 in the text. Treat these pass phrases with the same level of security as a system root password.

CREATING AND SIGNING CERTIFICATES

  1. Create a self-signed Certificate Authority (CA) key and certificate:

    YourPrompt> openssl genrsa -des3 -out ca.key 1024
    Generating RSA private key, 1024 bit long modulus
    ....................++++++
    .......++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase: PassPhrase1
    Verifying password - Enter PEM pass phrase: PassPhrase1
    YourPrompt>

  2. Use the CA key to create a self-signed certificate:

    YourPrompt> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    Using configuration from /etc/ssl/openssl.cnf
    Enter PEM pass phrase: PassPhrase1
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]:Texas
    Locality Name (eg, city) []:Montgomery
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:WWWI
    Organizational Unit Name (eg, section) []:WWWI Certificate Authority
    Common Name (eg, YOUR name) []:WWWI CA
    Email Address []:. (<-- NOTE: that's a green dot!)
    YourPrompt>

    This will give you a CA key (ca.key) and a certificate (ca.crt). Keep backups of both of these and PassPhrase1 in a secure location.

  3. Create a server key for the server/service to secure:

    YourPrompt> openssl genrsa -out my_imap.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..........................................+++
    .........................+++
    e is 65537 (0x10001)
    YourPrompt>

  4. Generate a certificate request for the server key:

    YourPrompt> openssl req -new -key my_imap.key -out my_imap.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Texas
    Locality Name (eg, city) []:Montgomery
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:WWWI
    Organizational Unit Name (eg, section) []:WWWI Email Services
    Common Name (eg, YOUR name) []:imap.wwwi.com
    Email Address []:.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.
    YourPrompt>

    A key part of this step is that the "Common Name (eg, YOUR name)" above must be the DNS name of the server as it will be seen from the client (i.e. "imap.wwwi.com").

  5. Sign the certificate signature request with your CA key:

    YourPrompt> .../path/to/mod_ssl/pkg.contrib/sign.sh my_imap.csr
    CA signing: my_imap.csr -> my_imap.crt:
    Using configuration from ca.config
    Enter PEM pass phrase:PassPhrase1
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName :PRINTABLE:'US'
    stateOrProvinceName :PRINTABLE:'Texas'
    localityName :PRINTABLE:'Montgomery'
    organizationName :PRINTABLE:'WWWI'
    organizationalUnitName:PRINTABLE:'WWWI Email Services'
    commonName :PRINTABLE:'imap.wwwi.com'
    Certificate is to be certified until Jan 20 21:35:12 2003 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    CA verifying: my_imap.crt <-> CA cert
    my_imap.crt: OK

    This will give you a server key (my_imap.key) a server certificate request that will no longer be used (my_imap.csr) and a server certificate (my_imap.crt).

  6. Create Diffie-Hellman parameters with the following command:

    YourPrompt> openssl gendh -out my_imap.dh 1024
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    .................+............................................................+.
    [... it wasn't kidding about taking a long time, it goes on and on like this ...]
    .................................++*++*++*

    This will give you server DH parameters (my_imap.dh).

  7. Create a PEM file called my_imap.pem containing pieces from three other files as follows:

    -----BEGIN RSA PRIVATE KEY-----
    [encoded key]
    -----END RSA PRIVATE KEY-----
    [empty line]
    -----BEGIN CERTIFICATE-----
    [encoded certificate]
    -----END CERTIFICATE-----
    [empty line]
    -----BEGIN DH PARAMETERS-----
    [encoded key]
    -----END DH PARAMETERS-----

    The RSA private key portion is in my_imap_nopw.key.
    The Certificate portion is in my_imap.crt. (There is a bunch of extra junk in this file that isn't used, only include the part from ----BEGIN to -----END inclusive.
    The DH Parameters portion is in my_imap.dh.

    I use cat, vi, and cut and past to accomplish this. If you use cat to concat the files, make sure to delete the extra from the Certificate portion, and make sure there is a blank line between each of the three sections.

  8. Set the permissions on the PEM file:

    YourPrompt> chmod 400 my_imap.pem

  9. Move the PEM file into your SSL certs directory (often /usr/local/ssl/certs) and point stunnel at it in inetd.conf: 

    imap4s  stream  tcp     nowait  root    /usr/local/sbin/stunnel stunnel -p/usr/local/ssl/certs/my_imap.pem -l /usr/local/sbin/imapd

Repeat steps 2-7 for POP, HTTPS, SMTP, and any other secure server names that your organization may require. Don't forget to HUP inetd after changing inetd.conf. When providing secure SMTP via stunnel, certain older versions of Microsoft Outlook do not require the "-n smtp" option to stunnel. Most other email clients (including Outlook XP) do.

CLIENT SUPPORT

Finally, the CA certificate must be installed on each client machine. That can be done on Windows 2000 and Windows XP with these steps:

  1. Copy the ca.crt file to ca.cer on the Windows machine.
  2. Right click it, pick "Install Certificate".
  3. Click "Next".
  4. Click "Place all certificates in the following store"
  5. Click "Browse..."
  6. Click "Trusted Root Certification Authorities" and click "Ok".
  7. Click "Next".
  8. Click "Finish".
  9. Click "Yes".
  10. Click "Ok".
THANKS

This document was made possible by information gathered from the following sources. Thanks to:

AUTHOR

This document was written by Jeffrey D. Wheelhouse (jdw@wheelhouse.org). This is version 1.1.1, created January 20, 2002 and last updated October 31, 2002. Comments, suggestions, and corrections are welcomed via email. This document and its contents are placed into the public domain for unlimited use and distribution.

HISTORY

1.1.1 (October 31, 2002)
Updated contact info.
1.1 (October 21,2002)
Removed steps involving a DES-encrypted server key that is never used. Broke up run-on steps.
1.0.1 (February 2, 2002)
Fixed minor typos.
1.0 (January 20, 2002)
Initial version.

WWWI | Software | SSL | Sign Own