[{"data":1,"prerenderedAt":485},["ShallowReactive",2],{"Categories":3,"NavIndexCategoriesCountFooter":203,"content-\u002F2008\u002F08\u002F09\u002Fusing-a-self-generated-certificate-authority-for-openssl-on-debian-etch\u002F":204},[4,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,68,70,71,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202],{"category":5},"System Administration",{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},"Software Development",{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":27},{"category":27},{"category":67},"Drones & RC",{"category":69},"DIY Projects",{"category":67},{"category":72},"Photography",{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":67},{"category":67},{"category":72},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":5},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":67},{"category":67},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":72},{"category":67},{"category":138},"3D Printing - Laser Cutting - CNC",{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":5},{"category":138},{"category":27},{"category":27},{"category":138},{"category":138},{"category":72},{"category":158},"Photography,3D Printing - Laser Cutting - CNC",{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":67},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":181},"Home Assistant",{"category":181},{"category":72},{"category":27},{"category":27},{"category":72},{"category":138},{"category":5},{"category":72},{"category":72},{"category":138},{"category":27},{"category":181},{"category":181},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},191,{"id":205,"title":206,"body":207,"category":5,"date":470,"description":213,"embedImage":471,"extension":472,"image":471,"intro":471,"meta":473,"navigation":474,"path":475,"seo":476,"series":471,"sitemap":477,"stem":478,"tags":479,"__hash__":484},"content\u002F2008\u002F08\u002F09\u002Fusing-a-self-generated-certificate-authority-for-openssl-on-debian-etch.md","Using a self-generated Certificate Authority for OpenSSL on debian etch",{"type":208,"value":209,"toc":467},"minimark",[210,214,217,220,223,226,237,240,246,249,255,262,268,270,276,279,285,287,293,296,302,304,310,313,316,319,325,341,344,347,350,353,359,362,368,371,383,386,389,404,407,410,416,428,431,434,437,443,446,449,452,455,458,464],[211,212,213],"p",{},"I've been using self-signed certificates for a while - but - that means getting the users to approve them each time they change. Instead - lets generate a Certificate Authority (CA) certificate with a reasonably long life - get them to install that and then new certificates signed with that will be valid for them.",[211,215,216],{},"We will install a CA area on \u002Fetc\u002Fssl\u002Fca and then create a certificate signed with this.",[211,218,219],{},"###Setup",[211,221,222],{},"We're going to use the script CA.pl which on debian is installed on \u002Fusr\u002Flib\u002Fssl\u002Fmisc. But - we need to make some changes",[211,224,225],{},"First - in CA.pl itself - change the variables near the top for DAYS (default certificate length) and CADAYS (default CA certificate length). By default they are for 1 and 3 years - I went with 10 and 15 - since I'm lazy :)",[227,228,233],"pre",{"className":229,"code":231,"language":232},[230],"language-text","$DAYS=\"-days 3650\";     # 10 years\n$CADAYS=\"-days 5475\";   # 15 years\n","text",[234,235,231],"code",{"__ignoreMap":236},"",[211,238,239],{},"The CA.pl script makes everything in paths relative to your current working directory. This is fine for new certificates, requests etc - but not for the CA files themselves. Find and change",[227,241,244],{"className":242,"code":243,"language":232},[230],"$CATOP=\"demoCA\";\n",[234,245,243],{"__ignoreMap":236},[211,247,248],{},"to",[227,250,253],{"className":251,"code":252,"language":232},[230],"$CATOP=\"\u002Fetc\u002Fssl\u002Fca\";\n",[234,254,252],{"__ignoreMap":236},[211,256,257,258,261],{},"One more change - the default CA certificates key is 1024 bits RSA. I would like 2048. So - search down to ",[234,259,260],{},"  print \"Making CA certificate ...\\n\";",". The line after that needs changing from",[227,263,266],{"className":264,"code":265,"language":232},[230],"system (\"$REQ -new -keyout \" .\n",[234,267,265],{"__ignoreMap":236},[211,269,248],{},[227,271,274],{"className":272,"code":273,"language":232},[230],"system (\"$REQ -newkey rsa:2048 -keyout \" .\n",[234,275,273],{"__ignoreMap":236},[211,277,278],{},"Finally - we need to match changes in \u002Fetc\u002Fssl\u002Fopenssl.cnf",[227,280,283],{"className":281,"code":282,"language":232},[230],"dir = .\u002FdemoCA\n",[234,284,282],{"__ignoreMap":236},[211,286,248],{},[227,288,291],{"className":289,"code":290,"language":232},[230],"dir = \u002Fetc\u002Fssl\u002Fca\n",[234,292,290],{"__ignoreMap":236},[211,294,295],{},"And",[227,297,300],{"className":298,"code":299,"language":232},[230],"default_days    = 365\n",[234,301,299],{"__ignoreMap":236},[211,303,248],{},[227,305,308],{"className":306,"code":307,"language":232},[230],"default_days    = 3650\n",[234,309,307],{"__ignoreMap":236},[211,311,312],{},"You can also if you wish change the default certificate parts (country, section etc) lower down in this file. You'll be able to overwrite each entry at certificate creation time - but this allows you to set useful defaults.",[211,314,315],{},"###Generate the CA",[211,317,318],{},"Run the following:",[227,320,323],{"className":321,"code":322,"language":232},[230],"\u002Fusr\u002Flib\u002Fssl\u002Fmisc\u002FCA.pl -newca\n",[234,324,322],{"__ignoreMap":236},[326,327,328,332,335,338],"ul",{},[329,330,331],"li",{},"Press return for the CA certificate file name.",[329,333,334],{},"It will ask for A PEM pass phrase - choose a good one - this protects your CA certificate's key.",[329,336,337],{},"It will ask for certificate details (country etc) - enter whatever is appropriate for you.",[329,339,340],{},"It will then try to create the certificate with the newly signed key (using the openssl.cnf config) - you will have to give the password you entered above.",[211,342,343],{},"Your new cacert.pem file is now in \u002Fetc\u002Fssl\u002Fca\u002Fcacert.pem and can be distributed for installation in browsers etc.",[211,345,346],{},"###Create a PKCS12 version of the certificate",[211,348,349],{},"Some systems want the certificate in pkcs12 format:",[211,351,352],{},"From the \u002Fetc\u002Fssl\u002Fca directory run",[227,354,357],{"className":355,"code":356,"language":232},[230],"openssl pkcs12 -export -in cacert.pem -inkey private\u002Fcakey.pem -out cacert.p12\n",[234,358,356],{"__ignoreMap":236},[211,360,361],{},"Opera will not accept this - it believes that both the key and the certificate in this file should be encrypted. I'm still working on this one - at present I've used:",[227,363,366],{"className":364,"code":365,"language":232},[230],"openssl pkcs12 -export -in cacert.pem -inkey private\u002Fcakey.pem -descert -out cacert.des.p12\n",[234,367,365],{"__ignoreMap":236},[211,369,370],{},"And Opera will at least import it - but - it places it in the Personal Client certificate list instead of the Authorities tab - despite being on the Authorities tab on import. I will update this if I find out what needs to be done.",[211,372,373,374],{},"More info on ",[375,376,377],"a",{"href":377,"rel":378,"target":382},"http:\u002F\u002Fmy.opera.com\u002Fcommunity\u002Fforums\u002Ftopic.dml?id=245482",[379,380,381],"nofollow","noopener","noreferer","_blank",[211,384,385],{},"###Generating certificates",[211,387,388],{},"This goes through the following process:",[390,391,392,395,398,401],"ol",{},[329,393,394],{},"Generate a certificate request",[329,396,397],{},"Send this for signing",[329,399,400],{},"Receive the signed certificate",[329,402,403],{},"Install it",[211,405,406],{},"Of course - as your own CA you will be sending it to yourself and signing it yourself.",[211,408,409],{},"####Generating a certificate request",[227,411,414],{"className":412,"code":413,"language":232},[230],"\u002Fusr\u002Flib\u002Fssl\u002Fmisc\u002FCA.pl -newreq\n",[234,415,413],{"__ignoreMap":236},[211,417,418,419,423,424,427],{},"This will prompt you for the certificate details. The ",[420,421,422],"em",{},"vital"," point is that the CN of the certificate ",[420,425,426],{},"must"," be the domain name of the site you wish to secure. You can use *.example.com for a wildcard certificate (everything under example.com).",[211,429,430],{},"This will generate a newkey.pem and a newreq.pem. newkey.pem you need to keep for later - newreq.pem you would send off for signing - in this case to yourself - but you could also use it for purchasing a real certificate.",[211,432,433],{},"####Signing a certificate request",[211,435,436],{},"Given a newreq.pem in the current working directory run",[227,438,441],{"className":439,"code":440,"language":232},[230],"\u002Fusr\u002Flib\u002Fssl\u002Fmisc\u002FCA.pl -sign\n",[234,442,440],{"__ignoreMap":236},[211,444,445],{},"This will sign the request and generate a newcert.pem with the signed certificate.",[211,447,448],{},"####Installing the certificates",[211,450,451],{},"The installation will depend on what software you are using. You will need the newkey.pem and newcert.pem - rename them to something useful - like domainname.key and domainname.cert.",[211,453,454],{},"Some software will not accept the extra information in the certificate file - you can strip out everything apart from the lines \"-----BEGIN CERTIFICATE-----\" up to and including \"-----END CERTIFICATE-----\".",[211,456,457],{},"Note - your key has a passphrase assigned during the -newreq phase. If you want your software to autostart this won't work - since it prompts for the password. To remove a passphrase:",[227,459,462],{"className":460,"code":461,"language":232},[230],"openssl rsa -in newkey.pem -out newkey.nopass.pem\n",[234,463,461],{"__ignoreMap":236},[211,465,466],{},"This will prompt you one last time and then generate a non-passphrase key file that you can use instead.",{"title":236,"searchDepth":468,"depth":468,"links":469},2,[],"2008-08-09 09:40:47 +0200",null,"md",{},true,"\u002F2008\u002F08\u002F09\u002Fusing-a-self-generated-certificate-authority-for-openssl-on-debian-etch",{"title":206,"description":213},{"loc":475},"2008\u002F08\u002F09\u002Fusing-a-self-generated-certificate-authority-for-openssl-on-debian-etch",[480,481,482,483],"debian","ssl","openssl","ca.pl","0Md82nbCMVWaQRU6GgNbEXgj7rz6Bsolit6pt1wmszU",1775293015324]