How to create your own CA root certificate


Self-signed certificates are a poor fit for anything reachable over the internet. When the browser asks you to add an exception, nothing tells you whether the certificate in front of you is yours or one substituted by your government or ISP in a man-in-the-middle position; short of comparing the fingerprint out of band, you cannot easily tell.

So how do you solve this? By creating your own CA certificate and importing it either into your operating system's trust store or into Firefox's own certificate authority list.

This turns the self-signed TLS warning into the normal padlock and lets the browser check that the connection to your server has not been tampered with: if someone interposes a certificate your CA did not sign, the browser warns instead of silently connecting. The flip side is that anyone holding the CA key can mint a valid certificate for any domain your browser trusts, so the CA key deserves the same protection as a password database (encrypted at rest, not copied onto the web server).

Why not use a Let's Encrypt certificate? There are cases where the service you expose is strictly private (a Nextcloud instance, a music server, internal documentation) and there is no public domain name pointing at your server, only a local DNS server or a custom /etc/hosts entry, so Let's Encrypt has no way to validate the name.

With the background on why and when your own CA certificate is needed out of the way, let's get started!


Create your CA root certificate


First, create the CA signing key, the key that will sign every certificate issued by us.
Use a strong key and a strong passphrase: -aes256 encrypts the key file so it is useless to anyone who copies it without the passphrase.

openssl genrsa -aes256 -out AGUAKTECH.key 4096

Create the PEM (crt) file for your CA certificate (valid for 10 years). openssl prompts for the key passphrase and for the distinguished name; the CN you enter is what shows up as the issuer in the browser. The default openssl.cnf applies its v3_ca section here, which marks the certificate as a CA (basicConstraints CA:TRUE); without that marking, browsers refuse to use it as a trust anchor.

openssl req -x509 -new -key AGUAKTECH.key -sha256 -days 3650 -out AGUAKTECH.pem


Create a key and signing request for your application


Generate a new private key for our server/domain

openssl genrsa -out yourdomain.com.key 4096

Generate a san.cnf signing-request config and fill in your domain information. The subjectAltName is what matters: Chrome ignores the CN entirely and only matches the hostname against the SAN, so a certificate without one is rejected even when correctly signed.

yourdomain.com.san.cnf
[ req ]
# default_bits and encrypt_key only matter if req generates the key itself;
# harmless here because we pass the key with -key
default_bits = 4096
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
 
[ dn ]
# you can choose to use a wildcard or not
#CN = *.yourdomain.com
CN = yourdomain.com
O = Your Domain
OU = Your Domain
L = Los Angeles
ST = California
# two-letter ISO 3166 country code
C = US
 
[ req_ext ]
subjectAltName = DNS:*.yourdomain.com, DNS:yourdomain.com

Now create a CSR (certificate signing request) from the san.cnf config file:

openssl req -new -config yourdomain.com.san.cnf -key yourdomain.com.key -out yourdomain.com.csr


Sign your CSR with your CAcert key


Given the CSR (generated by the requester, which in this setup is also us), have the CA sign it to produce the .crt file. Note that openssl x509 -req does not copy extensions from the CSR: without -extfile/-extensions the signed certificate would carry no subjectAltName at all, and browsers would reject it. Pointing -extfile at the same san.cnf and selecting its req_ext section re-applies the SAN. (OpenSSL 3.x also accepts -copy_extensions copy for the same purpose.)

# Expiration time
# paranoid: 1 year max
# normal: 2-3 years
# stupid: 10 years
openssl x509 -req -in yourdomain.com.csr -CA AGUAKTECH.pem -CAkey AGUAKTECH.key -CAcreateserial -extfile yourdomain.com.san.cnf -extensions req_ext -out yourdomain.com.crt -days 365 -sha256
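The whole flow end to end, as an added example script that is not part of the original page: it builds the CA, the server key and CSR, signs the CSR with the SAN carried over, signs it once more the naive way to show the SAN going missing, and verifies the result against the root. The file names follow the page; CA_PASS, WORK, the v3_ca and server_ext extension sections and the helper function names are this example's assumptions.

```shell
#!/bin/sh
# Added example for this tutorial, not the page's original command set.
# Assumptions: CA_PASS (passphrase read from the environment so the run is
# unattended; interactively just omit -passin/-passout), WORK (scratch dir),
# and the v3_ca / server_ext extension sections defined below.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to do" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
CA="AGUAKTECH"
DOMAIN="yourdomain.com"
export CA_PASS="${CA_PASS:-replace-with-a-strong-passphrase}"

write_configs() {
  # CA config: prompt=no so the DN comes from the file, v3_ca marks it as a CA.
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = ca_dn
x509_extensions = v3_ca

[ ca_dn ]
CN = $CA Root CA
O = $CA
C = US

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
  # Server config: req_ext goes into the CSR, server_ext is what the CA applies.
  cat > "$WORK/$DOMAIN.san.cnf" <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = $DOMAIN
O = Your Domain
C = US

[ req_ext ]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
}

make_ca() {
  # Encrypted 4096-bit CA key, then a self-signed root valid 10 years.
  openssl genrsa -aes256 -passout env:CA_PASS -out "$WORK/$CA.key" 4096
  openssl req -x509 -new -config "$WORK/ca.cnf" -key "$WORK/$CA.key" \
    -passin env:CA_PASS -days 3650 -out "$WORK/$CA.pem"
}

make_csr() {
  # Unencrypted server key (the web server must read it unattended), kept 0600.
  openssl genrsa -out "$WORK/$DOMAIN.key" 4096
  chmod 600 "$WORK/$DOMAIN.key"
  openssl req -new -config "$WORK/$DOMAIN.san.cnf" -key "$WORK/$DOMAIN.key" \
    -out "$WORK/$DOMAIN.csr"
}

sign_csr() {
  # Correct signing: -extfile/-extensions re-applies the SAN and server usage.
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/$CA.pem" -CAkey "$WORK/$CA.key" \
    -passin env:CA_PASS -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$DOMAIN.san.cnf" -extensions server_ext -out "$WORK/$DOMAIN.crt"
}

sign_csr_without_extensions() {
  # The naive form: the CSR's SAN is silently dropped from the issued cert.
  openssl x509 -req -in "$WORK/$DOMAIN.csr" -CA "$WORK/$CA.pem" -CAkey "$WORK/$CA.key" \
    -passin env:CA_PASS -CAcreateserial -days 365 -sha256 -out "$WORK/$DOMAIN.nosan.crt"
}

has_san() {      # exit 0 if the certificate $1 carries a dNSName SAN entry
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:'
}

verify_chain() { # exit 0 if certificate $1 chains to our root
  openssl verify -CAfile "$WORK/$CA.pem" "$1" >/dev/null
}

verify_host() {  # exit 0 if certificate $2 is valid for hostname $1
  openssl verify -CAfile "$WORK/$CA.pem" -verify_hostname "$1" "$2" >/dev/null
}

write_configs
make_ca
make_csr
sign_csr
sign_csr_without_extensions
echo "artifacts written to $WORK"
```

Compare `openssl x509 -in "$WORK/yourdomain.com.crt" -noout -text` with the .nosan.crt variant: the first lists the X509v3 Subject Alternative Name block, the second has none, which is exactly the certificate browsers reject despite a valid signature.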


Install the generated certificate


Certificate installation steps on Firefox (import the CA certificate AGUAKTECH.pem, not the server's yourdomain.com.crt; trusting the CA makes every certificate it signs trusted):

  1. Serve AGUAKTECH.pem from some http server and browse to it, or open it locally via file:///path/to/AGUAKTECH.pem (optional; the reliable route is Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import)
  2. In the trust dialog, tick "Trust this CA to identify websites" (and "identify email users" if you need S/MIME)
  3. Reload your site. Enjoy!

Certificate installation steps on a Debian-based Linux system (Optional). update-ca-certificates only picks up files ending in .crt, so the .pem must be renamed on copy. This covers curl, wget, apt and anything else using the system store; Firefox keeps its own store, so do the Firefox import as well.

# copy the .pem file to a .crt file in the appropriate path (the .crt suffix is required)
sudo cp AGUAKTECH.pem /usr/local/share/ca-certificates/AGUAKTECH.crt
# rebuild /etc/ssl/certs and the bundle
sudo update-ca-certificates


Things to consider on Reverse Proxies

  • Nginx (ssl_certificate / ssl_certificate_key) and Apache (SSLCertificateFile / SSLCertificateKeyFile) take the .crt and the .key file in separate directives.
  • HAProxy uses a packed .pem file which contains the .crt and the .key all in one (cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem). Because it holds the private key, keep it mode 0600 and owned by the user HAProxy runs as.
  • Only the server certificate and key go on the proxy; the CA key stays off the web server entirely. Clients already trust AGUAKTECH.pem locally, so it does not need to be served in the chain.
docu/tutos/misc/gen_own_trusted_ca.txt · Last modified: 2020/02/08 22:54 by admin