DIY: Create free, self-signed Certificate Authorities

Learn three methods for creating self-signed Certificate Authorities without depleting your company's IT security budget.

A Certificate Authority is an entity that issues digital certificates. These digital certificates certify the ownership of a public key associated with a host, server, client, document, and more. Digital certificates help to ensure users trust your content is actually from a reliable, safe source.

There are a variety of reasons why you might need Certificate Authorities. Whether it's for a secure site served by Apache or for LibreOffice's digital signing of documents, you need to be able to take advantage of this security feature without having to drop your department's entire budget for the certificates. Fortunately, there are ways to create self-signed certificates so you don't have to spend precious dollars that need to be used for more important projects.

If you have the right tools, it's fairly simple to create Certificate Authorities. I'll show three ways to create self-signed Certificate Authorities: via the command line, a GUI, or a Web-based service.

Command line

We'll use OpenSSL to create Certificate Authorities from the command line. Your Linux distribution should already have this tool installed, but if it doesn't, open your Add/Remove Software utility, search for openssl, and install. If you're on a Windows machine, check out this page for information on installing OpenSSL.

Within OpenSSL, there are a couple of scripts that can be used to easily create Certificate Authorities. One of the scripts is called CA.pl and will most likely be found in /usr/lib/ssl/misc/ (for your Windows installation, do a search for the CA.pl script to find its location). You will need admin rights to run the script (it can be run using sudo). You'll want to create private Certificate Authorities as well as certificates.

Creating a private Certificate Authority

  1. Open a terminal window.
  2. Change to the /usr/lib/ssl/misc directory.
  3. Issue the command sudo ./CA.pl -newca.
  4. When prompted for the Certificate Authority name, hit [Enter].
  5. Answer the questions as they apply to your needs.

Creating a certificate

  1. Open a terminal window.
  2. Change to the /usr/lib/ssl/misc directory.
  3. Issue the command sudo ./CA.pl -newreq.
  4. Answer the questions as they apply to your needs.

In that directory, you should have .pem files that need to be signed. To sign the files, follow these steps:

  1. Open a terminal window.
  2. Change to the /usr/lib/ssl/misc directory.
  3. Issue the command sudo ./CA.pl -sign.
  4. Enter the PEM passphrase.

You should now have a self-signed Certificate Authority called newcert.pem. If you plan to create further certificates, rename this file first so it is not overwritten by the next run.

GUI

The graphical front end that I prefer to use for this task is TinyCA. You can install this tool from your distribution's default repositories. Once installed, the tool can be run by issuing the command tinyca2.

When you run the application, it will not contain any certificates. You must create a Certificate Authority by clicking CA and going to New CA. This will open a new window (Figure A); fill out the necessary information in the window and click OK.

Figure A

After you create the Certificate Authority, you can create certificates to sign.

After the Certificate Authority is created, click the Key/Certificate + button (it's the fifth icon from the right in the icon toolbar) and select either Create Key and Certificate (Server) or Create Key and Certificate (Client). This opens a new window (Figure B) where you fill out the information needed to create the certificate.

Figure B

Make sure you know which digest and algorithm you need for your specific certificate.

After you create the Certificate Authority and the certificates, take a look in the ~/.TinyCA folder, and you will see a sub-folder with the same name as your Certificate Authority. In that folder, you will see your .pem and your .key files.

Web-based

CAcert is an outstanding web-based service where you can create self-signed Certificate Authorities for free. Once you sign up for the service, you will automatically have a certificate available for download. You can create the following:

  • Email accounts
  • Client certificates
  • Domains
  • Server certificates
  • CAcert Web of Trust

To create these, log in to your account and then select what you want to create from the right nav pane of your account (Figure C). This is probably the single easiest method to the Certificate Authority madness (outside of paying a service to handle the entire task for you).

Figure C

Make sure you have all of your details filled out correctly before you start creating/issuing certificates. You can also decide whether you want your directory listing hidden or public from the My Details | Listing section.

If you plan to create a server certificate, you must first add the domain. You can, however, create a client certificate without adding a domain. To create the client certificate, click the New link under Client Certificates and then select what you want from the possible choices (Figure D).

Figure D

After the certificate is created, you will be presented with a link that will automatically install the certificate in your browser.

Conclusion

These three methods illustrate how easy it is to create self-signed Certificate Authorities. There are a number of options for the creation of Certificate Authorities, and the path you choose may vary from task to task.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

12 comments
yasinkaplan

You can use TekCERT for a Windows alternative; http://www.kaplansoft.com/tekcert/

TekCERT is an X.509 Certificate / Certificate Signing Request (CSR) Generator and Signing Tool that runs under Windows (XP, Vista, 7/8, 2003/2008/2012 Server).

Nill Smith

A self-signed SSL certificate is not the right option for ecommerce websites, which involve money transactions. In order to get rid of this message the SSL certificate must be signed by a Certificate Authority. These Certificate Authorities are third-party entities that verify the identity of an online business and then guarantee that identity through the issuance of the digital certificate. http://www.clickssl.com/blog/self-signed-certificate-vs-certificate-authority/

mikebk824

What's the recommended way of adding your new DIY CA to the list of trusted root certificate authorities? Mike

fernpromero

It seems there is an issue with certificate extensions (like the extensions required by Windows XP boxes) when you create a certificate request with OpenSSL (version 0.98 and maybe newer versions), i.e. "openssl -req -newkey rsa:1024 -out serverequest.pem -outform PEM -extfile certext.txt -extensions extsection ....". I never got to keep the extensions after signing the certificate request. Maybe there is a bug that causes the extensions to be deleted when you sign the certificate. I could circumvent this bug by adding the extensions when I signed the certificate, i.e. openssl x509 -req -in serverequest.pem -extensions extsection -extfile certext.txt. Maybe it's possible to add the certificate extensions in the configuration file, i.e. -config ./openssl.cnf, but I didn't test it. Did someone experience this trouble?

Old Goat 77-97

Sorry, but OpenSSL is not free for commercial use. They state on their web site that for business use there is a $225.00 fee. This does not amount to "Free, self-signed Certificate Authorities". Thanks but no thanks.

robo_dev

It's just fine to create a self-signed certificate for internal sites, but for public web sites, not so much. If you can create a self-signed certificate for your www.acme.com, the bad guys can create their own self-signed certificate for www.acne.com, and the fat-fingered user will be none the wiser when they get the email (allegedly) from you with a link to 'what's new' on your site. If the user does not notice that he's at the wrong URL, then whether the fake URL has a real VeriSign cert (possible but unlikely), has no certificate (not using SSL), or uses a self-signed certificate (secure phishing), it's all the same problem. I do agree that it's a good idea to encrypt everything, but know the limitations of the technology. The cost of a security control should be in proportion to the value of what is being protected. Lots of companies will sell you a nice shiny certificate for $12.99 per year.

sysop-dr

Hi Jack, nice step-by-step of the process, and in a lot of cases good enough. There is no reason every site out there isn't already encrypted and forcing all traffic to be encrypted. By using https for all traffic for everything, you not only protect the data your users are accessing and the users themselves from man-in-the-middle attacks, but with everything being encrypted you don't need to worry about some part of the data you should be encrypting being left unencrypted. Also, with everything being encrypted, the stuff that really needs to be protected is not the only thing going past snoopers trying to figure out what to attack. It also protects users on open wifi networks from attacks like Firesheep and other such tools. My servers can only be accessed by encrypted means. Apache can be set with a rewrite rule so that if a request is received on http it is resubmitted over https, and the session is then https from then on. If our users do not have a browser that supports https, they can't access the site. We want to protect our data and we want to protect our users, so why would we not use only encrypted protocols? Encrypt everything.

Old Goat 77-97

The site I refer to is from the article: "If you're on a Windows machine, check out this page for information on installing OpenSSL." On the Shining Light web site, about half way down, they state: "Shining Light Productions puts forth a lot of effort into developing Win32 OpenSSL. As such, if you find it useful, a time-saver, or helps to solve a frustrating problem, seriously consider giving a donation to continue developing this software. Shining Light Productions uses PayPal for all donations because it is fast, easy, and secure. A minimum $10.00 (US) donation is recommended for individuals. Businesses integrating Win32 OpenSSL into products must pay a minimum of $225 to help cover the cost of bandwidth. Businesses can alternatively pay smaller amounts on a regular basis (sponsorship)." When they start talking about costs for business use, I tend to err on the side of conservative and not use the product unless I have purchased it. I may be misunderstanding what they are referring to. If I am, please correct my misunderstanding. Thank you.

Monijo2

On the OpenSSL.org website, in their "About" section, under "Derivation and License", it says: "The OpenSSL toolkit is licensed under an Apache-style licence which basically means that you are free to get and use it for commercial and non-commercial purposes." I know I'm kind of new, but the way I read that, Old Goat, is that it is free for business and personal use. Please correct me if I'm wrong; here's the URL: http://www.openssl.org/about/

mikebk824

I've found that if you are concerned with a single client, you can put the server's certificate into the Trusted Root Certificate store, avoiding the need to create a Certificate Authority. I was actually wondering about adding the CA into the Trusted Root Certificate stores in a larger environment, like the work one in the original article. There, the motivation seemed to be avoiding the expense of multiple certificates for multiple servers and users in a business's intranet. Mike
