DIY: Create free, self-signed Certificate Authorities

Learn three methods for creating self-signed Certificate Authorities without depleting your company's IT security budget.

A Certificate Authority is an entity that issues digital certificates. These digital certificates certify the ownership of a public key associated with a host, server, client, document, and more. Digital certificates help to ensure users trust your content is actually from a reliable, safe source.

There are a variety of reasons why you might need Certificate Authorities. Whether it's for a secure site served by Apache or for LibreOffice's digital signing of documents, you need to be able to take advantage of this security feature without having to drop your department's entire budget for the certificates. Fortunately, there are ways to create self-signed certificates so you don't have to spend precious dollars that need to be used for more important projects.

If you have the right tools, it's fairly simple to create Certificate Authorities. I'll show three ways to create self-signed Certificate Authorities: via the command line, a GUI, or a Web-based service.

Command line

We'll use OpenSSL to create Certificate Authorities from the command line. Your Linux distribution should already have this tool installed, but if it doesn't, open your Add/Remove Software utility, search for openssl, and install. If you're on a Windows machine, check out this page for information on installing OpenSSL.

Within OpenSSL, there are a couple of scripts that can be used to easily create Certificate Authorities. One of the scripts is called CA.pl and will most likely be found in /usr/lib/ssl/misc/ (for your Windows installation, do a search for the CA.pl script to find its location). You will need admin rights to run the script (it can be run using sudo). You'll want to create private Certificate Authorities as well as certificates.

Creating a private Certificate Authority

  1. Open a terminal window.
  2. Change to the /usr/lib/ssl/misc directory.
  3. Issue the command sudo ./CA.pl -newca.
  4. When prompted for the Certificate Authority name, hit [Enter].
  5. Answer the questions as they apply to your needs.

Creating a certificate

  1. Open a terminal window.
  2. Change to the /usr/lib/ssl/misc directory.
  3. Issue the command sudo ./CA.pl -newreq.
  4. Answer the questions as they apply to your needs.

In that directory, you should have .pem files that need to be signed. To sign the files, follow these steps:

  1. Open a terminal window.
  2. Change to the /usr/lib/ssl/misc directory.
  3. Issue the command sudo ./CA.pl -sign.
  4. Enter the pem passphrase.

You should have a self-signed Certificate Authority called newcert.pem. If you plan to create new certificates, rename this Certificate Authority so it is not overwritten.
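The three CA.pl steps above, run directly with openssl so they complete without prompts, as an added example (this is not the article's own command sequence and not part of OpenSSL's CA.pl script). It assumes openssl is on the PATH; the file names (ca.key, ca.crt, server.key, server.csr, server.crt), the subject names and the www.example.test hostname are this example's own choices. Beyond the article's steps it shows the extension sets that distinguish a CA certificate from a server certificate, verifies that the signed certificate actually chains to the CA, and reads back the signature digest, which is the check you want before trusting either file.

```shell
#!/bin/sh
# Added example, not code from the article: the CA.pl -newca / -newreq /
# -sign sequence done directly with openssl so it runs unattended.
# File names (ca.key, ca.crt, server.*), the subject names and the
# example.test hostname are this script's own choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# One config file carries the CA's distinguished name (so no prompts) and
# the extension sets that separate a CA certificate from a server certificate.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C  = US
O  = Example Lab
CN = Example Lab Root CA

# CA.pl takes these CA properties from the v3_ca section of the default
# openssl.cnf; they are spelled out here so the difference is visible.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Equivalent of "CA.pl -newca": a CA key plus a self-signed CA certificate
# (CA.pl writes these as demoCA/private/cakey.pem and demoCA/cacert.pem).
# The key is left unencrypted so the script runs unattended; add -aes256 to
# genrsa to get the passphrase prompt the article mentions.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/ca.key" -sha256 -days 3650 \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca -out "$WORKDIR/ca.crt"
}

# Equivalent of "CA.pl -newreq" followed by "CA.pl -sign": a server key, a
# certificate signing request, and the CA's signature on it (CA.pl names
# the request newreq.pem and the signed result newcert.pem).
make_server_cert() {
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -sha256 \
    -config "$WORKDIR/openssl.cnf" \
    -subj "/C=US/O=Example Lab/CN=www.example.test" -out "$WORKDIR/server.csr"
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 397 -sha256 \
    -extfile "$WORKDIR/openssl.cnf" -extensions v3_server \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Checks worth running on the output before deploying any of these files.
verify_chain() {            # exit 0 only if server.crt chains to ca.crt
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null
}
signature_algorithm() {     # e.g. sha256WithRSAEncryption; md5 or sha1 here is a red flag
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}
cert_is_ca() {              # exit 0 if basicConstraints marks the certificate as a CA
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

main() {
  write_config
  make_ca
  make_server_cert
  printf 'files written to %s\n' "$WORKDIR"
  printf 'CA signature algorithm:     %s\n' "$(signature_algorithm "$WORKDIR/ca.crt")"
  printf 'server signature algorithm: %s\n' "$(signature_algorithm "$WORKDIR/server.crt")"
  if verify_chain; then echo "server.crt verifies against ca.crt"; fi
  if cert_is_ca "$WORKDIR/server.crt"; then
    echo "WARNING: server.crt is marked CA:TRUE and could sign further certificates" >&2
  fi
}

main
```

Run it with sh and look in the directory it prints. The verify and x509 -text commands in the last three functions apply to any PEM certificate and key pair, whatever tool produced them, so they are a quick sanity check on files before they go into a web server or signing configuration.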

GUI

The graphical front end that I prefer to use for this task is TinyCA. You can install this tool from your distribution's default repositories. Once installed, the tool can be run by issuing the command tinyca2.

When you run the application, it will not contain any certificates. You must create a Certificate Authority by clicking CA and going to New CA. This will open a new window (Figure A); you need to fill out the necessary information in the window and click OK.

Figure A

After the Certificate Authority is created, you can create certificates for it to sign. Click the Key/Certificate + button (it's the fifth icon from the right in the icon toolbar) and select either Create Key and Certificate (Server) or Create Key and Certificate (Client). This opens a new window (Figure B) where you fill out the information needed to create the certificate.

Figure B

Make sure you know which digest and algorithm you need for your specific certificate.

After you create the Certificate Authority and the certificates, take a look in the ~/.TinyCA folder, and you will see a sub-folder with the same name as your Certificate Authority. In that folder, you will see your .pem and your .key files.

Web-based

CAcert is an outstanding web-based service where you can create self-signed Certificate Authorities for free. Once you sign up for the service, you will automatically have a certificate available for download. You can create the following:

  • Email accounts
  • Client certificates
  • Domains
  • Server certificates
  • CAcert Web of Trust

To create these, log in to your account and then select what you want to create from the right nav pane of your account (Figure C). This is probably the single easiest way through the Certificate Authority madness (outside of paying a service to handle the entire task for you).

Figure C

Make sure you have all of your details filled out correctly before you start creating/issuing certificates. You can also decide if you want to have your directory listing hidden or public from the My Details | Listing section.

If you plan to create a server certificate, you must first add the domain. You can, however, create a client certificate without adding a domain. To create the client certificate, click the New link under Client Certificates and then select what you want from the possible choices (Figure D).

Figure D

After the certificate is created, you will be presented with a link that will automatically install the certificate in your browser.

Conclusion

These three methods illustrate how easy it is to create self-signed Certificate Authorities. There are a number of options for the creation of Certificate Authorities, and the path you choose may vary from task to task.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.