I Set Up My Own Certificate Authority and Used It to Generate a Wildcard SSL Web Server Certificate

Girish V P
ADIBI Technologies, Basavanagudi, Blore.
2 min read · Mar 11, 2024

Waiting indefinitely for a prerequisite to be fulfilled before starting a real implementation is hard for any IT engineer. Recently, I had to do a test SSL implementation on an AWS Application Load Balancer, and I didn't want to purchase a commercial SSL server certificate for an experiment that would last just one hour. So I decided to set up my own OpenSSL CA and generate a web server SSL certificate with it. I had done the same a decade back, but at that time there was no constraint on subjectAltName. (Not forgetting that some free tools are also available in the market.)

Explaining the procedure:

The certificate files used below, with a description of each:
my-ca.crt - CA certificate (contains the CA's public key)
my-ca.key - Private key of the CA
httpd.csr - Certificate signing request for the web server certificate
httpd.crt - Server certificate of the web server
httpd.key - Private key of the web server certificate

Step 1: I set up a Certificate Authority first. The following commands did the CA setup, creating the CA private key and the CA certificate file.

# cd /etc/pki/CA
# openssl genrsa -aes256 -out private/my-ca.key 4096
# openssl req -x509 -new -nodes -key private/my-ca.key -sha256 -days 1826 -out my-ca.crt -subj '/CN=www.yourdomain.com/C=IN/ST=Karnataka/L=Bangalore/O=yourcompanyname'
# cp my-ca.crt /etc/pki/ca-trust/source/anchors
# update-ca-trust

Step 2: A certificate signing request (.csr) is created for the web server, along with the server's private key (httpd.key).

# openssl genrsa -out httpd.key 2048
# openssl req -new -key httpd.key -sha256 -out httpd.csr -subj '/CN=*.yourdomain.com/C=IN/ST=Karnataka/L=Bangalore/O=Your_Company_Name'

Step 3: I created a configuration file (httpd.altnames) containing the X.509 extensions to add to the certificate, providing the wildcard domain name and the public IP address of my EC2 instance.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.yourdomain.com
IP.1 = your.server.public.ip

Step 4: Signed the .csr file with the CA.

# openssl x509 -req -in httpd.csr -CA my-ca.crt -CAkey private/my-ca.key -CAcreateserial -out httpd.crt -days 730 -sha256 -extfile httpd.altnames

Step 5: Edited the Apache configuration files and added the CA certificate, the server certificate and the private key of the server certificate. The configuration is not shown here.

Step 6: Edited the /etc/hosts file, adding my website name and the IP address of the server. I also imported the CA certificate (my-ca.crt) into the web browser, which is a mandatory requirement.
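The whole procedure above (Steps 1 to 4) as one added, runnable shell example that is not the author's script: it builds the CA and the wildcard server certificate in a scratch directory and then checks the result the same way a browser that trusts my-ca.crt would, namely chain validation plus host name matching against the SAN. Everything in it is a constructed placeholder: the domain example.test, the CA name "Example Test CA", the IP 192.0.2.10 and the passphrase "changeit" (the article's genrsa -aes256 prompts for one interactively; here it is passed with -passout/-passin so the script runs unattended). Two small additions to the article's extension file are made on purpose and commented: a second SAN entry for the bare domain, because a wildcard does not cover it, and extendedKeyUsage=serverAuth.

```shell
#!/bin/sh
# Added example, not the article's own script: runs the CA + wildcard server
# certificate procedure end to end in a scratch directory and verifies it.
# Assumptions: the openssl CLI is in PATH; example.test, "Example Test CA",
# 192.0.2.10 and the passphrase "changeit" are constructed placeholders.
set -eu

CA_PASS='pass:changeit'   # placeholder; the article's genrsa -aes256 prompts for this

# Step 1: AES-256 encrypted CA private key and self-signed CA certificate.
# The CA gets its own name rather than the server host name, so issuer and
# subject of the server certificate are clearly distinct.
make_ca() {
    dir=$1
    openssl genrsa -aes256 -passout "$CA_PASS" -out "$dir/my-ca.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$dir/my-ca.key" -passin "$CA_PASS" -sha256 -days 1826 \
        -out "$dir/my-ca.crt" \
        -subj '/CN=Example Test CA/C=IN/ST=Karnataka/L=Bangalore/O=Example'
}

# Step 2: server private key and a CSR whose CN is the wildcard name.
make_csr() {
    dir=$1
    openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$dir/httpd.key" -sha256 -out "$dir/httpd.csr" \
        -subj '/CN=*.example.test/C=IN/ST=Karnataka/L=Bangalore/O=Example'
}

# Step 3: extension file. DNS.2 is added because "*.example.test" does not
# match the bare "example.test"; extendedKeyUsage=serverAuth is added because
# browsers expect it on a TLS server certificate.
write_extfile() {
    dir=$1
    cat > "$dir/httpd.altnames" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.example.test
DNS.2 = example.test
IP.1 = 192.0.2.10
EOF
}

# Step 4: sign the CSR with the CA, applying the extensions from Step 3.
sign_csr() {
    dir=$1
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/my-ca.crt" -CAkey "$dir/my-ca.key" \
        -passin "$CA_PASS" -CAcreateserial -out "$dir/httpd.crt" -days 730 -sha256 \
        -extfile "$dir/httpd.altnames" 2>/dev/null
}

build_all() {
    make_ca "$1"; make_csr "$1"; write_extfile "$1"; sign_csr "$1"
}

# Returns 0 only if httpd.crt chains to my-ca.crt AND its SAN matches host $2,
# which is exactly what a browser trusting my-ca.crt checks.
verify_cert() {
    openssl verify -CAfile "$1/my-ca.crt" -verify_hostname "$2" "$1/httpd.crt" >/dev/null 2>&1
}

# Returns 0 if the issued certificate carries the given DNS SAN entry.
has_san() {
    openssl x509 -in "$1/httpd.crt" -noout -text | grep -qF "DNS:$2"
}

main() {
    work=$(mktemp -d)
    build_all "$work"
    for host in www.example.test example.test deep.www.example.test; do
        if verify_cert "$work" "$host"; then echo "$host: OK"; else echo "$host: REJECTED"; fi
    done
    rm -rf "$work"
}
main
```

Running it prints OK for www.example.test and example.test and REJECTED for deep.www.example.test: a wildcard label matches exactly one DNS label, so a certificate for *.example.test never covers sub-subdomains, and it covers the bare domain only because DNS.2 was listed explicitly. The same verify command is a useful check before touching the Apache configuration in Step 5.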

Result

Conclusion: It is easy to set up your own CA with OpenSSL and sign a server certificate for a testing environment, which avoids paying for a commercial SSL certificate.

Disclaimer: This setup can be used only for a testing environment. It is recommended to purchase a commercial server certificate for a production setup.
