Creating a Certificate Authority
Creating a Certificate Authority requires:
- Creating a self-signed certificate authority certificate
- Installing the CA certificate in the server
- Installing the CA certificate in browsers
Creating Self-Signed Certificate Authority Certificate
To create a self-signed CA certificate, use the SSLeay "req" command with the
"-x509" switch. The certificate is placed in the file CAcert.pem, and the
private key in CAkey.pem. The commonName for the self-signed certificate should
be a meaningful string for people to read, and not the domain name of the server
(since the server domain name is needed for the server certificates used by
Netscape). The "req" command prompts for the password (e.g. caKEY) that
protects the private key, and is used as follows:
Creating a Self-Signed CA Certificate
$SSLDIR/bin/ssleay req -new -x509 -keyout ${SSLDIR}/private/CAkey.pem \
-out ${SSLDIR}/private/CAcert.pem -config /opt/www/lib/ssleay.cnf
Using configuration from /opt/www/lib/ssleay.cnf
Generating a 512 bit private key
writing new private key to '../private/CAkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorperated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MA]:
Locality Name (eg, city) [Cambridge]:
Organization Name (eg, company) [The Open Group]:
Organizational Unit Name (eg, section) [Research Institute]:
Common Name (eg, YOUR name) [example.opengroup.org]:Example CA
Email Address []:ssl_admin@opengroup.org
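The transcript above is interactive and was produced with SSLeay. The following is an added example, not part of the original page, that performs the same "req -new -x509" step non-interactively with the modern OpenSSL command line and then runs the checks an operator should make on the result: the certificate is self-signed (issuer equals subject), it carries basicConstraints CA:TRUE, it validates against itself, and the private key on disk is encrypted. It assumes an "openssl" binary on PATH and reads the key pass phrase from the environment variable CA_PASS instead of a prompt; the small config file written by make_ca stands in for the page's /opt/www/lib/ssleay.cnf.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive creation of a
# self-signed CA certificate with OpenSSL, plus sanity checks on the result.
# Assumed: "openssl" on PATH; pass phrase supplied in the CA_PASS env variable.
set -eu

# make_ca DIR -- create DIR/private/CAkey.pem (encrypted) and DIR/private/CAcert.pem.
make_ca() {
    dir=$1
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"          # the CA key directory must not be world-readable
    # Minimal stand-in for the ssleay.cnf the page passes with -config.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
[ req_distinguished_name ]
commonName          = Common Name
[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -x509 makes "req" emit a self-signed certificate instead of a request.
    # The commonName is a human-readable CA name, not the server's hostname.
    # -passout env:CA_PASS keeps the pass phrase off the command line (and out of ps).
    openssl req -new -x509 -days 3650 -newkey rsa:2048 \
        -subj "/C=US/ST=MA/L=Cambridge/O=The Open Group/CN=Example CA" \
        -passout env:CA_PASS \
        -keyout "$dir/private/CAkey.pem" \
        -out "$dir/private/CAcert.pem" \
        -config "$dir/ca.cnf"
    chmod 600 "$dir/private/CAkey.pem"
}

# ca_common_name DIR -- print the commonName of the CA certificate.
ca_common_name() {
    openssl x509 -noout -subject -nameopt multiline -in "$1/private/CAcert.pem" \
        | sed -n 's/^ *commonName *= *//p'
}

# check_ca DIR -- return 0 only if the certificate is a usable self-signed root.
check_ca() {
    dir=$1
    cert=$dir/private/CAcert.pem
    # 1. issuer and subject must be identical for a self-signed root
    subj=$(openssl x509 -noout -subject -in "$cert" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || return 1
    # 2. it must be marked as a CA, or browsers and verifiers will not chain to it
    openssl x509 -noout -text -in "$cert" | grep -q 'CA:TRUE' || return 1
    # 3. it must verify against itself as a trust anchor
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
    # 4. the key file must be pass-phrase protected, as the interactive run's was
    grep -q ENCRYPTED "$dir/private/CAkey.pem" || return 1
    return 0
}

# Usage: CA_PASS='...' sh make_ca.sh /opt/dev/ssl
if [ $# -eq 1 ]; then
    make_ca "$1" && check_ca "$1" && echo "CA ready in $1/private"
fi
```

The interactive run above generated a 512-bit key, which was SSLeay's default at the time; the example asks for 2048 bits. check_ca is the part worth keeping around: the same four checks apply to a CA certificate produced by any tool before it is installed in a server or a browser.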
Installing CA certificate in the server
The CA certificate and key files must remain in $SSLDIR/private, which is
where SSLeay looks for them by default (as specified in the CA_default section
of ssleay.cnf), both when acting as a certificate authority and when used by
the server to implement SSL and validate client certificates signed by the CA:
certificate = $dir/private/CAcert.pem # The CA certificate
private_key = $dir/private/CAkey.pem # The private key
When the Apache-SSL server is used, the httpd.conf file must also be
modified to specify the CA certificate and key files as follows:
# Set the CA certificate verification path (must be PEM encoded).
# (in addition to getenv("SSL_CERT_DIR"), I think).
SSLCACertificatePath /opt/dev/ssl/private
# Set the CA certificate verification file (must be PEM encoded).
# (in addition to getenv("SSL_CERT_FILE"), I think).
SSLCACertificateFile /opt/dev/ssl/private/CAcert.pem
Installing CA certificate in browsers
The CA certificate will need to be installed in browsers which will access
servers using server certificates signed by the Certificate Authority.
Installing a CA
certificate in a browser is somewhat dangerous unless you trust
that certificate and the security of the Certificate Authority.
Once installed, the browser accepts any certificate signed by
that authority.
To install the CA certificate, serve it to the browser over HTTP with the
Content-Type application/x-x509-ca-cert. To do this in a manner which does not
depend on the server, use a cgi-script like the following example, or save the
certificate in a file with a "cacert" suffix and define this suffix in the
server configuration file to correspond to the application/x-x509-ca-cert
mime type. For the Apache server, for example, add the line AddType
application/x-x509-ca-cert cacert to srm.conf. The certificate and key file
must also remain available to SSLeay, so that the server can use the public
key and the certificate authority can use the private key.
The HTML form used to request loading a CA certificate into a browser might
be written as follows:
HTML Form to Request CA Certificate to Load Into Browser
<HTML><HEAD><TITLE>Load CA Certificate</TITLE></HEAD><BODY>
<H1>Load Certificate Authority Certificate</H1>
<FORM ACTION="http://example.opengroup.org/cgi-bin/loadCAcert.pl" METHOD=post>
<TABLE>
<TR>
<TD>Netscape Browser (PEM Format):</TD>
<TD><INPUT TYPE="RADIO" NAME="FORMAT" VALUE="PEM" CHECKED></TD></TR>
<TR><TD>Microsoft Browser (DER Format):</TD>
<TD><INPUT TYPE="RADIO" NAME="FORMAT" VALUE="DER"></TD></TR>
</TABLE>
<INPUT TYPE="SUBMIT" VALUE="Load Certificate">
</FORM>
</BODY></HTML>
When this form is submitted, the following CGI script is used to process
it and return the result (loadCAcert.pl):
Perl CGI Script to Load CA Certificate into Browser
#!/usr/local/bin/perl
require 5.003;
use strict;
use CGI;
my $cert_dir = "/opt/dev/ssl/private";
my $cert_file = "CAcert.pem";            # PEM for Netscape (the form's default)
my $query = CGI->new;
my $kind = $query->param('FORMAT') || 'PEM';
# Only the two known file names are ever opened; the FORMAT value itself
# never becomes part of the path.
if ($kind eq 'DER') { $cert_file = "CAcert.der"; }   # DER for Microsoft browsers
my $cert_path = "$cert_dir/$cert_file";
my $data = "";
open(CERT, "<$cert_path") or die "Cannot open $cert_path: $!\n";
binmode(CERT);                           # DER is binary; do not translate newlines
while (<CERT>) { $data .= $_; }
close(CERT);
binmode(STDOUT);
print "Content-Type: application/x-x509-ca-cert\n";
print "Content-Length: ", length($data), "\n\n$data";
1;
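The Perl script above expects a CAcert.der file to already exist beside CAcert.pem. The following is an added example, not the page's loadCAcert.pl, that does the same job as a POSIX sh CGI script: the DER form is derived on demand from the PEM file with "openssl x509 -outform DER" (so there is only one file to keep in sync), the FORMAT value is matched against an explicit list and anything else is answered with a 400 rather than used, and the Content-Length is computed from the bytes actually sent. It assumes "openssl" on PATH and takes the certificate path from the CA_CERT environment variable, defaulting to the page's /opt/dev/ssl/private/CAcert.pem.

```shell
#!/bin/sh
# Added example (not the page's loadCAcert.pl): CGI script that serves the CA
# certificate as application/x-x509-ca-cert in PEM or DER form.
# Assumed: "openssl" on PATH; CA_CERT names the PEM certificate to serve.
set -eu
CA_CERT=${CA_CERT:-/opt/dev/ssl/private/CAcert.pem}

# parse_format BODY -- extract FORMAT=... from a form body or query string.
# Prints PEM or DER; anything else is rejected (return 1). An absent FORMAT
# means PEM, matching the CHECKED default of the HTML form.
parse_format() {
    fmt=$(printf '%s' "$1" | tr '&' '\n' | sed -n 's/^FORMAT=//p' | head -n 1)
    case ${fmt:-PEM} in
        PEM) echo PEM ;;
        DER) echo DER ;;
        *)   return 1 ;;
    esac
}

# cert_body FORMAT CERTFILE OUTFILE -- write the certificate in FORMAT to OUTFILE.
# The PEM branch also goes through openssl, so a corrupt file is rejected
# (non-zero exit) instead of being sent to the browser.
cert_body() {
    openssl x509 -in "$2" -inform PEM -outform "$1" -out "$3"
}

# cert_response FORMAT CERTFILE -- print the complete CGI response on stdout.
cert_response() {
    tmp=$(mktemp)
    cert_body "$1" "$2" "$tmp"
    printf 'Content-Type: application/x-x509-ca-cert\r\n'
    printf 'Content-Length: %s\r\n\r\n' "$(wc -c < "$tmp" | tr -d ' ')"
    cat "$tmp"                 # binary-safe: no text processing of the body
    rm -f "$tmp"
}

# CGI entry point: only runs when invoked by a web server (GATEWAY_INTERFACE set).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if [ "${REQUEST_METHOD:-GET}" = POST ]; then
        body=$(dd bs=1 count="${CONTENT_LENGTH:-0}" 2>/dev/null)
    else
        body=${QUERY_STRING:-}
    fi
    if fmt=$(parse_format "$body"); then
        cert_response "$fmt" "$CA_CERT"
    else
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nFORMAT must be PEM or DER\r\n'
    fi
fi
```

Installed as cgi-bin/loadCAcert.sh and referenced from the form's ACTION, this serves the same two formats the form offers. Because the conversion happens at request time, a re-issued CAcert.pem is picked up immediately by both the Netscape (PEM) and Microsoft (DER) paths.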