OpenSSL Certificate Authority
SSL certificates are often used in web servers, and also in OpenVPN networks. The basic idea of SSL certificates is to provide a mechanism to instill trust - you receive a certificate from someone requesting your trust, and examine that certificate to help you decide whether or not to trust them. The certificates are generally held to be unforgeable (at current technology levels).
The trust aspect is managed by the existence of Certification Authorities, who create a "Root CA Certificate" and publish its details. One company you might have heard of is Thawte. You get a copy of their Root CA Certificate and verify its details to be correct. (I don't actually know how you do that. The certificate is shipped with your web browser, which is the most common place to use these things, and your web browser's authors have done the verification phase for you.)
Once you have their certificate in a trusted state, any other certificate that shows up in the future and has been signed by Thawte will be automatically trusted by your software. This facility creates a chain of trust relationships ... AcmeCorp present a certificate you've never seen before, but it's been signed (i.e. trusted) by Thawte, and you trust Thawte ... therefore you trust AcmeCorp. The point here is that Thawte promise to verify that the AcmeCorp certificate is only sold to someone with a right to use the name AcmeCorp.
Have a look at the list of Root Certificates that have been installed in your browser by default - it's a lot of companies! Each one of these companies tries to sell as many certificates as possible ... and naturally each certificate expires after a year or so, encouraging companies to keep on going back to buy more.
But the future isn't bleak - you can easily set up your own Root CA, for free, using free software. The only difference between your CA and a "real" one is that your CA Root Certificate won't be automatically recognised by the web browsers - that is, until you just click a couple of buttons and add it!
Creating a Root CA with OpenSSL
Here's a dump from my FreeMind map, so the formatting isn't perfect ...
Creation :-
Make the CA directory structure
- mkdir /CA
- cd /CA
- mkdir private newcerts
- touch index.txt
- echo "01" > serial
Create a config file
- create ca.config (in /CA) with the following contents:

    [ ca ]
    default_ca = private_CA

    [ private_CA ]
    dir = /CA
    database = $dir/index.txt              # index file
    new_certs_dir = $dir/newcerts          # new certs dir
    certificate = $dir/CAcert.pem          # the CA cert
    serial = $dir/serial                   # serial number file
    private_key = $dir/private/CAkey.pem   # CA private key
    RANDFILE = $dir/private/.rand          # random number file
    default_days = 365                     # how long to certify for
    default_crl_days = 30                  # how long before next CRL
    default_md = md5                       # digest to use (md5 is no longer considered safe; sha256 is the usual choice today)
    policy = policy_CA                     # default policy
    email_in_dn = no                       # don't add the email into the cert DN
    nameopt = ca_default                   # subject name display option
    certopt = ca_default                   # certificate display option
    copy_extensions = none                 # don't copy extensions from the request

    [ policy_CA ]
    countryName = optional
    stateOrProvinceName = optional
    organizationName = supplied            # say something
    organizationalUnitName = optional
    commonName = supplied                  # FQDN of server
    emailAddress = optional
Create the CA key
- openssl genrsa -des3 -out private/CAkey.pem 2048
- Password: (you are prompted for a passphrase that protects the key)
- Warning: keys greater than 2048 bits will not work with JDK 1.4
  http://forum.java.sun.com/thread.jsp?thread=248078&forum=2&message=2250271
- chmod -R 500 private/
Create the CA Certificate
- openssl req -new -x509 -days 1095 -key private/CAkey.pem -out CAcert.pem
- answers to the prompts:
  - Country Name: NZ
  - State: Canterbury
  - Locality: Christchurch
  - Organisation: private CA
  - Org Unit: -blank-
  - Common Name: private Certification Authority
  - Email: -blank-
Create a Windows version of the CA Certificate
- openssl x509 -in CAcert.pem -outform DER -out CAcert.der
- Apache's default mime-type mapping expects the .crt extension for this kind of file, so name the .der file with .crt if you serve it for download
- Secure the CA Key!
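The whole procedure above as one non-interactive script, added here as an example (it is not code from the original page), which also goes one step further than the page by signing and verifying a server certificate with `openssl ca` against that config. Assumptions: the function names `make_ca` and `issue_cert` are mine, the CA directory is an argument rather than /CA, the passphrase comes from `$CA_PASS` (placeholder default), and sha256 replaces the page's md5 because current OpenSSL rejects md5-signed certificates when verifying.

```shell
#!/bin/sh
# Added example, not from the original page: builds the CA laid out above
# non-interactively, then signs and verifies one server certificate with it.
# Assumed: passphrase from $CA_PASS (constructed default); sha256 instead of md5.
set -e
CA_PASS="${CA_PASS:-change-me-placeholder}"   # constructed placeholder, not a real secret

# make_ca DIR: directory layout, ca.config, encrypted CA key, self-signed CA certificate.
make_ca() {
  mkdir -p "$1/private" "$1/newcerts"
  ( cd "$1" && touch index.txt && echo 01 > serial
    cat > ca.config <<'EOF'
[ ca ]
default_ca = private_CA
[ private_CA ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/CAcert.pem
serial = $dir/serial
private_key = $dir/private/CAkey.pem
default_days = 365
default_md = sha256
policy = policy_CA
[ policy_CA ]
organizationName = supplied
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out private/CAkey.pem 2048
    chmod 700 private && chmod 400 private/CAkey.pem   # secure the CA key
    openssl req -new -x509 -days 1095 -config ca.config -key private/CAkey.pem \
      -passin "pass:$CA_PASS" -subj '/C=NZ/O=private CA/CN=private Certification Authority' \
      -out CAcert.pem
    openssl x509 -in CAcert.pem -outform DER -out CAcert.der )   # copy for Windows/browsers
}
# issue_cert DIR CN: server key + CSR, signed with "openssl ca", then chain-checked.
issue_cert() {
  ( cd "$1"
    openssl genrsa -out server.key 2048
    openssl req -new -config ca.config -key server.key -subj "/O=AcmeCorp/CN=$2" -out server.csr
    openssl ca -batch -config ca.config -passin "pass:$CA_PASS" -in server.csr -out server.pem
    openssl verify -CAfile CAcert.pem server.pem )
}
```

Run it as `make_ca ./CA && issue_cert ./CA www.example.test`; the last line prints `server.pem: OK` when the issued certificate chains to your new root.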