Thursday, January 12, 2012

OpenSSL - Create your own Certificate of Authority and sign your SSL Certs

Creating your own CA for Signing Dev Certs



Here are some handy commands to create a CA and sign your own cert for development.



The commands are fully scriptable: all key passwords have been bypassed with the -nodes flag, and the interactive openssl prompts not necessary with in the the -subj flag.


tldr; Short version for the Impatient:



# Create Certificate of Authority
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Development/CN=Dev Certificate of Authority"
openssl req -subj "$SUBJ" -nodes -new -x509 -extensions v3_ca -keyout devCA.key -out devCA.crt -days 365

# Create Key and CSR
HOST="appname.local"
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev Web Sites/CN=$HOST"
openssl req -subj "$SUBJ" -newkey rsa:2048 -nodes -keyout $HOST.key -out $HOST.csr -days 365

# Create the Cert by signing the CSR with our CA
openssl x509 -req -CA devCA.crt -CAkey devCA.key -CAcreateserial -in $HOST.csr -out $HOST.crt


Add the appname.key and appname.crt to your apache/nginx/IIS config, and add the devCA.crt to your browser.



Long Version.



When developing webservices that will be using SSL in production, I like to use SSL in development.



The old way



The traditional way to do this is create a self-signed cert. Where you sign your Certificate Signing Request (CSR) with the same key that created it. (Thus "self-signed".)



HOST="appname.local"
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev/CN=$HOST"
openssl req -subj "$SUBJ" -x509 -newkey rsa:2048 -nodes -keyout $FILENAME.key -out $FILENAME.crt -days 3650 ## look mom! One line.



Then add it to the apache.conf


<VirtualHost 172.16.1.1:443>
ServerName appname.local:443
DocumentRoot "/Users/lance/Sites/AppName/src/webroot"

SSLEngine on
SSLCertificateFile "/Users/lance/Sites/AppName/certs/appname.local.crt"
SSLCertificateKeyFile "/Users/lance/Sites/AppName/certs/appname.local.key"
</VirtualHost>


This works great, but now with every new ssl cert I generate I have to add a trust exception in my browser.



A better way



To avoid multiple trust exceptions of you self-signed certs, is to first generate a "Certificate of Authority" (CA), add that CA to your browser, and then sign all of your certs with that CA.


# Create CA
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Development/CN=Dev Certificate of Authority"
openssl req -subj "$SUBJ" -new -x509 -nodes -extensions v3_ca -keyout devCA.key -out devCA.crt -days 3650

# Create Key and CSR (same as above)
HOST="appname.local"
SUBJ="/C=US/ST=CA/L=San Diego/O=Lance Rushing/OU=Dev Web Sites/CN=$HOST"
openssl req -subj "$SUBJ" -newkey rsa:2048 -nodes -keyout $HOST.key -out $HOST.csr -days 365

# Create the Cert by signing the CSR with our CA
openssl x509 -req -CA devCA.crt -CAkey devCA.key -CAcreateserial -in $HOST.csr -out $HOST.crt

# cleanup CSR
rm $HOST.csr


Thoughts



These commands are the shortest way I've found to create keys, CSRs, and signing. Other guides often use three steps (1 genrsa, 2 key export w/o pass, 3 req ) to generate the CSR, whereas it is possible to do it with 1 step.



Hint: By using the -subj flag we can bypass openssl's interactive prompts



Hint: I use Virtual IPs for each https web service I need:
OsX: $ ifconfig lo0 alias 172.16.1.1
Linux: $ ifconfig lo:0 172.16.1.1
windows: http://support.microsoft.com/kb/236869



http://gagravarr.org/writing/openssl-certs/ca.shtml
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/

No comments: