I would like to run shellinabox and my private blog system over HTTPS. However, a certificate from a commercial CA is really expensive, so I decided to run my own certificate authority and distribute my cacert.pem through GitHub Pages.
In general, running a certificate authority takes four steps:
- Create an RSA key pair for the CA. This step also produces the CA certificate, cacert.pem. Distribute cacert.pem to your clients over a channel you trust (HTTPS, or out of band together with its fingerprint): anyone who can swap that file can impersonate every host you sign.
- For each service, create a certificate signing request (CSR) and send it to the CA.
- The CA signs the request and returns the certificate.
- Install the CA-signed certificate and its private key on the HTTPS server (or whatever service needs it).
The OpenSSL package on Ubuntu provides a simple script, CA.pl, for managing the certificates. Let's start.
Create a Certificate Authority
Create directory to save everything:
$ mkdir MyCA
$ chmod 700 MyCA
$ cd MyCA
Copy the tools:
$ cp /usr/lib/ssl/misc/CA.pl .
$ cp /etc/ssl/openssl.cnf .
Edit the configuration to fit your needs. Note that CA.pl only wraps the openssl command, which reads /etc/ssl/openssl.cnf unless told otherwise; to make it pick up the copy in this directory, run it as OPENSSL_CONF=$PWD/openssl.cnf ./CA.pl ... (on recent versions you can instead export OPENSSL_CONFIG="-config ./openssl.cnf", which CA.pl passes through). Then create the certificate for your CA:
$ ./CA.pl -newca
By default, the CA certificate is written to demoCA/cacert.pem and the CA private key to demoCA/private/cakey.pem; the private key must never leave this machine. Install cacert.pem as a trusted authority in your browser. Before doing so, check its fingerprint, and publish the SHA-256 value next to the file so that anyone who downloads it can verify what they are installing. The first command prints the default SHA-1 fingerprint, the second the SHA-256 one, which is the one to publish:
$ openssl x509 -fingerprint -noout -in demoCA/cacert.pem
$ openssl x509 -sha256 -fingerprint -noout -in demoCA/cacert.pem
Generate Certificates for Your Service
To create the SSL certificate for your service:
# Create a certificate request (writes newreq.pem and the private key newkey.pem)
$ ./CA.pl -newreq
# Sign the request with the CA (reads newreq.pem, writes newcert.pem)
$ ./CA.pl -sign
The generated newkey.pem and newcert.pem are the private key and the certificate respectively. When -newreq prompts for the Common Name, enter the server's hostname; be aware that current browsers match the subjectAltName extension rather than the CN, so for them you will also need to add a SAN through the openssl.cnf request extensions.
Please notice that newkey.pem has been encrypted with a passphrase. In some situations you have to remove the passphrase before the server can use the key (e.g. Apache2, which cannot prompt for it at startup). Here's the command to decrypt the private key:
$ openssl rsa -in newkey.pem -out newkey.nopass.pem
Once the passphrase is gone, file permissions are the only thing protecting the key, so keep newkey.nopass.pem readable by root alone (chmod 600) and never copy it anywhere else.
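To see the whole procedure end to end, here is an added example that is not part of the original post and not OpenSSL's CA.pl: it performs the same four steps with plain openssl commands, writing its own minimal openssl.cnf so it does not depend on the system one, adds the subjectAltName that browsers match against, strips the passphrase the way the last step does, and then verifies the result (chains to the CA, carries the expected name, matches the private key) before anything is installed. The directory, the CA name, the host name blog.example.test and the throwaway passphrase are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSL's CA.pl:
# the same four steps done with plain openssl commands, plus the checks a
# practitioner wants before installing anything. The directory, the CA name,
# the host name "blog.example.test" and the passphrase are placeholders.
set -eu

# openssl req refuses to run without a distinguished_name section, so one is
# declared even though every subject is passed on the command line with -subj.
# v3_ca marks the CA certificate as a CA; browsers reject a root without it.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name   = dn
x509_extensions      = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1 (what CA.pl -newca does): CA key pair and self-signed CA certificate.
make_ca() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    write_config "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -subj "/CN=Example Private CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
}

# The value to publish next to cacert.pem so people can check what they install.
ca_fingerprint() {
    openssl x509 -sha256 -fingerprint -noout -in "$1/cacert.pem" | sed 's/^.*=//'
}

# Steps 2 and 3 (CA.pl -newreq / -sign): passphrase-protected server key, CSR,
# then the CA signs it. The extensions, including the subjectAltName, are
# chosen on the CA side from a file written here; nothing in the CSR is trusted.
make_server_cert() {
    dir=$1; host=$2; pass=$3
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/$host.key.enc" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key.enc" -passin "pass:$pass" \
        -config "$dir/openssl.cnf" -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
    cat > "$dir/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
authorityKeyIdentifier = keyid
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Step 4: strip the passphrase for a daemon that cannot prompt (e.g. Apache),
# then lock the file down, since permissions are now all that protect the key.
strip_passphrase() {
    dir=$1; host=$2; pass=$3
    openssl rsa -in "$dir/$host.key.enc" -passin "pass:$pass" -out "$dir/$host.key" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Checks before installing: the certificate chains to the given CA, carries the
# expected DNS name in its SAN, and matches the private key. Returns 1 on the
# first failure.
verify_server_cert() {
    cafile=$1; crt=$2; key=$3; host=$4
    openssl verify -CAfile "$cafile" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

run_demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    echo "CA SHA-256 fingerprint: $(ca_fingerprint "$dir")"
    make_server_cert "$dir" blog.example.test changeme
    strip_passphrase "$dir" blog.example.test changeme
    verify_server_cert "$dir/cacert.pem" "$dir/blog.example.test.crt" \
        "$dir/blog.example.test.key" blog.example.test && echo "blog.example.test.crt: OK"
    echo "files in $dir"
}

if [ "${1:-}" = "demo" ]; then run_demo; fi
```

Run it as sh ca-demo.sh demo; it prints the CA fingerprint and leaves cacert.pem, the server certificate and both key files in a fresh temporary directory. The verification step is the part worth copying into any CA workflow: a certificate that passes openssl verify but lacks the right SAN, or does not match the key the server loads, fails silently until a browser or the daemon refuses it.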