I would like to run shellinabox and my private blog system over HTTPS. However, an SSL certificate is really expensive, so I decided to run our own certificate authority and distribute my cacert.pem through GitHub Pages.
In general, running a certificate authority requires three steps:
- Create an RSA key pair for the CA. This step creates cacert.pem as well. You should distribute the CA certificate over a trusted channel.
- For each service, create a certificate request and send it to CA.
- The CA should sign the certificate request, and return it back.
- Install the CA-signed SSL certificate on the HTTPS server (etc.).
The OpenSSL package from Ubuntu provides a simple script (CA.pl) for managing the certificates. Let's start.
Generate Certificates for Your Service
To create the SSL certificate for your service:
# Create a certificate request
$ ./CA.pl -newreq
# Sign a certificate request
$ ./CA.pl -sign
newkey.pem and newcert.pem are the private key and the certificate respectively.
Please note that newkey.pem has been encrypted with a passphrase.
In some situations you have to decrypt it before installing the certificate
(e.g. for Apache2). Here's the command to decrypt the private key:
$ openssl rsa -in newkey.pem -out newkey.nopass.pem