SSL Certificate

I would like to run shellinabox and my private blog system through HTTPS protocol. However, an SSL certificate is really expensive, thus I decided to run our own certificate authority and distribute my cacert.pem through GitHub Pages.

In general, running a certificate authority requires three steps:

  1. Create a RSA public/private keys for the CA. This step will create cacert.pem as well. You should distribute the CA certificate via some safe tunnel.
  2. For each service, create a certificate request and send it to CA.
  3. The CA should sign the certificate request, and return it back.
  4. Install the CA-signed SSL certificate to HTTPS server (and etc.)

The OpenSSL package from Ubuntu has provide a simple script for us to manage the certificates. Let's start.

Create a Certificate Authority

Create directory to save everything:

$ mkdir MyCA
$ chmod 700 MyCA
$ cd MyCA

Copy the tools:

$ cp /usr/lib/ssl/misc/ .
$ cp /etc/ssl/openssl.cnf .

Edit the configurations to fit your need, and finally create the certificate for your CA:

$ ./ -newca

By default, the cacert.pem will be generated at demoCA/cacert.pem. Install this certificate as an authority in your browser. You can also check the fingerprint with:

$ openssl x509 -fingerprint -noout -in cacert.pem
$ openssl x509 -sha256 -fingerprint -noout -in cacert.pem

Generate Certificates for Your Service

To create the SSL certificate for your service:

# Create a certificate request
$ ./ -newreq

# Sign a certificate request
$ ./ -sign

The generated newkey.pem and newcert.pem are the private key and the certificate respectively.

Please notice that the newkey.pem has been encrypted with a passpharse. Under some situation, you have to decrypt it before installing the certificate (e.g. Apache2). Here's the command to decrypt the private key:

$ openssl rsa -in newkey.pem -out newkey.nopass.pem