This may sound crazy, but can I be the root certificate authority? I mean, I have many computers and smart devices in my home.
- Remote Desktop warns that the certificate is not trusted, because it is issued by the server itself. I added it to the trusted root authorities using the certificate manager, but it still warns.
- When I run an EXE from a network shared folder, it also warns that the EXE is not signed.
- SSH also warns about certificates.
- I am also running a web server for my own use. I know it is not that necessary, but it would be better if it were on HTTPS, just in case someone sniffs my Wi-Fi.
So, in order to do these, I can issue certificates and all my devices should accept those as valid, trusted certificates. The following is my just imaginary scenario:
1. Install a certificate generation program on one of my PCs, which will be my root authority.
2. Make a root certificate, copy its public key to all of my devices, and let them take it as a trusted root certificate.
3. Issue multiple certificates for local use, signed by the root certificate's private key.
4. The certificates generated in Step 3 are accepted as valid certificates by all of my devices without any further cumbersome work.
Are things like these possible, or should I buy real certificates? Once again, only for local area uses.
Best Answer
You can do it, as I've done, by following this tutorial.
Create Private Certificate Authority on Linux
This tutorial will show you how to create your own private CA or Certificate Authority. This will give you the opportunity to sign your own certificates without having to pay someone else. However, since your private CA will not be trusted by others it may prompt warnings when others use it. You will need to add your root certificate to the machines you want to trust your CA.
I had written a similar article in 2008 (Create a Certificate Authority and Certificates with OpenSSL) but this tutorial supersedes the instructions for creating a CA in the older one.
Install Prerequisites
I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.
We will run all commands by default in the /home/cg/myca directory, unless stated otherwise.
Config File
This file would serve as the default config file for the CA. It should look something like the following:
Thanks to http://wwwneu.secit.at/web/documentation/openssl/openssl_cnf.html for helping with this file.
Generate Root Certificate
You can use the config file (caconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in caconfig.cnf.
openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem
Although we specified the default number of days in the caconfig.cnf file, we still have to specify the -days flag when using the -x509 flag. If we don't, the certificate is created with a default value of 30 days. Thanks to Re: default_days problem and OpenSSL req(1).
If you want to provide your own custom values you may run the following command instead.
openssl req -new -x509 -days 3650 -newkey rsa:4096 -extensions v3_ca -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem
You will be asked for a passphrase. Make sure you use a secure passphrase and don’t forget it. You will also be asked other relevant questions. Following is an example output of the process.
Verify Root Certificate
You should verify that the certificate was created properly with accurate information.
Export Root Certificate
Since this newly created CA and its root certificate are not recognized and trusted by any computer, you need to import the root certificate on all other computers. By default an OS will have a list of trusted CAs and you need to import your CA to that list. The process varies for different OSes.
Windows
The root certificate we created is in PEM encoded format. For Windows we need it to be in DER encoded format. A great resource on the differences between the two is DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them.
Verify the certificate was created successfully.
Once you have the exported file, copy it to your Windows machine. You can follow the instructions provided by How To Import a Trusted Root Certification Authority In Windows to import the certificate to the Trusted Root Certification Authorities store on Local Computer.
You can also export the certificate to PKCS12 format. Thanks to Importing a User Certificate to the Windows Certificate Store for this information.
You will be asked to provide the passphrase you used to create the root certificate. You will also be asked for a new “Export Password”.
Copy the .p12 file to Windows and double-click it. A wizard will open and guide you to install it.
Conclusion
The process to create a CA is very simple. Next I will write about signing a certificate request.
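The root-CA steps above (config, self-signed root, verification, DER export for Windows) as one runnable script. This is an added example, not the tutorial's or the answerer's code; the directory layout, the "Home Lab" names and the unencrypted key (`-nodes`, so it runs unattended) are assumptions, and it assumes `openssl` 1.1 or newer is installed.

```shell
#!/bin/sh
# Added example: build a private root CA with OpenSSL, check that it really is a
# CA certificate, and export it as DER for the Windows Trusted Root store.
set -eu

make_root_ca() {
  dir="$1"; cn="$2"
  mkdir -p "$dir/private" "$dir/certs" "$dir/conf"
  chmod 700 "$dir/private"
  # Minimal config. The v3_ca section is what marks the certificate as a CA
  # (basicConstraints CA:TRUE, keyCertSign); without it clients keep warning
  # even after the certificate is imported as a trusted root.
  cat > "$dir/conf/caconfig.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = $cn
O  = Home Lab
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Self-signed root valid for 10 years. -days must be given explicitly even
  # when the config sets default_days, otherwise the cert lasts 30 days.
  # -nodes leaves the key unencrypted for this demo; the tutorial uses a passphrase.
  openssl req -new -x509 -days 3650 -newkey rsa:4096 -nodes \
    -config "$dir/conf/caconfig.cnf" \
    -keyout "$dir/private/key.ca.pem" -out "$dir/certs/crt.ca.pem" 2>/dev/null
  chmod 600 "$dir/private/key.ca.pem"
  # Windows wants DER; convert the PEM root for import on the Windows machines.
  openssl x509 -in "$dir/certs/crt.ca.pem" -outform DER -out "$dir/certs/crt.ca.der"
}

# Returns 0 only if the root carries the CA extensions and validates against itself.
check_root_ca() {
  dir="$1"
  txt=$(openssl x509 -in "$dir/certs/crt.ca.pem" -noout -text)
  printf '%s\n' "$txt" | grep -q "CA:TRUE" || return 1
  printf '%s\n' "$txt" | grep -q "Certificate Sign" || return 1
  openssl verify -CAfile "$dir/certs/crt.ca.pem" "$dir/certs/crt.ca.pem" >/dev/null
}
```

Run `make_root_ca /home/cg/myca "Home Lab Root CA"` and then `check_root_ca /home/cg/myca`; the DER file in certs/ is the one to import on Windows.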