Create your own certificate authority with openssl - part one July 31, 2018

This post is part one of a series on working with openssl to manage your own certificate authority (CA) for a couple of different use cases. If you just want to get a CA up and running for local development I thoroughly recommend mkcert.

In this first part we’ll create a CA with openssl, install it into our browser and test it with a local web server. Note that I’ll be providing all the information on the command line to make it easier to script things. To see it all tied together see this related github repo.

Create a certificate authority with OpenSSL

First we generate the private key for our CA (with a password other than ‘capassword’ preferably, and ensure it’s not visible in your shell history).

> openssl genrsa -aes256 -passout pass:capassword -out test-ca.key 2048

Next we generate the root certificate. The fields in the subject name do not affect the certificate’s validity. They are queryable and shown when the certificate is installed (firefox lists them by organisation) so use something that will remind you what it’s for.

> openssl req -x509 -new -nodes \
  -passin pass:capassword \
  -key test-ca.key \
  -sha256 -days 1825 \
  -subj "/C=GB/O=robyoung.digital/CN=test" \
  -out test-ca.pem

And we’re done! Next we’re going to create a server certificate and sign it with our shiny new CA key.

Create a server certificate

As with the CA, our first step is to generate a private key for our server. This time we don’t want a password otherwise it becomes harder to install.

> openssl genrsa -out test-server.key 2048

Once we have a key we can generate our certificate signing request (CSR), just like when we’re using a public CA. This time the common name is significant as clients will use it to determine whether the server is authorised to serve that domain.

> openssl req -new \
  -subj "/C=GB/CN=dev.test" \
  -key test-server.key \
  -out test-server-static-csr.pem

If you need to support multiple domains with a single server certificate you have two options. Wildcard certificates, where you use a star (*) to match a domain name segment or subject alternative names (SANs).

The wildcard certificate approach is pretty simple.

> openssl req -new \
  -subj "/C=GB/CN=*.dev.test" \
  -key test-server.key \
  -out test-server-wildcard-csr.pem

Subject alternative names (SAN) is an x509 extension that allows you to add multiple domains to a single certificate. It is bit more complex to implement on the command line. This Stack Exchange answer helped me figure out how to do it. The path to your openssl.cnf is going to be system dependent, on Linux it will probably be /etc/ssl/openssl.cnf, however on Mac (using a homebrew installed openssl) it is at /usr/local/etc/openssl/openssl.cnf.

> openssl req -new \
  -subj "/C=GB/CN=dev.test" \
  -key test-server.key \
  -out test-server-san-csr.pem \
  -reqexts SAN \
  -config <( \
    cat /usr/local/etc/openssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:one.dev.test,DNS:two.dev.test\n") \
  )

While this is how you add SANs to a self signed key or a CSR you send to a public CA, there is unfortunately a bug in the x509 command that means extensions are not passed from certificate requests to certificates. For our purposes if we want SANs we’re going to have to add them when we sign the CSR.

First, our basic certificate with no SANs. For more information about the extensions used see the openssl x509 config docs.

> openssl x509 \
  -req -in test-server-static-csr.pem \
  -passin pass:capassword \
  -CA test-ca.pem -CAkey test-ca.key -CAcreateserial \
  -out test-server-static-cert.pem \
  -days 1825 -sha256 \
  -extfile <( cat <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
EOF
)

With the SANs it is almost identical but with the subjectAltName extension.

> openssl x509 \
  -req -in test-server-static-csr.pem \
  -passin pass:capassword \
  -CA test-ca.pem -CAkey test-ca.key -CAcreateserial \
  -out test-server-san-cert.pem \
  -days 1825 -sha256 \
  -extfile <( cat <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
subjectAltName=DNS:one.dev.test,DNS:two.dev.test
EOF
)

We now have a CA certificate and a couple of server certificates signed by that CA. It’s time to test them out.

Test with Nginx and Curl

First let’s spin up an Nginx docker container with our static certificate and server key. We’re going to use a minimal ssl configuration, in real life you’re going to want something much more robust.

nginx.vhost.conf

server {
  listen 443 ssl;

  server_name dev.test;

  ssl_certificate /etc/nginx/ssl/certs/server-crt.pem;
  ssl_certificate_key /etc/nginx/ssl/private/server.key;

  location / {
    return 200 'Static vhost test\n';
    add_header Content-Type text/plain;
  }
}
> docker run \
  --rm -p 443:443 \
  -v $(pwd)/nginx.vhost.conf:/etc/nginx/conf.d/default.conf:ro \
  -v $(pwd)/test-server.key:/etc/nginx/ssl/private/server.key:ro \
  -v $(pwd)/test-server-static-cert.pem:/etc/nginx/ssl/certs/server-crt.pem:ro \
  nginx

Before we finally test this we’re going to need dev.test to point to 127.0.0.1. If we were just testing with cur we could make use of the --resolve option to manually resolve. However, we also want this to work in a browser so let’s add it to our hosts file.

> echo "127.0.0.1 dev.test" >> /etc/hosts

Finally we’re able test our certificate!

> curl --cacert test-ca.pem https://dev.test
Static vhost test

Install the certificate authority

In order to test this in a browser we need to install the CA certificate. This process varies between different platforms and can be tempremental (which is one of the reasons mkcert is so great). To make my life easier I’m going to describe adding the CA certificate to Firefox as it allows you to manage your authorities from it’s own preferences.

First open your Firefox “Preferences”. Select “Privacy & Security”. Scroll all the way to the bottom and click “View Certificates”. Here we want to click the tab called “Authorities” and then click “Import”. Select our test-ca.pem and import.

You should now be able to visit https://dev.test in Firefox and see “Static vhost test” displayed. And we’re done!

Next steps

This has been a bit of a monster post but we now have a CA certificate installed in our browser, a process for creating signed server certificates and a web server that tests this out, all created with easily scriptable commands. In the next post we’ll create client certificates to identify ourselves with our servers.