Web www.freebsdmadeeasy.com
Main Menu

Creating an SSL Certificate of Authority

If you want to create your own SSL certificates for things such as Apache you need a CA. You can buy an SSL certificate generated by a trusted CA such as Thwate or Verisign, or you can generate one yourself using OpenSSL. Before generating your OpenSSL CA you should edit your openssl.cnf file to save yourself time. This file is used everytime you use OpenSSL and it stores the defaults for many of the things that you are prompted for everytime.


On FreeBSD you can edit your OpenSSL config file with

# ee /etc/ssl/openssl.cnf

This tutorial will use most of the default FreeBSD openssl.cnf settings. You just need to change the following settings in the file

dir = /root/sslCA
default_days = 3650

/root/sslCA is the directory we will be using in this tutorial. 3650 days is equal to 10 years. You can set this to any number of days, the default is 365.

Filling out your location and company information is often the most tedious task when generating SSL certificates so it is best to set as much of it as you can in your openssl.cnf file. The places where it can be set end in _default such as

countryName_default = US
stateOrProvinceName_default = NE
localityName_default = Wahoo

Tutorial Script

The rest of the commands in this tutorial can be done quickly using this script to create a CA. They are explained and given individually below.

Setting up the directories

Now that the openssl.cnf file is set up it is time to create the directories where we will keep our CA and other certificates that we will generate. The best place to put these are in the root directory with 700 for the permissions to restrict access.

# cd ~root/
# mkdir sslCA

# chmod 700 sslCA

# cd ~root/sslCA
# mkdir certs private newcerts

Create a serial file which will be used to name the new certificates generated and an index.txt file.

# echo 1000 > serial
# touch index.txt

Creating the CA

Use the following command to generate the Certificate of Authority. The command is shown with slashes to fit it onto the page.

# cd ~root/sslCA
# openssl req -new -x509 -days 3650 -extensions v3_ca \ 
-keyout private/cakey.pem -out cacert.pem \
-config /etc/ssl/openssl.cnf

The output will look similar to this. Fill in your own information as needed. Make SURE you choose a good password for your CA, and that you remember it for as many years as you generating the CA for. Without the password you will not be able to use it to generate any new certificates. For fields that show the correct default value you can just hit enter.

Generating a 1024 bit RSA private key
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that
will be incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Nebraska]:
Locality Name (eg, city) [Wahoo]: 
Organization Name (eg, company) []: My CA
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: freebsdmadeeasy.com
Email Address []: ca@freebsdmadeeasy.com

The CA should now be generated. You can double check it by looking at the two files that were created.

# more ~root/sslCA/cacert.pem
# more ~root/sslCA/private/cakey.pem

Keep the cakey.pem file and the password safe and you can now use it to generate SSL certificates.

You are now ready to generate your own SSL certificates for Apache