Becoming a CA AuthorityThese notes reflect my steps at producing software on my Linux box to issue certificates as a Certificate Authority (CA).
Get the SoftwareThe first step is to get the SSLeay software from the SSLeay site. While you're getting the software, why not browse the SSLeay FAQ, especially the part about generating certificates and private keys?
Note: The ftp site only allows for 10 connections at once, so you'll need to be persistent in your attempts. The FTP site lets you sign on with anonymous ftp.
This document describes my attempts as of July 15, 1998 using the SSLeay-0.9.0b.tar.gz package, the SSLeay-0.9.0b.README readme file, and for some reason I also felt inclined to grab the SSLeay.doc-1.5.tar.gz documentation file as well.
Building the SoftwareAfter downloading all those pieces, I created a diretory in my home directory called ssleay (just as a place to work), and extracted the files into it.
The SSLeay-0.9.0b.tar.gz package created a subdirectory called SSLeay-0.9.0b.
Configuration Pre-BuildA quick browse of the INSTALL and README files led me to run the ./Configure program first. To build the program, one does not need to be privileged, so I was not root at the time.
Note: Configure looks for PERL in /usr/local/bin/perl. This is not where I keep Perl, so I created a symbolic link in /usr/local/bin to my Perl's location.
To configure the software, I used the linux-elf version (since that's what my system uses); running Configure without command line arguments shows you the allowable environments.
The Build StepAfter the configuration, I compiled the software with just:
This took a long time, upwards of 15 minutes (on a dedicated, fast 486 with lots of RAM). I had no compilation errors or severe problems, although I did notice that several compiler warnings went flying by.
InstallationAt this point, I got brave. I became root and decided to install the compiled software.
This created a directory /usr/local/ssl that had five directories in it: bin, certs, include, lib, and private.
From this point out, I felt it was a good idea to remain as root.
Configuring the Certificate Configuration FileIn the newly created /usr/local/ssl/lib directory, there is a file called ssleay.cnf that I immediately decided to make a copy of (I named it ssleay.cnf.sample).
Then, using GNU Emacs, I edited the ssleay.cnf file.
I didn't change the upper part of the file, but read through most of it. The changes came when default fields are specified. (Apparently, if a fields do not have to have a default specified.)
Things ending in _default, like countryName_default could be changed. I changed AU to US.
I also set my stateOrProvinceName_default to Virginia. And for yucks, I set the O.organizationName_default to a company name.
Nothing else in the file required changing.
Change the default_days from 365 days to the number of days for ten years. This would be 3650 days for those who aren't math wizards.
Making of a CertificateA interesting observation is that the /usr/local/ssl/bin directory contains a ton of symbol links to the ssleay program. ssleay when invoked on its own, it provides a command line environment. When invoked by a symbolic link, it knows the name of the link and passes it as a parameter, so ssleay behaves differently. Clever.
You'll find all the documentation back in the ..../SSLeay-0.9.0b/doc directory when you built the software. I copied all the files in there to /usr/local/ssl/doc for convienence.
When you go to invoke CA, don't forget to type CA.sh.
To see what parameters may be used by CA.sh, look at the first few lines in the script:
# CA -newca ... will setup the right stuff # CA -newreq ... will generate a certificate request # CA -sign ... will sign the generated request and output
To create the certificate, I did the following:
# CA.sh -newca CA certificate filename (or enter to create) I just pressed enter here Making CA certificate ... Using configuration from /usr/local/ssl/lib/ssleay.cnf Generating a 1024 bit RSA private key .....+++++ .........+++++ writing new private key to './demoCA/private/./cakey.pem' Enter PEM pass phrase: I typed a phrase here Verifying password - Enter PEM pass phrase: And I did it again here ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter TT) [US]: Just accepted the default State or Province Name (full name) [Virginia]: Just accepted the default Locality Name (eg, city) :Ashburn Organization Name (eg, company) [Wizard Workshop and Company]: Just accepted the default Organizational Unit Name (eg, section) :Development Common Name (Your name) :Walt Stoneburner Email Address :firstname.lastname@example.org
At this point the certificate is created.
In addition, if this is the first time you've run the program, you might get a message about it recommending you use an environment variable to point to a data file that contains random state information. It will proceed without it, but it gives you the option to specify when.
Where's My CertificateInside /usr/local/ssl/bin/demoCA directory there is a file called\ cacert.pem. This is your certificate.
To validate the certificate is valid, verify it:
The computer responds with:
You can also extract the identity of the certificate:
The computer responds with something like:
demoCA/cacert.pem\tissuer= /C=US/ST=Virginia/L=Ashburn/O=Wizard Workshop and Company/OU=Development/CN=Walt Stoneburner/Emailemail@example.com
It would appear that your private key resides in a subdirectory. This would be /usr/local/ssl/bin/demoCA/private, in the file cakey.pem> and you never, ever want to give this file away, let people look at it, or give out your CA's pass phrase. This would be bad.
Using Your CertificateYour certificate now needs to be installed so that browsers know that certificates from you are to be trusted.