Becoming a CA Authority

These notes reflect my steps in setting up software on my Linux box to issue certificates as a Certificate Authority (CA).

Get the Software

The first step is to get the SSLeay software from the SSLeay site. While you're getting the software, why not browse the SSLeay FAQ, especially the part about generating certificates and private keys?

Note: The ftp site only allows for 10 connections at once, so you'll need to be persistent in your attempts. The FTP site lets you sign on with anonymous ftp. This document describes my attempts as of July 15, 1998 using the SSLeay-0.9.0b.tar.gz package, the SSLeay-0.9.0b.README readme file, and for some reason I also felt inclined to grab the SSLeay.doc-1.5.tar.gz documentation file as well.
Building the Software

After downloading all those pieces, I created a directory in my home directory called ssleay (just as a place to work), and extracted the files into it. The SSLeay-0.9.0b.tar.gz package created a subdirectory called SSLeay-0.9.0b.
Configuration Pre-Build

A quick browse of the INSTALL and README files led me to run the ./Configure program first. To build the program, one does not need to be privileged, so I was not root at the time.

Note: Configure looks for Perl in /usr/local/bin/perl. This is not where I keep Perl, so I created a symbolic link in /usr/local/bin to my Perl's location. To configure the software, I used the linux-elf version (since that's what my system uses); running Configure without command line arguments shows you the allowable environments.

$ ./Configure linux-elf
The Build Step

After the configuration, I compiled the software with just:

$ make all
This took a long time, upwards of 15 minutes (on a dedicated, fast 486 with lots of RAM). I had no compilation errors or severe problems, although I did notice that several compiler warnings went flying by.
Installation

At this point, I got brave. I became root and decided to install the compiled software.

# make install

This created a directory /usr/local/ssl that had five directories in it: bin, certs, include, lib, and private. From this point on, I felt it was a good idea to remain as root.
Configuring the Certificate Configuration File

In the newly created /usr/local/ssl/lib directory, there is a file called ssleay.cnf that I immediately decided to make a copy of (I named it ssleay.cnf.sample). Then, using GNU Emacs, I edited the ssleay.cnf file. I didn't change the upper part of the file, but read through most of it. The changes came where default values for the fields are specified. (Apparently, a field does not have to have a default specified.)

Things ending in _default, like countryName_default, can be changed. I changed AU to US. I also set my stateOrProvinceName_default to Virginia. And for yucks, I set the 0.organizationName_default to a company name. Nothing else in the file required changing.

Change the default_days from 365 days to the number of days in ten years. This would be 3650 days for those who aren't math wizards.
Making of a Certificate

An interesting observation is that the /usr/local/ssl/bin directory contains a ton of symbolic links to the ssleay program. When ssleay is invoked on its own, it provides a command line environment. When invoked through a symbolic link, it knows the name of the link and treats it as a parameter, so ssleay behaves differently. Clever.

You'll find all the documentation back in the ..../SSLeay-0.9.0b/doc directory where you built the software. I copied all the files in there to /usr/local/ssl/doc for convenience. The CA.sh script wraps the ca program (which is really a link to ssleay) so that generating certificates is easy. This is covered very well in the SSLeay FAQ section about How to be your own CA. When you go to invoke CA, don't forget to type CA.sh. To see what parameters may be used by CA.sh, look at the first few lines in the script:

# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output

To create the certificate, I did the following (my own input and remarks are in brackets):

# CA.sh -newca
CA certificate filename (or enter to create)
[I just pressed enter here]
Making CA certificate ...
Using configuration from /usr/local/ssl/lib/ssleay.cnf
Generating a 1024 bit RSA private key
.....+++++
.........+++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: [I typed a phrase here]
Verifying password - Enter PEM pass phrase: [And I did it again here]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter TT) [US]: [Just accepted the default]
State or Province Name (full name) [Virginia]: [Just accepted the default]
Locality Name (eg, city) []:Ashburn
Organization Name (eg, company) [Wizard Workshop and Company]: [Just accepted the default]
Organizational Unit Name (eg, section) []:Development
Common Name (Your name) []:Walt Stoneburner
Email Address []:wls@wls.wwco.com

At this point the certificate is created.
In addition, if this is the first time you've run the program, you might get a message recommending that you use an environment variable to point to a data file that contains random state information. It will proceed without it, but it gives you the option to specify one.
Where's My Certificate

Inside the /usr/local/ssl/bin/demoCA directory there is a file called cacert.pem. This is your certificate. To check that the certificate is valid, verify it:

The computer responds with:

cacert.pem: OK

You can also extract the identity of the certificate:

The computer responds with something like:

demoCA/cacert.pem    issuer= /C=US/ST=Virginia/L=Ashburn/O=Wizard Workshop and Company/OU=Development/CN=Walt Stoneburner/Email=wls@wls.wwco.com

It would appear that your private key resides in a subdirectory. This would be /usr/local/ssl/bin/demoCA/private, in the file cakey.pem, and you never, ever want to give this file away, let people look at it, or give out your CA's pass phrase. This would be bad.
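As an added example (not part of these notes or of SSLeay), the CA creation above and the verify and identity-extraction steps of this section redone with openssl(1), SSLeay's successor, whose subcommands kept the same names. It assumes openssl is on PATH, uses a DN mirroring the ssleay.cnf defaults chosen above, and writes the key unencrypted (-nodes) so it runs unattended, unlike the pass phrase prompt in the notes; it also checks that the key file ended up with the closed permissions the last paragraph calls for.

```shell
#!/bin/sh
# Added example, not from the original notes: CA.sh -newca, "verify" and
# issuer extraction redone with openssl(1). Assumptions: openssl on PATH;
# DN mirrors the notes' ssleay.cnf defaults; key written unencrypted (-nodes).
set -e

# Create a self-signed CA key and certificate under $1, valid for the notes' 3650 days.
make_ca() {
    dir="$1"
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"            # keep the private subdirectory closed
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=US/ST=Virginia/L=Ashburn/O=Wizard Workshop and Company/OU=Development/CN=Example CA" \
        2>/dev/null
    chmod 600 "$dir/private/cakey.pem"  # the CA key is never shared or world-readable
}

# The "verify it" step: a self-signed CA certificate validates only against itself.
verify_ca() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null 2>&1
}

# The "extract the identity" step: print the issuer DN of the CA certificate.
ca_issuer() {
    openssl x509 -noout -issuer -in "$1/cacert.pem"
}

# Exit 0 if the CA certificate is still valid $2 days from now, 1 if it will
# have expired; confirms the ten-year default_days actually took effect.
cert_outlives_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/cacert.pem" >/dev/null
}

# Permission bits of the CA key file: GNU stat first, BSD stat as fallback.
key_mode() {
    stat -c %a "$1/private/cakey.pem" 2>/dev/null || stat -f %Lp "$1/private/cakey.pem"
}

# Walk through the steps in a scratch directory when run as: sh ca_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca "$work/demoCA"
    verify_ca "$work/demoCA" && echo "$work/demoCA/cacert.pem: OK"
    ca_issuer "$work/demoCA"
    echo "key mode: $(key_mode "$work/demoCA")"
    rm -rf "$work"
fi
```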
Using Your Certificate

Your certificate now needs to be installed so that browsers know that certificates from you are to be trusted.