By Priyal Walpita
Sometimes you may want to create your own certificate authority (CA) for demonstration purposes or for simulation purposes. A certificate authority (CA), also sometimes referred to as a certification authority, is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates.
Note : Please note that this tutorial is for demonstration purposes only and it is not recommended to use in a production environment.
We are using the freely available openssl tool for this purpose.
Step 1 : Create the private key
As the first step you should create the private key for the CA. You can simply do this by using the genrsa command. Note that we are using the des3 (Triple DES) algorithm with 2048 key length.
openssl genrsa -des3 -out CAPrivate.key 2048
This would output the CAPrivate.key file. Please note that you will be promoting to give a passphrase when executing this command. It is recommended to enter a password and secure your private key.
Step 2: Generate the root certificate
As the next step, you need to create your root certificate using the generated private key. Ideally, this root certificate should be provided by another CA on top of your CA ( this is called as the certificate chain ). But in this instance , we are trying to act as the root CA and hence we need to create the root certificate file as follows.
openssl req -x509 -new -nodes -key CAPrivate.key -sha256 -days 365 -out CAPrivate.pem
We are creating the certificate file as x-509 certificate standard and using the sha256 as the hashing algorithm. Our certificate would be valid for 365 days. You will be prompting to enter lots of certificate related data in this step followed by validation of your private key’s password. You can give any value into these
Congratz ! Not you are technically as CA. Let’s test the operation of this CA.
As the next step lets see how we can generate a certificate file using our own CA.
Step 3 : Generate the CSR
First of all, we need to generate a private key.
openssl genrsa -out MyPrivate.key 2048
We are using the RSA asymmetric algorithm to generate this private key. As the nest step we need to generate the CSR ( Certificate request ) using this private key.
openssl req -new -key MyPrivate.key -out MyRequest.csr
So, you need to send this CSR to the CA to obtain the certificate file.
Step 4: Generate the Certificate using the CSR
We are going to create a X509 certificate using the CSR. We are setting the certificate’s validity period for 1 year ( -days 365 ). Note that we need to use our CA’s root certificate and the private key in this operation. We need to enter the CA private key’s password as well when prompted.
openssl x509 -req -in MyRequest.csr -CA CAPrivate.pem -CAkey CAPrivate.key -CAcreateserial -out X509Certificate.crt -days 365 -sha256
So, let test the generated certificate file
Step 5: Testing the generated certificate
You can import this certificate into your OS’s trusted certificate list or use in your web server as well. In this post, I’m gonna show you how to use this certificate to verify a signing process.
First let’s sign some text file using the user’s private key.
openssl dgst -sha256 -sign MyPrivate.key -out signature.txt sign.txt
The signature.txt would hold the signature of the content of the sign.txt file.
We can verify this signature by using user’s certificate as follows. First of all , load the X509 certificate into the openssl tool and then perform the verification.
openssl x509 -in X509Certificate.crt
Verification step :
openssl dgst -sha256 -verify <(openssl x509 -in X509Certificate.crt -pubkey -noout) -signature signature.txt sign.txt
Let’s change the content of the sign.txt file and try to verify this again.
Note : You have to use a secure vault or a HSM ( Hardware Security Module ) to persist all secret files in this process if you are going to use this in a production environment.
Thank you !