Create SSL/TLS certificates with openSSL

Self Signed Certificates

If you want to create your own self signed X.509 certificate to secure your Webservices just use them. They are as secure as every other certificate.

IMHO – CA/Certificate Authorities just take money for no additional security. Their Trust model is broken and was never secure. They only check if you are able to receive a mail linked to your domain. No more security checks.

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/mydomain.tld.key -out /etc/ssl/certs/mydomain.tld.pem

Set up your vhost on apache, lighty ngin-x or any other TLS-capable Webserver with the key and the pem file.

Firefox brings a warning, and lets you add the certificate to your trusted certificates. Chromium warns always about the untrusted certificate. Similar to MS Internet Explorer.

If you want to put your self signed certificate on an Android Phone to remove warning, import it with the App CAdroid (GPLv3) from F-Droid Repository. CAdroid on GitHub and CAdroid Homepage

SHA1 is broken – don’t use it anymore.

Check your page with similar site’s like https://shaaaaaaaaaaaaa.com/check/blog.cavebeat.org and verify if your certificate is signed with SHA256 instead of SHA1/MD5.

Most of the secure web is using an insecure algorithm, and Google’s just declared it to be a slow-motion emergency. Something like 90% of websites that use TLS encryption use an algorithm called SHA-1 to sign their certificates.

Unfortunately, SHA-1 is dangerously weak, and has been for a long time. It gets weaker every year, but remains widely used on the internet. Its replacement, SHA-2, is strong and supported just about everywhere.

That’s why you should add -sha256 to every openSSL command when creating new certificates.

Create a CSR File – Certificate Signing Request

If you still want to use a Certificate Signed from a CA you need to create a CSR File and send it to them. Your key MUST not be sent to them.

openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout mydomain.tld.key -out mydomain.tld.csr

Put your *.key file into your /etc/ssl/private/ directory and send the CA company your *.csr file.

LowEnd Providers for single Domains:

  • Namecheap/Comodo/PositiveSSL – sell’s cheap 8€/yr certificates, hands out all necessary intermediate files.
  • StartSSL – hands out one 0$ Certificate for a single domain, expect an OCSP error in the first few hours when used with FF.
  • LetsEncrypt – Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. GoLive for Mid of 2015
  • CAcertCAcert.org is a community-driven certificate authority that issues free public key certificates to the public. Unfortunately they are not available as RootCA in the plattforms where we want to access our TLS secured WebServers. Even Debian has removed CAcert from there trusted RootCA store.

They will send back soon the signed certificate mydomain.tld.CRT which you can use like the self signed mydomain.tld.pem file.

You will receive two or three additional certicates from your CA. These are intermediary certificates needed for the Certification Paths which point in the end to your pre-installed RootCA’s. Copy the intermediary files without the RootCA and the signed Cert into the file CA_path_for_mydomain.tld.crt

Apache vHost config

Certificate File – *.PEM from Self-Signed or *.CRT from CA

SSLCertificateFile    /etc/ssl/certs/mydomain.tld.crt

Private Key File – Keep this one save!

SSLCertificateKeyFile /etc/ssl/private/mydomain.tld.key

Certificate Paths for Intermediary Certificates

SSLCertificateChainFile /etc/ssl/certs/CA_path_for_mydomain.tld.crt

Comments are closed.