To sign internal certificates with an internal CA, you can use the following instructions, which are based on a Stack Overflow thread:

  • create the CA key and certificate and the files the CA needs:
mkdir ca # create a folder for all the CA related files

openssl genrsa -out ./ca/rootCA.key 2048 # create the CA private key; keep this file secret (chmod 600, or add -aes256 to protect it with a passphrase)
openssl req -new -x509 -key ./ca/rootCA.key -out ./ca/rootCA.crt -days 365 # create a self-signed CA certificate valid for 365 days

touch ./ca/index.txt # CA database (one line per issued certificate)
mkdir ./ca/newcerts/ # folder where openssl ca stores a copy of each signed certificate
echo 01 > ./ca/serial # next serial number (hex); openssl ca increments it on every signing
  • create a CA configuration file, ca.conf, with the following contents:
# ca.conf

[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= .			# Where everything is kept (relative to the current directory)
certs		= $dir			# Where the issued certs are kept
database	= $dir/index.txt	# database index file
new_certs_dir	= $dir/newcerts		# default place for new certs
certificate	= $dir/rootCA.crt	# The CA certificate
serial		= $dir/serial		# The current serial number
private_key	= $dir/rootCA.key	# The private key
RANDFILE	= $dir/.rand		# private random number file
unique_subject	= no			# allow re-issuing a certificate for the same subject
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# signature digest; md5 and sha1 are broken and rejected by browsers
preserve	= no			# keep passed DN ordering
copy_extensions	= copy			# copy extensions (subjectAltName etc.) from the CSR into the certificate;
					# note that this copies every extension the requester put in the CSR,
					# unless the same extension is set in an x509_extensions section here
 
policy		= policy_anything

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
  • now you can sign any CSR with this configuration:
cd ./ca

openssl ca -config ./ca.conf -in [path to CSR] -out [path to output certificate]

Keep in mind that the paths in ca.conf are relative to the current directory (dir = .), so the command above only works when run from the ./ca/ folder. Also note that with copy_extensions = copy every extension in the CSR is copied, not only subjectAltName: unless you add an x509_extensions section that sets basicConstraints = CA:FALSE (extensions defined in the configuration take precedence over those in the CSR), a CSR that asks for basicConstraints = CA:TRUE will be issued as a CA certificate, so review each CSR before signing it.
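The whole procedure as an added, runnable example (this is not code from the original post): it builds the CA layout and ca.conf from above in a temporary directory, signs a CSR, and then checks the result. Two changes from the page's configuration are deliberate: default_md is sha256, and an x509_extensions section pins basicConstraints = CA:FALSE, so a CSR that asks for CA:TRUE cannot turn copy_extensions = copy into a rogue sub-CA. The CA name, the hostname intranet.example.test, the root lifetime of 3650 days and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the page's CA layout and ca.conf
# rebuilt end to end, signing a CSR and checking the result.
# CA name, hostname, lifetimes and file names are assumptions for the demo.
set -eu

# Create the CA directory, database files, root key and root certificate.
# ca.conf gets an absolute dir, so openssl ca works from any working directory.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts"
    touch "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    openssl genrsa -out "$ca_dir/rootCA.key" 2048 2>/dev/null
    chmod 600 "$ca_dir/rootCA.key"   # whoever holds this key can mint trusted certs
    cat > "$ca_dir/root.conf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Internal Test Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -days 3650 -key "$ca_dir/rootCA.key" \
        -config "$ca_dir/root.conf" -out "$ca_dir/rootCA.crt"
    cat > "$ca_dir/ca.conf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/rootCA.crt
serial          = \$dir/serial
private_key     = \$dir/rootCA.key
unique_subject  = no
default_days    = 365
default_md      = sha256        # not md5
copy_extensions = copy          # take subjectAltName from the CSR ...
x509_extensions = server_cert   # ... but extensions listed here take precedence
policy          = policy_anything
[ server_cert ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ policy_anything ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
EOF
}

# Generate a server key and a CSR carrying a SAN and, deliberately, a request
# for basicConstraints = CA:TRUE; then sign it with openssl ca (non-interactive).
issue_server_cert() {
    ca_dir=$1; host=$2
    cat > "$ca_dir/req.conf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = req_ext
[ dn ]
CN = $host
[ req_ext ]
subjectAltName   = DNS:$host
basicConstraints = CA:TRUE
EOF
    openssl genrsa -out "$ca_dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$ca_dir/server.key" -config "$ca_dir/req.conf" \
        -out "$ca_dir/server.csr"
    openssl ca -batch -notext -config "$ca_dir/ca.conf" \
        -in "$ca_dir/server.csr" -out "$ca_dir/server.crt"
}

cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }      # $1 leaf, $2 root
cert_has_san()   { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; } # $1 cert, $2 host
cert_is_ca()     { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

CA_DIR=$(mktemp -d)
HOST=intranet.example.test
make_ca "$CA_DIR"
issue_server_cert "$CA_DIR" "$HOST"
cert_chains_to "$CA_DIR/server.crt" "$CA_DIR/rootCA.crt" || { echo "chain verification FAILED"; exit 1; }
cert_has_san "$CA_DIR/server.crt" "$HOST" || { echo "SAN was not copied from the CSR"; exit 1; }
if cert_is_ca "$CA_DIR/server.crt"; then
    echo "DANGER: the CSR's CA:TRUE was copied into the issued certificate"; exit 1
fi
echo "issued $CA_DIR/server.crt: chains to rootCA.crt, SAN DNS:$HOST, CA:FALSE"
```

The temporary directory is left in place so you can inspect index.txt, serial and newcerts/ after a run. The important line is the pairing of copy_extensions = copy with x509_extensions = server_cert: with copy, openssl ca only copies CSR extensions that the configuration did not already set, which is what keeps the CSR's CA:TRUE out of the issued certificate.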

Now you can install your CA certificate in your computer's certificate store (on Windows under `Trusted Root Certification Authorities`; Firefox uses its own store unless enterprise roots are enabled) and browsers will trust the certificates this CA issues, provided each certificate's subjectAltName matches the hostname you connect to. Keep in mind that anyone who obtains rootCA.key can issue certificates that every machine trusting this root will accept, so guard the key accordingly.
