A self-signed certificate is a certificate that is signed by the person creating it rather than a trusted certificate authority. Self-signed certificates can enable the same level of encryption as a $1500 certificate signed by a trusted authority, but there are two major drawbacks: a visitor's connection could be hijacked allowing an attacker view all the data sent (thus defeating the purpose of encrypting the connection) and the certificate cannot be revoked like a trusted certificate can.
Self-signed certificates or certificates issued by a private CAs are not appropriate for use with the general public.
However, self-signed certificates can have their place:
If you are going to use a self-signed certificate for one of the situations where they are appropriate, it is much better to create your own private CA certificate. This is a more secure option that allows you to avoid warnings like the one displayed above for doing just a little bit more work.
First of all we will create a directory tree where all certificate stuff will be kept. CentOS default directory is /etc/pki/tls/. So, as root, we create our own directories:
# mkdir -m 0755 /etc/pki/myCA /etc/pki/myCA/private /etc/pki/myCA/certs /etc/pki/myCA/newcerts /etc/pki/myCA/crl
myCA is our Certificate Authority's directory.
myCA/certs directory is where our server certificates will be placed.
myCA/newcerts directory is where openssl puts the created certificates in PEM (unencrypted) format and in the form cert_serial_number.pem (eg 07.pem). Openssl needs this directory, so we create it.
myCA/crl is where our certificate revokation list is placed.
myCA/private is the directory where our private keys are placed. Be sure that you set restrictive permissions to all your private keys so that they can be read only by root, or the user with whose priviledges a server runs. If anyone steals your private keys, then things get really bad.
We are going to copy the default openssl configuration file (openssl.cnf) to our CA's directory. As root:
# cp /etc/pki/tls/openssl.cnf /etc/pki/myCA/openssl.my.cnf
This file does not need to be world readable, so we change its attributes:
# chmod 0600 /etc/pki/myCA/openssl.my.cnf
We also need to create two other files. This file serves as a database for openssl:
# touch /etc/pki/myCA/index.txt
The following file contains the next certificate's serial number. Since we have not created any certificates yet, we set it to "01":
# echo '01' > /etc/pki/myCA/serial
You should modify the following settings in order to comform to our custom directory and our custom CA key and certificate:
[ CA_default ] dir = . # <--CHANGE THIS certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt #unique_subject = no new_certs_dir = $dir/newcerts certificate = $dir/certs/myca.crt # <--CHANGE THIS serial = $dir/serial #crlnumber = $dir/crlnumber crl = $dir/crl.pem private_key = $dir/private/myca.key # <--CHANGE THIS RANDFILE = $dir/private/.rand x509_extensions = usr_cert
Now, that all initial configuration is done, we may create a self-signed certificate, that will be used as our CA's certificate. In other words, we will use this to sign other certificate requests.
Change to our CA's directory. This is where we should issue all the openssl commands because here is our openssl's configuration file (openssl.my.cnf). As root:
# cd /etc/pki/myCA/
And then create your CA's Certificate and Private Key. As root:
[root@server1 myCA]# openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825 -sha256 [root@server1 myCA]# chmod 0400 /etc/pki/myCA/private/myca.key
This creates a self-signed certificate with the default CA extensions which is valid for 5 years. You will be prompted for a passphrase for your CA's private key. Be sure that you set a strong passphrase. Then you will need to provide some info about your CA. Fill in whatever you like.
First, we change to our CA's directory:
# cd /etc/pki/myCA/
You can change server in example.com or so.
Then we create the certificate request:
[root@server1 myCA]# openssl req -config openssl.my.cnf -new -newkey rsa:2048 -nodes -keyout private/server.key -out server.csr -days 365 -sha256
The -nodes option is needed so that the private key is not protected with a passphrase. If you do not intend to use the certificate for server authentication, you should not include it in the above command.
You can customize the number of days you want this certificate to be valid for.
Now we are going to sign the certificate request and generate the server's certificate.
First, we change to our CA's directory:
# cd /etc/pki/myCA/
Then we sign the certificate request:
[root@server1 myCA]# openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
You will need to supply the CA's private key in order to sign the request. You can check the openssl.my.cnf file about what policy_anything means. In short, the fields about the Country, State or City is not required to match those of your CA's certificate.
After all this is done two new files are created:
certs/server.crt - this is the server's certificate, which can be made available publicly. newcerts/01.pem - This is exactly the same certificate, but with the certificate's serial number as a filename. It is not needed.You can now delete the certificate request (server.csr). It's no longer needed:
# rm server.csr
You can see the certificate's info with the following:
# openssl x509 -subject -issuer -enddate -noout -in /etc/pki/myCA/certs/server.crt
Or the following:
# openssl x509 -in /etc/pki/myCA/certs/server.crt -noout -text
And verify that the certificate is valid for server authentication with the following:
# openssl verify -purpose sslserver -CAfile /etc/pki/myCA/certs/myca.crt /etc/pki/myCA/certs/server.crt
If you do not want a certificate to be valid any more, you have to revoke it. This is done with the command:
# openssl ca -config openssl.my.cnf -revoke certs/server.crt
Then you should generate a new CRL (Certificate Revokation List):
# openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl
The CRL file is crl/myca.crl.