So you want to generate self-signed certificates...
For whatever reason, you want to sign your own certificates for a number of domains that you run. You're probably doing this so that you can have a secure area of your site that only you log into. A self-signed certificate is definitely not a good idea if you are running a public facing encrypted site.
But we'll make this a little easier by signing each certificate with a certificate authority that we also control. That way there is only one CA certificate to download and install on each computer we use, and every certificate it signs is then trusted automatically, which avoids the whole hassle of clicking through an "accept" warning for each site.
Self-signed certificates should be made as the root user, mainly because they will be used by services throughout your system. It's good to have your certificates stored in a location that is readable by everybody but easy to lock down. So let's make that location:

mkdir /etc/ssl.key
mkdir /etc/ssl.csr
mkdir /etc/ssl.crt
mkdir /etc/ssl.ca

We'll change the permissions on these later, once all of the certificates have been created. Now let's create the certificate authority so that we can sign our certificates. In this process it's going to ask you a bunch of information about your signing authority. You can really fill in whatever you want. Just try to stay consistent between each certificate that you sign, for no other reason than that consistency is nice. The "common name" in this command can also be anything that you want; it will show up as the issuer of every certificate you sign. The "-des3" option encrypts the CA key with a passphrase, and you'll be asked for that passphrase every time you sign something with it.

openssl genrsa -des3 -out /etc/ssl.ca/ca.key 4096
openssl req -new -x509 -days 3650 -key /etc/ssl.ca/ca.key -out /etc/ssl.ca/ca.crt

That made a certificate authority file that is valid for ten years. I think that should cover you until well after the robots take over. Now let's create our first certificate:
openssl genrsa -des3 -out /etc/ssl.key/example.com.key 2048   # 2048 bits; 1024-bit RSA is too small to use today
openssl req -new -key /etc/ssl.key/example.com.key -out /etc/ssl.csr/example.com.csr
openssl x509 -req -days 3650 -in /etc/ssl.csr/example.com.csr \
-CA /etc/ssl.ca/ca.crt -CAkey /etc/ssl.ca/ca.key \
-set_serial 1 -out /etc/ssl.crt/example.com.crt
openssl rsa -in /etc/ssl.key/example.com.key -out /etc/ssl.key/example.com.key.insecure
mv /etc/ssl.key/example.com.key /etc/ssl.key/example.com.key.secure
mv /etc/ssl.key/example.com.key.insecure /etc/ssl.key/example.com.key
A few things to point out about this list of commands.

The first is that the value for "-set_serial" in the third command must be incremented for every certificate you generate: serial numbers must be unique per issuer. If you re-use a number, clients that have already seen the earlier certificate (Firefox, for one, remembers certificates by issuer and serial) will reject the new one. If you'd rather not keep count by hand, "-CAcreateserial" in place of "-set_serial" makes OpenSSL maintain a counter file next to ca.crt.

The second is that when filling in details for this certificate, the "common name" must be the domain name for which you are signing the certificate. This can be www.example.com or example.com or, if you are feeling lazy, *.example.com. (Note that *.example.com will only cover one level of hostname. So that will cover foo.example.com but not foo.bar.example.com, and it does not cover the bare example.com either.) Current browsers go further and ignore the common name entirely: they match the hostname against the certificate's subjectAltName extension, so for anything newer than the browsers of 2012 you also need to pass the third command an extensions file ("-extfile") that lists the names as subjectAltName entries.

The third is that there is a step in there where I create a copy of the private key and rename it to .insecure. What this step does is remove the passphrase from the private key. If I did not do that, every time a service that needs the private key is started, I would have to enter the passphrase. That's kind of annoying sometimes! So I disable that. The trade-off is that the unencrypted key is now only as safe as the file permissions on it, which is why the lockdown step below matters.
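Here is the whole procedure above as one script, added here as a worked example and not taken from the original essay. It builds the CA and one leaf certificate in a scratch directory (so it runs unprivileged rather than writing to /etc/ssl.*), puts the hostnames in a subjectAltName so current browsers accept the certificate, lets OpenSSL track serial numbers with -CAcreateserial, writes the keys without a passphrase in the first place instead of stripping it afterwards, and finally checks the result with "openssl verify", including the one-label limit of the wildcard. It assumes the openssl command is on PATH; the directory argument, the "Example Private CA" name and the example.com hostnames are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original essay. Builds a private CA and
# issues one leaf certificate with a subjectAltName, then verifies the chain.
# Assumes: the openssl CLI is on PATH. The directory argument, the CA name and
# the example.com hostnames are placeholders chosen for this example.
set -eu

make_private_ca_and_leaf() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"

    # 1. CA key and self-signed CA certificate. basicConstraints marks it as an
    #    issuer. Keys are written unencrypted (what the essay's ".insecure"
    #    copy achieves), so the directory permissions are what protect them.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private CA
O = Example
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" -extensions ca_ext \
        -key "$dir/ca.key" -out "$dir/ca.crt"

    # 2. Leaf key (2048 bits, not the 1024 of the original command) and CSR.
    #    -subj overrides the [dn] section of the same config file.
    openssl genrsa -out "$dir/example.com.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=example.com/O=Example" \
        -key "$dir/example.com.key" -out "$dir/example.com.csr"

    # 3. Leaf extensions. Browsers match hostnames against subjectAltName, not
    #    the CN, and the wildcard covers exactly one label below example.com.
    cat > "$dir/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:*.example.com
EOF
    # -CAcreateserial keeps a counter in ca.srl so each certificate gets a new
    # serial number without hand-incrementing -set_serial.
    openssl x509 -req -days 3650 -in "$dir/example.com.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/example.com.crt" 2>/dev/null

    chmod 600 "$dir/ca.key" "$dir/example.com.key"
}

# Succeeds (exit 0) only if the leaf certificate chains to ca.crt and is valid
# for the given hostname; fails for names the subjectAltName does not cover.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/example.com.crt" >/dev/null 2>&1
}

# Usage:
#   make_private_ca_and_leaf ./pki
#   verify_leaf ./pki www.example.com      # succeeds: matches *.example.com
#   verify_leaf ./pki foo.bar.example.com  # fails: the wildcard is one label only
```

The same -extfile mechanism works with the essay's /etc/ssl.* layout; only the paths change. Once you trust the script's ca.crt the way the rest of the essay describes, its example.com.crt is accepted by browsers that ignore the common name, which the certificate from the bare "openssl x509 -req" command above is not.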
Now, after we're done creating all of our certificates, we want to lock them up so that only authorized users can access the private ones while the public ones stay readable. Note that the CA's private key lives in /etc/ssl.ca next to the public ca.crt, so it needs its own tighter permissions rather than the 644 that the rest of that directory gets:

chmod 600 /etc/ssl.csr/*
chmod 600 /etc/ssl.key/*
chmod 644 /etc/ssl.crt/*
chmod 644 /etc/ssl.ca/*
chmod 600 /etc/ssl.ca/ca.key
chmod 700 /etc/ssl.csr
chmod 700 /etc/ssl.key
chmod 755 /etc/ssl.ca
chmod 755 /etc/ssl.crt

Once you've got these certificates you'll want to install the CA certificate in four places: your local browser, your local Java installation, your server's Java installation, and your server's OpenSSL certificate location.
Getting it into your browser is easy: just navigate to the ca.crt file from your browser and follow the instructions. On Mac OS, Safari will just download the file; "Open" the downloaded file and it will be added to your Keychain, which makes it available to Safari and the entire operating system. On Windows, installing the certificate through Internet Explorer puts it in the Windows certificate store, which likewise makes it available to the entire operating system. Browsers that keep their own certificate store, Firefox in particular, still need a manual import of their own. Wherever an import dialog asks, the file belongs among the trusted certificate authorities, not the server certificates, or nothing it signs will be trusted.
To get it into Java, import it into the jssecacerts trust store. Java consults jssecacerts ahead of the stock cacerts file if it exists, so the stock file stays untouched; the default store password is "changeit". The command is the same on Windows, Linux, or Mac OS, except that on JDK 9 and later the directory is $JAVA_HOME/lib/security rather than $JAVA_HOME/jre/lib/security.
$JAVA_HOME/bin/keytool -import -alias root \
-file /etc/ssl.ca/ca.crt -storepass changeit \
-keystore $JAVA_HOME/jre/lib/security/jssecacerts \
-noprompt -trustcacerts
And finally, to get it into your server's list of trusted certificates. On Debian this location is /etc/ssl/certs and you can link to it like this:

ln -s /etc/ssl.ca/ca.crt /etc/ssl/certs/localhost.ca.crt

OpenSSL looks certificates up in that directory by a hash of their subject name, so after adding the link run "c_rehash /etc/ssl/certs" to create the hash-named symlink. On Debian the tidier alternative is to copy ca.crt into /usr/local/share/ca-certificates/ and run "update-ca-certificates", which does the rehash for you and also adds it to the bundle in /etc/ssl/certs/ca-certificates.crt.

And now you've done it. If you need to add another certificate for a new domain name, just repeat the steps where you created example.com.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. Any instructions provided in this essay are provided as-is with no warranty whatsoever and the author bears no liability resulting from any and all uses of this work. Use at your own risk.
© Copyright 2002 - 2012 Paul Lockaby. All rights reserved.