Signing certificates for Apache or NGINX and Trusting them in your browser.

I know there are a ton of postings on how to sign your own SSL certificates. I just think there’s too much out there (including in my own blog) and none that are very simple. Recently, I figured that I would do it myself (again).

Are you sick of seeing something like this Screen Shot 2016-05-17 at 5.36.16 PM in your browser bar?

Rather see something like this? Screen Shot 2016-05-17 at 5.36.32 PM

I’ll show you how to do it for free.

First off, We create a Certificate Authority. This is the guy that will vouch for your server to say that he is who he is.

You create the new CA by running:

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newca
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newca

Here’s the output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
...............................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShocKNetworK
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:alton-mbp.shocknetwork.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 9449349124978877974 (0x8322d4f6e103a616)
 Validity
 Not Before: May 17 23:00:51 2016 GMT
 Not After : May 17 23:00:51 2019 GMT
 Subject:
 countryName = US
 stateOrProvinceName = California
 organizationName = ShocKNetworK
 organizationalUnitName = Security
 commonName = alton-mbp.shocknetwork.com
 emailAddress = [email protected]
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
 X509v3 Authority Key Identifier:
 keyid:C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF

X509v3 Basic Constraints:
 CA:TRUE
Certificate is to be certified until May 17 23:00:51 2019 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Next, you go and get the certificate request. With typical Linux applications, you would request a certificate with the following command:

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newreq
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newreq

Output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
.........................+++
........+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Riverbed
Organizational Unit Name (eg, section) []:Tech Marketing Lab
Common Name (e.g. server FQDN or YOUR name) []:alton-web-server.pod3.techmktg.lab
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Now, let’s sign the certificate you just requested.

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -sign
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -sign

Output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -sign
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
 Validity
 Not Before: May 23 00:34:03 2016 GMT
 Not After : May 23 00:34:03 2017 GMT
 Subject:
 countryName = US
 stateOrProvinceName = California
 localityName = San Francisco
 organizationName = Riverbed
 organizationalUnitName = Tech Marketing Lab
 commonName = alton-web-server.pod3.techmktg.lab
 emailAddress = [email protected]
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
 X509v3 Authority Key Identifier:
 keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Certificate is to be certified until May 23 00:34:03 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: C=US, ST=California, O=Riverbed, OU=Security, CN=securityserver.riverbed.com/[email protected]
 Validity
 Not Before: May 23 00:34:03 2016 GMT
 Not After : May 23 00:34:03 2017 GMT
 Subject: C=US, ST=California, L=San Francisco, O=Riverbed, OU=Tech Marketing Lab, CN=alton-web-server.pod3.techmktg.lab/[email protected]
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:9a:17:37:3b:68:4a:5c:60:73:c5:5f:bb:40:39:
 b0:ed:eb:df:76:f1:1c:37:c0:3a:71:82:5d:d6:1c:
 04:a1:24:1c:d6:26:c0:cc:f3:1f:51:f9:b8:d4:65:
 f2:fb:ec:6e:87:42:12:e5:ec:0c:38:53:91:62:8a:
 2e:1e:be:33:e9:f4:ce:8d:92:f8:81:cd:bd:52:67:
 85:c6:ec:85:d2:29:33:37:a2:fb:d9:23:0c:47:62:
 d8:8b:03:12:12:ff:9f:61:83:a7:9b:18:37:8c:37:
 87:f1:dc:66:bc:6c:2c:19:87:dc:29:c1:8e:ab:d3:
 cf:6d:d5:2c:a8:9e:11:ea:81:b9:c0:d0:5d:28:a0:
 d8:fe:dd:fe:e2:4d:ad:a5:74:9a:42:40:c8:e8:9e:
 92:37:c2:39:ec:4c:21:1c:88:69:ec:5c:77:1e:f0:
 48:0e:8a:df:69:4b:af:6e:c4:cb:4f:80:02:e4:38:
 ea:ee:ad:bd:82:df:ae:47:a5:e5:39:7e:6f:18:65:
 12:bd:a1:79:f7:f7:73:1a:8d:71:17:31:5b:f7:66:
 eb:e6:80:1e:4b:bf:65:33:7d:e7:2c:94:38:8c:13:
 ee:06:99:56:fd:f7:70:24:a0:4d:d5:c4:0f:df:48:
 84:88:83:4f:c3:59:50:d2:e9:9b:f4:bc:02:c1:c1:
 3f:ad
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
 X509v3 Authority Key Identifier:
 keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Signature Algorithm: sha256WithRSAEncryption
 72:85:da:b3:57:f6:4d:49:df:33:ae:f3:bd:58:99:d2:fc:ca:
 af:03:63:07:3a:16:f9:69:ea:50:db:97:30:d5:fe:71:a8:90:
 4a:3c:88:04:49:b7:a3:14:6d:e1:14:8e:96:80:77:e8:6f:9c:
 26:07:35:75:fa:d2:e5:48:93:b7:0c:64:7f:d4:29:32:f8:da:
 f1:6f:12:1b:8f:50:d3:e8:79:e0:ff:f0:86:80:bc:14:73:52:
 21:c5:71:f2:70:ba:7b:db:11:4c:b7:9c:9e:b8:66:ed:4f:d8:
 9b:b6:c3:d1:18:c6:e7:a2:25:f6:80:3d:02:b8:98:56:9c:80:
 81:76:cb:f1:4a:c7:0d:4a:8b:7e:7b:41:e0:82:95:b5:bf:34:
 2f:6f:8e:91:cf:43:40:c0:91:4d:43:9c:4a:c6:2f:bf:69:de:
 5d:fa:a9:ed:1c:63:eb:85:a1:97:fa:53:95:f0:ac:a1:55:db:
 72:61:eb:3f:dc:ff:2b:77:38:f5:c2:9e:26:ca:41:b4:67:b2:
 9a:5d:b7:84:23:0d:89:b4:f3:f1:1b:e2:f5:55:f9:4b:bf:24:
 40:2d:77:55:4d:b8:b0:76:23:50:e2:bc:74:9f:38:4c:27:42:
 a2:4d:3f:67:dc:ea:b3:d3:69:ee:85:2c:eb:ab:a0:f1:d2:29:
 a5:45:c1:a1
-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgIJAIr3X72Rptv0MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UECgwIUml2ZXJiZWQx
ETAPBgNVBAsMCFNlY3VyaXR5MSQwIgYDVQQDDBtzZWN1cml0eXNlcnZlci5yaXZl
cmJlZC5jb20xJDAiBgkqhkiG9w0BCQEWFWFsdG9uLnl1QHJpdmVyYmVkLmNvbTAe
Fw0xNjA1MjMwMDM0MDNaFw0xNzA1MjMwMDM0MDNaMIG9MQswCQYDVQQGEwJVUzET
MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzERMA8G
A1UECgwIUml2ZXJiZWQxGzAZBgNVBAsMElRlY2ggTWFya2V0aW5nIExhYjErMCkG
A1UEAwwiYWx0b24td2ViLXNlcnZlci5wb2QzLnRlY2hta3RnLmxhYjEkMCIGCSqG
SIb3DQEJARYVYWx0b24ueXVAcml2ZXJiZWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmhc3O2hKXGBzxV+7QDmw7evfdvEcN8A6cYJd1hwEoSQc
1ibAzPMfUfm41GXy++xuh0IS5ewMOFORYoouHr4z6fTOjZL4gc29UmeFxuyF0ikz
N6L72SMMR2LYiwMSEv+fYYOnmxg3jDeH8dxmvGwsGYfcKcGOq9PPbdUsqJ4R6oG5
wNBdKKDY/t3+4k2tpXSaQkDI6J6SN8I57EwhHIhp7Fx3HvBIDorfaUuvbsTLT4AC
5Djq7q29gt+uR6XlOX5vGGUSvaF59/dzGo1xFzFb92br5oAeS79lM33nLJQ4jBPu
BplW/fdwJKBN1cQP30iEiINPw1lQ0umb9LwCwcE/rQIDAQABo3sweTAJBgNVHRME
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQU8aR+LtorKZZstvEsxc1DNG0rdV4wHwYDVR0jBBgwFoAUQ1Jq
IjPEZ+k7F9/dIF13WeHE7GcwDQYJKoZIhvcNAQELBQADggEBAHKF2rNX9k1J3zOu
871YmdL8yq8DYwc6Fvlp6lDblzDV/nGokEo8iARJt6MUbeEUjpaAd+hvnCYHNXX6
0uVIk7cMZH/UKTL42vFvEhuPUNPoeeD/8IaAvBRzUiHFcfJwunvbEUy3nJ64Zu1P
2Ju2w9EYxueiJfaAPQK4mFacgIF2y/FKxw1Ki357QeCClbW/NC9vjpHPQ0DAkU1D
nErGL79p3l36qe0cY+uFoZf6U5XwrKFV23Jh6z/c/yt3OPXCnibKQbRnsppdt4Qj
DYm08/Eb4vVV+Uu/JEAtd1VNuLB2I1DivHSfOEwnQqJNP2fc6rPTae6FLOuroPHS
KaVFwaE=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Now, you probably want to remove the passphrase from the certificate so that Apache or Nginx doesn’t ask you to input it each time you start the service. You can do this by running first backing up the key.pem and then running:

openssl rsa -in newkey.pem -out key.pem

alyu1-mbpr:~ alyu$ cp newkey.pem newkey.pem.orig
alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pem
Enter pass phrase for newkey.pem:
writing RSA key

Make sure you get the “writing RSA key” message. If you don’t, you’ll get a message like this:

alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pemd
Enter pass phrase for newkey.pem:
unable to load Private Key
140735125303376:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140735125303376:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140735125303376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140735125303376:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

You now have the necessary files. You’ll want to protect the files in some directory on the system and make them readable only by the web server.

cacert.pem – in the demoCA folder. You can rename it to cacert.crt and just double click on it in Windows or open it with the keychain in Mac and add it to your trusted certificates list.

newcert.pem – this is your certificate. In Apache, it will go with the “SSLCertificateFile” line in the /etc/apache2/sites-enabled/<site> file. In NGINX, it goes in the “ssl_certificate” line in the /etc/nginx/sites-enabled/<site> file.

key.pem – this is your private key file. In Apache, it will go with the SSLCertificateKeyFile” line in the same file. In NGINX, it goes in the ssl_certificate_key line.

Enable SSL on the web server and you should be all set!

 

 

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.