4.9. Setting Up a Certifying Authority
Problem
You want to create a simple Certifying Authority (CA) and issue SSL certificates yourself.
Solution
Use CA.pl, a Perl script supplied with OpenSSL. It ties together various openssl commands so you can easily construct a new CA and issue certificates under it. To create the CA:
$ /usr/share/ssl/misc/CA.pl -newca
To create a certificate, newcert.pem, signed by your CA:
$ /usr/share/ssl/misc/CA.pl -newreq
$ /usr/share/ssl/misc/CA.pl -sign
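As an added example (not from the book and not CA.pl itself), here are the three CA.pl steps expressed as the underlying openssl commands, plus a verify step to confirm the result chains to the new CA. The scratch directory, the subject names, the key size and the 365-day lifetimes are assumptions for a throwaway test setup.

```shell
#!/bin/sh
# Constructed example: the openssl commands behind CA.pl -newca, -newreq
# and -sign, run against a disposable working directory.
set -eu

# Assumption: a scratch directory; every file written here is throwaway.
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (CA.pl -newca): generate the CA's private key and a self-signed
# root certificate. Key generation noise on stderr is suppressed.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Step 2 (CA.pl -newreq): generate the server's key and a certificate
# signing request (CSR) for it.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Step 3 (CA.pl -sign): have the CA sign the CSR, producing newcert.pem.
# -CAcreateserial creates the CA's serial-number file on first use.
sign_request() {
  openssl x509 -req -in "$WORK/newreq.pem" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -days 365 -out "$WORK/newcert.pem" 2>/dev/null
}

# Check: verify the issued certificate against the CA certificate only.
# Prints "<path>/newcert.pem: OK" when the chain is valid.
verify_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem"
}

# Run the whole sequence and report the verification result.
issue_cert() {
  make_ca
  make_request
  sign_request
  verify_cert
}
```

Running `issue_cert` leaves cakey.pem, cacert.pem, newkey.pem, newreq.pem and newcert.pem in the scratch directory, mirroring the files CA.pl produces.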
Discussion
First, realize that your newly created “CA” is more like a mockup than a real Certifying Authority: OpenSSL provides the basic algorithmic building blocks, but the CA.pl script is just a quick demonstration hack, not a full-blown program.
A real CA for a production environment requires a much higher degree of security. It’s typically implemented in specialized, tamper-resistant, cryptographic hardware—in a secure building with lots of guards—rather than a simple file on disk! You can emulate what a CA does using OpenSSL for testing purposes, but if you’re going to use it for any sort of real application, first educate yourself on the topic of Public-Key Infrastructure, and know what kind of tradeoffs you’re making.
That being said, CA.pl is still useful for some realistic applications. Suppose you are a business owner, and you need to enable secure web transactions for your partners on a set of HTTP servers you operate. There are several servers, and the set will change over time, so you want an ...