Wednesday, June 20, 2007

Create your own CA with TinyCA2 (part 3)

In this final part we will add our own root CA certificate to Ubuntu's pre-installed certificates. (Part 1, Part 2)

Copy your root CA certificate, which we exported in the previous part, to /usr/share/ca-certificates/. Add the file name to /etc/ca-certificates.conf and run the command:
sudo update-ca-certificates
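The install step above as an added example (these are not the post's own commands): a POSIX sh function that copies the exported root certificate into the trust store under the .crt name the Debian tooling expects, records it once in ca-certificates.conf, and refuses a file that also carries a private key. The paths come from the CA_DIR and CA_CONF environment variables (my assumption, so the function can be tried in a scratch directory); run it as root against the real paths and then sudo update-ca-certificates.

```shell
#!/bin/sh
# Register a root CA certificate in the Debian/Ubuntu trust store.
# CA_DIR and CA_CONF default to the system paths; override them to test
# without root (assumption of this example, not part of the original post).
CA_DIR="${CA_DIR:-/usr/share/ca-certificates}"
CA_CONF="${CA_CONF:-/etc/ca-certificates.conf}"

# install_local_ca <exported-root.pem> <name>
# Copies the PEM to $CA_DIR/<name>.crt (update-ca-certificates only picks up
# files ending in .crt) and appends "<name>.crt" to $CA_CONF if not already
# listed. Returns non-zero if the input is missing, is not a PEM certificate,
# or contains a private key (only the public certificate belongs here).
install_local_ca() {
    pem="$1"
    name="$2"
    [ -f "$pem" ] || { echo "no such file: $pem" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pem"; then
        echo "refusing $pem: it contains a private key" >&2
        return 2
    fi
    grep -q 'BEGIN CERTIFICATE' "$pem" || {
        echo "refusing $pem: not a PEM certificate" >&2
        return 3
    }
    mkdir -p "$CA_DIR"
    cp "$pem" "$CA_DIR/$name.crt"
    # World-readable, not executable: services only need to read it.
    chmod 0644 "$CA_DIR/$name.crt"
    touch "$CA_CONF"
    # Entries in ca-certificates.conf are paths relative to CA_DIR;
    # -x -F matches the whole line literally so we never add a duplicate.
    grep -qxF "$name.crt" "$CA_CONF" || echo "$name.crt" >> "$CA_CONF"
}
```

After update-ca-certificates has rebuilt the bundle, openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt server.pem is a quick check that a service certificate issued by your CA is now trusted.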

Most of your services will now be able to find your root CA certificate.

To bring your root CA certificate to your friends, just copy the exported root certificate-file to a USB-memory.

Using your own CA you can now add SSL support to different services like CUPS, postfix (SMTP AUTH), dovecot (IMAP) etc. You can also create certificates to sign and encrypt your e-mails.

13 comments:

minWi said...

Thx for the 3-part-howto ;D

Anonymous said...

Is it me or is Ubuntu missing this package?

Magnus Runesson said...

You have to activate the universe repository and the package name is tinyca.

Falk Pauser said...

Making the root-cert available for the system didn't work as described in your tutorial, instead I did:

1. copy
$ cp %{ROOT_CERT}.pem /usr/share/ca-certificates/%{ROOT_CERT}.crt
(without the crt-prefix the certificate will be ignored by dpkg-reconfigure ca-certificates)

2. change rights
$ sudo chmod 755 /usr/share/ca-certificates/%{ROOT_CERT}.crt

3. update known ca-certificates
$ sudo dpkg-reconfigure ca-certificates
(you get a list of all available certificates found in /usr/share/ca-certificates, select your copied certificate)

4. verify
$ sudo ls -al /etc/ssl/certs | grep %{ROOT_CERT}
(this should output your new cert)

thanks for this superb tutorial!

Markus said...

Hey magnus,
thanks for this great guide.
I like it, but maybe you could tell me how to authenticate clients based on certificates.
I mean that's the point why we created a sub-ca, isn't it?
I'm looking forward for a part 4 ^^

regards Markus

Magnus Runesson said...

Markus, I am not completely sure that I understand what you mean with authenticate clients based on certificate.
Do you mean that each client should have its own certificate and that is used by the server to identify that it is a valid client? It is possible to use a Sub-CA in this way but I have not done it. I use Kerberos for those kinds of things.

Markus said...

Yes, that's exactly what I mean. I think this (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol) should do it, but I'm not sure because I'm new to setting up SSL.

Adam said...

I need to authenticate the certificate through a database rather than through Apache. I already have users listed in a table and want to authenticate through these users; is there any way to store these certificates in a database and authenticate through tables...?

Thx,
-Adam

Magnus Runesson said...

Adam, not that I am aware of.

Paul said...

Thanks for those useful 3 posts! I created my CA, certificates and use this from my own browser.

Now, would you know if it's secure to distribute the exported CA certificate file, for example leave it on a public part of my web site?

Would an "attacker" be able to forge new certificates from the exported CA file ?

Magnus Runesson said...

Paul, the public part (i.e. the one you import into your browser) of the certificate is no problem to make publicly available on your site. That is the very nice thing with public key encryption. There is no possibility for anyone else to create fake certificates without having access to the private part.

You can for instance download my public certificate at www.linuxalert.org.

Learn more about PKI at Wikipedia.

Anonymous said...

Does anyone know the exact meaning of "critical" and "not critical" under CA Configuration - Key Usage?

Magnus Runesson said...

I got a comment from Brenda here but I do not know why I cannot see it here. Well... Brenda got the following error:

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Wed Nov 24 15:24:13 2010] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
httpd (no pid file) not running
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Wed Nov 24 15:24:23 2010] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down

I assume the problem is that a line in apache config files is missing saying Listen *:443 and that will solve the problem.