Create your own CA with TinyCA2 (part 3)

In this final part we will add our own root CA certificate to Ubuntus pre-installed certificates. (Part 1, Part 2)

Copy your root CA certificate, that we exported in the previous part, to /usr/share/ca-certificates/. Add the file name to /etc/ca-certificates.conf and run the command:
sudo update-ca-certificates

Most of your services will now be able to find your root CA certificate.

To bring your root CA certificate to your friends, just copy the exported root certificate-file to a USB-memory.

Using your own CA you can now add support SSL to different services like CUPS, postfix(AUTH SMTP), dovecot (IMAP) etc. You can also create certificates to sign and encrypt your e-mails.

Comments

Unknown said…
Thx for the 3-part-howto ;D
July 9, 2007 at 3:29 PM
Anonymous said…
Is it me of is ubuntu missing this package?
July 24, 2007 at 6:59 PM
Magnus Runesson said…
You have to activate the universe repository and the package name is tinyca.
August 9, 2007 at 10:15 AM
Anonymous said…
making the root-cert available for the system did'nt work as described in your tutorial, instead i did:

1. copy
$ cp %{ROOT_CERT}.pem to /usr/share/ca-certificates/%{ROOT_CERT}.crt
(without the crt-prefix the certificate will be ignored by dpkg-reconfigure ca-certificates)

2. change rights
$ sudo chmod 755 /usr/share/ca-certificates/%{ROOT_CERT}.crt

3. update known ca-certificates
$ sudo dpkg-reconfigure ca-certificates
(you get a list of all available certificates found in /usr/share/ca-certificates, select your copied certificate)

4. verify
$ sudo ls -al /etc/ssl/certs | grep %{ROOT_CERT}
(this should output your new cert)

thanks for this superb tutorial!
October 11, 2007 at 12:35 PM
Anonymous said…
Hey magnus,
thanks for this great guide.
I like it, but maybe you could tell me how to authenticate clients based on certificates.
I mean that's the point why we created a sub-ca, isn't it?
I'm looking forward for a part 4 ^^

regards Markus
June 23, 2008 at 1:50 AM
Magnus Runesson said…
Markus, I am not compleatly sure that I understand what you mean with authenticate clients based on certificate.
Do you mean that each client should have each on certificate and that is used by the server to identify that it is an valid client? It is possible to use Sub-CA in this why but I have not done it. I use kerberos for those kind of things.
June 25, 2008 at 2:58 PM
Anonymous said…
Yes, that's exactly what i mean. I think this(http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol) should do it. but i'm not sure because i'm new to setting up ssl.
June 25, 2008 at 4:30 PM
Anonymous said…
I need to authenticate the Certificate through Database rather than through apache. I have already users listed in a table, rather and wants to authenticate through these users, is there any way to store these certificates in database and authenticate through tables ...?

Thx,
-Adam
August 22, 2008 at 8:46 AM
Magnus Runesson said…
Adam, not that I am aware off.
August 22, 2008 at 2:53 PM
Anonymous said…
Thanks for those useful 3 posts! I created my CA, certificates and use this from my own browser.

Now, would you know if it's secure to distribute the exported CA certificate file, by example leave it on a public part of my web site.

Would an "attacker" be able to forge new certificates from the exported CA file ?
December 8, 2008 at 11:55 AM
Magnus Runesson said…
Paul, the public part (i.e. the one you import into your browser) of the certificate are no problem to make public avaliable on your site. That is the very nice thing with public key encryption. There are no possiblity for any one else to create fake certificates without having access to the private part.

You can for instance download my public certificate at www.linuxalert.org.

Learn more about PKI at wikipedia.
December 12, 2008 at 5:11 PM
Anonymous said…
Does anyone know the exact meaning of "critical" and "not critical" under CA Configuration - Key Usage?
December 30, 2008 at 1:57 PM
Magnus Runesson said…
I got a comment from Brenda here but I do not know why I cannot see it here. Well... Brenda got the following error:

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Wed Nov 24 15:24:13 2010] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
httpd (no pid file) not running
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
[Wed Nov 24 15:24:23 2010] [error] VirtualHost *:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down

I assume the problem is that a line in apache config files is missing saying Listen *:443 and that will solve the problem.
November 26, 2010 at 7:50 PM
Post a Comment

Popular posts from this blog

Circles in PostGIS

Image
OGC and PostGIS has no data type to represent a circle. Instead one use ST_Buffer(geom, distance) to get a geometry that covers the area within the distance to geom . So if geom is a point you get a circle. But it does not return an exact circle. The circle is approximated represented by a polygon using eight points. One can increase the precission by adding a third argument to ST_buffer that is the number of points in the polygon returned. The unit for distance depends on what SRID is used. But what if you have a geometry that you know is a circle created with the method above? There is no exact method as far as I know, but her comes a good approximation. First we want the origo of the circle. ST_Centroid(geom) comes to handy. It returns the centeroid point of the geometry, in this case the origo of the circle. To get the radius we pick out the first point in the polygon returned by ST_Buffer with PointN(ExteriorRing(geom),1) . We need to call ExteriorRing to get the polygon of
Read more

Create your own CA with TinyCA2 (part 1)

Image
A Certificate Authorities (CA) issues certificates to people and organization that gives us the possibility to know that we surf to the right web site and not a phising site. This concept can be nice to use on your private sites too, but you may not want to spend a lot of money to get a certificate for your site. Most common when one installs a web-mail server at home is using a self signed certificate. When one surf to the web-mail server from a friends computer one can not be sure that nobody listens to the traffic if one not verifies the signature of the self signed certificate. Maybe an easier and definitely a more scalable solution to this is to create ones own CA structure. When we are ready with this how to you will have installed a certificate on your web server, installed the root certificate into your Firefox, and you will have the root certificate stored on a USB-memory stick. First time you want to read your mail from a friends computer you install the root certificate f
Read more

Create your own CA with TinyCA2 (part 2)

Image
In part one of this series we created a root CA, a sub-CA and a certificate for our web site All certificates are stored in TinyCA2 s configuration. In this part we will: export the root CA:s certificate import the root CA:s certificate into Firefox export the certificate for the web site configure our web server to use the web site certificate To be able to import the root CA certificate to Firefox we must export it from TinyCA2. In the main window of TinyCA2, open the CA-menu and select Open CA. Select your root CA. Select Export CA Certificate in the toolbar, which is the second icon from the right. You may change the file name. Press Save when ready. Start Firefox, select the Edit-menu and Preferences. Click the Advanced icon and then the Encryption tab. Select View certificates and then the Authorities tab. You can see all the CA:s you trust. Click Import and select the file with your exported root certificate. You can in the Downloading Certificate window control what purpo
Read more