Snow Leopard SSL Certificate Authority

Posted: January 11th, 2011 | Author: | Filed under: Snow Leopard, SSL | Tags: , , , | No Comments »

As more services are introduced into your network and thus the more users you have, the need for security goes up. Maintaining your own certificate authority is a simple and free way to ensure the highest level of security while not breaking the bank.

1. Create the Certificate Authority

First we’re going to hop into a terminal on any Mac OS X Server box and navigate to `/etc/certificates` and create some directories

cd /etc/certificates/
sudo mkdir -p myCA/cert myCA/key
cd myCA

We need to create the CA signing certificate and key. After executing the first command you will be asked a series of questions. Enter them as needed.

homer:myCA jordan$ sudo openssl req -new -x509 -keyout key/myca.key -out cert/myca.crt -days 3650
Generating a 1024 bit RSA private key
writing new private key to 'key/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YAweb2.0CA LTD
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, YOUR name) []
Email Address []

Two files are created:

  • cert/myca.crt – This is your CA’s certificate and can be publicly available and of course world readable. You will need to load this certificate into all the clients in your network.
  • key/myca.key – This is your CA’s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:

  • chmod 0400 /etc/certificates/myCA/key/myca.key

    2. Create the Server Key

    Next, go up one level to `/etc/certificates` We can now start creating SSL certificates for our various servers and services. Create a directory named hostname.domainname corresponding to the hostname for the computer or service you are creating the certificate for and enter the directory.

    Next up on the list is to create a key that corresponds to our server. We will do that with this command:

    openssl genrsa -des3 -out hostname.domainname.key 4096

    Again, those pass phrases are something you make up right then. You are not authenticating anything, but rather setting up a pass phrase for authenticating later. Don’t forget to store the password somewhere safe, I suggest creating a new keychain on your Mac OS X server box.

    Now, we have to create a signing request, or CSR, from the server key we just made. This signing request will usually make a trip to a genuine Certificate Authority to have the key signed and a real, verified, bonafide signed certificate returned back to us. So, to generate our signed certificate, we’ll need to first have a signing request so we can make the signed cert. See how that works?

    3. Create a Certificate Signing Request

    To create the CSR, we do this:

    openssl req -new -key hostname.domainname.key -out hostname.domainname.csr

    Now remember, kids. This is the part where we do put in our actual real information because the server does in fact belong to us. Put in the real domain where it says “Common Name (eg, YOUR name) []:”. Fill out everything correctly. So for a wildcard cert enter, *.top.level.domain

    4. Sign the Certificate

    Now, we are going to take all these files and make them do some voodoo. We are going to sign the signing request using the Certificate Authority certificate and key that we made at the beginning. What we will get is our perfectly forged signed certificate. OK, not perfectly, because we are not a real CA. But we’ll get a pretty darn good signed cert that will work for us rather nicely and be valid for 10 years! What value!

    The command we’re going to run looks like this:

    openssl x509 -req -days 3650 -in hostname..csr -CA ../myCA/myCA.crt -CAkey ../myCA/myCA.key -set_serial XX -out hostname.domainname.crt

    It will ask you for the password for the myCA.key file. Which is referenced at the top of this article. The set_serial switch is a two digit value to denote the certificate serial number. Every certificate you sign from this CA must have a unique serial number.

    5. Create a Passwordless Certificate

    Now, we have a little problem. Our hostname.key file will cause apache2 to prompt us for a password every time it starts. We need to fix it so that doesn’t happen. We’ll do that with these three commands:

    openssl rsa -in .domainname.key -out .domainname.key.insecure
    * Enter the password that you entered when creating this key
    mv hostname..key
    mv hostname.domainname.key.insecure hostname.domainname.key

    Then set permissions for the files

    chmod 0600 hostname.key hostname.csr hostname.crt

    6. Outcome

    The final list of files and their purpose is as follows:

    drwxr-xr-x 2 root root 4096 2008-06-02 13:54 .
    drwx------ 10 root root 4096 2008-06-02 13:35 ..
    -rw-r--r-- 1 root root 2049 2009-04-02 13:32 hostname.tld.crt [our server certificate]
    -rw-r--r-- 1 root root 1748 2009-04-02 13:23 hostname.tld.csr [our server signing request]
    -rw-r--r-- 1 root root 3243 2009-04-02 13:54 hostname.tld.key [our password-less server key]
    -rw-r--r-- 1 root root 3311 2009-04-02 13:13 [our passworded server key]

    7. Don’t Forget

    Don’t forget to load the myCA.crt file into your various Mac clients. This will allow the computer to verify the identity of the SSL certificates to the end user, mitigating the risk of a MITM (man in the middle) attack. To do so simply copy the file to all your workstations and double click the cert. Keychain manager should load and ask what security setting you would like, select Always Trust.