Certificate Authority

From philcrump.co.uk

For some of my own subdomains, I use my own CA to sign the certificates. With this CA installed I can be assured that the site I am connecting to is either approved by a Globally Trusted CA, or that I've signed it myself. This is an added bonus on top of everything being encrypted in transport.

By installing this certificate you place absolute trust in me not to MITM your connections to facebook, gmail, natwest, etc. and also that I will not allow the CA key to be compromised. I will obviously conduct best effort but no guarantees exist.

PEM Certificate: philcrumpCA.cert.pem

DER Certificate: philcrumpCA.crt

Installing the Certificate in Chrome

  • Download the PEM Certificate File from the top of this page
  • Settings -> Show Advanced Settings -> HTTPS/SSL -> Click Manage Certificates
  • Authorities -> Click Import -> Select the PEM file -> Tick Trust this certificate for identifying websites -> OK

Try the website again; the certificate should now be trusted.

You can remove the certificate at any time; doing so removes the trust.

Installing the Certificate in Android

Due to the mandatory lockscreen after installing credentials on Android, I have not yet attempted this.

However I've found instructions here: jethrocarr.com/2012/01/04/custom-ca-certificates-and-android/

And some instructions on using root to bypass the mandatory lockscreen here: wiki.pcprobleemloos.nl/android/cacert

Process for signing a new SSL cert

Generate SSL Key

openssl genrsa -out <hostname>.key.pem 4096

Generate Signing Request

openssl req -sha256 -new -key <hostname>.key.pem -out <hostname>.csr.pem

Sign the Request with the CA files

openssl ca -keyfile philcrumpCA.key.pem -cert philcrumpCA.cert.pem -extensions usr_cert -notext -md sha256 -in <hostname>.csr.pem -out <hostname>.cert.pem

Nginx config segment

        ...
        # spdy was removed in nginx 1.9.5 (replaced by the http2 listen parameter)
        listen 443 ssl spdy;
        listen [::]:443 ssl spdy;
        spdy_headers_comp 4;
        server_name <fullhostname>;
        add_header Strict-Transport-Security 'max-age=31536000';
        keepalive_timeout    240;

        ssl_certificate         /etc/nginx/ssl/<hostname>.cert.pem;
        ssl_certificate_key     /etc/nginx/ssl/<hostname>.key.pem;
        ssl_session_cache       shared:SSL:1m;
        ssl_session_timeout     48h;
        ssl_buffer_size         4k;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the oldest version still recommended
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers             ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ...

Process for creating the CA files

Generate the key, then use it to create the certificate. Keep the keyfile safe.

openssl genrsa -aes256 -out CA.key.pem 4096
chmod 400 CA.key.pem
openssl req -new -x509 -days 3650 -key CA.key.pem -sha256 -extensions v3_ca -out CA.cert.pem

Before signing any certificates, the directory for the CA index store has to be set up.

mkdir -p ./demoCA/newcerts
echo "01" > demoCA/serial
touch demoCA/index.txt
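The CA-creation steps above and the earlier signing procedure, combined into one unattended script (an added example, not the page's own). It assumes a scratch CA directory CA_DIR (default ./demoCA), a passphrase-less CA key in place of the page's -aes256 key so that no prompt is needed, and a self-contained openssl.cnf so that `openssl ca` and its index store work outside the system config; it also adds a subjectAltName, which browsers now require, and finishes with a verification step.

```shell
# Added example (not the page's own script): the CA creation and signing steps above run
# unattended (-subj/-batch) with a self-contained openssl.cnf for the `openssl ca` index
# store, then verified. Assumed: CA_DIR and a passphrase-less CA key (the page uses
# -aes256; dropped here only so no prompt is needed).
set -eu
CA_DIR=${CA_DIR:-./demoCA}
write_config() {   # $1 = hostname placed in subjectAltName of the signed certificate
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
policy = policy_any
default_md = sha256
default_days = 365
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
setup_ca() {       # the index store from the page, then the CA key and certificate
  mkdir -p "$CA_DIR/newcerts"; echo "01" > "$CA_DIR/serial"; : > "$CA_DIR/index.txt"
  write_config localhost
  openssl genrsa -out "$CA_DIR/CA.key.pem" 2048 2>/dev/null; chmod 400 "$CA_DIR/CA.key.pem"
  openssl req -config "$CA_DIR/openssl.cnf" -new -x509 -days 3650 -sha256 -extensions v3_ca \
    -key "$CA_DIR/CA.key.pem" -subj "/CN=Local CA" -out "$CA_DIR/CA.cert.pem"
}
sign_host() {      # $1 = hostname: key, CSR, then the CA signature with usr_cert extensions
  write_config "$1"
  openssl genrsa -out "$1.key.pem" 2048 2>/dev/null
  openssl req -config "$CA_DIR/openssl.cnf" -sha256 -new -key "$1.key.pem" -subj "/CN=$1" -out "$1.csr.pem"
  openssl ca -config "$CA_DIR/openssl.cnf" -batch -keyfile "$CA_DIR/CA.key.pem" -cert "$CA_DIR/CA.cert.pem" \
    -extensions usr_cert -notext -md sha256 -in "$1.csr.pem" -out "$1.cert.pem" 2>/dev/null
}
verify_host() {    # chain check against the CA, plus the SAN that modern browsers require
  openssl verify -CAfile "$CA_DIR/CA.cert.pem" "$1.cert.pem" >/dev/null &&
    openssl x509 -in "$1.cert.pem" -noout -text | grep -q "DNS:$1"
}
```

Run `setup_ca` once, then `sign_host www.example.test` and `verify_host www.example.test` per hostname; the signed certificate is also recorded in demoCA/newcerts and demoCA/index.txt.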