When you are creating a CA and issuing certificates you are building a PKI (Public Key Infrastructure). In operating a PKI, you might want to consider crafting a certification policy, specifying the process for managing the lifecycle of your certificates, securing the CA's private key, securing the server private key, etc. You can create a policy that meets your current security objectives. Your policy would be a living document to accommodate your evolving security objectives.

Also, if more certificate management features are needed, you might want to look into a PKI tool. Certificate management tools worth looking at are OpenCA (http://www.openca.org/projects/openca/downloads.shtml), Dogtag Certificate System (http://fedoraproject.org/wiki/Features/DogtagCertificateSystem) and EJBCA (http://ejbca.sourceforge.net/).

Erwin

On Thu, Aug 4, 2011 at 4:27 AM, Tomas Macek <ma...@fortech.cz> wrote:

> On Thu, 4 Aug 2011, Bernhard Fröhlich wrote:
>
>> On 04.08.2011 08:23, Tomas Macek wrote:
>>
>>> We have some web servers and I want to create self-signed certificates
>>> for them.
>>>
>>> What do I want:
>>> - I want to create my own certification authority keys and certificate,
>>>   that will be imported into all web browsers of our employees
>>> - I want to create certificates that will be signed by my own
>>>   certification authority (previous step) and include them in the apache/httpd
>>>   configuration. I don't want our employees to be warned that the certificate
>>>   is not trusted (I cannot buy a REAL trusted certificate)
>>>
>>> Reading the FAQ here http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29,
>>> reading CA.pl from openssl-perl and discussions on inet for 2 days gave me
>>> these steps, that I already performed:
>>>
>>> 1) creating my own CA:
>>> openssl genrsa -des3 -out ca.key 1024
>>> openssl rsa -in ca.key -out ca.key.unsecure
>>> mv ca.key.unsecure ca.key
>>> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>>>
>>> 2) creating my own server key and certification request:
>>> openssl genrsa -des3 -out server.key 1024
>>> openssl rsa -in server.key -out server.key.unsecure
>>> mv server.key.unsecure server.key
>>> openssl req -new -key server.key -out server.csr
>>>
>>> 3) signing the request by my own CA (see step 1):
>>> openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAserial ca.srl > server.crt
>>>
>>> 4) I have imported the ca.crt into the web browser
>>>
>>> 5) the server.key and server.crt were included in the apache/httpd
>>> configuration
>>>
>>> After these steps the web page looks secured and no warning appears when
>>> I enter the page.
>>>
>>> Question:
>>> ---------------
>>> Do you see any bad thing about these steps, or can you please recommend
>>> any further step in order to make things properly?
>>
>> The process looks good to me, though I'm not totally sure about step #3. I
>> use the "openssl ca ..." command to sign my certificates; it needs a config
>> file but also keeps an index file and archive structure of issued
>> certificates which is (IMHO) worth the work.
>
> I have seen some users on inet using this, but configuration of openssl.cnf
> is absolutely confusing for me, there are too many options and these steps
> seemed to me simpler, so I have tried these steps and hoped they will be OK.
>
>> But, are you sure that you want to keep your CA key unprotected? I'd
>> advise strongly against this. Issuing server certificates should be seldom
>> enough to do it manually by entering a password...
>>
>> One hint: You probably won't be happy with a CA certificate expiring in
>> one year, since all your created certificates will be considered invalid
>> once the CA certificate becomes invalid.
>> So I'm quite sure you'll want to use at least 5 years as the expiry time
>> for your CA, or even more if distributing the CA certificate is some work.
>
> Thank you Ted, sure, I will prolong the 1 year to something more... 20
> years for example :-)
>
> Tomas
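The three steps from the question, rewritten as an added example (not code from the thread) with the changes the replies recommend: the CA key keeps its passphrase instead of being stripped, the CA certificate outlives the server certificates, a serial file is created with -CAcreateserial, and the issued certificate is checked against the CA afterwards. The directory, hostname, passphrase and the 10-year CA lifetime are constructed assumptions; a subjectAltName is added because current browsers match the hostname against it rather than the CN.

```shell
#!/bin/sh
# Added example, not code from the thread. Same three steps as the question,
# with the replies' advice applied: passphrase-protected CA key, CA certificate
# that outlives the leaf certificates, serial file kept between signings.
# Constructed values: work directory, hostname, passphrase (demo only).

build_pki() {
  dir="$1"   # work directory, created if missing
  host="$2"  # server hostname, used as CN and as subjectAltName
  pass="pass:demo-ca-passphrase"   # constructed; replace with a real secret
  mkdir -p "$dir" || return 1

  # 1) CA: key encrypted with AES-256 (no "rsa -in ca.key -out ca.key.unsecure"
  #    step), self-signed certificate valid 10 years (assumed lifetime).
  openssl genrsa -aes256 -passout "$pass" -out "$dir/ca.key" 2048 2>/dev/null &&
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "$pass" \
      -subj "/CN=Example Internal CA" -out "$dir/ca.crt" 2>/dev/null || return 1

  # 2) Server key and CSR. The server key stays unencrypted so httpd can
  #    read it at startup; file permissions protect it instead.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  chmod 600 "$dir/server.key" &&
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
      -out "$dir/server.csr" 2>/dev/null || return 1

  # 3) Sign with the CA. -CAcreateserial creates ca.srl on first use, so every
  #    issued certificate gets a unique serial; the SAN extension is what
  #    current browsers match the hostname against.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext" &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -passin "$pass" -CAcreateserial -days 365 -extfile "$dir/san.ext" \
      -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when server.crt chains to ca.crt and names the expected host.
check_pki() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" 2>/dev/null \
      | grep -q ': OK$' || return 1
  openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
      | grep -q "DNS:$host"
}
```

Run as `build_pki ./pki intranet.example.internal && check_pki ./pki intranet.example.internal`; the CA passphrase is prompted only when the script's `-passin` is removed, which is the manual signing flow Bernhard describes.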