Self Signed SSL Certificate Chains

In a previous post I talked about using SSL in a development environment and how to generate self-signed root certificates that you can install on clients and servers to allow for trusted communication between systems.

Instead of using a single root certificate for your application, this post explains why it is better to create a certificate chain containing.

Generate a self-signed root SSL certificate

First, generate a root certificate. This certificate will be used to sign the other certificates.

# When asked for Common Name fill in something 
# like 'My Dev Certificate Authority'
$ openssl req -new -x509 -extensions v3_ca -keyout ca.key \
    -out ca.crt -days 3650

You will have to answer some questions and hit enter a few times. If successful, you will now have two files: ca.key, containing the private key encrypted with the passphrase you entered, and ca.crt, containing the root certificate with its public key.

Keep the private key in a very safe place. You will not install this file anywhere; you only need it to sign subsequent certificates.

Because we are creating self-signed certificates, every client needs to trust the root certificate manually. You do this by installing/importing the .crt version of this certificate. How to import a certificate depends on where you want to import it. On Windows-based systems you use the MMC tool. On Mac OS X you can double-click the .crt file to import it into your keychain. For Unix-based systems see my previous posts on SSL certificates here.

Once a client trusts this root certificate, it will automatically trust every other certificate that was signed using this root certificate.

Generate an SSL certificate for your application

Let’s assume you are working on an application myapp.example.com and you need to have it available over SSL. We will create a certificate for the common name myapp.example.com and sign it using the previously created root SSL certificate. Since you already installed this root certificate on your clients (e.g. your iPhone, Mac, or Windows PC at work), you can immediately start browsing your application without getting those nasty red warning messages in your browser.

First create a private key for this certificate (you will need it later when you set up Apache, nginx or whatever web server you use):

$ openssl genrsa -out certificate.key 1024

Now create a certificate signing request using the generated private key:

$ openssl req -new -key certificate.key -out certificate.csr

The last step is important: now you create the public certificate using the root certificate from step (1). The certificate for myapp.example.com is created from the signing request file certificate.csr, the certificate of the root Certificate Authority ca.crt and the private key of the root Certificate Authority ca.key.

$ openssl x509 -req -days 365 -in certificate.csr -CA ca.crt \
    -CAkey ca.key -set_serial 01 -out certificate.crt
$ rm certificate.csr

When you are done with this step you can remove the signing request file. That’s it. Now you have a certificate.key and a certificate.crt file, and together with the certificate of the Certificate Authority ca.crt you are able to set up SSL in e.g. Apache or nginx.

See the certificate chain of a website

Use the following command to see all the certificates a server presents:

$ openssl s_client -showcerts \
    -connect example.org:443 < /dev/null 2> /dev/null | \
    sed -n '/BEGIN/,/END/p'
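The whole procedure above (root CA, application key, CSR, signing) as one non-interactive script, plus a local check of the resulting chain with the same BEGIN/END extraction used against a live server. This is an added example, not the post's own commands. It assumes a constructed passphrase (devpass) and host name, uses 2048-bit keys because current browsers reject 1024-bit ones, adds a subjectAltName because browsers no longer match on the Common Name alone, and uses -CAcreateserial instead of -set_serial 01 so that every certificate issued by the CA gets a distinct serial number (clients such as Firefox refuse two certificates with the same issuer and serial).

```shell
#!/bin/sh
# Added example: builds the root CA + application certificate chain from this
# post without any interactive prompts, then verifies it locally.
# The CA name, host name and passphrase are constructed for the demo.
set -eu

CA_PASS="devpass"   # constructed passphrase protecting ca.key, as in the post

# make_chain DIR HOSTNAME
# Creates ca.key/ca.crt, certificate.key/certificate.crt and chain.pem in DIR.
# Runs in a subshell so the cd does not leak into the caller.
make_chain() (
    cd "$1"
    host="$2"

    # 1. Self-signed root CA. -subj answers the questions openssl would ask.
    openssl req -new -x509 -extensions v3_ca -newkey rsa:2048 \
        -keyout ca.key -out ca.crt -days 3650 \
        -passout "pass:$CA_PASS" \
        -subj "/CN=My Dev Certificate Authority" 2>/dev/null

    # 2. Private key for the application certificate.
    openssl genrsa -out certificate.key 2048 2>/dev/null

    # 3. Certificate signing request for the host name.
    openssl req -new -key certificate.key -out certificate.csr \
        -subj "/CN=$host" 2>/dev/null

    # 4. Sign the CSR with the CA. The SAN file is assumed here (not in the
    #    post); -CAcreateserial keeps a counter in ca.srl so each issued
    #    certificate gets a unique serial instead of a fixed 01.
    printf 'subjectAltName=DNS:%s\n' "$host" > san.cnf
    openssl x509 -req -days 365 -in certificate.csr \
        -CA ca.crt -CAkey ca.key -passin "pass:$CA_PASS" \
        -CAcreateserial -extfile san.cnf -out certificate.crt 2>/dev/null
    rm certificate.csr san.cnf

    # 5. Chain file handed to the web server: leaf first, then its issuer.
    cat certificate.crt ca.crt > chain.pem
)

# verify_chain DIR: succeeds only when certificate.crt chains up to ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/certificate.crt" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in a bundle, using the same
# BEGIN/END extraction as the s_client pipeline in the post.
count_certs() {
    sed -n '/BEGIN/,/END/p' "$1" | grep -c 'BEGIN CERTIFICATE'
}

# cert_sans FILE: print the DNS names listed in the certificate's SAN.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Demo: build a chain in a scratch directory and report on it.
WORK=$(mktemp -d)
make_chain "$WORK" myapp.example.com
verify_chain "$WORK"
echo "chain OK in $WORK: $(count_certs "$WORK/chain.pem") certificates," \
     "SAN: $(cert_sans "$WORK/certificate.crt")"
```

The ordering in chain.pem matters: servers send the leaf certificate first and the issuing certificate after it, which is the order the s_client command prints them in. Running count_certs against the output of that command (saved to a file) tells you how many certificates a real server actually sends, which is the usual first check when a browser reports an incomplete chain.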