Creating a Certificate Authority

Most corporations and organizations use "self-signed" certificates and run their own certificate authority, largely because purchasing certificates is costly. This becomes apparent as soon as you work with their internal systems through Java or proxies.

Certificate Authorities

Certificate authorities sign certificates, vouching for their validity. Through public / private key cryptography, we can verify that the signing was done by the authority and, in turn, trust the validity of the certificate signed by that authority.

The Take Away: You need a trusted authority relationship for your generated certificates to be trusted. This is done by adding the root authority's certificate to each client's list of trusted certificates.

But first, you must set up your Certificate Authority. We'll do this using OpenSSL.

1) Certificate Authority Setup

Start by cloning the "pub-cert-auth" repo from:

This will give us the basics. We'll start by running:

bash main.sh setup

It creates the 'database' where OpenSSL will log all signed certificates. It also sets '01' as the first serial number.

Next, it creates "ca.key" and "ca.crt". "ca.key" is your PRIVATE key, which no one other than you should ever have access to. "ca.crt" is your public certificate (carrying your public key), used to validate that a signature came from you. These two pieces set up the public / private key pair required to act as a certificate authority.

We feed "echo" output into the "openssl" command so it fills in the program's prompts: country, state, city, organization, organizational unit, common name, email address.

Next, you or your client generates a "certificate signing request" (CSR).

2) Create the CSR

We'll be creating the CSRs. Run the following:

bash main.sh create-conf server-name

Replace 'server-name' with the hostname. This takes 'template.csr.conf' and replaces "!!server!!" with the server name provided. You can edit the resulting conf file in the "certs" folder, named certs/server-name.csr.conf. Make any final adjustments to the request before moving on to the next step.

Next, we'll create the CSR:

bash main.sh create-csr server-name

Using the config file provided, it creates the CSR: certs/server-name.csr.

3) Sign the CSR

The next step is to sign the CSR.

bash main.sh sign-csr server-name

This will read the CSR in, validate it against the 'ca.conf' requirements, and then cryptographically sign it. The signature is produced with our "ca.key" file. We'll also make the signature public. This way, anyone can validate that the signature came from our CA: when checked with our public key, it must match the signature.

This will create a series of files:

AGAIN - THIS INFORMATION IS HIGHLY SENSITIVE AND ALL SECURITY OF THE SITE IS BASED ON NO ONE KNOWING THESE VALUES!
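The repo's main.sh is not shown on this page, so the following is an added example, written for this article rather than taken from pub-cert-auth, of the OpenSSL commands behind the "setup", "create-conf", "create-csr" and "sign-csr" steps above, as shell functions. The work directory, the hostnames and the subject names are assumed; the CA's policy section refuses any request whose organization does not match the CA's own, and the CA sets the issued certificate's basicConstraints itself so a request cannot ask for CA:TRUE.

```shell
#!/bin/sh
set -eu   # added example, not the pub-cert-auth main.sh; work dir, hostnames and subjects are assumed
ca_setup() {                  # 1) 'database', first serial, ca.conf, CA key and CA cert
  d=$1; mkdir -p "$d/certs" "$d/newcerts"
  : > "$d/index.txt"          # OpenSSL logs every certificate it signs here
  echo 01 > "$d/serial"       # first serial number
  cat > "$d/ca.conf" <<EOF
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
O = Example Org
CN = Example Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/newcerts
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 365
policy = policy_match
copy_extensions = copy        # take SAN from the CSR, but CA-set extensions below win
x509_extensions = leaf_ext
[ policy_match ]
organizationName = match      # request O must equal the CA's O, CN must be present
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$d/ca.conf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  chmod 600 "$d/ca.key"       # ca.key is the PRIVATE key: nobody else gets it
}
create_conf() {               # 2a) CSR config for one hostname (the template step)
  printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = ext' \
    '[ dn ]' 'O = Example Org' "CN = $2" '[ ext ]' "subjectAltName = DNS:$2" > "$1/certs/$2.csr.conf"
}
create_csr() {                # 2b) new key pair plus the CSR built from that config
  openssl req -new -config "$1/certs/$2.csr.conf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/certs/$2.key" -out "$1/certs/$2.csr" 2>/dev/null
}
sign_csr() {                  # 3) check the CSR against ca.conf, sign it, log it in index.txt
  openssl ca -batch -notext -config "$1/ca.conf" -in "$1/certs/$2.csr" -out "$1/certs/$2.crt" 2>/dev/null
}
```

Call the functions in order with the work directory and hostname (ca_setup demo-ca; create_conf demo-ca www.example.test; create_csr demo-ca www.example.test; sign_csr demo-ca www.example.test); the issued certificate lands in demo-ca/certs/www.example.test.crt and its database entry in demo-ca/index.txt.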