After reading how CloudFlare handles their PKI and that Let’s Encrypt will use it, I wanted to give CFSSL a shot.
Reading the project’s documentation doesn’t really help with building your own CA, but searching the Internet I found Fernando Barillas’ blog explaining how to create your own root certificate and how to create intermediate certificates from it.
I took it a step further and wrote a script that generates new certificates for several services with different intermediates and possibly different configurations (e.g. depending on your distro and services, certain ciphers, such as ECC, may not be supported).
I also streamlined generating service specific key, cert and chain files. 😀
Have a look at the full Gist or just the most interesting part:
You’ll still have to deploy them yourself.
Fixed some issues with this Gist.
- Fixed a bug where intermediate CA certificates weren’t marked as CAs any more
- Updated the example CSRs and the script so it can now be run without errors
- Cleaned up renew-certs.sh by extracting functions for generating root CA, intermediate CA and service keys.
I recently finished introducing custom CA infrastructure in two instances, each having two sub CAs, two servers and a bunch of users. The “create your own CA” part was quite easy after I found a dated but still accurate tutorial. In hindsight it is quite silly that I didn’t do this before.
On the server side I had to make it work on:
Each expecting its own format and packaging of certificates, keys and certificate chains. :/
On the client side I had to produce installation and configuration how-tos for Windows and OS X and a bunch of popular browsers and email clients. Then there is the “user education” part … this is still in progress, but it’s looking good.
All in all, I’m happy with the result. 🙂
My IMAP server certificate expired today, so I needed to renew it. I use self-signed certificates for services I run myself.
First you need a config file. If you don’t have one, openssl will prompt you for the subject fields interactively. (The Ubuntu Wiki has a nice introduction.)
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=Automatically-generated IMAP SSL key
[ cert_type ]
nsCertType = server
Then you generate the new certificate (expiring in 365 days) using the config file from above (imapd.cnf) and have openssl save both the private key and the certificate into imapd.pem.
openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config imapd.cnf -keyout imapd.pem -out imapd.pem
Restart your service.
If you need to check the fingerprint of the new certificate, you can get it with the following command.
openssl x509 -in imapd.pem -fingerprint
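The renewal steps above, wrapped into a script as an added example (not from the original post): it writes the imapd.cnf from above if it is missing, only regenerates imapd.pem when the current certificate is within a configurable number of days of expiry, so the expiry doesn’t come as a surprise next time, and prints the SHA-256 fingerprint of the certificate alone. CERT_DIR, DAYS_LEFT_MIN and the service restart at the end are placeholders to adjust for your setup.

```shell
# Added example, not from the original post. CERT_DIR, DAYS_LEFT_MIN and the
# restart command at the end are placeholders for your own setup.
CERT_DIR="${CERT_DIR:-/etc/ssl/private}"
DAYS_LEFT_MIN="${DAYS_LEFT_MIN:-14}"

# Write the req(1) config from the post to the path given as $1.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=Automatically-generated IMAP SSL key
[ cert_type ]
nsCertType = server
EOF
}

# Succeeds only if the certificate in $1 stays valid for at least $2 more days.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Key and self-signed certificate into one file, as in the post's command; the
# subshell limits the restrictive umask to this step since the file holds the key.
generate_cert() {
    ( umask 077 && openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$1" -keyout "$2" -out "$2" )
}

# SHA-256 fingerprint of the certificate; -noout keeps the PEM dump out of the output.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

renew_if_needed() {
    cnf="$CERT_DIR/imapd.cnf"; pem="$CERT_DIR/imapd.pem"
    [ -f "$cnf" ] || write_config "$cnf"
    if [ -f "$pem" ] && cert_ok_for_days "$pem" "$DAYS_LEFT_MIN"; then
        echo "certificate still valid for $DAYS_LEFT_MIN days, nothing to do"
        return 0
    fi
    generate_cert "$cnf" "$pem" || return 1
    echo "new certificate fingerprint: $(fingerprint "$pem")"
    # placeholder: restart the IMAP service here, e.g. service dovecot restart
}
```

Run it from cron with CERT_DIR pointing at the directory holding imapd.cnf and imapd.pem; the fingerprint it prints is the one your mail clients will show when the certificate changes.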