What is SSL, what’s a CA and what do I need it for?
SSL or nowadays TLS is used to encrypt communication and validate the identity of a service provider.
The CA is what establishes the trust in a certificate.
In short:
If the certificate presented (e.g. by the server) and the CA certificate (which you trust, e.g. in your client) fit together, you can be sure that the server's certificate was signed by the CA. The CA itself is trusted to verify at least that the domain the (server) certificate is issued for belongs to the requester (the one who submitted the CSR).
What’s this about?
I’ll cover how to set up your own CA with openssl and sign your own certificates (good for when you control all the clients) and how to use letsencrypt (which is pretty easy and trusted in all major browsers).
openssl CA
apt-get install openssl
mkdir my_ca
cd my_ca
openssl genrsa -aes256 -out ca-key.pem 4096
Install openssl, create a folder for your CA and generate a private key for it (-aes256 means the key is encrypted with a passphrase, which you will be asked for whenever the CA key is used).
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512
Fill in the questions and your password; there is your root CA certificate. You may import it into your browser or OS cert store (debian: cp ca-root.pem /usr/local/share/ca-certificates/ca-root.crt && update-ca-certificates; note that update-ca-certificates only picks up files with a .crt extension).
Your CA is ready to be used.
openssl genrsa -out servercert-key.pem 4096
Generate a key for the server you want a certificate for.
A good practice is to name keys and certs like "server_example_com-key.pem" and "server_example_com-cert.pem".
openssl req -new -key servercert-key.pem -out servercert.csr -sha512
Use the key to create a CSR (certificate signing request).
Important:
CommonName = your FQDN (e.g. server.example.com)
Also leave the password empty, or you will have to enter it manually every time your service starts.
openssl x509 -req -in servercert.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out servercert-pub.pem -days 365 -sha512
Now create the server's certificate.
If you are using a webserver like apache, copy servercert-pub.pem and servercert-key.pem (and, if not already done, ca-root.pem) to the appropriate folder (e.g. /etc/ssl), configure apache to use them and you are done.
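The whole openssl CA procedure above as one non-interactive script, plus the verification step a practitioner wants before shipping the files to a webserver. This is an added example, not code from the original post. It assumes openssl 1.1.0 or newer on PATH, leaves the CA key unencrypted (-nodes) so it can run unattended, and uses made-up paths and the FQDN server.example.com. It goes one step beyond the post in adding a subjectAltName at signing time, because current browsers ignore the CommonName and only accept names from that extension.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH.
set -eu

# Create a CA key and a self-signed root certificate inside directory "$1".
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # Own config, so the script does not depend on the system openssl.cnf having a v3_ca section.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca-key.pem" 4096 2>/dev/null
    openssl req -x509 -new -nodes -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/ca-key.pem" -days 1024 -out "$dir/ca-root.pem" -sha512
}

# Key, CSR and CA-signed certificate for FQDN "$2", written into directory "$1".
# The FQDN goes into the CN (as the post says) and into subjectAltName (what browsers check).
issue_server_cert() {
    dir=$1
    fqdn=$2
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $fqdn
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    openssl genrsa -out "$dir/servercert-key.pem" 4096 2>/dev/null
    openssl req -new -config "$dir/server.cnf" -key "$dir/servercert-key.pem" \
        -out "$dir/servercert.csr" -sha512
    openssl x509 -req -in "$dir/servercert.csr" -CA "$dir/ca-root.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/servercert-pub.pem" \
        -days 365 -sha512 -extfile "$dir/server.cnf" -extensions server_ext
}

# Exit 0 if the server certificate in "$1" chains to the CA and is valid for hostname "$2".
check_cert() {
    openssl verify -CAfile "$1/ca-root.pem" -verify_hostname "$2" \
        "$1/servercert-pub.pem" >/dev/null 2>&1
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
issue_server_cert "$demo_dir" server.example.com
check_cert "$demo_dir" server.example.com && echo "server.example.com: chains to CA, name matches"
if check_cert "$demo_dir" other.example.com; then
    echo "unexpected: wrong hostname accepted"
else
    echo "other.example.com: rejected (hostname mismatch)"
fi
```

The final two calls are the check to keep: a certificate that verifies against the CA but for the wrong name is exactly what a client will refuse, so test the name you actually serve under.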
letsencrypt
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
Letsencrypt is pretty easy to set up and maintain.
Download their certbot-auto script (wget saves it into the current directory) and move it to /usr/local/bin/ (at least under debian there is no package for it).
Make sure that your firewall allows access on port 443 (or the port your service listens on? I have only used it for apache so far), otherwise letsencrypt's check that you are the domain owner fails.
/usr/local/bin/certbot-auto --apache
You may want to back up your vhost configs if you are going to use the command above!
The above command automatically requests and downloads certificates for your server and edits your vhost config (never broke anything on my systems).
Your SSL-Certs are now configured.
You may call it with --apache certonly to only get the certificates and do the configuration yourself.
/usr/local/bin/certbot-auto renew --dry-run
If the above works, install a cronjob to let certbot take care of the automatic renewal of your certificates.
crontab -e
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew
Install a cronjob and never again worry about certificate renewal!
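A cronjob that fails quietly leaves you with an expired certificate, so the check a practitioner adds next to the renewal job is one that alerts while there is still time to fix it. Added example, not code from the original post or from certbot: it assumes openssl on PATH, uses openssl's -checkend (which takes a number of seconds), and builds a constructed short-lived self-signed certificate only to demonstrate the warning path; in production you would point it at the certificate your server actually serves (certbot normally keeps it under /etc/letsencrypt/live/<domain>/, a path assumed here, not taken from the post).

```sh
#!/bin/sh
# Added example (not from the original post). Assumes openssl on PATH.
set -eu

# Exit 0 if certificate "$1" is still valid for at least "$2" more days, otherwise exit 1.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Expiry date of certificate "$1" in a readable form, for the alert message.
cert_end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Stand-alone demo: a constructed self-signed certificate valid for only 10 days,
# checked against the 30-day margin certbot itself renews at.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo/k.pem" -out "$demo/c.pem" \
    -days 10 -subj "/CN=demo.example.com" 2>/dev/null
if cert_valid_for_days "$demo/c.pem" 30; then
    echo "ok: more than 30 days left"
else
    echo "WARNING: certificate expires within 30 days (not after $(cert_end_date "$demo/c.pem")); check the output of 'certbot-auto renew'" >&2
fi
```

Run it from a second cron entry (or your monitoring) against the live certificate; a warning means the renewal entry above has not done its job and needs looking at before the expiry date printed.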