SSL or nowadays TLS is used to encrypt communication and validate the identity of a service provider.
The CA is what establishes the trust in a certificate.
In short:
if the certificate presented (e.g. by the server) and the CA certificate (you trust in e.g. your client) fit together, one can be sure that the servers certificate was signed by the CA. Which itself is trusted to verify at least, that the domain the (server-)certificate is for, belongs to the requester (the one who put up the csr).<\/p>\n\n\n\n
I’ll cover how to set up your own CA with openssl and sign your own certificates (good for when you control all the clients) and how to use letsencrypt (which is pretty easy and trusted in all major browsers).<\/p>\n\n\n\n
apt-get install openssl\nmkdir my_ca\ncd my_ca\nopenssl genrsa -aes256 -out ca-key.pem 4096<\/code><\/pre>\n\n\n\nInstall openssl, create a folder for your CA and generate a private key for it.<\/p>\n\n\n\n
openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha512<\/code><\/pre>\n\n\n\nFill in the questions and your password – there is your root CA Certificate. You may import this in your browser or OS cert store (debian: cp ca-root.pem \/usr\/local\/share\/ca-certificates\/ && update-ca-certificates).
Your CA is ready to be used.<\/p>\n\n\n\n
openssl genrsa -out servercert-key.pem 4096<\/code><\/pre>\n\n\n\ngenerate a key for the server you want a certificate for.
a good practice is to name keys and certs like “server_example_com-key.pem” and “server_example_com-cert.pem”<\/p>\n\n\n\n
openssl req -new -key servercert-key.pem -out servercert.csr -sha512<\/code><\/pre>\n\n\n\nuse the key to create a csr (certificate signing request).
Important:
CommonName = your fqdn (e.g. server.example.com)
Also leave the password empty or you will have to manually enter it with every start of your service.<\/p>\n\n\n\n
openssl x509 -req -in servercert.csr -CA ca-root.pem -CAkey ca-key.pem -CAcreateserial -out servercert-pub.pem -days 365 -sha512<\/code><\/pre>\n\n\n\nNow create the servers certificate.
If you are using a webserver like apache copy the servercert-pub.pem and the servercert-key.pem (and – if not already happened – the ca-root.pem) to the appropriate folder (e.g. \/etc\/ssl), configure apache to use them and you are done<\/p>\n\n\n\n
\n\n\n\nletsencrypt<\/h3>\n\n\n\nwget https:\/\/dl.eff.org\/certbot-auto\nmv \/home\/user\/certbot-auto \/usr\/local\/bin\/certbot-auto\nchmod 0755 \/usr\/local\/bin\/certbot-auto<\/code><\/pre>\n\n\n\nLetsencrypt is pretty easy to set up and maintain.
Download their certbot and move it to \/usr\/local\/bin\/ (at least under debian there is no package for it).
Make sure, that your firewall allows access on port 443 (or on the port your service listens? I have only used it for apache so far), otherwise letsencrypts check – if you are the domain owner – fails.<\/p>\n\n\n\n
\/usr\/local\/bin\/certbot-auto --apache<\/code><\/pre>\n\n\n\nYou may want to back up your vhost configs if you are going to use the above commands!<\/strong><\/p>\n\n\n\nThe above command automatically requests and downloads Certificates for your server and edits your vhost config automatically (never broke anything on my systems).
Your SSL-Certs are now configured.
You may call it with –apache certonly, to only get the certificates and do the config by yourself.<\/p>\n\n\n\n
\/usr\/local\/bin\/certbot-auto renew --dry-run<\/code><\/pre>\n\n\n\nif the above works, install a cronjob to let the autobot take care of automatic renewal of certs for you.<\/p>\n\n\n\n
crontab -e\n\n0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && \/usr\/local\/bin\/certbot-auto renew<\/code><\/pre>\n\n\n\nInstall a cronjob and never again worry about certificate renewal!
<\/p>\n","protected":false},"excerpt":{"rendered":"
What is SSL, what’s a CA and what do I need it for? SSL or nowadays TLS is used to encrypt communication and validate the identity of a service provider.The CA is what establishes the trust in a certificate. In short: if the certificate presented (e.g. by the server) and the CA certificate (you trust … <\/p>\n