Introduction
"OpenSSL is a free and open-source cryptographic library that provides several
command-line tools for handling digital certificates. Some of these tools can be used to act
as a certificate authority.
A certificate authority (CA) is an entity that signs digital certificates. Many
websites need to let their customers know that the connection is secure, so they pay an
internationally trusted CA (eg, VeriSign, DigiCert) to sign a certificate for their domain.
In some cases it may make more sense to act as your own CA, rather than paying a CA
like DigiCert. Common cases include securing an intranet website, or for issuing certificates
to clients to allow them to authenticate to a server (eg, Apache, OpenVPN)."
(Source: OpenSSL Certificate Authority by Jamie Nguyen)
You can find many such descriptions of how to build your own CA on the Internet, but
Jamie Nguyen's description is my personal favourite.
Chain of trust
In short, there are 3 participants in the "chain of trust" story:
- Root Certificate
- Intermediate Certificate
- End-entity Certificate
(Source: Wikipedia)
But what is the relationship between the 3 participants? This is best explained with an
example, so let's take a closer look at the certificate for the domain "example.com":
The certificate was issued by the intermediate entity "DigiCert SHA2 Secure Server CA"
for the end entity "www.example.org". That may look confusing at first: the
certificate for the domain "com" was apparently issued for "org". We will take a
deeper look in the next pictures:
The following assignment of the 3 participants results from the "Certificate Hierarchy":
Root Certificate = DigiCert Global Root CA
  Intermediate Certificate = DigiCert SHA2 Secure Server CA
    End-entity Certificate = www.example.org
And here is the solution to the confusion with the domain names:
The "Subject Alt Name" extension is the trick: the certificate is valid for every name
listed there, not only for the name in its subject. Next we generate all of these
certificates for our own use with the TinyONE Server.
How to config
This certification authority uses Elliptic Curve Cryptography (ECC) for the certificates.
The root and intermediate certificates are generated for the fictional company "Example":
Root Certificate = Example Non-Public ECC Root CA
  Intermediate Certificate = Example Non-Public ECC CA
The end-entity certificate should be valid for the following hostnames:
    End-entity Certificate #1 = tiny94E296.local
    End-entity Certificate #2 = tiny.local
Note: The CA built here is a "self-signed certificate authority". This means that its
certificate is not trusted by browsers out of the box. More on this in the
section "How to use".
Note: The CA here is command line based. If you want to use a CA with GUI, please take a
look at XCA.
Download and unzip the build scripts into a directory of your choice. If the scripts are to be
executed under Windows, MSYS2 is required, and OpenSSL must also be installed under MSYS2.
On a Linux or macOS machine, make sure that OpenSSL is installed as well.
Open the file "00-set-config.sh" with your preferred editor and change the following lines
as follows:
export root_c="DE"
export root_st="Hesse"
export root_o="Example"
With these settings the country (c), state (st) and the name of the organization (o) are set.
That is all we need to change for the moment.
How to use
The directory where the build scripts were unzipped should look like this:
The first script, "00-set-config.sh", must be started with ". 00-set-config.sh"
(dot space 00-set-config.sh), so that its exported variables end up in your current shell.
All others can be started with "./" (dot slash), like "./01-create-openssl-root-cnf.sh".
Execute all scripts from 00 to 03, in this order. This creates the root and intermediate
keys and their certificates. Furthermore, a new directory "ca" is created where all the keys and
certificates are stored.
Next, the key and certificate for "tiny94E296.local" are created. For this, use:
./create-device-xxxxxx.sh 94E296
The private key and the certificates for the TinyONE Server are now under:
ecc-rootca-build-script/ca/device/94E296
Copy the files described here into the
"certs" directory of the TinyONE Server.
One more thing: since the server certificate was created by a self-signed CA, it
is not yet accepted by the browser. Therefore, the root certificate must first be imported into the
browser. The root certificate is "ca.cert.pem" and is located at:
ecc-rootca-build-script/ca/certs
Unfortunately, you will have to find out for yourself how to import this root certificate into your
browser, because the procedure differs from browser to browser.
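The following is an added example, not one of the repository's scripts: it builds the same three-level ECC hierarchy (root, intermediate with pathlen:0, device certificate with both hostnames in the Subject Alt Name) with plain OpenSSL commands and then verifies the result, including the case where the intermediate is missing. It assumes OpenSSL 1.1.1 or newer on PATH; the subject values mirror 00-set-config.sh.

```shell
#!/bin/sh
# Added example (not a script from ecc-rootca-build-script). Assumes OpenSSL >= 1.1.1.
set -e
root_c="DE"; root_st="Hesse"; root_o="Example"   # same values as in 00-set-config.sh

# Build root -> intermediate -> device certificate inside directory $1.
make_chain() (
  mkdir -p "$1" && cd "$1"
  # Root CA: P-256 key, self-signed, may only sign other certificates (no TLS use).
  openssl ecparam -name prime256v1 -genkey -noout -out root.key
  openssl req -new -sha256 -key root.key -out root.csr \
    -subj "/C=$root_c/ST=$root_st/O=$root_o/CN=$root_o Non-Public ECC Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key -extfile root.ext -out root.crt
  # Intermediate CA: signed by the root; pathlen:0 forbids it from issuing further CAs.
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -new -sha256 -key ca.key -out ca.csr \
    -subj "/C=$root_c/ST=$root_st/O=$root_o/CN=$root_o Non-Public ECC CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -sha256 -days 1825 -in ca.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out ca.crt
  # Device certificate: CA:FALSE, server use only; both hostnames go into the SAN.
  openssl ecparam -name prime256v1 -genkey -noout -out device.key
  openssl req -new -sha256 -key device.key -out device.csr -subj "/O=$root_o/CN=tiny94E296.local"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > device.ext
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:tiny94E296.local,DNS:tiny.local\n' >> device.ext
  openssl x509 -req -sha256 -days 397 -in device.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile device.ext -out device.crt
  # What the server should present: its own certificate followed by the intermediate.
  cat device.crt ca.crt > fullchain.pem
)

# Succeeds only if device.crt chains to the root via ca.crt AND matches hostname $2.
verify_device() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/ca.crt" \
    -verify_hostname "$2" "$1/device.crt" >/dev/null 2>&1
}

# Same check with the intermediate withheld: fails, which is why fullchain.pem includes ca.crt.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/device.crt" >/dev/null 2>&1
}
```

Only root.crt needs to be imported into the browser; the intermediate travels with the server certificate in fullchain.pem.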
Download
The repository can be found on GitHub at
ecc-rootca-build-script.