====== Ubuntu - Certificates - Create a Private Certificate Authority ======

Creating a private CA can be useful if you have a lot of services encrypting data for internal use but don’t need the domain to be verified by a public CA like Verisign, Thawte etc. 

By importing the CA to all computers that will use these services users won’t get the a popup in IE and Firefox saying that the certificate is invalid.

----

===== Create a CA certificate =====

Create a private key for your CA:

<code bash>
openssl genrsa -des3 -out ca.key 4096
</code>

You will need to enter passphrase.

This password will be used everytime you sign a certificate with this CA.

----

===== Prevent unauthorized users accessing to your private key! =====

<code bash>
chmod 700 ca.key
</code>

----

===== Create the top-level certificate =====

This will be shown as the top level certificate when you have signed other certificates so choose expiration day and the certificate contents carefully.

All signed certificates will expirate if the top level certificate expires so you may want to choose a few years here

<code bash>
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
</code>

Here is a sample of input values:

<code bash>
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:ShareWiz CA
Email Address []:
</code>

Common name will be shown when users are displaying details about the certificate.


===== Create a certificate request =====

Create a private key:

<code bash>
openssl genrsa -des3 -out secure.sharewiz.net.key 4096
</code>

----

Create the certificate request

<code bash>
openssl req -new -key secure.sharewiz.net.key -out secure.sharewiz.net.csr
</code>

Make sure you put your domain name in the “Common Name” field

----

===== Sign the certificate with your CA certificate =====

You will need to provide the certificate request here and the CA key.

<code bash>
openssl x509 -req -days 365 -in secure.sharewiz.net.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out secure.sharewiz.net.crt
</code>

----

===== Remove password from key (optional) =====

If using the certificate with Apache, Postfix or other services you may need to replace the password in your private key so that the service can start without user interaction.

<code bash>
openssl rsa -in secure.sharewiz.net.key -out secure.sharewiz.net.key.insecure
mv secure.sharewiz.net.key secure.sharewiz.net.key.secure
mv secure.sharewiz.net.key.insecure secure.sharewiz.net.key
</code>

----

===== Set permissions on the keys =====

<code bash>
chmod 700 secure.sharewiz.net.key
chmod 700 secure.sharewiz.net.key.secure
</code>