A certificate authority (CA) issues digital certificates that certify that the named subject of the certificate owns a given public key. Trusted certificates are typically used to make secure connections to a server over the Internet. The certificate is what stops a malicious party that happens to sit on the path to the target server from pretending to be that server: without it, the client has no way to tell the real server's public key from the attacker's. Such a scenario is commonly referred to as a man-in-the-middle attack.
In general, people use trusted public CAs on the internet, like VeriSign, but there are cases where you need your own CA: to add extra security to an intranet or VPN, for example, or simply because you don't want to pay for a certificate.
First, install the openssl utility. If you are using CentOS / Fedora / RHEL, you can do this with yum like this:
# yum install openssl
If you are using Ubuntu / Debian you can use apt-get like this:
# apt-get install openssl
Creating your own CA
To create your own CA you can use the CA.pl script that comes with the openssl package. First go to an empty directory (the script creates a demoCA subdirectory there that holds the CA certificate, the CA private key, the serial number file and the index of issued certificates), then run the script. The path of the script depends on your distribution and release; if it is not where shown below, locate it with find / -name CA.pl.
For CentOS / Fedora / RHEL
# /usr/share/ssl/misc/CA.pl -newca
Ubuntu / Debian
# /usr/lib/ssl/misc/CA.pl -newca
The script will take you through the steps of creating your new CA. It first asks for the file name of an existing CA certificate; press Enter to create a new one. You are then asked for a passphrase and for the fields of the distinguished name. Most of the fields are only informational, but two things do matter: the passphrase protects the CA private key (demoCA/private/cakey.pem), and anyone holding that key can issue certificates your clients will trust; and the Common Name is how the CA appears to everyone who imports it, so give it a distinctive name rather than accepting a default.
The full process will look something like this:
Now that you have your own certificate authority (CA) you can create digital certificates for servers on your LAN, for VPN clients or for whatever service you need to use with SSL. This takes two steps:
First you need to create a private key and a certificate request. For a server, enter its fully qualified host name as the Common Name, since that is what clients check against. The Ubuntu / Debian path is shown here; on CentOS / Fedora / RHEL use the path from the previous step:
# /usr/lib/ssl/misc/CA.pl -newreq
You will be asked the same questions as for the -newca step, as shown below:
Now you can sign that request with your CA using the following command. Run it from the same directory as before, since it looks for the request in newreq.pem and for the CA in the demoCA subdirectory:
# /usr/lib/ssl/misc/CA.pl -sign
The signed certificate is written to newcert.pem and its private key is the newkey.pem created by -newreq; the CA's own certificate is demoCA/cacert.pem. A browser, VPN client or other program will only accept the new certificate once it has that CA certificate installed as trusted, so distribute demoCA/cacert.pem to your clients (and never anything from demoCA/private, which holds the CA key). Note that -newreq encrypts the server key with a passphrase; if a daemon has to load it unattended, either run CA.pl -newreq-nodes instead or strip the passphrase with openssl rsa -in newkey.pem -out newkey-plain.pem. With that in place you can use the certificate for any service you wish.
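As an added example (not from the original page and not the CA.pl script itself), here are the same three steps done with plain openssl commands so the whole flow can be scripted and checked. It creates the CA, issues a server certificate with a subjectAltName, verifies it against the CA the way a client would, and then confirms that a self-signed certificate for the same host name, which is what an attacker in the path could present, is rejected. It assumes OpenSSL 1.1.1 or later on PATH; the CA name, host name, file names and passphrase are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original page: the CA.pl steps -newca, -newreq
# and -sign done with plain openssl commands, plus the checks a client makes.
# Assumes OpenSSL 1.1.1 or later on PATH. The CA name, host name, file names
# and passphrase below are constructed for the example.
set -eu

CA_PASS=ca-secret            # CA.pl prompts for this; fixed here for scripting
SERVER_NAME=www.example.test # constructed host name for the server certificate

# Build a CA and one server certificate in directory $1. Prints "ok" when the
# issued certificate verifies against the CA, "fail" otherwise.
build_private_ca() {
    dir=$1
    (
        cd "$dir" &&
        # Own config so the result does not depend on the system openssl.cnf.
        # A CA certificate must carry CA:TRUE and keyCertSign to be usable.
        printf '%s\n' \
            '[ req ]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
            'prompt = no' \
            '[ dn ]' 'CN = Example Private CA' \
            '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' \
            'keyUsage = critical,keyCertSign,cRLSign' \
            'subjectKeyIdentifier = hash' \
            '[ leaf_ext ]' 'basicConstraints = CA:FALSE' > ca.cnf &&
        # CA.pl -newca: passphrase-protected CA key and self-signed CA cert.
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -sha256 -days 1825 \
            -keyout cakey.pem -out cacert.pem \
            -passout "pass:$CA_PASS" >/dev/null 2>&1 &&
        # CA.pl -newreq: server key and request. -nodes leaves the key
        # unencrypted so a daemon can load it without a passphrase prompt.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
            -keyout server.key -out server.csr \
            -subj "/CN=$SERVER_NAME" >/dev/null 2>&1 &&
        # Extensions the CA stamps on the leaf. Browsers match the host name
        # against subjectAltName, not the CN, so it has to be present.
        printf '%s\n' \
            'basicConstraints = CA:FALSE' \
            'keyUsage = critical,digitalSignature,keyEncipherment' \
            'extendedKeyUsage = serverAuth' \
            "subjectAltName = DNS:$SERVER_NAME" > server.ext &&
        # CA.pl -sign: issue the certificate with the CA key.
        openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
            -passin "pass:$CA_PASS" -CAcreateserial -days 365 -sha256 \
            -extfile server.ext -out server.pem >/dev/null 2>&1 &&
        # What a client does once it trusts cacert.pem: check the chain.
        openssl verify -CAfile cacert.pem server.pem >/dev/null 2>&1 &&
        openssl x509 -in server.pem -noout -text | grep -q "DNS:$SERVER_NAME"
    ) && echo ok || echo fail
}

# The reason the CA exists: a certificate for the same host name that our CA
# did not issue (here a self-signed one, as an attacker in the path could
# present) must not verify. Prints "rejected" when verification fails as it
# should, "accepted" otherwise. Run after build_private_ca on the same dir.
check_rogue_cert() {
    dir=$1
    (
        cd "$dir" &&
        openssl req -x509 -config ca.cnf -extensions leaf_ext \
            -newkey rsa:2048 -nodes -sha256 -days 365 \
            -keyout rogue.key -out rogue.pem -subj "/CN=$SERVER_NAME" \
            -addext "subjectAltName=DNS:$SERVER_NAME" >/dev/null 2>&1 &&
        ! openssl verify -CAfile cacert.pem rogue.pem >/dev/null 2>&1
    ) && echo rejected || echo accepted
}

# Usage: build everything in a fresh directory and run both checks.
WORK=$(mktemp -d)
build_private_ca "$WORK"   # ok
check_rogue_cert "$WORK"   # rejected
```

The script writes its own config file instead of relying on the system openssl.cnf, because whether the CA certificate ends up with CA:TRUE (and so whether openssl verify accepts anything it signed) otherwise depends on which distribution's defaults happen to be installed. The same applies to the subjectAltName on the leaf: CA.pl -newreq will not add one unless your openssl.cnf asks for it, and current browsers ignore the Common Name.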