Monday, October 19, 2009

Creating my own Root CA, HTTPS Server and Client certificates, with XCA

The following assumes XCA 0.7.0

Prelim:
Before doing anything, you need to create the XCA database. Pick a strong password.


A. To create the Root Certificate

1. Select the 'Certificates' tab.
2. Click on 'New Certificate' on the left side.

3. Select the 'Source' tab.
4. Signing -> 'Create a self signed certificate with the serial 1'
5. Signature algorithm -> 'SHA 1' (I read something about older systems having problems with the better 'SHA 256')
6. Template -> '[default] CA'. Click Apply!! Do not forget to apply.

7. Select the 'Subject' tab.
8. At the very least, fill in 'Internal Name', 'Common name', e.g. 'MyCA' for both.
9. Private Key -> click 'Generate a new key'

10. Select the 'Extensions' tab
11. Make sure the 'Time range' is 10 years or so. If changed, be sure to 'Apply'

12. Select the 'Key Usage' tab.
13. If you clicked 'Apply' to CA template (step 6), you should see 'Certificate Sign' and 'CRL Sign' highlighted.

14. Select the 'Netscape' tab.
15. If you clicked 'Apply' to CA template (step 6), you should see 'SSL CA', 's/MIME CA' and 'Object Signing CA' highlighted.

16. Click 'OK' in the bottom right corner.

'MyCA' should now be listed under the main 'Certificates' tab.



B. To create the HTTPS Server certificate

1. Select the 'Certificates' tab.
2. Right Click on the 'MyCA' entry -> 'New Certificate'

3. Select the 'Source' tab.
4. Signing -> 'Use this certificate for signing: MyCA'
5. Signature algorithm -> 'SHA 1'
6. Template -> '[default] HTTPS_server'. Click Apply!! Do not forget to apply.

7. Select the 'Subject' tab.
8. At the very least, fill in 'Internal Name', 'Common name', e.g. 'www.mydomain.com' for both. The common name MUST exactly match the full domain name of the webserver to be protected.
9. Private Key -> click 'Generate a new key'

10. Select the 'Extensions' tab
11. Make sure the 'Time range' is appropriate. The default of 365 days may be too short. If changed, be sure to 'Apply'!!

12. Select the 'Key Usage' tab.
13. If you clicked 'Apply' to HTTPS_server template (step 6), you should see 'Digital Signature', 'Non Repudiation' and 'Key Encipherment' highlighted.

14. Select the 'Netscape' tab.
15. If you clicked 'Apply' to HTTPS_server template (step 6), you should see 'SSL Server' highlighted.

16. Click 'OK' in the bottom right corner.

The new certificate for 'www.mydomain.com' should now be listed below MyCA under the 'Certificates' tab (once Tree View is selected).



C. To create the HTTPS Client certificate

1. Select the 'Certificates' tab.
2. Right Click on the 'MyCA' entry -> 'New Certificate'

3. Select the 'Source' tab.
4. Signing -> 'Use this certificate for signing: MyCA'
5. Signature algorithm -> 'SHA 1'
6. Template -> '[default] HTTPS_client'. Click Apply!! Do not forget to apply.

7. Select the 'Subject' tab.
8. At the very least, fill in 'Internal Name', 'Common name', e.g. 'Tester' for both.
9. Private Key -> click 'Generate a new key'

10. Select the 'Extensions' tab
11. Make sure the 'Time range' is appropriate. The default of 365 days may be too short. If changed, be sure to 'Apply'!!

12. Select the 'Key Usage' tab.
13. If you clicked 'Apply' to HTTPS_client template (step 6), you should see 'Digital Signature', 'Key Encipherment' and 'Data Encipherment' highlighted.

14. Select the 'Netscape' tab.
15. If you clicked 'Apply' to HTTPS_client template (step 6), you should see 'SSL Client' and 'S/MIME' highlighted.

16. Click 'OK' in the bottom right corner.

The new certificate for 'Tester' should now be listed below MyCA under the 'Certificates' tab (once Tree View is selected).
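The same three-certificate hierarchy built in code, as an added example that is not part of the original post or of XCA: Go's standard crypto/x509 package stands in for XCA's dialogs, sets the key-usage bits the templates apply in steps A.13, B.13 and C.13, and Trusted() performs the chain check a browser or Apache makes (a nil root models a client that has no copy of 'MyCA'). It goes beyond the post in adding a DNS Subject Alternative Name to the server certificate, which current clients check in addition to the Common Name; RSA keys and the one-year validity for the leaf certificates are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues template t under parent/parentKey; a nil parent means self-signed, i.e. the root CA 'MyCA'.
func sign(t *x509.Certificate, years int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // 'Generate a new key' (RSA assumed, as XCA does by default)
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().AddDate(years, 0, 0) // 'Time range'
	signer := parentKey
	if parent == nil {
		parent, signer, t.IsCA, t.BasicConstraintsValid = t, key, true, true // self-signed CA
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPKI mirrors sections A-C: self-signed 'MyCA', then a server and a client certificate signed by it.
func BuildPKI() (root, server, client *x509.Certificate) {
	root, caKey := sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "MyCA"},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, 10, nil, nil) // A.13, 10-year range
	server, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.mydomain.com"},
		DNSNames:    []string{"www.mydomain.com"}, // SAN: modern clients match this, not only the CN
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment, // B.13
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, 1, root, caKey) // Netscape 'SSL Server'
	client, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Tester"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment, // C.13
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}}, 1, root, caKey) // 'SSL Client', 'S/MIME'
	return
}

// Trusted reports whether cert chains to root for the given host and purpose; nil root = CA not installed.
func Trusted(cert, root *x509.Certificate, host string, usage x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	if root != nil {
		pool.AddCert(root)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}
```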



D. Exporting the server certificate

For Apache, I exported as 'PEM Cert + Key' format, giving me the 'www.mydomain.com.pem' file. I also needed to configure the 'MyCA.crt' so that Apache would trust the client certificates signed by 'MyCA'.
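An Apache (mod_ssl) virtual host wired to those two exports, as an added example that is not from the post; the /etc/apache2/ssl paths are assumptions.

```apache
<VirtualHost *:443>
    ServerName www.mydomain.com
    SSLEngine on

    # 'PEM Cert + Key' export from XCA: certificate and private key in one file,
    # so the same file serves for both directives. Keep it readable by root only.
    SSLCertificateFile    /etc/apache2/ssl/www.mydomain.com.pem
    SSLCertificateKeyFile /etc/apache2/ssl/www.mydomain.com.pem

    # Root CA exported in PEM format: client certificates must chain to MyCA.
    SSLCACertificateFile  /etc/apache2/ssl/MyCA.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1
</VirtualHost>
```

SSLVerifyDepth 1 accepts only certificates issued directly by MyCA, which matches the single-level hierarchy built in sections A to C.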



E. Exporting the client certificates

In order for a client browser to trust the certificate for 'www.mydomain.com', it needs a copy of the Root Certificate, i.e. 'MyCA'

It is possible to include the Root Certificate with the client certificate, by exporting the client certificate ('Tester') as "PKCS #12 with Certificate Chain"

This gives the file 'Tester.p12' that Internet Explorer is happy to import.

BUT, I encountered problems with Firefox (3.5.4). When importing, it still would not trust 'www.mydomain.com'. It turns out that although the import process itself is successful, and the Client and Root certificates are listed under 'Your Certificates' and 'Authorities', Firefox does not seem to find the Root certificate when it makes https connections to www.mydomain.com.

The solution to this was to first export 'MyCA' in the 'PEM' format as MyCA.crt, and then export the Client Certificate 'Tester' in the 'PKCS #12' format.

Then I imported both separately into Firefox, MyCA.crt as an 'Authority' and Tester.p12 under 'Your Certificates'

And since this method also works for IE, I do this in all cases, so I don't need different certificates for IE and Firefox.



F. One other point...

In the case where client certificates are being used for https access to Subversion via TortoiseSVN, it made things easier (although less secure when transferring the .p12 files) to leave the password blank when exporting to the .p12 file format.

Doing this means there is no need to import private keys into TortoiseSVN to be able to open the .p12 file, or to be constantly asked for the password for this file whenever using Subversion.

Additionally, in order for TortoiseSVN to trust the https server certificate installed on www.mydomain.com, I needed to install my Root Authority cert in TortoiseSVN.

To do this, I needed to edit the client's subversion\servers file. In the [globals] section, right at the end of the file, I pointed the 'ssl-authority-files' parameter at a local copy of the 'MyCA.crt' root certificate file.
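The corresponding Subversion servers file entries, as an added example that is not from the post: Subversion names the section [global], and the client certificate can be pointed at from the same place so TortoiseSVN sends 'Tester' without prompting. The Windows paths are assumptions.

```ini
[global]
# Root CA exported from XCA in PEM format; makes the www.mydomain.com server cert trusted
ssl-authority-files = C:\Users\tester\certs\MyCA.crt

# Client certificate exported as PKCS #12; exported with a blank password as in section F,
# so ssl-client-cert-password stays unset and nothing is stored in clear text here
ssl-client-cert-file = C:\Users\tester\certs\Tester.p12
```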

2 comments:

  2. I am doing work for Exporting the client certificates. Your blog helped me to easily execute. I bookmarked your page as it's quite informative for future reference. Thanks a ton. Clearly outlined steps are always easy to follow.
