OpenSSL and Your Root Certificate
Your objective today is to create a private key and a root certificate using OpenSSL. Afterward, you’ll install the root certificate into the trusted root store of your PC, server, and / or browser. Optionally, you will download and install OpenSSL.
Spoiler alert … OpenSSL is not driven by a GUI. It’s command line software. You open an elevated command prompt to run it. You need administrator privileges. Command line software looks a little old school, but it’s surprisingly common in a lot of environments. OpenSSL is also case sensitive. If you make a typing error, a screen with all available commands and their proper spelling appears automatically. Then just try it again.
If you search the web for OpenSSL examples, you will see many different ways to accomplish what appears to be the same end result. For my purposes, I selected this approach.
Download and Install OpenSSL
First, before you do anything else, Google the internet and look up OpenSSL. You should become familiar with the programs you plan to download and run. You need confidence in the security of your computer and the best way to develop it is through a little education. If anything concerns you, then don’t download OpenSSL today. Wait until you feel comfortable, or don’t use it at all. No pressure.
Your next challenge will be to find and download OpenSSL.
[March 9, 2015 Update: an SSL vulnerability called Freak has been uncovered. It has the potential to affect all SSL, including OpenSSL. To be sure you have no issues, make sure you are using OpenSSL version 1.01k or newer.]
[April 13, 2014 Heartbleed bug update: OpenSSL has a recently discovered security bug called Heartbleed that is said to have been repaired starting with version 1.01g and above. Version 1.02 will be secure, according to articles available on the internet. The bug will allow a knowledgeable hacker to pierce a part of the encryption so that much is in the clear. More information is available here.]
OpenSSL is open source software. Their site is not glitzy, but it includes a lot of information and you should look it over. This is a link to the download page on the OpenSSL web site. It takes you to a download site. Read the download section and select the most appropriate version. The light versions have all of the features required to make keys and certificates. You also may need to download a copy of the appropriate Visual C++ Redistributables.
Install the Visual C++ Redistributables (if needed) and OpenSSL. By default, OpenSSL will install in the root directory of drive c:\.
The default directories are c:\OpenSSL-Win32\ or c:\OpenSSL-Win64\.
Make The Private Key
Open an elevated command prompt. This means you right-click the ‘Command Prompt’ icon or menu selection and select ‘Run As Administrator’.
Navigate to c:\OpenSSL-Win32\bin\ or c:\OpenSSL-Win64\bin\. This is where you will do all your work.
openssl genrsa -out ca.key 2048
This generates a private key named ‘ca.key’. The key is 2048 bits long. It uses the RSA algorithm.
Make the Root Certificate
Stay in the same directory as the private key you just made.
After entering the command to make the root certificate, you will be prompted for various pieces of information. Filling in most of them is optional, but one field is important.
openssl req -new -key ca.key -out CA.crt -x509 -days 3650
(everything that follows is a prompt from OpenSSL)
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:IL
Locality Name (eg, city) :Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]:none
Organizational Unit Name (eg, section) :none
Common Name (e.g. server FQDN or YOUR name) :Advanced Home Server
Email Address :
This creates a certificate named CA.crt using the private key you just made, ca.key, and it will remain valid for 3650 days.
The field to pay special attention to is Common Name.
Some SSL oriented applications ask you to create a private key and root certificate and import both using cut and paste. In effect, your root certificate is also your SSL certificate and the application uses its private key as the SSL private key. In this case, you must use your domain name as the common name.
If you plan to create a separate SSL certificate later, you can put any name you like in that field.
The private key is usually put aside and kept in a secure location. It will be used later to sign your SSL certificate.
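The two commands above, collected into an added example that is not part of the original post: the Distinguished Name (and the all-important Common Name) is supplied with -subj instead of at the prompts, and the script then checks that the certificate really belongs to ca.key and carries the CA flag. It assumes openssl is on the PATH (on Windows, run it from c:\OpenSSL-Win32\bin\ with the same arguments); the function and DN values are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Runs the page's genrsa and
# req -x509 steps non-interactively, then verifies the result.
set -e

# make_root_ca <key-file> <cert-file> <common-name> [days]
# Generates a 2048-bit RSA key and a self-signed root certificate, then
# confirms the certificate and the private key belong together.
make_root_ca() {
    key="$1"; crt="$2"; cn="$3"; days="${4:-3650}"
    # Step 1: private key (same as "openssl genrsa -out ca.key 2048")
    openssl genrsa -out "$key" 2048 2>/dev/null
    # Step 2: self-signed root certificate valid for $days days; the DN
    # values mirror the prompt answers shown above (constructed sample)
    openssl req -new -key "$key" -out "$crt" -x509 -days "$days" \
        -subj "/C=US/ST=IL/L=Chicago/O=none/OU=none/CN=$cn" 2>/dev/null
    # Sanity check: the public key embedded in the certificate must equal
    # the public key derived from the private key, or they do not match
    [ "$(openssl x509 -in "$crt" -pubkey -noout)" = \
      "$(openssl pkey -in "$key" -pubout)" ]
}

# cert_common_name <cert-file>: prints the CN from the certificate
# subject, the field the page says to pay special attention to.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_is_ca <cert-file>: succeeds only if the certificate carries the
# CA:TRUE basic constraint that "req -x509" adds from the default config.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage with the page's file names:
# make_root_ca ca.key CA.crt "Advanced Home Server" && cert_common_name CA.crt
```

If the final check in make_root_ca fails, the .crt was not signed with the .key next to it, which is exactly the situation the Common Name advice above is meant to avoid when pasting both into an application.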
Importing The Root Certificates into the PC or Server
Root certificates are imported into the Trusted Root Certificate Store of each PC and server that will host or access an SSL oriented VPN, WebDAV or HTTPS site. Here’s the quick version …
- Load the Microsoft snap-in console (MMC.exe). It requires Administrator privileges.
- File / Add-Remove Snap in / Certificates / Add / Computer Account / Next / Local Computer / Finish
- Drop down the contents of ‘Certificates’. You will get a list.
- Select Trusted Root Certification Authority. Underneath, select Certificates. To the right, you will see all the trusted root certificates currently in the PC or server.
- Right click Certificates in the left window / All Tasks / Import. Then follow the prompts. You will navigate to the directory that holds the root certificate you just made. Accept the default prompts. At the end, you will see the message ‘Import Successful’ and your certificate will appear in the list on the right along with the other trusted root certificates.
Import the Root Certificate into a Browser
Already complete … Internet Explorer references the root certificate store on the host PC or server.
- From the main Firefox menu, select Tools / Options / Advanced tab / View Certificates
- Select the Authorities tab / click Import / Follow the prompts
- Check the box ‘Trust this CA to identify websites’ / OK
Now that you have a Root Certificate, what’s next?
You will need an SSL certificate. To get one for IIS, you first make a certificate signing request (CSR) from within IIS. Then you return to OpenSSL and use the private key and root certificate you just made to sign the CSR. Next, you import the resulting SSL certificate back into IIS. Finally, you bind port 443 to the SSL certificate. Then you can use HTTPS and WebDAV. An SSL based VPN will take a little more work.