Creating a Root CA and Signing a Certificate for Development

I’ve recently been writing some services in Java using Spring where the service will be accessed over HTTPS when live.  I obviously want to use this configuration in development, but I don’t want to pay for a certificate.

I could write a null implementation of TrustManager, but this would be very different from the live configuration and is the sort of thing that could make its way through to live.

Instead, I’ll create a self-signed root CA and use it to sign the SSL certificate for the service myself.

Install OpenSSL

Firstly, you will need OpenSSL installed. I used the copy of OpenSSL that ships with OS X on my MacBook Pro. On Ubuntu, install it with:

sudo apt-get install openssl

Windows users can grab OpenSSL from here.

Create the Root Key

Next you need to create the root key.

openssl genrsa -out rootCA.key 2048

If you would like to add a password to the root key, which is highly recommended, run this instead:

openssl genrsa -des3 -out rootCA.key 2048

The above command will prompt for a password to protect the key. If you protect the key, you will need to enter the password each time you use it.

Create a Root Certificate

The next step is to create a root certificate and self-sign the certificate using the root key generated earlier.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 712 -out rootCA.pem

You will need to answer a few questions about the root CA.  Here’s how I answered the questions:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Lancashire
Locality Name (eg, city) []:Blackpool
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Andy McCall Ltd
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:Andy McCall
Email Address []:certificates@andymccall.co.uk

We now have a root CA that we can use to sign things with. If you are using Windows, install this CA into the local machine’s root certificate store using the Microsoft Management Console (MMC). There’s a guide at SQLServerMart that is easy enough to follow for servers; there’s also a guide here for the desktop. For other operating systems or platforms, Google is your friend.

Create a Certificate

The next step is to create the certificate that will be used to secure the service over HTTPS. This takes several steps.

Create the key

The first step is to create a private key.

openssl genrsa -out service.key 2048

Generate a Certificate Signing Request

Using the key, create a certificate signing request for your service:

openssl req -new -key service.key -out service.csr

You’ll be asked the same set of questions again; the important piece of information here is the Common Name. This is the name you will use to access your service. In this example the service is called service.local and I’ve added service.local to my hosts file. This would also work if you used a corporate DNS name and were securing myservice.mycorporation.myinternaldns.com, or if you used an IP address. It simply has to match the address you will access the service on.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Lancashire
Locality Name (eg, city) []:Blackpool
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Andy McCall Ltd
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:service.local
Email Address []:certificates@andymccall.co.uk

Do not use a challenge password with this certificate.

Sign the Certificate Signing Request Using the Root CA

Now we sign the request with the root CA, so that the resulting certificate is trusted wherever the root is installed:

openssl x509 -req -in service.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out service.crt -days 356 -sha256

We now have a signed certificate (service.crt) and a key file (service.key). On Linux servers and hardware devices we can use these two files together to secure our service. On Windows we need to import them into the certificate store first, and to do that the two files need to be combined into a single Personal Information Exchange file.

Convert Certificate and Key into a Personal Information Exchange File

To import the certificate and key into the Windows certificate store we need to convert them to a Personal Information Exchange (.pfx) file.

openssl pkcs12 -export -out service.pfx -inkey service.key -in service.crt -certfile rootCA.pem

You don’t need to set an export password, but it’s obviously more secure if you do. This produces a single .pfx file that you can import into your OS.

Once the certificate is installed you can check to see if the certificate is valid:

Clicking on the Certification Path shows the chain of trust:

Finally, set your service to run under HTTPS using the new certificate. Configure the endpoint within your application as service.local and you have a correctly configured, live-like development environment.
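The whole procedure above, collected into one reproducible script with a command-line check of the chain of trust in place of the Windows certificate viewer. This is an added example, not a script from the original post: it runs the same openssl commands non-interactively by passing the post's Distinguished Name values with -subj, uses an unprotected root key (no -des3) so it can run unattended, and the output directory, the host name argument and the pkcs12 export password "changeit" are constructed placeholders. It also goes one step beyond the post: the signing step adds the host name as a subjectAltName through an extension file, because current browsers and Java clients ignore the Common Name and only match the host against the SAN.

```shell
#!/bin/sh
# Added example (not from the original post): root CA, service certificate
# signed by that root, .pfx bundle, and a chain-of-trust check.

# make_dev_pki DIR HOST
#   Writes rootCA.key, rootCA.pem, service.key, service.csr, service.crt and
#   service.pfx into DIR (a constructed placeholder path).  HOST becomes the
#   Common Name and, beyond the post's steps, a DNS subjectAltName.
make_dev_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1

    # Root key and self-signed root certificate (same DN values as the post).
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 712 \
        -subj "/C=GB/ST=Lancashire/L=Blackpool/O=Andy McCall Ltd/OU=Development/CN=Andy McCall" \
        -out "$dir/rootCA.pem" || return 1

    # Service key and CSR; the CN must match the address clients will use.
    openssl genrsa -out "$dir/service.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/service.key" \
        -subj "/C=GB/ST=Lancashire/L=Blackpool/O=Andy McCall Ltd/OU=Development/CN=$host" \
        -out "$dir/service.csr" || return 1

    # Extensions are added at signing time: "x509 -req" does not copy them
    # from the CSR.  CA:FALSE marks this as a leaf certificate, and the SAN
    # is what modern clients actually check the host name against.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" \
        > "$dir/service.ext" || return 1
    openssl x509 -req -in "$dir/service.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/service.crt" \
        -days 356 -sha256 -extfile "$dir/service.ext" 2>/dev/null || return 1

    # Personal Information Exchange bundle for the Windows certificate store.
    # "changeit" is a placeholder export password, not a recommendation.
    openssl pkcs12 -export -out "$dir/service.pfx" -inkey "$dir/service.key" \
        -in "$dir/service.crt" -certfile "$dir/rootCA.pem" -passout pass:changeit || return 1
}

# verify_dev_pki DIR HOST
#   Returns 0 when service.crt chains to rootCA.pem, carries the expected SAN,
#   and is NOT trusted without that root (proof that the root is doing the work).
verify_dev_pki() {
    dir=$1
    host=$2
    # Equivalent of the "Certification Path" tab: the leaf must verify against our root.
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/service.crt" >/dev/null 2>&1 || return 1
    # The SAN we asked for must be present in the issued certificate.
    openssl x509 -in "$dir/service.crt" -noout -text | grep -q "DNS:$host" || return 1
    # With no trusted roots at all the chain must fail, i.e. nothing in the
    # system store happens to trust a certificate we minted ourselves.
    if openssl verify -no-CAfile -no-CApath "$dir/service.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage:
#   make_dev_pki ./dev-pki service.local && verify_dev_pki ./dev-pki service.local && echo "chain OK"
```

The negative check in verify_dev_pki is the one practitioners most often skip: a certificate that verifies only because something else in the system store happens to trust it would behave differently once the application ships, which is exactly the "very different to live" problem the post sets out to avoid.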


New Job!

I’ve now left AtoS IT Services.  I’m now working full time for the company I founded, Ascentico.

In case you didn’t know, in April 2013 I founded an IT services, technology and solutions provider called Ascentico Limited. Its offices are located in Blackpool, Lancashire, and it offers services to small and medium-sized businesses in the North West of England, and to the education and local government sectors across the whole of England. You can contact Ascentico at:

Address: Suite 2, 275 Church Street, Blackpool, FY1 3PB. Telephone: 01253 708888. Fax: 01253 200805. Web: ascentico.com. Email: info@ascentico.com

At Ascentico we offer the following services: computer repair, computer upgrades, laptop repair, laptop upgrades, server repair, computer networks, wifi problem solving, computer network installation, structured cabling, virus removal, software installation, managed services, IT project management, virtual servers, physical servers, telephone systems, web servers and web development – and lots more!  Basically, if you’ve got an IT problem then give us a call!
