Creating SSL Certificates

From ParabolaWiki
Jump to: navigation, search

This guide will help you use certtool from gnutls to create SSL certificates and secure your communications.

Note of warning: many people says the x509 model for SSL certificates is broken by design and thus advocate trust models like OpenPGP. See Monkeysphere for an example.

You need two files, a private key and a certificate. The certificate is created by signing a certificate request with a private key. If you use your own private key to sign it, the certificate will be called "self-signed" and be boo-ed all over the Web (not on the actual Internet). If your certificate request is signed by a certificate authority (or CA), it will be a valid certificate for most browsers and will cost you a couple hundred dollars a year (or you could get one from

Getting your certificate request signed by another people (not a CA) is not included in the security model.

1 Create a private key

First you need to create a private key, that will be used to encrypt data on your side.

Private keys are private. Don't share them with anybody, don't send them over unencrypted email, and give them the minimum file permissions needed: root:root 600. (Certtool does this by itself.)

We'll work under /etc/ssl, so cd into it ('#' means 'run as root').

# certtool --generate-privkey --sec-param=high --outfile private/localhost.key
If you're going to generate certs for different domains and subdomains it's best to name the cert files like the domain itself, for instance, for the keyfile will be ''. This is just for easily knowing which ones you need.

2 Self-signed certificates

If you decide to create a self-signed certificate (for instance, for a personal web server where you can tell everyone to accept your certificate, or a service that's not web, i.e. xmpp), certtool provides a special flag for it:

# certtool --generate-self-signed --load-privkey private/localhost.key \
           --outfile private/localhost.crt

You will be asked several questions, the required ones are Common Name (CN) and the days it will take to expire the certificate (not the key!).

Reply to CN with the domain you want the certificate for, and 365 is common sense for expiration days.

Subdomains aren't covered by a domain certificate, so you usually want to create an extra wildcard certificate for them, by replying '*' to CN.

3 Create a Certificate Signing Request

To get a certificate from a CA you need a Certificate Signing Request, generated with your private key:

# certtool --generate-request --load-privkey private/localhost.key \
           --outfile private/localhost.csr

Then follow your CA instructions to create a certificate.

4 Installing the certificate

Save your certificate into '/etc/ssl/certs/localhost.crt' and tell applications to use it.

The certificate should be world-readable, so ownership and permissions should be root:root 644.

5 Tips

  • Generating cryptographic data needs a certain level of system randomness (on /dev/random). Programs usually tell you 'go do something else' meaning 'use your input devices intensively'. If you want to make this process faster, install 'haveged' from repos. It's a randomness generator!