Creating an Internal Root CA

Many times we use internal domains for test or beta environments, or perhaps just for internal or intranet services. SSL certs can be expensive, especially wildcard certs, so we let it slide... hitting that Chrome or Firefox "Just let me in, I know it's self signed!" button every time you visit a site. And while that works, even though it's annoying, it doesn't promote secure communications and best practices. If users get used to that, what happens when it really IS a man in the middle attack? What if you need to query those https endpoints programmatically... and don't always have an "Ignore the cert" option? There is a good way around this: create your own Root CA and use it to sign certs for your internal domains.

First, you start off by creating a Root CA key. Make it strong: we're going with 4096 bits here, no less.

# openssl genrsa -out exampleRootCA.key 4096
Generating RSA private key, 4096 bit long modulus
......................................................................................................................++
......................................................++
e is 65537 (0x10001)

Now that we have that, we'll need to make a valid cert with it.

# openssl req -x509 -new -nodes -key exampleRootCA.key -days 3560 -out exampleRootCA.pem -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Washington
Locality Name (eg, city) [Default City]:Walla Walla
Organization Name (eg, company) [Default Company Ltd]:ACME Media Solutions
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Systems
Email Address []:[email protected]

And export it to the right formats. The PEM is great for Firefox, the PFX for Chrome. Do what you need here, but it doesn't hurt to have wide support that you can distribute to your users. You'll need to specify a password for this, or you won't be able to import it in many browsers. Keep in mind that because -inkey is given here, the .pfx contains the CA's private key as well as the certificate: anyone who imports it and knows the password can sign certificates that your users will trust. Hand out only the .pem wherever you can, and keep the .pfx (and the .key) on the machine where the CA lives.

# openssl pkcs12 -export -out exampleRootCA.pfx -inkey exampleRootCA.key -in exampleRootCA.pem
Enter Export Password:
Verifying - Enter Export Password:

(Install the PFX into Chrome and the PEM into Firefox; the per-browser steps are at the end of this post.)

Now for the *.example.com cert that will be installed on the server side. First, make the server's key and a CSR from it the normal way.

# openssl genrsa -des3 -out star_example_com.pass.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for star_example_com.pass.key: <passcode>
Verifying - Enter pass phrase for star_example_com.pass.key: <passcode>

We remove the pass phrase with the following command (so the web server can start without prompting for it), and then create a Signing Request.

# openssl rsa -in star_example_com.pass.key -out star_example_com.key
# openssl req -new -key star_example_com.key -out star_example_com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Washington
Locality Name (eg, city) [Default City]:Walla Walla
Organization Name (eg, company) [Default Company Ltd]:ACME Media Solutions
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -in star_example_com.csr -CA exampleRootCA.pem -CAkey exampleRootCA.key -CAcreateserial -out star_example_com.crt -days 3560 -sha256
Signature ok
subject=/C=US/ST=Washington/L=Walla Walla/O=ACME Media Solutions/CN=*.example.com/[email protected]
Getting CA Private Key
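The whole procedure above, as an added example that is not part of the original post: a script that builds the root CA, the server key, the CSR and the signed wildcard cert non-interactively, and also gives the server cert a subjectAltName, which modern browsers require (Chrome has ignored the CN entirely since version 58). It assumes openssl is on PATH; the subject values are the constructed ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: the procedure above, run
# non-interactively, with one change: the wildcard cert gets a subjectAltName,
# because modern browsers ignore the CN and reject certs that have no SAN.
# Assumes openssl is in PATH; the DN values are the constructed ones used above.
set -eu

# Build a root CA and a *.example.com cert under the directory given as $1.
# Returns 0 when the leaf cert verifies against the root and carries the SAN.
make_internal_pki() {
    cd "$1" || return 1

    # Root CA: 4096-bit key and a self-signed cert (req -x509 applies the default
    # v3_ca extensions from openssl.cnf, so the cert is marked CA:TRUE).
    openssl genrsa -out exampleRootCA.key 4096 2>/dev/null
    openssl req -x509 -new -nodes -key exampleRootCA.key -sha256 -days 3560 \
        -subj "/C=US/ST=Washington/L=Walla Walla/O=ACME Media Solutions/CN=Systems" \
        -out exampleRootCA.pem

    # Server key without a passphrase (the post generates one and then strips it),
    # then a CSR for the wildcard name.
    openssl genrsa -out star_example_com.key 2048 2>/dev/null
    openssl req -new -key star_example_com.key \
        -subj "/C=US/ST=Washington/L=Walla Walla/O=ACME Media Solutions/CN=*.example.com" \
        -out star_example_com.csr

    # Leaf extensions: the SAN carries the names, CA:FALSE means a stolen server
    # key cannot be used to mint further certs, and the EKU limits it to TLS servers.
    cat > star_example_com.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.example.com,DNS:example.com
EOF
    # Sign with the root; 825 days is the longest lifetime Apple platforms accept
    # for a TLS server cert, so stay at or under it rather than the 3560 above.
    openssl x509 -req -in star_example_com.csr -CA exampleRootCA.pem \
        -CAkey exampleRootCA.key -CAcreateserial -days 825 -sha256 \
        -extfile star_example_com.ext -out star_example_com.crt 2>/dev/null

    # Check the chain the way a client would, and confirm the SAN really landed.
    openssl verify -CAfile exampleRootCA.pem star_example_com.crt >/dev/null &&
        openssl x509 -in star_example_com.crt -noout -text | grep -q 'DNS:\*.example.com'
}

# Usage: sh make_pki.sh /path/to/workdir
if [ $# -gt 0 ]; then
    make_internal_pki "$1" && echo "internal PKI created in $1"
fi
```

The resulting star_example_com.crt and star_example_com.key go on the server, and only exampleRootCA.pem needs to reach your users.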

To install the Root CA in your browser:

OSX

Use Spotlight to find "Keychain Access". Go to File->Import and you will be able to import your CA's pfx file. Once it's imported, you'll see it has a little red dot with an X. That means it's not trusted yet. You can then tell it to trust that certificate for the things you want to trust it for. This is a system-wide setting. Once set, Safari, Chrome, and anything else on the system that uses the Keychain properly will be able to trust that certificate.

Chrome

You can either use ⌘ + Shift and type "Keychain Access" [Enter], or, in Chrome, go to Hamburger Menu -> Settings -> Show Advanced Settings -> "HTTPS/SSL: Manage certificates..."

Once Keychain Access is up, go to "File" -> "Import Items...", select the frmad-ca cert file and click "Open". Next, go to "login" and you should see the frmad-DC1FRMDC2-CA cert. It'll be the one with the big red circle and white X on it. Double-click on it and it'll open up a window with info on that cert. Expand the "Trust" section and change "Use System Defaults" to "Always Trust". Upon closing it, you'll need your DE-ENT password (if that's what your machine syncs to; if not, you'll need your sudo password). Now it should have a little blue circle with a white plus.

Windows 10

Download the CA certificate.
Right-click it and choose Import/Install Certificate.
Choose either local machine or current user (depending on whether you have admin rights on the system).
Select the option "Place all certificates in the following store" and choose "Trusted Root Certification Authorities".
Click Next, then Finish. You should now get a "The import was successful" dialog.
There is potentially another confirmation dialog box that will open; say "Yes".
Reboot.

Firefox Users

Open Firefox.
Go to Settings/Options.
Go to Advanced and then the "Certificates" tab.
Select "View Certificates".
Go to the "Authorities" tab.
Click "Import" and select the file you downloaded.
Check all of the boxes and save.
Restart Firefox.