Sunday 10 March 2013

Creating your own custom Certificate Authority on OS X.


Before I go any further: this method is for local development only[^production] and is specific to OS X, so don't use it for production servers. Bear in mind that whoever gets hold of the CA's private key (demoCA/private/cakey.pem, protected only by the password you choose below) can mint certificates that every browser trusting this CA will accept without a murmur, so treat that file like any other secret.

Creating the CA

You use a handy little Perl script that ships with OS X in /System/Library/OpenSSL/misc/. It writes everything it creates into a demoCA directory under whatever directory you run it from, so cd into ~/etc/ssl first. The commands are below; don't type in the lines starting with a # - they're comments explaining what each command does -

 # make a folder for all things ssl related
 mkdir -p ~/etc/ssl
 # issue the command to create the CA - the script writes its output into ./demoCA under the current directory
 /System/Library/OpenSSL/misc/  -newca

You'll now be asked lots of questions; provide sensible answers and make sure you remember the password you're asked to enter - it encrypts the CA's private key, and you'll need it every time you sign a certificate. When you're asked for your Organisation Name, use something sensible like 'My Custom CA', and don't forget that the "common name" field is essential: if you leave it out you'll get a huge stinky error.

When you’re all done you should see something like this –

 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number:
             ae:c3:3d:b7:70:b5:7c:8a
         Validity
             Not Before: Mar 10 15:02:26 2013 GMT
             Not After : Mar  9 15:02:26 2016 GMT
         Subject:
             countryName               = GB
             stateOrProvinceName       = Some-State
             organizationName          = My Custom CA
             commonName                =
             emailAddress              =
         X509v3 extensions:
             X509v3 Subject Key Identifier:
                 1F:03:FC:6A:4D:4A:AC:F9:59:09:51:C0:E7:77:CB:11:A3:67:23:3C
             X509v3 Authority Key Identifier:
                 keyid:1F:03:FC:6A:4D:4A:AC:F9:59:09:51:C0:E7:77:CB:11:A3:67:23:3C
                 DirName:/C=GB/ST=Some-State/O=My Custom CA/
                 serial:AE:C3:3D:B7:70:B5:7C:8A

             X509v3 Basic Constraints:
                 CA:TRUE
 Certificate is to be certified until Mar  9 15:02:26 2016 GMT (1095 days)

 Write out database with 1 new entries
 Data Base Updated

Congrats, you've now created a CA whose certificate you can trust and whose key you can use to sign certificates.

However, before you can do that you need to get your machine to acknowledge the CA. For almost every app on OS X (including Chrome and Safari) this means getting the CA certificate into the Keychain; others, such as Firefox, keep their own certificate store, so for those you import it through the application's preferences.

Importing Into The Keychain

Open up a Finder window and locate the demoCA directory (it is inside the directory you ran the script from).

Now open up the Keychain Access app and drag cacert.pem from demoCA onto the login keychain.

Drag in the certificate

Now a dialog box should pop up, and you want to answer "Always Trust". You'll be prompted to enter your login password.

Trust the CA

Now when you click on the certificate you'll notice that it's marked as trusted for your account. (Only the System keychain applies to all users of the machine; the login keychain is yours alone.)

Now that it's trusted you can create and sign as many certificates as you want, and, as long as each certificate's common name matches the hostname you browse to, you'll get no warnings about untrusted certificates.
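The whole procedure above, scripted: this is an added example written for this page, not the post's own commands or the Perl script it uses. It drives plain openssl non-interactively to produce the same demoCA/private/cakey.pem and demoCA/cacert.pem layout, then runs the checks worth doing before you click "Always Trust" (CA:TRUE present, a commonName set, the key actually encrypted), and wraps the command-line equivalent of the Keychain drag-and-drop. It assumes openssl is on PATH and takes the passphrase from the CA_PASS environment variable; the directory layout, subject names and keychain path are my own choices.

```shell
#!/bin/sh
# Added example, not the original post's code: build a development CA with
# plain openssl, non-interactively, and sanity-check it before trusting it.
# Assumptions: openssl on PATH; passphrase in $CA_PASS; names below are mine.
set -eu

# OpenSSL config that fixes the subject and the CA extensions, so none of the
# interactive questions from the post come up. CN is filled in on purpose:
# a missing commonName is what produces the error the post warns about.
write_ca_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = ca_dn
x509_extensions    = v3_ca
prompt             = no

[ ca_dn ]
C  = GB
ST = Some-State
O  = My Custom CA
CN = My Custom CA Root

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# make_ca DIR: writes DIR/private/cakey.pem (passphrase-encrypted) and
# DIR/cacert.pem, a self-signed CA certificate valid for 1095 days like the
# one in the post. The passphrase comes from the CA_PASS environment variable
# so it never appears in the process list.
make_ca() {
    dir="$1"
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"
    write_ca_config "$dir/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 1095 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/private/cakey.pem" -passout env:CA_PASS \
        -out "$dir/cacert.pem"
    chmod 600 "$dir/private/cakey.pem"
}

# check_ca CERT: what to confirm before importing the certificate and marking
# it "Always Trust". Returns non-zero and says why if any check fails.
check_ca() {
    cert="$1"
    # 1. It really is a CA certificate (Basic Constraints CA:TRUE).
    case "$(openssl x509 -in "$cert" -noout -text)" in
        *CA:TRUE*) ;;
        *) echo "check_ca: no CA:TRUE basic constraint" >&2; return 1 ;;
    esac
    # 2. The subject carries a commonName (the field the post says is essential).
    openssl x509 -in "$cert" -noout -subject | grep -q 'CN *=' \
        || { echo "check_ca: subject has no commonName" >&2; return 1; }
    # 3. It is self-signed (verifies against itself) and currently valid.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "check_ca: certificate does not verify against itself" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "check_ca: certificate has expired" >&2; return 1; }
}

# key_is_encrypted KEYFILE: the CA key must be passphrase protected; anyone
# holding it in the clear can mint certificates your browsers will trust.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# trust_ca_on_macos CERT: command-line equivalent of dragging cacert.pem onto
# the login keychain and choosing "Always Trust" (this account only; use
# "sudo security add-trusted-cert -d ..." with the System keychain to trust
# it for every user). Keychain path is the pre-Sierra login.keychain name.
trust_ca_on_macos() {
    security add-trusted-cert -r trustRoot \
        -k "$HOME/Library/Keychains/login.keychain" "$1"
}

# Usage: CA_PASS='a long passphrase' sh make-ca.sh ~/etc/ssl/demoCA
if [ "$#" -eq 1 ]; then
    make_ca "$1"
    check_ca "$1/cacert.pem"
    key_is_encrypted "$1/private/cakey.pem" || { echo "CA key is not encrypted" >&2; exit 1; }
    echo "CA created: $1/cacert.pem is the certificate to import"
    if [ "$(uname)" = Darwin ]; then
        trust_ca_on_macos "$1/cacert.pem"
    fi
fi
```

Run it from the directory you want demoCA to live in, exactly as the post does with the Perl script; on anything other than OS X the keychain step is skipped and you import cacert.pem into whatever trust store your browser uses.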

Want to know how to create a certificate using your new custom CA?

[^production]: For production certs you can get a free Class 1 validated certificate from StartSSL (for personal sites only), or a Class 2 cert for business for $60, but StartSSL can be a pain to use, so if you value time over money, drop $150 on a Class 1 wildcard from AlphaSSL and get on with your life ; )