Roll your own certificates

I host a bunch of Internet services. Some, like this site, are for public use but most are intended for personal use. And since I want to keep them personal, security is important.

Most Internet applications can be secured by SSL certificates. This includes HTTPS access for web sites, IMAPS instead of IMAP, and encrypted access to Subversion repositories. The list goes on.

For a number of years I have been creating my own certificates with the help of OpenSSL. Much can be said about OpenSSL but it is not exactly point-and-click. I created a few scripts to assist me but still I found myself looking through the documentation whenever I needed to create a new certificate or renew an existing one.

To solve this I have now created the attached Bash script, which wraps OpenSSL to set up a two-level certificate hierarchy. The result is a menu-driven, text-based application that will no doubt save me time in the future. Perhaps it can help you too.

I use this to create certificates to be used by Apache, Subversion, Postfix, Dovecot, Microsoft IIS, Microsoft Exchange and a few others.

There are some limitations to this. The hierarchy will be two levels deep, not more and not less. In other words you will get a root certificate authority and one or more subordinate certificate authorities. User certificates will be signed by one of the subordinate CAs. Also, while it supports subject alternative names it only does so for DNS names (I only needed that for Exchange 2007 support). For real-world certificate authorities the certificate signing requests (CSRs) are created outside the certificate authority. Since I will be handling everything myself I have set it up so that CSRs are created inside this application. For that reason it is imperative to keep access to the CA folder structure secure so that the private keys are not compromised.
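To show what the two-level layout described above amounts to in raw OpenSSL calls, here is an added example (not the attached `ca` script): a root CA signs one subordinate CA, which in turn signs a user certificate carrying a DNS subject alternative name. It assumes `openssl` is on the PATH and uses constructed names (`Example Root CA`, `Example Sub CA`, the `mail.example.test` DNS name).

```shell
#!/bin/sh
# Constructed example of a two-level OpenSSL hierarchy; not the post's 'ca' script.
set -eu

# build_hierarchy DIR DNSNAME: creates root CA, subordinate CA and one leaf in DIR.
build_hierarchy() (
    mkdir -p "$1" && cd "$1"
    leaf_dns=$2

    # Level 1: self-signed root CA (kept offline in real use).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

    # Level 2: subordinate CA. pathlen:0 lets it sign leaves but no further CAs,
    # which is exactly the "two levels, not more" constraint of the hierarchy.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile sub.ext -out sub.crt 2>/dev/null

    # Leaf: CSR made locally (as the post's script does), signed by the sub CA,
    # with a DNS-only subject alternative name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$leaf_dns" -keyout leaf.key -out leaf.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$leaf_dns" > leaf.ext
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 365 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

    # Chain as a server would present it: leaf first, then the intermediate.
    cat leaf.crt sub.crt > chain.pem
)

# verify_chain DIR: returns 0 when the leaf validates to the root via the sub CA.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# has_dns_san DIR DNSNAME: returns 0 when the leaf carries that DNS SAN.
has_dns_san() {
    openssl x509 -in "$1/leaf.crt" -noout -text | grep -q "DNS:$2"
}
```

Only `root.crt` needs to be imported into clients as trusted; the server must serve `chain.pem` so that the subordinate CA certificate travels with the leaf.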

To use this script just download and extract the attached file. Inside the folder which will be created there will be two files. The file ‘ca’ is the Bash script and the other is a template configuration file. Run the script from within the folder. Certificates will be available in the folder ‘all’ and backups of the certificate hierarchy will be placed in the folder ‘backup’. For more help, please comment.

The script has been verified on Ubuntu 9.04 and Mac OS X 10.5. I don’t think there are any dependencies that aren’t already met by standard OS installations.

Download: ca_v1.tar.gz