Root Certificate for Intranet

By | 15 June 2021

If you need an SSL/TLS certificate for an intranet site or your local development server, you can create a self-signed SSL/TLS certificate and trust this certificate in the client browsers. But if you need multiple certificates for multiple domain names in your intranet, a better way to do it is to become your own certificate authority (CA). To do this, you create a root certificate and then use this certificate to generate and sign multiple certificates. By doing this you only need to trust the root certificate once and all the other certificates signed using this root certificate will automatically be trusted.

Below are the steps to create the root certificate and then use it to sign other certificates.

Requirement: openssl (see the OpenSSL documentation for details of the commands and options used below).

Creating the Root Certificate

Step 1. Generate a private key for the CA. The command below outputs a file named rootCA.key. Protect this key carefully: anyone who holds it can issue certificates that every client trusting your root will accept.

openssl genrsa -aes256 -out rootCA.key 2048

You will be prompted to enter a passphrase for the private key. The output will look something like this:

Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for rootCA.key:
Verifying - Enter pass phrase for rootCA.key:

Step 2. Generate a self-signed root certificate using the key above. The command below outputs a file named rootCA.pem, which is the root certificate; it expires in 10 years (3652 days).

openssl req -x509 -new -key rootCA.key -sha256 -days 3652 -out rootCA.pem

You will be asked for the passphrase of the private key and for the Distinguished Name (DN) fields that will be placed in the root certificate.

Enter pass phrase for rootCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JimmySie Online
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:JimmySie Online
Email Address []:[email protected]

Creating CA-signed Certificates

Step 3. Create a private key. This step is similar to step 1, but this time the private key is for the domain the certificate is for, e.g. site1.jimmysie.com. The following command outputs a file named site1.jimmysie.com.key.

openssl genrsa -aes256 -out site1.jimmysie.com.key 2048

You will be prompted to enter a passphrase for the private key.

Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for site1.jimmysie.com.key:
Verifying - Enter pass phrase for site1.jimmysie.com.key:

Step 4. Generate a Certificate Signing Request (CSR). The following command will output a file named site1.jimmysie.com.csr.

openssl req -new -key site1.jimmysie.com.key -out site1.jimmysie.com.csr

You will be prompted for the passphrase of the private key and for the same DN questions as in step 2; the Common Name should be the domain the certificate is for. You can leave the challenge password empty. It is normally used by a public CA to verify the certificate owner before revoking a certificate. If you do enter a challenge password, keep it in a secure place, since you will need it if you ever need to reinstall the certificate.

Enter pass phrase for site1.jimmysie.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:Singapore
Locality Name (eg, city) []:Singapore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JimmySie Online
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:site1.jimmysie.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 5. Create an X.509 v3 extension file to be used when generating the certificate in step 6. Create a file named site1.jimmysie.com.ext with the following content. The subjectAltName entry is what browsers match against the host name, so it must list the domain, and basicConstraints=CA:FALSE ensures this certificate cannot itself be used to sign further certificates.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = site1.jimmysie.com

Step 6. Sign the CSR with the root CA key to generate the certificate file named site1.jimmysie.com.pem. In this case, the certificate will be valid for one year (365 days). The -CAcreateserial option creates a serial-number file (rootCA.srl) next to rootCA.pem on the first run; keep it, as later runs reuse it so that no two certificates get the same serial number.

openssl x509 -req \
-in site1.jimmysie.com.csr \
-CA rootCA.pem -CAkey rootCA.key \
-sha256 -CAcreateserial \
-days 365 -extfile site1.jimmysie.com.ext \
-out site1.jimmysie.com.pem

You can repeat steps 3 to 6 to generate more certificates for different domain names.
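The whole procedure, steps 1 to 6, as one shell script with the verification a practitioner runs before deploying the result. This is an added example, not code from the original post. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the subject fields, the output directory and the extra www. name are placeholders chosen for the example. It differs from the post in three labelled ways: the keys are written unencrypted (protected by owner-only file permissions) so the script can run unattended, the root certificate's extensions are spelled out in a small config file instead of coming from the system openssl.cnf, and extendedKeyUsage=serverAuth is added to the extension file.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 to 6 as shell functions,
# followed by the verification a practitioner runs before deploying the result.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH. Subject fields, the
# output directory and the extra "www." name are placeholders for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Steps 1 and 2: CA key and self-signed root certificate (10 years).
# The post encrypts its keys with -aes256 and a passphrase; this script writes
# them unencrypted so it can run unattended and protects them with umask 077
# (owner-only files) instead. The root's extensions are spelled out in a small
# config file rather than taken from the system openssl.cnf.
make_root_ca() {
  umask 077
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = SG
ST = Singapore
L = Singapore
O = Example Intranet
CN = Example Intranet Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$WORKDIR/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/rootCA.key" -sha256 -days 3652 \
    -config "$WORKDIR/ca.cnf" -out "$WORKDIR/rootCA.pem"
}

# Steps 3 to 6 for one domain. Any extra arguments become additional SAN
# entries (DNS.2, DNS.3, ...), which the post's single DNS.1 line does not show.
issue_cert() {
  domain="$1"; shift
  umask 077
  # Step 3: key. Step 4: CSR, with the DN given on the command line instead of
  # interactively; the CN is the domain, as in the post.
  openssl genrsa -out "$WORKDIR/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$domain.key" -config "$WORKDIR/ca.cnf" \
    -subj "/C=SG/ST=Singapore/L=Singapore/O=Example Intranet/CN=$domain" \
    -out "$WORKDIR/$domain.csr"
  # Step 5: the extension file. extendedKeyUsage=serverAuth is added on top of
  # the post's lines so the certificate is explicitly a TLS server certificate.
  {
    echo "authorityKeyIdentifier=keyid,issuer"
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    i=1
    for name in "$domain" "$@"; do
      echo "DNS.$i = $name"
      i=$((i + 1))
    done
  } > "$WORKDIR/$domain.ext"
  # Step 6: sign the CSR with the root CA, valid for one year.
  openssl x509 -req -in "$WORKDIR/$domain.csr" \
    -CA "$WORKDIR/rootCA.pem" -CAkey "$WORKDIR/rootCA.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$WORKDIR/$domain.ext" \
    -out "$WORKDIR/$domain.pem" 2>/dev/null
}

# Check before deploying: the leaf must chain to the root, and its SAN must
# contain the requested name (modern browsers match the SAN, not the CN).
verify_cert() {
  domain="$1"
  openssl verify -CAfile "$WORKDIR/rootCA.pem" "$WORKDIR/$domain.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$WORKDIR/$domain.pem" -noout -text | grep -q "DNS:$domain"
}

# Run directly with "run" as the argument to build the CA, issue one
# certificate and verify it.
if [ "${1:-}" = "run" ]; then
  make_root_ca
  issue_cert site1.jimmysie.com www.site1.jimmysie.com
  verify_cert site1.jimmysie.com && echo "OK: $WORKDIR/site1.jimmysie.com.pem chains to rootCA.pem"
fi
```

Run it as `sh issue.sh run` (or set WORKDIR first to choose where the files land). The verify_cert step is the part worth keeping in any real pipeline: a certificate that signs fine but lacks the host name in its SAN, or that does not chain to the root the clients trust, only shows up as a browser warning after deployment.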

Installing the Root Certificate

In order for the certificates generated in steps 3 to 6 to be trusted by the client machines, you need to install the root certificate (rootCA.pem) as a trusted root certification authority. This can be done individually on each client machine, or, if your intranet uses Active Directory, you can use Group Policy to distribute the CA certificate. On a Mac, you can import the root certificate into the Keychain Access app and set its trust to “Always Trust”.

Note that the standard (non-Enterprise) version of Firefox does not automatically trust the system’s CA certificates. You can either add the certificate to Firefox’s own CA store, or ask Firefox to trust the system CA certificates by going to the about:config page and setting this option to true:

security.enterprise_roots.enabled

After you have installed the root certificate on the client devices, any certificate signed with that root certificate will be trusted by those devices automatically. In the example above, you can use site1.jimmysie.com.pem (together with its private key) for your web server, email server or any other server application that needs a certificate, and the client devices will trust it.
