Create a CA signed certificate (for dummies, on Mac OS)

If you develop websites, you may need to provide an HTTPS connection.
Usually you would use a self-signed certificate. Google is full of websites that explain how to do that: http://www.google.com/#q=self+signed+certificate
In some cases it may be useful to have a certificate signed by a Certificate Authority: you can add this Certificate Authority's certificate, which carries its public key, to your keychain, and your browser will then behave exactly as if you were using a “real”, properly signed certificate.
We will see here how to create a Certificate Authority and use it to sign a certificate on Mac OS X.
This article is based on this one: http://www.systemx.fr/linux/openssl/openssl-p.html.

  1. First, check that openssl is installed:
    $ which openssl
    /opt/local/bin/openssl

  2. Then have a look at the openssl.cnf file, which defines the parameters. We will use the Mac OS default parameters except for the dir one:
    $ sudo vim /opt/local/etc/openssl/openssl.cnf
    dir = .
    Then create a new folder and change directory to it.

  3. Create some useful folders and files:
    mkdir newcerts
    mkdir certs
    mkdir req
    mkdir private
    echo "01" > serial
    touch index.txt

  4. Create your Certificate Authority:
    openssl req -new -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacert.pem -days 3650

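  5. Create the private key and the certificate request:
    sudo openssl req -new -nodes -newkey rsa:2048 -keyout private/kwrd.key -out req/kwrd.req -days 1095
    Use a 2048-bit key, as for the CA; 1024-bit RSA is too weak today. The -days option is ignored when creating a request (it only applies together with -x509); the validity period is set when the CA signs the request in the next step.
    The commonName should be the domain name of your server, such as www.my-company.com.lb. Note that you can use a wildcard such as *.my-company.com.lb so that your certificate can be used for different sub-domains.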

  6. Sign your certificate with the Certificate Authority:
    sudo openssl ca -policy policy_anything -out certs/kwrd.pem -in req/kwrd.req
    Now you should see these files:

    [Screenshot: Certificate files]

  7. Install your certificate on your web server. On Apache it will look like this:
    SSLCertificateFile /etc/ssl/certs/kwrd.pem
    SSLCertificateKeyFile /etc/ssl/private/kwrd.key

  8. On the client computers, add the CA certificate cacert.pem (the CA's public key) to the keychain.

    [Screenshot: Certificate Authority certificate]

Et voilà!
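Current browsers match the host name against the subjectAltName extension rather than commonName, so a certificate signed as in step 6 with only a commonName may still be refused. The script below is an added example, not part of the original article: it runs steps 3 to 6 non-interactively with a SAN section and then checks the result against the CA. It assumes OpenSSL 1.1.1 or later; ca.cnf, server_ext, example.test and "Example Dev CA" are constructed names, and ca.cnf is a minimal stand-in for the edited openssl.cnf.

```shell
# Added example; example.test and "Example Dev CA" are constructed names.
# build_demo_pki DIR: run steps 3-6 of the article non-interactively inside DIR.
build_demo_pki() (
  cd "$1" || exit 1
  mkdir -p newcerts certs req private && echo 01 > serial && : > index.txt || exit 1
  # Minimal stand-in for openssl.cnf (quoted heredoc keeps $dir literal).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.test, DNS:*.example.test
EOF
  # Step 4: CA certificate (-nodes only so this demo needs no passphrase prompt;
  # protect a real CA key). Step 5: 2048-bit key and request. Step 6: sign the
  # request, attaching the SAN list from [ server_ext ].
  openssl req -new -x509 -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Example Dev CA" -keyout private/cakey.pem -out cacert.pem -days 3650 &&
  openssl req -new -nodes -newkey rsa:2048 -config ca.cnf \
    -subj "/CN=www.example.test" -keyout private/kwrd.key -out req/kwrd.req &&
  openssl ca -batch -config ca.cnf -policy policy_anything -extensions server_ext \
    -out certs/kwrd.pem -in req/kwrd.req
)

# verify_host DIR NAME: succeeds only if the chain validates against the CA
# in DIR and NAME matches one of the certificate's SAN entries.
verify_host() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/certs/kwrd.pem"
}

demo=$(mktemp -d) && build_demo_pki "$demo" && verify_host "$demo" api.example.test
```

The host name www.example.test appears only in the subject here, yet api.example.test verifies because the wildcard SAN entry covers it; a name outside the SAN list fails with a hostname mismatch.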

[Edit] You can find here The Cheapest SSL Certificates (And Whether You Should Use Them).

About the Author

Benjamin Bellamy

Paris, Beirut, NYC & Agen // e-commerce, social media, open-source & geek // follow me on twitter: @benjaminbellamy.