Using XCA to Create Private SSL Certificates


Preface

This article details using the XCA software package (a GUI for creating and managing SSL certificates, available for at least Linux, Windows and macOS) to create private SSL certificates for enabling end-to-end SSL on non-public servers (e.g. where Let’s Encrypt / Certbot don’t make sense or are not an option).

Obtain XCA

Launch XCA

  • The usual way for your OS (e.g. on Windows, from the ‘Start’ menu; on GNOME on Linux, click on the XCA icon in your ‘Applications’ screen, etc.).
  • This will open a window prompting for a database. If this is to be a new certificate store (e.g. the first time using XCA, or you want a separate store for new certificates) you should create one; otherwise select an existing database and enter the password for it.

Create a Self-Signed CA (Certificate Authority)

NB Any application that will be using SSL to access a server using a certificate signed by this private CA will need to be told to trust the private CA. This varies with application, so where I use this in other articles, I provide instructions for the particular application in use.

  1. main window with ‘New Certificate’ circled

    Click on ‘New Certificate’ or press ‘Alt-N’

  2. screenshot of XCA new certificate dialogue with default CA circled

    Near the bottom of the dialogue, under ‘Template for new certificate’, select ‘[default] CA’

  3. new certificate dialogue with 'Apply all' circled

    Click on ‘Apply all’

  4. new certificate dialogue 'Subject' tab with example information entered

    Select the Subject tab and fill in the information as appropriate

  5. new certificate dialogue subject tab with 'Generate a new key' circled

    Click on ‘Generate a new key’

  6. new certificate dialogue subject tab with 'OK' circled

    Click ‘OK’ or press ‘Alt-O’

Export the CA certificate (its public key, .crt)

  1. main screen with CA circled

    Select the CA

  2. main screen with 'Export' button circled

    Click ‘Export’ button

  3. export dialogue with filename and path circled

    Choose where to export the CA certificate (its filename and location). Later we’ll assume you called the file ‘ca-private.example.com.crt’ and you know where to find it. This file contains only the certificate (public key); the CA’s private key stays in the XCA database, which is where it should remain.

  4. dialogue with OK button circled

    Click the ‘OK’ button

Create a server certificate and private key

  1. main screen with CA circled

    Select the CA

  2. main window with ‘New Certificate’ circled

    Click on ‘New Certificate’ or press ‘Alt-N’

  3. new certificate dialogue with an existing CA selected to use as the certificate for signing

    Make sure ‘Use this Certificate for signing’ is set to your CA

  4. new certificate with TLS server template selected and circled (and an existing CA selected to use for signing)

    In the ‘Template for new certificate’ drop down, select ‘[default] TLS_server’

  5. new certificate dialogue with 'Apply all' circled when TLS template is selected, and with an existing CA selected for use

    Click the ‘Apply all’ button

  6. new certificate dialogue for a server certificate, with subject fields filled in

    Select the Subject tab and fill in the information as appropriate. Note that the CN (common name) should be the primary DNS name of your server (e.g. server.example.com).

  7. certificate dialogue subject tab for a server certificate, with 'Generate a new key' circled

    Click ‘Generate a new key’ or press ‘Alt-G’

  8. new certificate dialogue extensions tab with SAN (Subject Alternative Name) edit button circled

    Select the Extensions tab, and select ‘Edit’ beside X509v3 Subject Alternative Name

  9. x509v3 SAN (Subject Alternative Name) dialogue with an example DNS entry

    Click ‘Add’ and add each DNS name or IP address, besides the CN (common name), by which the server will be reached. With ‘Copy Common Name’ checked the CN is included in the SAN automatically; if there are no other names or addresses, leave the dialogue with only ‘Copy Common Name’ checked and no additional entries. Note that current browsers ignore the CN when matching the host name and consult only the SAN, so the CN must end up here (via ‘Copy Common Name’ or an explicit DNS entry) or the certificate will be rejected.

  10. Repeat ‘Add’ in this dialogue for every name (DNS) or IP address by which the server will be accessed using SSL. An IP address must be added as an IP entry, not as a DNS entry. If there are none besides the CN (Common Name), none need be added.
  11. x509v3 SAN dialogue with 'Validate' button circled

    Select ‘Validate’. If there are issues, fix them.

  12. SAN dialogue with 'Apply' button circled

    Click ‘Apply’

  13. new certificate dialogue for server certificate with 'OK' circled

    Select ‘OK’

Export the server certificate and private key

Export the Server Certificate

  1. main dialogue with a CA-signed server certificate selected

    Select the new certificate (you will have to expand your CA in the list first, e.g. by double-clicking on it)

  2. Select ‘Export’ and then use the same steps (with a different filename, e.g. ‘server.example.com.crt’) as when exporting the CA certificate above

Export the Server Private Key

  1. main screen with 'Private Keys' selected and circled and a private key circled

    Select ‘Private Keys’ tab and select the private key associated with the certificate above

  2. private keys tab with 'Export' circled

    Click on ‘Export’ button

  3. export private key dialogue with filename circled

    Choose where to export (filename) (later we’ll assume ‘private-server.example.com.pem’)

  4. private key export dialogue with PEM private circled

    Select ‘PEM private’ (NB this writes the private key unencrypted; protect this file, restrict its permissions once it is in place on the server so that only the service that needs it can read it, and securely erase any other copies)

  5. export private key dialogue with 'OK' button circled

    Click ‘OK’ button
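The whole procedure above (private CA, CA-signed server certificate with a SAN, exported PEM files), together with the checks worth running on the exported files before they are copied to a server, as an added command-line example that is not part of the original article and does not use XCA: it drives openssl directly. It assumes openssl 1.1.1 or later on the PATH, and every hostname, IP address and filename in it is made up to match the placeholders used in the article. The files it produces are the same kind XCA exports, so the check function can equally be pointed at XCA’s output.

```shell
#!/bin/sh
# Added example, not part of the original article: openssl equivalent of the
# XCA steps (private CA, CA-signed server cert with SAN, PEM exports) plus
# the checks to run on the exported files. Assumes openssl >= 1.1.1.
# All names, addresses and filenames are constructed placeholders.

# make_private_ca DIR : self-signed CA, like the '[default] CA' template.
# Writes DIR/ca-private.example.com.crt (certificate) and .key (private key).
make_private_ca() {
  dir=$1
  mkdir -p "$dir"
  # Minimal config so this does not depend on the system openssl.cnf
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Private Net/CN=Private CA example.com" \
    -keyout "$dir/ca-private.example.com.key" \
    -out "$dir/ca-private.example.com.crt" 2>/dev/null \
  && chmod 600 "$dir/ca-private.example.com.key"
}

# issue_server_cert DIR NAME [EXTRA_SANS] : key + CSR + CA-signed certificate,
# like the '[default] TLS_server' template. NAME becomes the CN and the first
# SAN entry; EXTRA_SANS is a comma-separated list such as
# "DNS:server,IP:192.0.2.10". Writes DIR/NAME.crt and DIR/private-NAME.pem.
issue_server_cert() {
  dir=$1; name=$2; extra=${3:-}
  sans="DNS:$name${extra:+,$extra}"
  cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = $sans
EOF
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" -keyout "$dir/private-$name.pem" \
    -out "$dir/$name.csr" 2>/dev/null \
  && chmod 600 "$dir/private-$name.pem" \
  && openssl x509 -req -in "$dir/$name.csr" -sha256 -days 825 \
    -CA "$dir/ca-private.example.com.crt" -CAkey "$dir/ca-private.example.com.key" \
    -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  # 825 days: some clients (e.g. Apple platforms) reject longer-lived server certs
}

# check_server_cert CA_CRT CRT KEY NAME... : true only if CRT chains to CA_CRT,
# KEY is the matching private key with owner-only permissions, and every NAME
# (e.g. DNS:server.example.com or "IP Address:192.0.2.10") appears in the SAN.
check_server_cert() {
  ca=$1; crt=$2; key=$3; shift 3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "does not chain to $ca" >&2; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  [ -n "$(find "$key" -perm 600)" ] \
    || { echo "key file is not mode 600: $key" >&2; return 1; }
  san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null)
  for n in "$@"; do
    case "$san" in *"$n"*) ;; *) echo "missing from SAN: $n" >&2; return 1 ;; esac
  done
}

# Demo run in a scratch directory (constructed names, not real hosts)
work=$(mktemp -d)
make_private_ca "$work"
issue_server_cert "$work" server.example.com "DNS:server,IP:192.0.2.10"
check_server_cert "$work/ca-private.example.com.crt" "$work/server.example.com.crt" \
  "$work/private-server.example.com.pem" \
  DNS:server.example.com DNS:server "IP Address:192.0.2.10" \
  && echo "ready to deploy: $work/server.example.com.crt and private-server.example.com.pem"
```

To check files exported from XCA rather than generated here, call check_server_cert with the CA certificate, the server certificate and the ‘PEM private’ key file in that order, followed by every name the server will be reached by; it fails, with a reason on stderr, if the chain does not verify, the key belongs to a different certificate, the key file is readable by others, or a name is missing from the SAN.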

Copy the Exported Files to Your Server and/or Clients

  • You will need to copy at least the server private key and certificate to your server (details are application dependent, so for articles on this site they are covered in the article for the application).
  • Clients will need the CA certificate and may need per-application configuration to use it. As with the server certificate and key, for articles on this site the details are covered in the article for the application.

Prepare Your User Clients to Use SSL To the Server

NB This is for certificates for web servers, Git servers, etc. where a desktop user will need to access the server via SSL.

  • Because we are using a private CA, your browser and other desktop clients need to be told to trust the private CA.
  1. On any Debian/Ubuntu workstation that needs to trust the private CA, copy the CA certificate (e.g. ca-private.example.com.crt) to /usr/local/share/ca-certificates and run update-ca-certificates as root. The file must be PEM-encoded and its name must end in .crt, otherwise update-ca-certificates ignores it. This covers tools that use the system bundle (curl, wget, git, etc.) but not Firefox, which keeps its own trust store.
  2. Also, on any Debian/Ubuntu workstation on which Firefox needs to access the server:
    sudo mkdir -p /etc/firefox/policies
    sudoedit /etc/firefox/policies/policies.json

    In policies.json add:

    {
        "policies": {
            "Certificates": {
                "Install": [
                    "/usr/local/share/ca-certificates/ca-private.example.com.crt"
                ]
            }
        }
    }

  3. On any Windows workstation that needs to trust the private CA,
    1. Install the private CA into the system certificate store
      1. Windows 10 install certificate dialogue

        Double-click on ca-private.example.com.crt, select ‘Install certificate’ and click ‘OK’

      2. Select 'Local Machine' in install certificate wizard

        For ‘Store Location’ select ‘Local Machine’ and click ‘Next’. You may be prompted for your administrative credentials.

      3. Selection of location to install certificate in the install certificate wizard

        Select ‘Place all certificates in the following store’ and click ‘Browse…’

      4. Selection of which system-wide store to use in the install certificate wizard

        Select ‘Trusted Root Certification Authorities’ and click ‘OK’

      5. Confirmation page for install certificate wizard

        Confirm the details presented and click ‘Finish’

    2. For making the CA available to recent Firefox system-wide:
      1. Create a directory called C:\ProgramData\FirefoxCertificates
      2. Copy ca-private.example.com.crt to C:\ProgramData\FirefoxCertificates
      3. Create a directory called distribution in C:\Program Files\Mozilla Firefox, and in the distribution directory add a file called policies.json containing (note that backslashes must be doubled inside JSON strings):
        {
            "policies": {
                "Certificates": {
                    "Install": [
                        "C:\\ProgramData\\FirefoxCertificates\\ca-private.example.com.crt"
                    ]
                }
            }
        }

      Alternatively, since the CA is now in the Windows ‘Trusted Root Certification Authorities’ store, the Firefox ImportEnterpriseRoots certificate policy (or the security.enterprise_roots.enabled preference) makes Firefox trust it from there without a copy of the file.

    See also Mozilla’s GitHub repository of policy templates.
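The Debian/Ubuntu client side of the procedure above, as an added example that is not part of the original article: it sanity-checks the CA file before installing it (the .crt extension and PEM encoding that update-ca-certificates requires, and that the certificate really is a CA), installs it under a root prefix so the step can be dry-run in a scratch directory, writes the Firefox policies.json, and finally performs the check that matters, a real handshake against the server using the system bundle. It assumes openssl 1.1.1 or later and the Debian-style ca-certificates layout; the names and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: Debian/Ubuntu client trust setup as
# checkable functions. Assumes openssl >= 1.1.1 and Debian's ca-certificates
# layout. ROOT is a prefix (default /) so install_ca can be dry-run.

# ca_file_ok FILE : FILE is PEM, carries basicConstraints CA:TRUE, and is
# named *.crt (update-ca-certificates silently ignores anything else)
ca_file_ok() {
  f=$1
  case "$f" in *.crt) ;; *) echo "rename to .crt: $f" >&2; return 1 ;; esac
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
    || { echo "not PEM (convert with openssl x509 -inform DER): $f" >&2; return 1; }
  openssl x509 -in "$f" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "no CA:TRUE basicConstraints, clients will not accept it as a root: $f" >&2; return 1; }
}

# install_ca FILE [ROOT] : copy into the local trust directory and, for the
# real root, rebuild /etc/ssl/certs/ca-certificates.crt (needs root privileges)
install_ca() {
  f=$1; root=${2:-/}
  ca_file_ok "$f" || return 1
  dest="${root%/}/usr/local/share/ca-certificates"
  mkdir -p "$dest" && cp "$f" "$dest/" && chmod 644 "$dest/$(basename "$f")" || return 1
  [ "$root" != / ] || update-ca-certificates
}

# firefox_policy CERT_PATH OUTFILE : write the policies.json that makes Firefox
# load the CA (on Linux OUTFILE is /etc/firefox/policies/policies.json; the
# path is written verbatim, so this is for POSIX paths without backslashes)
firefox_policy() {
  mkdir -p "$(dirname "$2")" && printf '{\n  "policies": {\n    "Certificates": {\n      "Install": [ "%s" ]\n    }\n  }\n}\n' "$1" > "$2"
}

# trusted_by BUNDLE CRT : CRT chains to an anchor in BUNDLE
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# live_check HOST [PORT] : full handshake against the running server using the
# system bundle; succeeds only if the chain verifies and HOST matches the SAN
live_check() {
  host=$1; port=${2:-443}
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
      -verify_hostname "$host" -CAfile /etc/ssl/certs/ca-certificates.crt 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}
```

On a real workstation the sequence is install_ca ca-private.example.com.crt (as root), firefox_policy /usr/local/share/ca-certificates/ca-private.example.com.crt /etc/firefox/policies/policies.json, then live_check server.example.com once the server is up; a failing live_check with a passing trusted_by almost always means the name used to reach the server is missing from the certificate’s SAN.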
