Wild Tech Garden

Using XCA to create private SSL certificates

May 12, 2021 by Daniel F Dickinson5 minutes

This article details using the XCA GUI for creating private SSL certificates for enabling end-to-end SSL on non-public servers.

Preface

This article details using the XCA (available for at least Linux, Windows, and MacOS for creating and managing SSL certificates) software package (it is a GUI) for creating private SSL certificates for enabling end-to-end SSL on non-public servers (e.g. where Let’s Encrypt / Certbot don’t make sense or are not an option).

Obtain XCA

Launch XCA

  • The usual way for your OS (e.g. on Windows, from the ‘Start’ Menu, on GNOME on Linux, click on the XCA icon in you ‘Applications’ screen, etc).
  • This will open a window prompting for a database. If this is is to be a new certificate store (e.g. the first time using XCA or you want a separate store for new certificates) you should create one, otherwise select an existing database and enter the password for it.

Create a self-signed CA (Certificate Authority)

NB Any application that will be using SSL to access a server using a certificate signed by this private CA will need to be told to trust the private CA. This varies with application, so where I use this in other articles, I provide instructions for the particular application in use.

  1. Main window with 'New Certificate circled
    Click on 'New Certificate' or press 'Alt-N'
  2. Screenshot of XCA new certificate dialogue with default CA circled
    Near the bottom of the dialogue, under 'Template for new certificate', select '[default] CA'
  3. New certificate dialogue with 'Apply all' circled
    Click on 'Apply all'
  4. New certificate dialogue 'Subject' tab with example information entered
    Select the Subject tab and fill in the information as appropriate
  5. New certificate dialogue subject tab with 'Generate a new key' circled
    Click on Generate a new key'
  6. New certificate dialogue subject tab with 'OK' circled
    Click 'OK' or press 'Alt-O'

Export the CA’s public key (.crt)

  1. Main screen with CA circled
    Select the CA
  2. Main screen with 'Export' button circled
    Click 'Export' button
  3. Export dialogue with filename and path circled
    Choose where to export CA (choose it's filename and location) (later we'll assume you called the file 'ca-private-net.crt' and you know where to find it)
  4. Dialogue with OK button circled
    Click the 'OK' button

Create a server certificate and private key

  1. Main screen with CA circled
    Select the CA
  2. Click on 'New Certificate' or press 'Alt-N'
    Click on 'New Certificate' or press 'Alt-N'
  3. New certificate dialogue with an existing CA selected to use as the certificate for signing
    Make sure 'Use this Certificate for signing' is set to your CA
  4. New certificate with TLS server template selected and circled (and an existing CA selected to use for signing)
    In the 'Template for new certificate' drop down, select '[default] TLS_server'
  5. New certificate dialogue with 'Apply all' circled when TLS template is selected, and with an existing CA selected for use
    Click 'Apply all' button
  6. New certificate dialogue for a server certificate, with subject fields filled in
    Select the Subject tab and fill in the information as appropriate. Note that the CN (common name) should be the primary DNS name of your server.
  7. Certificate dialogue subject tab for a server certificate, with 'Generate a new key' circled
    Click on Generate a new key'
  8. New certificate dialogue extensions tab with SAN (Subject Alternative Name) edit button circled
    Select the Extensions tab, and select 'Edit' beside X509v3 Subject Alternative Name
  9. x509v3 SAN (Subject Alternative Name) dialogue with an example DNS entry
    Select add and add a DNS name or IP besides the CN (common name). If there are no alternative names or IP addresses to be used, this can be left with only 'Copy Common Name' checked and no additional entries.

  10. Repeat ‘Add’ in this dialogue for every name (DNS) or IP by which the server will be accessed using SSL. If there none besides the CN (Common Name) , then none need to be added.

  11. x509v SAN dialogue with 'Validate' button circled
    Select 'Validate'. If there are issues, fix them.
  12. SAN dialogue with 'Apply' button circled
    Click 'Apply'
  13. New certificate dialogue for server certificate with 'OK' circled
    Select 'OK'

Export the server certificate and private key

Export the server certificate

  1. Main dialogue with a CA-signed server certificate selected
    Select the new certificate (you will have to double-click on your CA first)
  2. Select, ‘Export’ and then use the same steps (with different names) as in Export the CA’s Public Key (.crt)

Export the server private key

  1. Main screen with 'Private Keys' selected and circled and a private key circled
    Select 'Private Keys' tab and select the private key associated with the certificate above
  2. Private keys tab with 'Export' circled
    Click on 'Export' button
  3. Export private key dialogue with filename circled
    Choose where to export (filename) (later we'll assume 'private-server.example.com.pem')
  4. Private key export dialogue with PEM private circled
    Select 'PEM private' (NB protect this file as it contains important security information; preferably securely erase any copies once it is in the needed location on the server)
  5. Export private key dialogue with 'OK' button circled
    Click 'OK' button

Copy the exported files to your server and/or clients

  • You will need to copy the at least the server private key and certificate to you server (details are application dependent so for articles on this site will be covered in the article for the application).
  • Clients will need the CA certificate and possibly need to per-app configuration to use it. As with the server certificate and key, for articles on this site the details will be covered in the article for the application).

Prepare your user clients to use SSL to the server

NB This is for certificates for web servers, git server, etc where a desktop user will need to access the server via SSL.

  • Because we are using a private CA your browser and other desktop clients need to be told to trust the private CA.

  1. On any Debian/Ubuntu workstation that needs to access the private CA, copy the private CA certificate (e.g. ca-private.example.com) to /usr/local/share/ca-certificates and execute update-ca-certificates

  2. Also on any Debian/Ubuntu workstation for which Firefox needs to access the server:

    mkdir -p /etc/firefox/policies
sudoedit /etc/firefox/policies/policies.json

    Note: Even when the main Firefox is an ESR release and uses /etc/firefox-esr, for adding policies (like installing certificates) it is necessary to use /etc/firefox/policies/policies.json.

    In policies.json add:

    {
  "policies": {
    "Certificates": {
      "Install": [
        "/usr/local/share/ca-certificates/ca-private.example.com.crt"
      ]
    }
  }
}

  3. On any Windows workstation that needs to access the private CA,

    1. Install the private CA into the system certificate store

      1. Windows 10 install certificate dialogue
        Open install certificate dialogue
      2. Install certificate wizard 'Store Location' dialogue
        Select 'Local Machine' in install certificate wizard, then 'Next'
      3. Certificate store selection in install certificate wizard
        Select location to install certificate
      4. Dialogue for selection of system-wide store
        Select which system-wide store to use
      5. Confirmation page for install certificate wizard
        View confirmation of certificate addition and click 'Finish'

    2. For making the CA available for recent Firefox system-wide:

      1. Create a directory called C:\\ProgramData\\FirefoxCertificates
      2. Copy ca-private.example.com.crt to C:\\ProgramData\\FirefoxCertificates
      3. Create a directory called distribution in C:\\Program Files\\Mozilla Firefox, and in the distribution directory add a file called policies.json containing:
      {
  "policies": {
    "Certificates": {
        "Install": [
            "C:\\ProgramData\\FirefoxCertificates\\ca-private.example.com.crt"
        ]
    }
  }
}

    See Also Mozilla’s Github Repository for Policy Templates

linux sysadmin-devops

Related posts

Pi Unbound: The gift of DoT

Keeping your DNS queries from your local network to public DNS servers private in transit by using DNS over TLS on a Raspberry Pi is ridiculously easy.

December 20, 2021 by Daniel F Dickinson7 minutes

Gitea Pi

This article describes setting up a Raspberry Pi Model B+ as a private Gitea (lightweight Git hosting) server.

May 16, 2021 by Daniel F Dickinson10 minutes