Create your own Certificate Authority with TinyCA

Jack Wallen
Sep 16, 2009
Updated • Feb 13, 2018
Linux
|
8

If you run any sort of server that is accessible by the public, you know the importance of certificate authorities (CAs). These certificates give your users a bit of insurance that your site is actually what it claims to be and not a spoofed version of your site waiting to either snag some data or drop a small payload onto an unsuspecting users's machine.

The problem with CAs is that they can be a bit costly - especially for the administrator running a free service, or even a small business without the budget for purchasing CAs. Fortunately you don't have to shell out the money for CAs, because you can create them for free on your Linux machine with an easy to use application called TinyCA.

Features

  • Create as many CAs and sub-CAs as you need.
  • Creation and revocation of x509 S/MIME certificates.
  • PKCS#10 requests can be imported and signed.
  • Both server and client CAs can be exported in multiple formats.

TinyCA works as a user-friendly front-end for openssl, so you don't have to issue all of the necessary commands to create and manage your CAs.

Installing TinyCA

You won't find TinyCA in your distribution's repositories. You can either add the necessary repository to your /etc/apt/sources.list file or you can install from one of the binaries found on the main page. Let's use Ubuntu and Debian as an example for installation.

If you want to install using apt-get you will need to first add the repository file to your sources.list file.  So open up the /etc/apt/sources.list file with your favorite editor and add the following line:
deb http://ftp.de.debian.org/debian sid main

NOTE: Replace "sid" with the version you are using. If you are using Ubuntu 9.04 the example above will work.

Now run the command:

sudo apt-get update

You will notice that apt-get complains about the lack of a gpg key. That's okay because we are going to install using the command line. Now issue the command:

sudo apt-get install tinyca

This should install TinyCA without complaint. You might have to okay the installation of some dependencies.

Using TinyCA

Figure 1
Figure 1

To run TinyCA issue the command tinyca2 and the main window will open. Upon your first run you will be greeted by the Create CA window (see Figure 1). When you already have CAs this window will not open automatically. In this window you will create a new CA.

Figure 2
Figure 2

The information you have to enter should be fairly apparent as well as unique to your needs. After you fill out the information click OK which will open up a new window (see Figure 2). This new window will contain configurations that are passed onto SSL during the creation of the certificate. Like the first window, these configurations will be unique to your needs.

After you fill this information out click the OK button and the CA will be created. Depending on the speed of your machine, the process could take a bit of time. Most likely the process will be completed within 30-60 seconds.

Managing your CAs

Figure 3
Figure 3

When your CA is complete you will be taken back to the management window (see Figure 3). In this window you can create SubCAs for your main CA, you can import CAs, open CAs, create new CAs, and (most importantly) export CAs. You can't see the Export button in Figure 3, but if you were to click the down arrow on the upper right portion of the window you would see another button you can click to export a CA.

Of course you have just created a Root Certificate. This certificate will only be used for:

  • create new sub-CA:s
  • revoke sub-CA:s
  • renew sub-CA:s
  • export the root-CA:s certificate

For anything other than the above you would want to create a SubCA. We'll discuss creating a SubCA that can actually be used for your website in the next article.

Final thoughts

TinyCA takes a lot of work out of the creation and management of certificate authorities. For anyone that manages more than one web site or server, this tool is certainly a must have.

Summary
Create your own Certificate Authority with TinyCA
Article Name
Create your own Certificate Authority with TinyCA
Description
You don't have to shell out the money for CAs, because you can create them for free on your Linux machine with an easy to use application called TinyCA.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Luc said on September 26, 2021 at 11:20 pm
    Reply

    “We’ll discuss creating a SubCA that can actually be used for your website in the next article.”

    And here we are, 12 years later. Of course, that “next article” never happened. That is an extremely common occurrence in technical blogs. Whenever you see those dreadful words, “in the next article,” you can bet your house that “the next article” will never happen.

  2. Martin said on March 15, 2010 at 1:09 pm
    Reply

    The screen shot in Figure 3 shows the toolbar with icons and also text. My TinyCA shows only icons. There seems to be nothing in preferences (or in the config file) to control this. How do you get the text? As this is something I don’t use frequently, text to supplement the icons would be helpful!

  3. CA 4 Win said on September 17, 2009 at 7:55 pm
    Reply

    Thanks, great info.
    How about a free CA apps running on windows, is there any?

    1. wegi said on October 14, 2009 at 9:26 pm
      Reply

      Yes there is XCA which offers a similar functionality on windows an MAC AFAIK.

  4. jack said on September 17, 2009 at 1:47 pm
    Reply

    Mr Biggz: That depends. With CAs you can actually create signed certificates that act like gpg keys. For very small sites you can hand out those keys to certain people and only those people could get to the site.

    otherwise it’s a matter of making sure you look at a certificate for a site and judging if the information is valid.

  5. Mr. Biggz said on September 17, 2009 at 6:20 am
    Reply

    You mention that certificates are used in preventing spoofing, wouldn’t this just make the problem worse now that anyone could make one on their own for free?

  6. dr2web said on September 17, 2009 at 12:07 am
    Reply

    thx jack ^^
    SystemRescueCD 1.3.0 Has Linux Kernel 2.6.31
    XFCE 4.6.1 and Firefox 3.5.2 are also included
    SystemRescueCD, the popular data-recovery and system-administration Linux distribution, has just been updated. Version 1.3.0 brings the latest and greatest, stable Linux kernel, 2.6.31, along with btrfs-progs 1.41.9, thus incorporating support for the new Btrfs file system, which has been undergoing development since 2007.
    http://www.dr2web.info/2009/09/systemrescuecd-130-has-linux-kernel.html

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.