Create your own Certificate Authority with TinyCA
If you run any sort of server that is accessible by the public, you know the importance of certificate authorities (CAs). These certificates give your users a bit of insurance that your site is actually what it claims to be and not a spoofed version of your site waiting to either snag some data or drop a small payload onto an unsuspecting users's machine.
The problem with CAs is that they can be a bit costly - especially for the administrator running a free service, or even a small business without the budget for purchasing CAs. Fortunately you don't have to shell out the money for CAs, because you can create them for free on your Linux machine with an easy to use application called TinyCA.
- Create as many CAs and sub-CAs as you need.
- Creation and revocation of x509 S/MIME certificates.
- PKCS#10 requests can be imported and signed.
- Both server and client CAs can be exported in multiple formats.
TinyCA works as a user-friendly front-end for openssl, so you don't have to issue all of the necessary commands to create and manage your CAs.
You won't find TinyCA in your distribution's repositories. You can either add the necessary repository to your /etc/apt/sources.list file or you can install from one of the binaries found on the main page. Let's use Ubuntu and Debian as an example for installation.
If you want to install using apt-get you will need to first add the repository file to your sources.list file. So open up the /etc/apt/sources.list file with your favorite editor and add the following line:
deb http://ftp.de.debian.org/debian sid main
NOTE: Replace "sid" with the version you are using. If you are using Ubuntu 9.04 the example above will work.
Now run the command:
sudo apt-get update
You will notice that apt-get complains about the lack of a gpg key. That's okay because we are going to install using the command line. Now issue the command:
sudo apt-get install tinyca
This should install TinyCA without complaint. You might have to okay the installation of some dependencies.
To run TinyCA issue the command tinyca2 and the main window will open. Upon your first run you will be greeted by the Create CA window (see Figure 1). When you already have CAs this window will not open automatically. In this window you will create a new CA.
The information you have to enter should be fairly apparent as well as unique to your needs. After you fill out the information click OK which will open up a new window (see Figure 2). This new window will contain configurations that are passed onto SSL during the creation of the certificate. Like the first window, these configurations will be unique to your needs.
After you fill this information out click the OK button and the CA will be created. Depending on the speed of your machine, the process could take a bit of time. Most likely the process will be completed within 30-60 seconds.
Managing your CAs
When your CA is complete you will be taken back to the management window (see Figure 3). In this window you can create SubCAs for your main CA, you can import CAs, open CAs, create new CAs, and (most importantly) export CAs. You can't see the Export button in Figure 3, but if you were to click the down arrow on the upper right portion of the window you would see another button you can click to export a CA.
Of course you have just created a Root Certificate. This certificate will only be used for:
- create new sub-CA:s
- revoke sub-CA:s
- renew sub-CA:s
- export the root-CA:s certificate
For anything other than the above you would want to create a SubCA. We'll discuss creating a SubCA that can actually be used for your website in the next article.
TinyCA takes a lot of work out of the creation and management of certificate authorities. For anyone that manages more than one web site or server, this tool is certainly a must have.Advertisement