How to act as a Certificate Authority (the Easy Way)

Certificate (PKI) Management Tool

Are you concerned with recurring digital certificates fees or are you looking for a simple way to mass produce certificates for your embedded or IoT devices? This tutorial explains how to easily setup your own certificate authority by using a free tool we have developed!

The free certificate utility is an indispensable tool for administrators and a must-have for anyone that uses SSL Certificates for websites, servers, secure IoT device management, or Code Signing Certificates for trusted software.

As a provider of the World’s Smallest and Best-Performing SSL/TLS stack, Real Time Logic created this tool to specifically target our customer's pain points and make certificate management an easy task.

Certificate Management Tool

Download Ver. 5

See end of article for non Windows download options.

Why?

What is a well known CA

A certificate signed by a Certificate Authority (CA) that is trusted by the browser is visually displayed as trusted, usually by showing a padlock. A browser trusts the CA if the CA's public root certificate is installed in the browser and/or computer you are using. Browsers come with a set of pre-installed CA certificates and only trust sites signed by any of the pre-installed CA certificates. We will refer to the browser's pre-installed CA certificates as "well known Certificate Authorities". Examples include Comodo, GeoTrust, and Symantec.

When you must be your own CA or use the SharkTrust Service

The use of TLS enabled servers on private networks is problematic considering no well known Certificate Authority will sign IP addresses or non standard (private network) names. This leaves you with two options:

Benefits in being your own CA and using our free CA tool

Becoming a Certificate Authority (CA) simply means that you (or your customers) are in charge of the issuing process of cryptographic pairs of private keys and public certificates. With that said, anyone can literally become their own Certificate Authority and there are no implied restrictions or authorizations necessary.

There are no costs associated with being your own CA or for your customers to be their own CA.

You can find several tutorials on the internet that explain how to use the OpenSSL command line tool for setting up your own CA infrastructure. If you are new to X.509 certificate chain of trust, these tutorials will make your head spin. In addition, the OpenSSL command line tool is a bit cumbersome to use and gives difficult to understand error messages if you make mistakes.

To make it much easier to be your own CA, we created this free tool that wraps around OpenSSL and provides a graphical user interface to this command line tool. The application includes a wizard that makes it very easy to create a root CA and to create any number of certificates signed by the root CA. In other words, the application makes it very easy to create your own chain of trust. The application is self-contained, and you simply download the tool and run it on your computer.

The disadvantage of being your own CA

Being your own CA has the inconvenience that you must install your own CA root certificate in all clients (browsers/phones/tablets) that visit any of the servers with a certificate signed by your root CA. As we mentioned above, only well known CAs are installed in the browsers/computers. For this reason, being your own CA is mainly suitable for sites used by a small group of users and where IT personnel with an understanding of the certificate chain of trust are sufficiently trained in using our free PKI tool or their own PKI tools.

If you are a device manufacturer, you should consider embedding support for our SharkTrust service in your products as an even easier option for your customers. SharkTrust will greatly decrease your product's certificate management support burden, especially if your customers are non technical.

See the SharkTrust service for more information.

Free Certificate Authority Management Application (tool)

PKI

Although not required, it's good to have an understanding of Public Key Infrastructure (PKI) when using our free certificate management app. Check out our Certificate Management Tutorial if you want to get a better grasp on how PKI works.

The Certificate Management Application is a small web app that you download and run on your own computer. The app is currently available for Windows. See the end of the article if you are using another operating system such as Linux.

  1. Download the Certificate Management Application installer
  2. Start the installer and follow the instructions

The installer is a self extracting archive that extracts the necessary files and starts the web application on your computer.

Creating the Certificate Authority (CA) root certificate and private key

When you initially run the application, you will be asked to create the CA's certificate and private key. You can select a traditional RSA certificate or an Elliptic Curve certificate.

image

Elliptic Curve Cryptography (ECC) is a new technology and ECC certificates are much smaller than RSA certificates so you should select ECC if you plan on using the certificates in memory constrained devices or  setting up the certificate for a server that will communicate with memory constrained devices. A 224 bits ECC certificate is equally as strong as a 2048 bits RSA certificate. You should note that since ECC is a new technology, not all devices are able to process these new certificates. Our SharkSSL SSL/TLS stack is able to process both.

Selecting either RSA or ECC root certificates dictates how you create and sign certificates later on. Our Certificate Management Application, by design, does not let you create an ECC CA certificate and use this to sign an RSA certificate or vise versa. The complete chain will either be ECC or RSA.

image

The next step is to fill out the form for creating the CA certificate. Move your mouse over the help buttons for details about each field in the form.

Notice how we use "Real Time Logic Root Certificate" in the Common Name field. This field should have the domain name when creating and signing regular certificates, but the root CA certificate will not be used as a regular certificate so we use a more descriptive message in this field for the CA certificate.

You can create and sign certificates as soon as you have created the CA certificate and the CA's private key, but before doing so, install the CA certificate in your browser's and/or Windows' certificate store. The page you will see in your browser after clicking the "Create Key and Certificate" as shown in the figure to the left lets you download the CA certificate, which can then be installed. Your browser will not trust the certificates signed with your own CA certificate if it cannot find the CA certificate in its certificate store.

Creating, signing, and testing your first certificate

Click on the "Create Certificate" menu as soon as you have created the CA certificate and installed the CA root certificate as explained above. The form you fill in for creating and signing a certificate is the same form you used for creating your CA certificate. The difference is that the certificate you create now will be signed by using your root certificate.

image

For the following test, use the name "localhost" as the Common Name for your first certificate. You can use any name when creating and signing your own certificates, but the name localhost is the name of your local computer, that is, it is the address you type into a browser when accessing a server installed on the same computer.

Once you have created your first certificate, click on the Certificate Database (DB) menu. This page lists all the certificates you have created. When you move your mouse over a certificate, detailed information about the certificate is shown in a separate window as shown in the figure below.

image

To test the certificate, click on the certificate name. In our example, click "localhost". The page appearing after clicking on the certificate runs a script on the server and this script installs the certificate into a server listening object.

image

By clicking the URL on this page, you will be able to test your certificate. A new browser window opens and the browser should show a padlock to indicate that it trusts the certificate.

image

The above figure shows the Chrome browser trusting our certificate for "localhost". The figure also shows the certificate chain. You get to the certificate information dialog window in Chrome as follows: click the padlock, click "Connections", and then click "Certificate Information".

The cipher information shown on the page "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" shows that we use RSA and not ECC certificates, but that we use Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)key exchange algorithm. Although the certificate is an RSA certificate, the browser and the server agreed on using Elliptic Curve key exchange for the asymmetric encryption. Modern browsers favors ECDHE over plain RSA key exchange since ECDHE provides perfect forward secrecy (PFS). PFS makes sure that an observer recording the complete session will not be able to find the keys for the symmetric encryption AES should your private key at some time in the future be compromised.

Certificate Database Location

A certificate database is created for each CA certificate created. The databases are stored in the $HOME/.certmgr-db/ directory. For each CA certificate created, a subdirectory is created in .certmgr-db. These subdirectories contain the files associated with each CA database.

Each CA database directory contains the following:

  • ca.pem - the public Certificate Authority (CA) root certificate. This certificate must be installed by all clients connecting to servers signed with the CA certificate.
  • private - generated data that should be kept private, including the CA private key (ca.key).
  • keys-and-certs - All certificates created and signed with the CA certificate, including the certificates private key.
  • tmp - temporary data, including CSRs. A CSR is created during certificate creation. You may use the CSR if you wish to sign the created certificate using a well known certificate authority.

The Certificate Management Tool is internally using the OpenSSL command line tool for creating and managing the certificate databases. You may manage the databases using the command line tool if you are an OpenSSL expert.

To completely remove a database, simply delete the associated subdirectory in $HOME/.certmgr-db/

Creating, signing, and testing any certificate

You can create any number of certificates by using the procedures explained above. However, in order to quickly test a certificate with a name other than "localhost", a local DNS entry must be made in your hosts file. For example, say you create two certificates with the Common Names www.mycompany.com and MyHomeFridge. Clicking the link for these two hostnames on the certificate test page requires that you have added the two following entries to your hosts file:

127.0.0.1 www.mycompany.com
127.0.0.1 MyHomeFridge

Further reading:

IoT Security: Creating X.509 Chain of Trust

The Certificate Manager can also be used for creating certificates for an IoT solution. The following IoT Security video provides a practical example that you can follow and setup on your own computer for learning purposes. The comprehensive video tutorial guides you through the process of setting up secure and trusted communication.

The video shows how to create an Elliptic Curve Cryptography (ECC) certificate for the server, how to install the certificate in the server, and how to make the clients connecting to the server trust this certificate. The server in this video is installed on a private/personal computer on a private network for test purposes.


Running the certificate management app on non Windows computers

The certificate management app is included in the Mako Server tutorials. Download the Mako Server and use the included script to download the tutorials. After starting the Mako Server, navigate to http://localhost:portno/certmgr/

Posted in Whitepapers by bd