Hello everyone. Today I'm going to explain how to create a CA certificate of your own. This guide is written for Linux-based systems; if you don't have a Linux-based OS on your computer, please try it out in a virtual machine.

Important! This is quite different from a real-world deployment: here you play the client, the server and the CA, all on one machine. Hope you'll enjoy this.

Prerequisite

OpenSSL

Step 01

Download caserver.zip to your desktop.

Step 02

cd ~/Desktop

Unzip caserver.zip file into Desktop.

unzip caserver.zip

Step 03 – Create CA

Now you’re going to create your own CA. Sounds good! Let’s try it.

./createCA.sh

Give a pass phrase to protect the CA's private key. Only the private key is encrypted with it; the public key and the CA certificate are not secret.

Important! OpenSSL refuses pass phrases shorter than 4 characters, but don't stop there: a weak pass phrase means anyone who copies the key file can sign certificates as your CA.

This caserver.zip was provided by my ISS lecturer for our assignment, so I didn't change its content. You can fill in those fields with your own details as you wish, or leave them with the default values.

Important! You cannot leave the Common Name field blank, and the same goes for the Email Address field. Enter a working email address; the Common Name identifies the CA and is what you'll see in the browser's certificate viewer later.

If you get output like this at the end, well done!

Step 04 – Web-server

This step creates the server's private key and a certificate for it, signed by the CA you just created.

./createHostCert.sh

I gave the same email address for my convenience.

The challenge password is an optional attribute (challengePassword) stored inside the certificate signing request; it does not by itself prove anything about the key, and it can be left empty. What proves that whoever sent the public key also holds the matching private key is the signature on the request, which OpenSSL produces with that private key.

Hope you remember the pass phrase you entered for the CA in Step 03: you need it here, because the server's certificate is signed with the CA's private key.

Well, you’re done with the server-side.

Step 05 – Client

./createUserCert.sh

This step creates your own (client) private key and certificate, signed by the same CA, and packs both into the usr.pfx file. This PFX bundle holds your private key together with your public-key certificate.

Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys. – ssl.com

This Export Password will be needed when you import usr.pfx into the browser.

This password is different from the pass phrase. Whenever a step asks for the pass phrase, enter the one you set at the very beginning for the CA key; whenever it asks for the Export Password, that is the new one you choose here for the PFX file.

Very well, you're done. It's time to import this into the browser.

Step 06 – Import the certificate to browser

Go to your caserver directory and click on usr.pfx.

Important! Now you have to enter your “Export Password” here.

Then click the “Import” button.

Important! If it asks for permission, enter your root password.

Press OK. And it’s done!

Now let's see what the certificate looks like.

Step 07 – Browser view

Open the "Customize and control" menu in your Chromium browser, then go to Settings > Advanced settings.

Click “Manage certificates“.

Click the "Import" button, select your usr.pfx file, enter your Export Password and press Enter. Now you're done!

Click “View” to view your certificate.

This is what I got. Cheers!

I wanted to explain how to do these steps correctly, and I have emphasized the common mistakes we make under the "Important!" label. This is not what really happens: there must be more than one party. In this case there would be three parties on three different machines. Just practice how to do this without making any mistakes.

I made mistakes and learned from them, and I wrote this post so that you can carry out your steps accurately 🙂

I’m planning to explain what really happens here in my next blog post. Stay secured! 🙂