Roll Your Own Certificate Authority

Created my own certificate authority. Here are the notes.

First off, save time and tedium by using TinyCA. The dialog boxes have the appropriate defaults, and generally do the right thing. Otherwise, I find myself pecking out complicated openssl invocations, transcribed from the mod_ssl FAQ.

My VAIO Z505 is still kicking, running W2k and FC 4 Linux. I used the latter to host the certificate authority of The Engine Room, LLC. I installed TinyCA version 2 from the RPM. The RPM did not have the correct dependencies: I had to install it with --nodeps to get past a warning about perl-MIME-Base64, probably a typo, and then when I ran TinyCA for the first time, it was missing perl-gettext.

Once running, it builds a certificate authority in my home directory under ~/.TinyCA/. I’d rather it were somewhere I won’t forget it exists, but this directory appears to be hard-coded in the tinyca2 script.

I created a certificate authority for The Engine Room, LLC, and then created certificates for imap.engrm.com, engrm.com, and *.engrm.com. The wildcard certificate was an experiment. I’d run across the notion somewhere in my reading last week, and it is accepted by OS X Mail. I see now that proper certificate authorities will sign such a certificate for a goodly sum.
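Why both engrm.com and *.engrm.com were needed comes down to how clients match a wildcard name: a single '*' stands for exactly one whole leftmost label, so *.engrm.com covers imap.engrm.com but not the bare engrm.com, and not deeper names like a.b.engrm.com. The following is an added example (not code from the original post or from TinyCA) that implements that matching rule the way browsers and mail clients apply it, with a rejection of wildcards shorter than three labels; the certificate inventory CERTS is constructed for illustration.

```python
"""Which of the post's certificates would a client accept for a given host?

Added example: implements the common wildcard rule (RFC 6125 section 6.4.3
as clients apply it). CERTS is a constructed inventory, not exported data.
"""


def label_matches(pattern: str, label: str) -> bool:
    # A bare '*' matches any single non-empty label; otherwise labels must be equal.
    if pattern == "*":
        return bool(label)
    return pattern == label


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if cert_name (possibly a wildcard) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Label counts must agree: a wildcard never spans more than one label,
    # which is why '*.engrm.com' does not cover 'engrm.com' or 'a.b.engrm.com'.
    if len(cert_labels) != len(host_labels):
        return False
    if "*" in cert_name:
        # The wildcard must be the entire leftmost label, nothing like '*foo' or 'a.*.b'.
        if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
            return False
        # Clients reject wildcards with fewer than three labels ('*.com').
        if len(cert_labels) < 3:
            return False
    return all(label_matches(p, l) for p, l in zip(cert_labels, host_labels))


def covering_certs(certs: dict, hostname: str) -> list:
    """Labels of the certificates in {label: [subject names]} that cover hostname."""
    return sorted(label for label, subjects in certs.items()
                  if any(name_matches(s, hostname) for s in subjects))


# Constructed inventory: the three certificates the post describes.
CERTS = {
    "imap": ["imap.engrm.com"],
    "apex": ["engrm.com"],
    "wildcard": ["*.engrm.com"],
}

if __name__ == "__main__":
    for host in ["imap.engrm.com", "engrm.com", "www.engrm.com", "a.b.engrm.com"]:
        print(host, "->", covering_certs(CERTS, host) or "no certificate")
```

Run it as a script and it lists, for each host, the certificates a client would accept; a.b.engrm.com comes back with none, which is the case the wildcard experiment does not cover.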

I’m getting ahead of myself. Before I can use the certificates, I export them from TinyCA. When I export the server certificates, I export each once as a PEM certificate to a file named like imap.engrm.com.crt, and once as a PEM certificate with key and fingerprint to a file named like imap.engrm.com.key. The key will be password protected. I also exported the certificate authority certificate as PEM to a file named ca.engrm.com.crt, and once as DER to ca.engrm.com.der.

The certificates for Dovecot IMAP and Apache are kept under /etc/pki in Fedora Core 4 Linux. To avoid being prompted for the key’s passphrase at server startup, I decrypted it by running the following as root.

cp engrm.com.key engrm.com.key.org   # keep the passphrase-protected original
umask 377                             # new files are created read-only for the owner (0400)
openssl rsa -in engrm.com.key.org -out engrm.com.key   # rewrite the RSA key without the passphrase

The key must be set to chmod 400. The umask above will see that it is created with read-only permissions for the owner only. The keys are kept in their own directory, and that directory is readable only by root.
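Once the key has been decrypted and tightened to mode 400, it is worth having a check that can be rerun before every deploy, since a key that is still passphrase-protected will hang the server at startup and a key that is readable by others is a bigger problem. The following is an added example (not code from the original post) that audits a PEM key file for both conditions; the PEM contents it writes are constructed placeholder text, not a real key, and the file owner it expects defaults to root (uid 0) as in the post.

```python
"""Audit a decrypted server key as the post prepares it for Dovecot and Apache.

Added example: checks that the PEM is unencrypted and that the file is mode 0400
and owned by the expected user. PRIVATE_KEY_BODY is placeholder text, not a key.
"""
import os
import stat
import tempfile


def pem_is_encrypted(pem_text: str) -> bool:
    """Detect the two ways OpenSSL marks an encrypted PEM key: the legacy
    'Proc-Type: 4,ENCRYPTED' header on traditional RSA keys (what `openssl rsa`
    strips) and the PKCS#8 'ENCRYPTED PRIVATE KEY' block type."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


def key_file_problems(path: str, expected_mode: int = 0o400, expected_uid: int = 0) -> list:
    """Return a list of findings; an empty list means the key is ready to deploy."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"mode is {mode:04o}, expected {expected_mode:04o}")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    with open(path) as fh:
        text = fh.read()
    if pem_is_encrypted(text):
        problems.append("key is still passphrase-protected; server start will block on the prompt")
    if "PRIVATE KEY-----" not in text:
        problems.append("file does not look like a PEM private key")
    return problems


# Constructed sample PEM bodies (placeholder text, not real key material).
PRIVATE_KEY_BODY = "MIIBOgIBAAJBAK...placeholder-not-a-real-key...\n"
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                 + PRIVATE_KEY_BODY +
                 "-----END RSA PRIVATE KEY-----\n")
DECRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 + PRIVATE_KEY_BODY +
                 "-----END RSA PRIVATE KEY-----\n")


def demo() -> dict:
    """Write three constructed key files and audit each; returns {label: findings}.
    The files are owned by whoever runs this, so that uid is passed as expected."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "good": (DECRYPTED_PEM, 0o400),
            "still_encrypted": (ENCRYPTED_PEM, 0o400),
            "world_readable": (DECRYPTED_PEM, 0o644),
        }
        for label, (text, mode) in cases.items():
            path = os.path.join(d, label + ".key")
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[label] = key_file_problems(path, expected_uid=os.getuid())
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "ok")
```

Against a real deployment you would call key_file_problems("/etc/pki/.../engrm.com.key") as root with the defaults; demo() only exists to show the three outcomes on constructed files.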

Adding the CA certificate to the OS X keychain system is not well documented, but very easy. From bash I run the following command.

sudo certtool i ca.engrm.com.crt v k=/System/Library/Keychains/X509Anchors

I’m sure that the above command could be added to an Apple installer script of some sort.

I’ve also added the certificate authority to my authorities in Mozilla, by going through the preferences dialog.
