Prev Next

Add Trust with a Certificate Authority (CA)

In general, it is preferable to use a certificate that has been signed by a globally trusted root Certificate Authority (CA). There are many CAs that are trusted by all major browser and operating systems that can be used to sign certificates for use with a https server.

If the system architecture makes using a globally trusted CA impractical then it is still possible to have client browsers and operating systems set up to trust a self-signed certificate and avoid security errors or showing warnings to end users.

One way is to simply add the certificate to the trust store of the client browser or operating system, however this would need to be done for each certificate generated. A better approach is to create your own root Certificate Authority and use that to sign each server certificate.

To do this, a self-signed SSL certificate needs to be signed with your own Certificate Authority (CA) certificate and key. And the clients (browsers, operating systems) need to be told to trust the CA certificate. The instructions for adding a CA to a client vary by operating system or browser used.

Create a Certificate Authority

There are many ways to create CA certificates, however, the OpenSSL toolkit is one of the easiest and most comprehensive. As the name suggests, OpenSSL is an open source toolkit for SSL/TLS; see the official website for details. You will need to download and install the OpenSSL product that suits your environment.

To create a CA there are two steps:

  1. Generate new key and certificate request.
  2. Self-sign the request to generate a CA certificate.

1. Generate new key and certificate request

This can be done in multiple steps, or generated from an existing key file, but for simplicity a new key and new request can be generated in one command. The example below shows how to create a request for a company named 'My Company'. Change this to something more appropriate for your organisation:

  • openssl req -new -sha256 -nodes -newkey rsa:4096 -subj '/O=My Company/CN=My Company Internal CA' -keyout MyCompanyCA.key -out MyCompanyCA.csr

2. Self-sign the request to generate a CA certificate

This step self-signs the CA certificate request, and makes the CA valid for 1 year (-days 365). Change 'MyCompany' to match the key and csr request generated in the previous step:

  • openssl x509 -req -sha256 -in MyCompanyCA.csr -signkey MyCompanyCA.key -days 365 -out MyCompanyCA.crt

Create a server certificate and use the CA to sign it

Now that the MyCompanyCA.crt is generated, it can be used to sign your own certificates for a cloud server or WebEA.

First, similarly to Self-Signed SSL Certificates, create a new certificate request. The following example creates a new key and certificate request for a server named 'cloud.mycompany.com':

  • openssl req -new -nodes -newkey rsa:4096 -subj '/CN=cloud.mycompany.com' -keyout cloud.mycompany.com.key -out cloud.mycompany.com.csr

Sign the new certificate request with the CA:

  • openssl x509 -req -CA MyCompanyCA.crt -CAkey MyCompanyCA.key -CAcreateserial -sha256 -days 365 -in cloud.mycompany.com.csr -out cloud.mycompany.com.crt

The final step for use with a Pro Cloud Server is to concatenate the key and certificate into a 'server.pem' file:

  • Windows: copy /b cloud.mycompany.com.crt+cloud.mycompany.com.key server.pem
  • Linux: cat cloud.mycompany.com.crt cloud.mycompany.com.key > server.pem

Allow clients to trust the root CA

The client operating system or browser now needs to have the CA certificate added to its list of trusted CAs. The instructions vary by operating system and browser but instructions for a few major clients are listed below. For all these steps the 'certificate' referred to is the 'MyCompanyCA.crt' generated in Step 2 above:

Client (Operating System, Browser)

Instructions

See also

Microsoft Windows

Right click the CA certificate file and select 'Install Certificate'. Follow the prompts to add the certificate to the trust store either for the current user only or all users of the computer.

Linux - Ubuntu

Copy CA cetificate to /usr/local/share/ca-certificates

eg:

  • sudo cp ~/MyCompanyCA.crt /usr/local/share/ca-certificates/

Update certificates with the following command:

  • sudo update-ca-certificates

The output should show something similar to 'Adding debian:~/MyCompanyCA.pem'.

If using Wine then close all Wine programs and restart Wine:

  • wineserver -k

See Ubuntu Help for more information.

Firefox

Firefox does not use the operating systems trust store so the CA needs to be added manually.

If the certificate has a '.pem' extension, then the simplest way is to drag-and-drop the CA certificate file onto Firefox and a prompt will ask to trust the certificate.

Otherwise, manually add certificates and manage added certificates through Firefox's Privacy & Security preferences.

More information can be found on the Firefox wiki

Chrome/Chromium

Chrome & Chromium do not use the operating system trust store so the CA needs to be added manually.

Open Settings > Advanced > Manage Certificates > Authorities, and select Import.

Internet Explorer

Internet Explorer uses the Windows trust store so adding the certificate to Windows (see above) is sufficient to add trust to the browser as well.

WebEA

WebEA uses PHP/curl to communicate with a Pro Cloud model. If the connection between PHP and the Pro Cloud uses HTTPS, then the CA can be added to PHP's configuration to allow it to trust the certificate.

Advanced SSL