Using Your Own Certificate Authority (CA)
In general, it is preferable to use a certificate that has been signed by a globally trusted root Certificate Authority (CA). There are many CAs that are trusted by all major browser and operating systems and that can be used to sign certificates for use with an https server.
If the system architecture makes using a globally trusted CA impractical, it is still possible to have client browsers and operating systems set up to trust a self-signed certificate and so avoid security errors or showing warnings to end users.
One way is to simply add the certificate to the trust store of the client browser or operating system; however this would need to be done for each certificate generated. A better approach is to create your own root Certificate Authority and use that to sign each server certificate.
To do this, an SSL certificate needs to be signed with your own Certificate Authority (CA) certificate and key, and the clients (browsers, operating systems) need to be told to trust the CA certificate. The instructions for adding a CA to a client vary according to the operating system or browser used.
Create a Certificate Authority
There are many ways to create Certificate Authority certificates; however, the OpenSSL toolkit is one of the easiest and most comprehensive. As the name suggests, OpenSSL is an open source toolkit for SSL/TLS; see the official website for details. You will need to download and install the OpenSSL product that suits your environment.
To create a CA follow these two steps:
- Generate a new key and certificate request.
- Self-sign the request to generate a CA certificate.
1. Generate new key and certificate request
This can be done in multiple steps, or by generating from an existing key file, but for simplicity a new key and new request can be generated in one command. This example shows how to create a request for a company named 'My Company'. Change this to something more appropriate for your organization:
- openssl req -new -sha256 -nodes -newkey rsa:4096 -subj "/O=My Company/CN=My Company Internal CA" -keyout MyCompanyCA.key -out MyCompanyCA.csr
2. Self-sign the request to generate a CA certificate
This step self-signs the CA certificate request, and makes the CA valid for 1 year (-days 365). Change 'MyCompany' to match the key and csr request generated in the previous step:
- openssl x509 -req -sha256 -in MyCompanyCA.csr -signkey MyCompanyCA.key -days 365 -out MyCompanyCA.crt
Create a server certificate and use the CA to sign it
Now that the MyCompanyCA.crt is generated, it can be used to sign your own certificates for a Cloud Server or WebEA.
First, as in the Self-Signed SSL Certificates Help topic, create a new certificate request. This example creates a new key and certificate request for a server named 'cloud.mycompany.com':
- openssl req -new -nodes -newkey rsa:4096 -subj "/CN=cloud.mycompany.com" -keyout cloud.mycompany.com.key -out cloud.mycompany.com.csr
Sign the new certificate request with the CA:
- openssl x509 -req -CA MyCompanyCA.crt -CAkey MyCompanyCA.key -CAcreateserial -sha256 -days 365 -in cloud.mycompany.com.csr -out cloud.mycompany.com.crt
The final step for use with a Pro Cloud Server is to concatenate the key and certificate into a 'server.pem' file:
- Windows: copy /b cloud.mycompany.com.crt+cloud.mycompany.com.key server.pem
- Linux: cat cloud.mycompany.com.crt cloud.mycompany.com.key > server.pem
For details on configuring the Pro Cloud Server to use this certificate, refer to the Using HTTPS (SSL) topic.
Allow clients to trust the root CA
The client operating system or browser now needs to have the CA certificate added to its list of trusted CAs. The instructions vary according to operating system and browser, but instructions for a few major clients are listed here. For all these steps the 'certificate' referred to is the 'MyCompanyCA.crt' generated in Step 2.
Client (Operating System, Browser)
Right-click the CA certificate file and select 'Install Certificate'. Follow the prompts to add the certificate to the trust store either for the current user only or for all users of the computer.
Linux - Ubuntu
Copy the CA certificate to /usr/local/share/ca-certificates
Update certificates with this command:
The output should show something similar to 'Adding debian:~/MyCompanyCA.pem'.
If using Wine, then close all Wine programs and restart Wine:
See Ubuntu Help for more information.
Firefox does not use the operating systems trust store, so the CA has to be added manually.
If the certificate has a '.pem' extension, then the simplest way is to drag-and-drop the CA certificate file onto Firefox; a prompt will ask you to trust the certificate.
Otherwise, manually add certificates and manage added certificates through Firefox's Privacy & Security preferences.
More information can be found on the Firefox wiki.
Chrome and Chromium do not use the operating system trust store, so the CA needs to be added manually.
Open Settings > Advanced > Manage Certificates > Authorities select 'Import'
Internet Explorer uses the Windows trust store, so adding the certificate to Windows (see the first entry in this table) is sufficient to add trust to the browser as well.
WebEA uses PHP/curl to communicate with a Pro Cloud model. If the connection between PHP and the Pro Cloud uses HTTPS, then the CA can be added to PHP's configuration to allow it to trust the certificate.
|Configuring WebEA to Trust Your Own Certificate Authority (CA)