Create your certificate authority. With this root CA you can issue and validate other certificates.
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
This will create two files:
The rootCA.crt is the root certificate used to validate other certificates; install this certificate on your clients.
The rootCA.key is the matching private key. Keep this file safe and don't lose it!
This step shows how to install the certificate on Windows-based machines.
You can provide the rootCA.crt to all your clients, for example as a download.
Then simply double-click the rootCA.crt file and click
Now you can issue certificates for your company services.
Create the following script as createCertificate.sh or something similar:
#!/bin/bash
# Usage: ./createCertificate.sh <domain>
# Issues a server certificate for <domain>, signed by rootCA.crt/rootCA.key
# in the current directory.
set -eu
if [ $# -ne 1 ]; then
  echo "usage: $0 <domain>" >&2
  exit 1
fi
DOMAIN=$1
# create key
openssl genrsa -out "${DOMAIN}.key" 2048
# create signing request (a subjectAltName is required; browsers ignore the CN)
openssl req -new -sha256 -key "${DOMAIN}.key" -subj "/C=US/ST=NY/L=NYC/O=MyOrg Inc./CN=${DOMAIN}" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${DOMAIN}")) -out "${DOMAIN}.csr"
# create cert signed by the root CA (the SAN is given again: x509 -req does not copy it from the CSR)
openssl x509 -req -in "${DOMAIN}.csr" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out "${DOMAIN}.crt" -days 500 -sha256 -extfile <(printf "subjectAltName=DNS:${DOMAIN}")
# bundle: server certificate followed by the root CA certificate
cat "${DOMAIN}.crt" rootCA.crt > "${DOMAIN}.bundle.crt"
and make it executable:
chmod +x createCertificate.sh
You can create a certificate for intranet.mycompany.org with the following command:
./createCertificate.sh intranet.mycompany.org
The script will create the following files:
intranet.mycompany.org.key: private key
intranet.mycompany.org.csr: certificate signing request (used during creation of the certificate)
intranet.mycompany.org.crt: certificate for your domain
intranet.mycompany.org.bundle.crt: the certificate chain (including the root CA certificate)
Firefox does not use the Windows trust store, but its own one from Mozilla. To enable Firefox to use the CA, the following setting has to be made on every single client PC.
In Firefox, type about:config and set the following property:
security.enterprise_roots.enabled=true
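To confirm that a certificate produced by createCertificate.sh will actually be accepted, the following added script (not part of the original page) runs the same openssl steps unattended and then performs the checks a client does: key and certificate match, the chain leads to rootCA.crt, and the hostname is present in subjectAltName. The CA subject, the directory layout and the yes/no SAN switch are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the page): unattended CA setup, issuance and the
# checks a client performs. File names follow createCertificate.sh.
set -eu

# make_ca DIR: self-signed root like the page's rootCA commands, but with no
# passphrase (-des3) so it runs unattended. Subject values are constructed.
make_ca() {
  openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/rootCA.key" -sha256 -days 1024 \
    -subj "/O=MyOrg Inc./CN=MyOrg Root CA" -out "$1/rootCA.crt"
}

# issue_cert DIR DOMAIN [yes|no]: leaf cert signed by the root in DIR;
# "no" omits the SAN extension to reproduce a CN-only certificate.
issue_cert() {
  local dir=$1 domain=$2 san=${3:-yes}
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/$domain.key" \
    -subj "/C=US/ST=NY/L=NYC/O=MyOrg Inc./CN=$domain" -out "$dir/$domain.csr"
  if [ "$san" = yes ]; then
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/$domain.ext"
    set -- -extfile "$dir/$domain.ext"
  else
    set --
  fi
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/rootCA.crt" \
    -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 "$@" \
    -out "$dir/$domain.crt" 2>/dev/null
  cat "$dir/$domain.crt" "$dir/rootCA.crt" > "$dir/$domain.bundle.crt"
}

# check_cert DIR DOMAIN: key matches cert, cert chains to rootCA.crt, and the
# name is in subjectAltName (browsers ignore the CN; openssl verify does not).
check_cert() {
  local dir=$1 domain=$2 san
  [ "$(openssl pkey -in "$dir/$domain.key" -pubout)" = \
    "$(openssl x509 -in "$dir/$domain.crt" -noout -pubkey)" ] || return 1
  openssl verify -CAfile "$dir/rootCA.crt" -verify_hostname "$domain" \
    "$dir/$domain.crt" >/dev/null 2>&1 || return 1
  san=$(openssl x509 -in "$dir/$domain.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' || true)
  case "$san" in *"DNS:$domain"*) return 0 ;; *) return 1 ;; esac
}

# usage: ./checkCertificate.sh intranet.mycompany.org (files in current dir)
if [ $# -eq 1 ]; then
  check_cert . "$1" && echo "$1: key, chain and SAN OK" || { echo "$1: FAILED"; exit 1; }
fi
```

Run it with the domain name in the directory that holds the files from createCertificate.sh; a certificate issued without the SAN extension fails the last check even though openssl verify alone would accept it.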