Generar su propia CA (Autoridad Certificadora)

Completa esta sección si quieres crear una CA (Autoridad Certificadora), y firmar un

certificado de servidor en ella. Los pasos para hacer un certificado de servidor también
están incluidos aquí.

Aquí, tomarás el lugar de VeriSign, Thawte, etc. Primero, crearás la clave de la CA, Y
luego harás el certificado como tal.

Los Common Name (CN) de la CA y los Certificados de servidor NO deben coincidir o si

no ocurrirá una colisión de nombres y tendrás errores luego. En este paso, proveerás las
entradas del CA. En un paso siguiente, proveerás las entradas del servidor. En este
ejemplo, he agregado “CA” al campo CN del CA, para distinguirlo del campo CN del
servidor. Usa sin embargo, el esquema que quieras, sólo asegúrate de que las entradas
del Servidor y el CA, no son idénticas.

CA:
Common Name (CN): www.somesite.edu CA
Organización (O): Somesite
Unidad Organizacional (OU): Desarrollo

Servidor:
Common Name (CN): www.somesite.edu
Organización (O): Somesite
Unidad Organizacional (OU): Desarrollo

Si no tienes un FQDN (Fully Qualified Domain Name), deberías usar la IP del sitio al
cual ingresarás vía SSL para el Common Name (CN). Pero, de nuevo, asegúrate de que
algo diferencia la entrada CN de la CA, del CN del Servidor.

openssl genrsa -des3 -out ca.key 4096

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate a server key and request for signing (csr).

This step creates a server key, and a request that you want it signed (the .csr file) by a
Certificate Authority (the one you just created in Step #1B above.)

Think carefully when inputting a Common Name (CN) as you generate the .csr file below.
This should match the DNS name, or the IP address you specify in your Apache
configuration. If they don't match, client browsers will get a "domain mismatch" message
when going to your https web server. If you're doing this for home use, and you don't have
a static IP or DNS name, you might not even want worry about the message (but you sure
will need to worry if this is a production/public server). For example, you could match it to
an internal and static IP you use behind your router, so that you'll never get the "domain
mismatch" message if you're accessing the computer on your home LAN, but will always
get that message when accessing it elsewhere. Your call -- is your IP stable, do you want
to repeat these steps every time your IP changes, do you have a DNS name, do you
mainly use it inside your home or LAN, or outside?
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr

Sign the certificate signing request (csr) with the self-created Certificate Authority
(CA) that you made earlier.

Note that 365 days is used here. After a year you'll need to do this again.

Note also that I set the serial number of the signed server certificate to "01". Each time you
do this, especially if you do this before a previously-signed certificate expires, you'll need
to change the serial key to something else -- otherwise everyone who's visited your site
with a cached version of your certificate will get a browser warning message to the effect
that your certificate signing authority has screwed up -- they've signed a new key/request,
but kept the old serial number. There are a couple ways to rectify that. crl's (certificate
revocation list) is one method, but beyond the scope of the document. Another method is
for all clients which have stored the CA certificate to go into their settings and delete the
old one manually. But for the purposes of this document, we'll just avoid the problem. (If
you're a sysadmin of a production system and your server.key is compromised, you'll
certainly need to worry.)

The command below does a number of things. It takes your signing request (csr) and
makes a one-year valid signed server certificate (crt) out of it. In doing so, we need to tell it
which Certificate Authority (CA) to use, which CA key to use, and which Server key to sign.
We set the serial number to 01, and output the signed key in the file named server.crt. If
you do this again after people have visited your site and trusted your CA (storing it in their
browser), you might want to use 02 for the next serial number, and so on. You might
create some scheme to make the serial number more "official" in appearance or makeup
but keep in mind that it is fully exposed to the public in their web browsers, so it offers no
additional security in itself.

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out
server.crt

To examine the components if you're curious:

openssl rsa -noout -text -in server.key

openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

How to create your own code signing

certificate and sign an ActiveX
component in Windows
All feedback and comments should be directed to support@versinique.com
Problem Overview
Users can not install an ActiveX component because it is not signed. They can not
override the security settings of Internet Explorer to allow installation.

Usual solution is to obtain a code signing certificate from a CA like Verisign or

Thawte, but this is overkill for internal networks or small scale applications

Solution Overview
This article describes how to do the following:

 Create Root CA certificate using OpenSSL

 Create Intermediate Certificate using OpenSSL
 Create Personal Code-Signing Certificate using OpenSSL
 Install Root certificate in Windows KeyStore using Internet Explorer
 Install Intermediate Certificate in Windows KeyStore using Internet
Explorer
 Install Personal Certificate using Windows KeyStore using Internet Explorer
 Sign an ActiveX CAB file using Microsoft Signtool

Limitations
Once signed you can distribute the ActiveX component to any user, BUT the user
must install the Root CA and Intermediate Certificates as well for installation to be
allowed.

If you want users to install an ActiveX component without the Root and
Intermediate certificates then buy a code-signing certificate online from Thawte or
Verisign.

Step 1 : Download and Install OpenSSL

 Download OpenSSL distribution [Click here to find]
 Install the OpenSSL software to c:\openssl (or c:\program files\openssl if
you like to keep installations consistent)

Step 2 : Create Root CA Certificate

 Open a DOS Command Prompt
 Navigate to the OpenSSL Binaries directory type
CD c:\openssl\bin
  Create the private key. Type
openssl genrsa -des3 -out ca.key 4096
 When prompted enter a *very* strong password
 And then verify the password
 Create the public key. Type
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 When prompted enter the *very* strong password
 For Country Name enter the international standard two letter abbreviation
(use GB, NOT UK if in the UK)
 For State enter the state name in full, or for UK the county name
 For Locality, enter where your company is registered, town or city
 For organisation name enter either the full company name e.g. Mycompany
LTD
 For organisation unit enter Development or Support
 For common name use your domain name e.g mycompany.com
 For email address enter a valid address e.g. support@mycompany.com

Step 3 : Create and Sign Intermediate Certificate

 Create the private key. Type
openssl genrsa -des3 -out server.key 4096
 When prompted enter a *very* strong password (can be the same as before)
 And then verify the password
 Create a certificate request for signing by the Root CA. Type
openssl req -new -key server.key -out server.csr
 Enter the *very* strong password
 Repeat the information entered above for the Root CA certificate, EXCEPT
for the common name add "www." e.g. www.mycompany.com
 When prompted for Challenge Password press Enter to skip
 When prompted for Optional Company Name press Enter to skip
 Sign the request with the Root CA and make a public key. Type
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key
-set_serial 01 -out server.crt
 When prompted enter the *very* strong password used to create the CA
certificate

Step 4 : Create a combined cert that simplifies

SignTool
 Combine the two certificates into a single package. Type
openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt
 When prompted enter the *very* strong password used to create the
Intermediate certificate
  Repeat password for Export Password, and Export Password verify

Step 5: Install Root CA certificate using Internet

Explorer
 Launch Internet Explorer
 Select Tools->Internet Options from the menu bar
 Select Content Tab
 Click CERTIFICATES
 Select the Trusted Root Certification Authorities Tab
 Click IMPORT
 Click NEXT>
 Click BROWSE to locate the required filename
 Browse to C:\openssl\bin and highlight ca.crt
 Click OPEN
 Click NEXT>
 Ensure Place all certificates in the following store is selected
 Ensure Certificate store: = Trusted Root Certification Authorities
 Click NEXT>
 Click FINISH
 Click YES to trust
 Click OK

Step 6: Install Intermediate certificate using Internet

Explorer
 Change tabs to Intermediate Certification Authorities
 Click IMPORT
 Click NEXT>
 Click BROWSE to locate the required filename
 Browse to C:\openssl\bin and highlight server.crt
 Click OPEN
 Click NEXT>
 Ensure Place all certificates in the following store is selected
 Ensure Certificate store: = Intermediate Certification Authorities
 Click NEXT>
 Click FINISH
 Click OK

Step 7: Install Personal certificate using Internet

Explorer
Note: This simplifies code signing with signtool for the developer, but end
users do not need to do this

 Change tabs to Personal

 Click IMPORT
 Click NEXT>
 Click BROWSE to locate the required filename
 Change the file extension type to Personal Information Exchange *.pfx,
*.p12
 Browse to C:\openssl\bin and highlight exported.pfx
 Click OPEN
 Click NEXT>
 Enter the *very* strong password entered when EXPORTING the key (in
these instructions its the same password used to create the intermediate key)
 Ensure Place all certificates in the following store is selected
 Ensure Certificate store: = Personal
 Click NEXT>
 Click FINISH
 Click OK

Step 8 : Download and Install Microsoft Platform

SDK
 Download SDK [Click here to find]
 To reduce the download size use the Web Install (download and run PSDK-
x86.exe), Perform custom install and select only Microsoft Windows Core
SDK. Remove AMD and Documentation sub-options
 Install the Microsoft Platform SDK tools into c:\program files\microsoft
platform sdk

Step 9 : Sign ActiveX CAB file (or exe etc)

 Open a DOS Command Prompt
 Change to the SDK binaries directory. Type
CD c:\program files\microsoft platform sdk\bin
 Launch the signing tool wizard. Type
signtool signwizard
 Click NEXT
 Browse and select the ActiveX component to sign
 Click NEXT
  Click TYPICAL
 Click NEXT
 Click SELECT FROM STORE
 Highlight the simplecodesign.com certificate
 Click OK
 Click NEXT
 Click NEXT
 Click NEXT
 Click FINISH
 Click OK

Step 10 : User Installation Instructions

 As per steps 5 and 6 and then go to the web page where the Signed ActiveX
CAB is used and installation will be allowed

Step 11 : Don't want to create certificates? Or don't

have time?
 Click here for free code signing certificate and authentication chain, and
simplified certificate installation

Step 12 : Still not found what you're looking for?

Try our search engine integrator: Scoorch and Accelerate your search experience!

Acknowledgements

It took several days to work through to this final simple solution because there was
no end-to-end document available for creating the certificates and signing an
ActiveX component. The following links proved useful in finding the solution:

Microsoft overview
Verisign notes on signtool
Dallaway on creating and signing Java Apps
Mark Foster on OpenSSL and KeyTool exchanges
Self signed cert for Apache
Self signed cert for Mobile Phones
More on self signing cert for Mobile Phones

Update history
23 May 2007 - Added more detailed SDK instructions to avoid downloading the whole
SDK
05 Feb 2007 - Added links to find the Microsoft SDK and a simple OpenSSL install for
download