Getting older, not necessarily wiser!
In this post we will discuss being a Certificate Authority, mainly to help us better understand the whole certificate concept. This is a high level view, so while we will talk about what is needed, there will be no step by step tutorial. This is more of a concept discussion.
Having said that, if there is sufficient interest, I can do a walk-through of actually creating a local certificate authority for your home computer lab. While it is a good educational experience, it is not something that is required for most standard home networks.
The first thing you will need to become a certificate authority is to generate your public/private key pair. You can refer to this post for a discussion about encryption, PGP and key pairs. The public key allows encryption and signature verification. The private key allows decryption and signing.
Your public key will basically be available to everyone. However, you are going to want to lock your private key away and only use it when absolutely necessary. If someone gets hold of your private key, then all the certificates you have signed become suspect.
A note on encryption keys: you may have the option to attach a pass phrase or not. If you do, you will have to enter it every time the key is used.
Now that we have a key pair, we can move on to creating a root certificate. This is what forms the base of our certificate authority (CA). It will be a self signed certificate, meaning the person who created it also signed it. All CA root certificates have to be self signed (which is ironic because most browsers do not like self signed certificates).
In addition to creating a root certificate, a mechanism will need to be in place to track all certificates signed. This is generally done by serial number. Another function of the CA is revoking signed certificates, so the records are needed.
Now that you have a root certificate, you need to get it installed in some browsers. Actual CA root certificates generally come pre-installed on most browsers. Technically if you could get all browser makers to make your root certificate part of their install, then you would be a real certificate authority. But for the home lab, you will need to manually install your root certificate wherever it will be used.
Installing it as a trusted certificate is how browsers get around the self signed issue. However, it has to be installed as a root certificate. Different browsers and operating systems do this differently.
If there is going to be a large distribution of signed certificates, then it is generally a good idea to have intermediate CAs (ICAs). You protect your root certificate's private key by only signing intermediate CA certificates. It is the intermediate CA that signs the user certificates.
What happens is the intermediate CA creates a certificate signing request and sends it to the CA. The CA then signs the certificate with its private key and sends it back.
Note that intermediate CA certificates are also authorized to sign certificates. So they also have requirements for public and private keys, as well as record keeping.
You, as an end user, will also need public and private keys. The process is similar; however, your certificate will generally not be able to sign other certificates. And your certificate will need to be available to the applications using your services.
Since your certificate is signed by an ICA certificate, which is signed by a CA root certificate, which your browser trusts, it will trust your end user certificate (the whole chain of trust thing from this post).
Not all certificates are created equal. If you ever try to buy a certificate, you will see a wide price range.
A CA is supposed to validate a customer before signing their certificate. Low level certificates have minimal requirements, sometimes using an email or just checking that you own the domain. As you move up the certificate offering to higher priced certificates, the validation becomes more stringent, and there are usually different options also available with these certificates.
If you are running a web site, you are probably okay with a lower level certificate. If you are engaged in e-commerce, you will probably need something a little more pricey. If you are setting up a corporate ID, the price can really go up.
Another thing to keep in mind is that certificates come with an expiration date. If you are generating your own, you can usually set this really far in the future or bypass it altogether.
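As an added example (not code from the original post), here is the whole hierarchy described above in one runnable piece: generating the key pairs, the self signed root with its serial number records, the intermediate CA signed by the root, the end user certificate signed by the intermediate, the browser-style chain check that only works once the root is installed as trusted, and the expiration date just mentioned. It uses Go's standard library `crypto/x509`. The names `Home Lab Root CA`, `Home Lab Intermediate CA` and `nas.home.lab`, the ten-year and one-year lifetimes and all the function names are made up for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a signing key plus its certificate; Serial is the next serial number to
// hand out, the record a CA keeps so it can later revoke what it signed.
type CA struct {
	Key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
	Serial *big.Int
}

// template describes what gets signed: isCA lets the holder sign further
// certificates, years sets the expiration date.
func template(cn string, isCA bool, from time.Time, years int) *x509.Certificate {
	t := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              from.AddDate(years, 0, 0),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// sign is the signing request round trip: only the subject's public key reaches the
// CA, which signs with its private key. A CA with no certificate yet is a new root,
// so the template becomes its own parent (self signed).
func (ca *CA) sign(tmpl *x509.Certificate, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = new(big.Int).Set(ca.Serial)
	ca.Serial.Add(ca.Serial, big.NewInt(1)) // never reuse a serial number
	parent := ca.Cert
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA generates a key pair and a 10-year CA certificate for it: self signed
// when parent is nil (the root), otherwise signed by parent (an intermediate CA).
func NewCA(cn string, parent *CA, from time.Time) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &CA{Key: key, Serial: big.NewInt(1)}
	if parent == nil {
		parent = ca
	}
	ca.Cert, err = parent.sign(template(cn, true, from, 10), &key.PublicKey)
	return ca, err
}

// IssueServer is the end user step: a key pair the user keeps private, plus a
// certificate for it that cannot sign other certificates.
func (ca *CA) IssueServer(host string, from time.Time, years int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.sign(template(host, false, from, years), &key.PublicKey)
	return cert, key, err
}

// VerifyChain does what a browser does: walk from the server certificate through
// the intermediate to a root installed as trusted, checking every signature and
// validity period against the clock at. A nil root models "root not installed".
func VerifyChain(server, ica, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if root != nil {
		roots.AddCert(root)
	}
	inters.AddCert(ica)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	root, _ := NewCA("Home Lab Root CA", nil, now) // names are made up
	ica, _ := NewCA("Home Lab Intermediate CA", root, now)
	server, _, _ := ica.IssueServer("nas.home.lab", now, 1) // one-year certificate
	fmt.Println("root installed:  ", VerifyChain(server, ica.Cert, root.Cert, now))
	fmt.Println("root not trusted:", VerifyChain(server, ica.Cert, nil, now))
	fmt.Println("two years later: ", VerifyChain(server, ica.Cert, root.Cert, now.AddDate(2, 0, 0)))
}
```

Running it prints `<nil>` for the first check and an error for the other two: with nothing in the trusted root pool the chain ends in an unknown authority, which is the same complaint a browser raises about a root it has never had installed, and two years on the one-year server certificate has expired even though both CA certificates are still valid. The `Serial` counter stands in for the records a real CA keeps on disk; a revocation list is built from exactly those serial numbers.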
In this post we took a look at certificate authorities from a high level. For most people with a home network and maybe one server, creating your own CA is overkill. Just get a free certificate from Let's Encrypt (don't forget to renew).
If you are an enthusiast running your own home computer lab, it might be worth your time to set up your own CA.