Using XCA to create private SSL certificates

Preface

This article details using the XCA (available for at least Linux, Windows, and MacOS for creating and managing SSL certificates) software package (it is a GUI) for creating private SSL certificates for enabling end-to-end SSL on non-public servers (e.g. where Let’s Encrypt / Certbot don’t make sense or are not an option).

Obtain XCA

Launch XCA

  • The usual way for your OS (e.g. on Windows, from the ‘Start’ Menu, on GNOME on Linux, click on the XCA icon in you ‘Applications’ screen, etc).
  • This will open a window prompting for a database. If this is is to be a new certificate store (e.g. the first time using XCA or you want a separate store for new certificates) you should create one, otherwise select an existing database and enter the password for it.

Create a self-signed CA (Certificate Authority)

NB Any application that will be using SSL to access a server using a certificate signed by this private CA will need to be told to trust the private CA. This varies with application, so where I use this in other articles, I provide instructions for the particular application in use.

  1. Click on ‘New Certificate’ or press ‘Alt-N’
    Fig 1: Click on ‘New Certificate’ or press ‘Alt-N’
  2. Screenshot of XCA new certificate dialogue with default CA circled
    Fig 2: Near the bottom of the dialogue, under ‘Template for new certificate’, select ‘[default] CA’
  3. New certificate dialogue with ‘Apply all’ circled
    Fig 3: Click on ‘Apply all
  4. New certificate dialogue ‘Subject’ tab with example information entered
    Fig 4: Select the Subject tab and fill in the information as appropriate
  5. New certificate dialogue subject tab with ‘Generate a new key’ circled
    Fig 5: Click on Generate a new key'
  6. New certificate dialogue subject tab with ‘OK’ circled
    Fig 6: Click ‘OK’ or press ‘Alt-O’

Export the CA’s public key (.crt)

  1. Main screen with CA circled
    Fig 7: Select the CA
  2. Main screen with ‘Export’ button circled
    Fig 8: Click ‘Export’ button
  3. Export dialogue with filename and path circled
    Fig 9: Choose where to export CA (choose it’s filename and location) (later we’ll assume you called the file ‘ca-private-net.crt’ and you know where to find it)
  4. Dialogue with OK button circled
    Fig 10: Click the ‘OK’ button

Create a server certificate and private key

  1. Main screen with CA circled
    Fig 11: Select the CA
  2. Click on ‘New Certificate’ or press ‘Alt-N’
    Fig 12: Click on ‘New Certificate’ or press ‘Alt-N’
  3. New certificate dialogue with an existing CA selected to use as the certificate for signing
    Fig 13: Make sure ‘Use this Certificate for signing’ is set to your CA
  4. New certificate with TLS server template selected and circled (and an existing CA selected to use for signing)
    Fig 14: In the ‘Template for new certificate’ drop down, select ‘[default] TLS_server’
  5. New certificate dialogue with ‘Apply all’ circled when TLS template is selected, and with an existing CA selected for use
    Fig 15: Select ‘Click ‘Apply all’ button
  6. New certificate dialogue for a server certificate, with subject fields filled in
    Fig 16: Select the Subject tab and fill in the information as appropriate. Note that the CN (common name) should be the primary DNS name of your server.
  7. Certificate dialogue subject tab for a server certificate, with ‘Generate a newkey’circled
    Fig 17: Click ‘Generate a new key’ or press ‘Alt-G’
  8. New certificate dialogue extensions tab with SAN (Subject Alternative Name) editbuttoncircled
    Fig 18: Select the Extensions tab, and select ‘Edit’ beside X509v3 Subject Alternative Name
  9. x509v3 SAN (Subject Alternative Name) dialogue with an example DNS entry
    Fig 19: Select add and add a DNS name or IP besides the CN (common name). If there are no alternative names or IP addresses to be used, this can be left with only ‘Copy Common Name’ checked and no additional entries.
  10. Repeat ‘Add’ in this dialogue for every name (DNS) or IP by which the server will be accessed using SSL. If there none besides the CN (Common Name) , then none need to be added.
  11. x509v SAN dialogue with ‘Validate’ button circled
    Fig 20: Select ‘Validate’. If there are issues, fix them.
  12. SAN dialogue with ‘Apply’ button circled
    Fig 21: Click ‘Apply’
  13. New certificate dialogue for server certificate with ‘OK’ circled
    Fig 22: Select ‘OK’

Export the server certificate and private key

Export the server certificate

  1. Main dialogue with a CA-signed server certificate selected
    Fig 23: Select the new certificate (you will have to double-click on your CA first)
  2. Select, ‘Export’ and then use the same steps (with different names) as in Export the CA’s Public Key (.crt)

Export the server private key

  1. Main screen with ‘Private Keys’ selected and circled and a private key circled
    Fig 24: Select ‘Private Keys’ tab and select the private key associated with the certificate above
  2. Private keys tab with ‘Export’ circled
    Fig 25: Click on ‘Export’ button
  3. Export private key dialogue with filename circled
    Fig 26: Choose where to export (filename) (later we’ll assume ‘private-server.example.com.pem’)
  4. Private key export dialogue with PEM private circled
    Fig 27: Select ‘PEM private’ (NB protect this file as it contains important security information; preferably securely erase any copies once it is in the needed location on the server)
  5. Export private key dialogue with ‘OK’ buttoncircled
    Fig 28: Click ‘OK’ button

Copy the exported files to your server and/or clients

  • You will need to copy the at least the server private key and certificate to you server (details are application dependent so for articles on this site will be covered in the article for the application).
  • Clients will need the CA certificate and possibly need to per-app configuration to use it. As with the server certificate and key, for articles on this site the details will be covered in the article for the application).

Prepare your user clients to use SSL to the server

NB This is for certificates for web servers, git server, etc where a desktop user will need to access the server via SSL.

  • Because we are using a private CA your browser and other desktop clients need to be told to trust the private CA.

  1. On any Debian/Ubuntu workstation that needs to access the private CA, copy the private CA certificate (e.g. ca-private.example.com) to /usr/local/share/ca-certificates and execute update-ca-certificates

  2. Also on any Debian/Ubuntu workstation for which Firefox needs to access the server:

    mkdir -p /etc/firefox/policies
sudoedit /etc/firefox/policies/policies.json

    Note: Even when the main Firefox is an ESR release and uses /etc/firefox-esr, for adding policies (like installing certificates) it is necessary to use /etc/firefox/policies/policies.json.

    In policies.json add:

    {
  "policies": {
    "Certificates": {
      "Install": [
        "/usr/local/share/ca-certificates/ca-private.example.com.crt"
      ]
    }
  }
}

  3. On any Windows workstation that needs to access the private CA,

    1. Install the private CA into the system certificate store

      1. Windows 10 install certificatedialogue
        Fig 29: Double-click on ca-private-example.com.crt, select ‘Install certificate’ and click ‘OK’
      2. Select ‘Local Machine’ in install certificate wizard
        Fig 30: For ‘Store Location’ select ‘Local Machine’ and click ‘Next’. You may be prompted for your administrative credentials.
      3. Selection of location to install certificate in the install certificate wizard
        Fig 31: Select ‘Place all certificates in the following store’ and click ‘Browse…’
      4. Selection of which system-wide store to use in the install certificate wizard
        Fig 32: Select ‘Trusted Root Certification Authorities’ and click ‘OK’
      5. Confirmation page for install certificate wizard
        Fig 33: Confirm the details presented and click ‘Finish’

    2. For making the CA available for recent Firefox system-wide:

      1. Create a directory called C:\\ProgramData\\FirefoxCertificates
      2. Copy ca-private.example.com.crt to C:\\ProgramData\\FirefoxCertificates
      3. Create a directory called distribution in C:\\Program Files\\Mozilla Firefox, and in the distribution directory add a file called policies.json containing:
      {
  "policies": {
    "Certificates": {
        "Install": [
            "C:\\ProgramData\\FirefoxCertificates\\ca-private.example.com.crt"
        ]
    }
  }
}

    See Also Mozilla’s Github Repository for Policy Templates

See Also