Using XCA to create private SSL certificates

Preface

This article details using the XCA (available for at least Linux, Windows, and MacOS for creating and managing SSL certificates) software package (it is a GUI) for creating private SSL certificates for enabling end-to-end SSL on non-public servers (e.g. where Let’s Encrypt / Certbot don’t make sense or are not an option).

Obtain XCA

Obtain XCA for your desktop computer (https://hohnstaedt.de/xca/)
- Windows
  - https://github.com/chris2511/xca/releases/download/RELEASE.2.3.0/xca-2.3.0.msi
  - Chocolatey has an xca package
- Mac
  - https://github.com/chris2511/xca/releases/download/RELEASE.2.3.0/xca-2.3.0.dmg
  - Probably available via homebrew
- Linux
  - Check for a package in your package manager (Debian/Ubuntu-derivatives should have it available by sudo apt install -y xca for instance).
  - It is also available via Flathub (https://flathub.org) : flatpak install xca
  - Otherwise try the generic tarball: https://github.com/chris2511/xca/releases/download/RELEASE.2.3.0/xca-2.3.0.tar.gz

Launch XCA

The usual way for your OS (e.g. on Windows, from the ‘Start’ Menu, on GNOME on Linux, click on the XCA icon in you ‘Applications’ screen, etc).
This will open a window prompting for a database. If this is is to be a new certificate store (e.g. the first time using XCA or you want a separate store for new certificates) you should create one, otherwise select an existing database and enter the password for it.

Create a self-signed CA (Certificate Authority)

NB Any application that will be using SSL to access a server using a certificate signed by this private CA will need to be told to trust the private CA. This varies with application, so where I use this in other articles, I provide instructions for the particular application in use.

Fig 1: Click on ‘New Certificate’ or press ‘Alt-N’
Fig 2: Near the bottom of the dialogue, under ‘Template for new certificate’, select ‘[default] CA’
Fig 3: Click on ‘Apply all
Fig 4: Select the Subject tab and fill in the information as appropriate
Fig 5: Click on Generate a new key'
Fig 6: Click ‘OK’ or press ‘Alt-O’

Export the CA’s public key (.crt)

Fig 7: Select the CA
Fig 8: Click ‘Export’ button
Fig 9: Choose where to export CA (choose it’s filename and location) (later we’ll assume you called the file ‘ca-private-net.crt’ and you know where to find it)
Fig 10: Click the ‘OK’ button

Create a server certificate and private key

Fig 11: Select the CA
Fig 12: Click on ‘New Certificate’ or press ‘Alt-N’
Fig 13: Make sure ‘Use this Certificate for signing’ is set to your CA
Fig 14: In the ‘Template for new certificate’ drop down, select ‘[default] TLS_server’
Fig 15: Select ‘Click ‘Apply all’ button
Fig 16: Select the Subject tab and fill in the information as appropriate. Note that the CN (common name) should be the primary DNS name of your server.
$Certificate dialogue subject tab for a server certificate, with ‘Generate a new\nkey’\ncircled$
Fig 17: Click ‘Generate a new key’ or press ‘Alt-G’
$New certificate dialogue extensions tab with SAN (Subject Alternative Name) edit\nbutton\ncircled$
Fig 18: Select the Extensions tab, and select ‘Edit’ beside X509v3 Subject Alternative Name
Fig 19: Select add and add a DNS name or IP besides the CN (common name). If there are no alternative names or IP addresses to be used, this can be left with only ‘Copy Common Name’ checked and no additional entries.
Repeat ‘Add’ in this dialogue for every name (DNS) or IP by which the server will be accessed using SSL. If there none besides the CN (Common Name) , then none need to be added.
Fig 20: Select ‘Validate’. If there are issues, fix them.
Fig 21: Click ‘Apply’
Fig 22: Select ‘OK’

Export the server certificate and private key

Export the server certificate

Fig 23: Select the new certificate (you will have to double-click on your CA first)
Select, ‘Export’ and then use the same steps (with different names) as in Export the CA’s Public Key (.crt)

Export the server private key

Fig 24: Select ‘Private Keys’ tab and select the private key associated with the certificate above
Fig 25: Click on ‘Export’ button
Fig 26: Choose where to export (filename) (later we’ll assume ‘private-server.example.com.pem’)
Fig 27: Select ‘PEM private’ (NB protect this file as it contains important security information; preferably securely erase any copies once it is in the needed location on the server)
$Export private key dialogue with ‘OK’ button\ncircled$
Fig 28: Click ‘OK’ button

Copy the exported files to your server and/or clients

You will need to copy the at least the server private key and certificate to you server (details are application dependent so for articles on this site will be covered in the article for the application).
Clients will need the CA certificate and possibly need to per-app configuration to use it. As with the server certificate and key, for articles on this site the details will be covered in the article for the application).

Prepare your user clients to use SSL to the server

NB This is for certificates for web servers, git server, etc where a desktop user will need to access the server via SSL.

Because we are using a private CA your browser and other desktop clients need to be told to trust the private CA.

On any Debian/Ubuntu workstation that needs to access the private CA, copy the private CA certificate (e.g. ca-private.example.com) to /usr/local/share/ca-certificates and execute update-ca-certificates
Also on any Debian/Ubuntu workstation for which Firefox needs to access the server:
```
mkdir -p /etc/firefox/policies
sudoedit /etc/firefox/policies/policies.json
```
Note: Even when the main Firefox is an ESR release and uses /etc/firefox-esr, for adding policies (like installing certificates) it is necessary to use /etc/firefox/policies/policies.json.
In policies.json add:
```
{
  "policies": {
    "Certificates": {
      "Install": [
        "/usr/local/share/ca-certificates/ca-private.example.com.crt"
      ]
    }
  }
}
```
On any Windows workstation that needs to access the private CA,
1. Install the private CA into the system certificate store
  1. $Windows 10 install certificate\ndialogue$
    Fig 29: Double-click on ca-private-example.com.crt, select ‘Install certificate’ and click ‘OK’
  2. Fig 30: For ‘Store Location’ select ‘Local Machine’ and click ‘Next’. You may be prompted for your administrative credentials.
  3. Fig 31: Select ‘Place all certificates in the following store’ and click ‘Browse…’
  4. Fig 32: Select ‘Trusted Root Certification Authorities’ and click ‘OK’
  5. Fig 33: Confirm the details presented and click ‘Finish’
2. For making the CA available for recent Firefox system-wide:
  1. Create a directory called C:\\ProgramData\\FirefoxCertificates
  2. Copy ca-private.example.com.crt to C:\\ProgramData\\FirefoxCertificates
  3. Create a directory called distribution in C:\\Program Files\\Mozilla Firefox, and in the distribution directory add a file called policies.json containing:
```
{
  "policies": {
    "Certificates": {
        "Install": [
            "C:\\ProgramData\\FirefoxCertificates\\ca-private.example.com.crt"
        ]
    }
  }
}
```
See Also Mozilla’s Github Repository for Policy Templates