Create your own Certificate Authority

Largely borrowed from http://w.csie.org/~piaip/docs/CreateMozApp/mozilla-chp-12-sect-5.html but updated where those instructions didn't work for me.

These notes use the Network Security Services (NSS) tools, version 3.11.5, with a workaround for a bad installation on Ubuntu: you must link the nss directory into wherever you run signtool from:

ln -s /usr/lib/nss .

Create the certificate authority root:

mkdir ~/signingdir

certutil -S -s "CN=mysite.org, O=mysite.org" -n "mysite.org" -t ",,C" -x -d ~/signingdir -1 -2 -5

Generating key.  This may take a few moments...

          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
5
          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:

Is this a critical extension [y/N]?
n
          0 - SSL Client
          1 - SSL Server
          2 - S/MIME
          3 - Object Signing
          4 - Reserved for future use
          5 - SSL CA
          6 - S/MIME CA
          7 - Object Signing CA
          Other to finish
7
          0 - SSL Client
          1 - SSL Server
          2 - S/MIME
          3 - Object Signing
          4 - Reserved for future use
          5 - SSL CA
          6 - S/MIME CA
          7 - Object Signing CA
          Other to finish
9
Is this a critical extension [y/N]?
n

Save this for later:

certutil -L -d ~/signingdir -n "mysite.org" -a -o mysite.org.cacert

Create the signing certificate authority:

certutil -S -n "certs.mysite.org" -s "CN=certs.mysite.org, O=certs.mysite.org" -c "mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5

Generating key.  This may take a few moments...

          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
5
          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]:

Is this a critical extension [y/N]?
n
          0 - SSL Client
          1 - SSL Server
          2 - S/MIME
          3 - Object Signing
          4 - Reserved for future use
          5 - SSL CA
          6 - S/MIME CA
          7 - Object Signing CA
          Other to finish
7
          0 - SSL Client
          1 - SSL Server
          2 - S/MIME
          3 - Object Signing
          4 - Reserved for future use
          5 - SSL CA
          6 - S/MIME CA
          7 - Object Signing CA
          Other to finish
9
Is this a critical extension [y/N]?
n
Export this so that it can be imported as an authority by anyone willing to trust your signing authority:

certutil -L -d ~/signingdir -n "certs.mysite.org" -a -o certs_mysite_org.cacert

Generate a signing certificate for a particular user:

certutil -S -n "certs.mysite.org/me" -s "CN=certs.mysite.org/me, O=certs.mysite.org" -c "certs.mysite.org" -v 96 -t ",,C" -d ~/signingdir -1 -2 -5

Generating key.  This may take a few moments...

          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
0
          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
5
          0 - Digital Signature
          1 - Non-repudiation
          2 - Key encipherment
          3 - Data encipherment
          4 - Key agreement
          5 - Cert signing key
          6 - CRL signing key
          Other to finish
9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
n
Enter the path length constraint, enter to skip [<0 for unlimited path]:

Is this a critical extension [y/N]?
n
          0 - SSL Client
          1 - SSL Server
          2 - S/MIME
          3 - Object Signing
          4 - Reserved for future use
          5 - SSL CA
          6 - S/MIME CA
          7 - Object Signing CA
          Other to finish
3
          0 - SSL Client
          1 - SSL Server
          2 - S/MIME
          3 - Object Signing
          4 - Reserved for future use
          5 - SSL CA
          6 - S/MIME CA
          7 - Object Signing CA
          Other to finish
9
Is this a critical extension [y/N]?
n

Export with pk12util:

pk12util -o me.pk12 -n "certs.mysite.org/me" -d ~/signingdir

Now we can make a completely separate signing database that imports just the public certificate of the signing authority and the signed user certificate:

certutil -N -d .

pk12util -i me.pk12 -n "certs.mysite.org/me" -d .

certutil -A -n "certs.mysite.org" -t "u,u,Cu" -i ~/signingdir/certs_mysite_org.cacert -d .

Now you can sign jars as follows:

signtool -d . -p password -k "certs.mysite.org/me" -Z chrome_access_signed.jar chrome_access_signed
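The whole procedure above, scripted end to end as an added example (this is not the wiki's or the NSS project's code): the menu answers shown in the transcripts are piped into certutil instead of typed, key generation is seeded with -z so certutil never waits for keystrokes, and the finished user certificate is validated for object signing with certutil -V in the separate signing database. Directory names, the password "changeit" and the serial numbers are constructed for the demo; nicknames and subjects follow the page. It departs from the page in two places: the user certificate gets only the digitalSignature key usage (a leaf does not need cert signing), and the signing database trusts the root rather than the intermediate, so the intermediate is imported untrusted only to complete the chain.

```shell
#!/bin/sh
# Added example, not from the wiki page: root CA -> signing CA -> user object-signing
# certificate, built non-interactively with NSS certutil/pk12util (libnss3-tools on Ubuntu).
# Directories, the password and serial numbers are constructed for the demo.
set -u

have_nss() { command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; }

# Answers for the -1 (keyUsage), -2 (basicConstraints) and -5 (nsCertType) prompts,
# in the order certutil asks them in the transcripts above.
#   $1 keyUsage picks   $2 y/n for "Is this a CA certificate"   $3 nsCertType picks
answers() {
  for k in $1; do printf '%s\n' "$k"; done
  printf '9\nn\n'            # "Other" closes the keyUsage menu; extension not critical
  printf '%s\n\nn\n' "$2"    # CA?, blank path length (= skip), not critical
  for t in $3; do printf '%s\n' "$t"; done
  printf '9\nn\n'            # close the nsCertType menu; not critical
}

init_db() {                  # $1 database dir, $2 password file to create
  printf 'changeit\n' > "$2"                     # constructed database password
  certutil -N -d "$1" -f "$2"
}

# $1 dir  $2 pwfile  $3 nickname  $4 subject  $5 issuer nickname ("" = self-signed)
# $6 trust flags  $7 keyUsage picks  $8 CA y/n  $9 nsCertType picks  ${10} serial
make_cert() {
  if [ -z "$5" ]; then issuer="-x"; else issuer="-c $5"; fi
  answers "$7" "$8" "$9" | certutil -S -d "$1" -f "$2" -z "$1/noise.bin" \
      -n "$3" -s "$4" $issuer -t "$6" -v 96 -m "${10}" -1 -2 -5 >/dev/null 2>&1
}

demo() {
  have_nss || { echo "SKIP: certutil/pk12util not on PATH (apt install libnss3-tools)"; return 0; }
  ca=$(mktemp -d); signer=$(mktemp -d); pw="$ca/pw.txt"
  head -c 64 /dev/urandom > "$ca/noise.bin"    # seed for -z so -S never asks for keystrokes
  init_db "$ca" "$pw"
  # 1. root: keyUsage certSign (5), CA=y, nsCertType objectSigningCA (7), as on the page
  make_cert "$ca" "$pw" "mysite.org" "CN=mysite.org, O=mysite.org" "" ",,C" "5" y "7" 1
  # 2. signing CA issued by the root, same extensions
  make_cert "$ca" "$pw" "certs.mysite.org" "CN=certs.mysite.org, O=certs.mysite.org" \
      "mysite.org" ",,C" "5" y "7" 2
  # 3. user cert: digitalSignature (0) only, not a CA, nsCertType objectSigning (3)
  make_cert "$ca" "$pw" "certs.mysite.org/me" "CN=certs.mysite.org/me, O=certs.mysite.org" \
      "certs.mysite.org" ",," "0" n "3" 3
  # export both CA certs as PEM and the user key+cert as PKCS#12
  certutil -L -d "$ca" -n "mysite.org" -a -o "$ca/mysite.org.cacert"
  certutil -L -d "$ca" -n "certs.mysite.org" -a -o "$ca/certs_mysite_org.cacert"
  pk12util -o "$ca/me.p12" -n "certs.mysite.org/me" -d "$ca" -k "$pw" -w "$pw" >/dev/null
  # separate signing database: the root is the object-signing trust anchor (third
  # trust field = C); the intermediate is imported without trust to complete the chain
  init_db "$signer" "$signer/pw.txt"
  pk12util -i "$ca/me.p12" -d "$signer" -k "$signer/pw.txt" -w "$pw" >/dev/null
  certutil -A -d "$signer" -n "mysite.org" -t ",,C" -i "$ca/mysite.org.cacert"
  certutil -A -d "$signer" -n "certs.mysite.org" -t ",," -i "$ca/certs_mysite_org.cacert"
  # -u J = validate for the object-signer usage, -e = check every signature in the chain
  if certutil -V -d "$signer" -n "certs.mysite.org/me" -u J -e; then rc=0; else rc=1; fi
  rm -rf "$ca" "$signer"
  return $rc
}

demo
```

Run it with `sh build_ca.sh`; when the chain checks out certutil prints "certificate is valid", and signtool can then be pointed at the signing database with `-k "certs.mysite.org/me"` exactly as in the last step above. Keeping the user certificate's key usage to digitalSignature and trusting only the root in the signing database means a compromised or retired intermediate can be replaced without changing what the signing machine trusts.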