Tiny CA

This page describes how to create certificates with the TinyCA program in order to

Your own CA

After you have installed TinyCA and started it for the first time, your first task is to create your own CA. You can name it whatever you want, e.g. "My first CA". You will be asked for a password, which you will need every time you want to sign a certificate with your CA. After you have created your CA you can export the CA certificate, which people can install in their browsers or email programs so they can check whether a given certificate is really signed by your CA. Select the "CA"-tab and then click the "Export CA" button.

Sign / encrypt Emails

If you would like to create certificates for your friends so they can sign and encrypt emails, just switch to the "Certificates"-tab in TinyCA and hit the "New - Create Key and Certificate (Client)" button. There you enter the name of the person who will use the certificate (be careful with non-ASCII characters), their email address and a transport password, which protects the certificate and key on their way to the new owner. Now right-click the certificate and export it into a PKCS#12 (certificate & key) file. The new owner can install the file in their mail program with the help of the transport password. After replacing the transport password with a password of their choice, they can use it to sign emails. Usually it will be necessary to tell the mail program that you trust the CA certificate before you can actually use the certificate.

SSL Services

Apache

First install Apache 2. If you like, you can test SSL first by running the apache2-ssl-certificate script, which creates a self-signed certificate and writes it to /etc/apache2/ssl/apache.pem. You'll find the Apache configuration under /etc/apache2/sites-available/default. Either modify this file directly or copy it and modify only the copy (if you choose the latter, you must create a link from /etc/apache2/sites-enabled/ to your copy). Your configuration should look like this:

# mod_ssl has to be loaded in the main server configuration, outside any <VirtualHost>
# (on Debian, "a2enmod ssl" takes care of this for you)
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    ...
</VirtualHost>

Don't forget to add

Listen 443

to the /etc/apache2/ports.conf file. https://... should work after an Apache restart.

Now it's time to replace the self-signed certificate with your own. To do this, create a new server certificate in TinyCA's "Certificates"-tab. It's important that the "Common Name" matches the host part of the URL users will enter to reach the SSL service, e.g. use secure.example.com if your visitors will use https://secure.example.com/index.html. Otherwise they will receive warnings that the names don't match, which is annoying.

Now export your new certificate into a PEM file, e.g. foo.crt, and the corresponding key (from the "Keys"-tab) into a PEM file without a password, e.g. foo.key. Copy both to /etc/apache2/ssl/.

In newer TinyCA versions there is an option in the export certificate dialog to also export the key together with the certificate. However, this dialog lacks the option to remove the password from the key.

In the Apache configuration file replace SSLCertificateFile with these two lines:

SSLCertificateFile /etc/apache2/ssl/foo.crt
SSLCertificateKeyFile /etc/apache2/ssl/foo.key

After an Apache restart your certificates should be used. One advantage with your own CA is that if the Apache certificate expires you can just create a new one and sign it with the same CA.

Apache Errors

Check the Apache logs (e.g. /var/log/apache2/error.log) to see whether Apache started without errors. I got these messages when I forgot to include the foo.key file (the key without a password):

[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

Courier IMAP

When I installed courier-imap-ssl, a self-signed certificate was automatically created and written to /etc/courier/imapd.pem. Create a server certificate (as in the Apache section). Be sure that the common name is exactly the name the clients will use to reach Courier. Again export the certificate into a PEM file, e.g. foo.crt, and the key into a PEM file (without a password), e.g. foo.key. Merge both files into one, e.g. with

cat foo.key foo.crt > imap.pem

Your file should look like this:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Replace your self-signed certificate with your file and restart courier.
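The ASN.1 errors in the Apache section come from a missing (or still password-protected) key, and Courier's imapd.pem has to contain both parts in the layout shown above. The following is an added example, not part of this page or of TinyCA: a small Python lint for such a key+certificate PEM file. Its sample data is constructed (the base64 body is a placeholder ASN.1 SEQUENCE, not a real key or certificate).

```python
import base64
import binascii
import re

# PEM labels TinyCA exports produce (PKCS#1 "RSA PRIVATE KEY") plus the PKCS#8 variant.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Return (label, headers, der_bytes) for every PEM block found in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, headers, b64 = m.group(1), [], []
        for line in (l.strip() for l in m.group(2).splitlines() if l.strip()):
            # "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." headers mark a password-protected key
            (headers if ":" in line and not b64 else b64).append(line)
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except binascii.Error:
            der = b""  # not valid base64; reported below as a bad body
        blocks.append((label, headers, der))
    return blocks

def lint_service_pem(text):
    """Check a key+certificate file before Apache or Courier loads it; return a list of problems."""
    blocks, problems = parse_pem(text), []
    labels = [label for label, _, _ in blocks]
    has_key = any(label in KEY_LABELS for label in labels)
    if not has_key:
        problems.append("no private key block: the server cannot load the key")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    for label, headers, der in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
            problems.append(f"{label} is password-protected: export the key without a password")
        if not der or der[0] != 0x30:  # keys and certificates are ASN.1 SEQUENCEs (tag 0x30)
            problems.append(f"{label} body is not a DER SEQUENCE (expect 'bad tag' errors)")
    if has_key and labels[0] not in KEY_LABELS:
        problems.append("private key should come first, then the certificate")
    return problems

# Constructed sample data: "MAMCAQE=" is base64 of bytes 30 03 02 01 01, a minimal ASN.1
# SEQUENCE standing in for real contents; it is NOT a usable key or certificate.
FAKE_DER = "MAMCAQE="
KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER}\n-----END RSA PRIVATE KEY-----\n"
CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 f"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n{FAKE_DER}\n-----END RSA PRIVATE KEY-----\n")
```

Run lint_service_pem on the contents of /etc/courier/imapd.pem (or on foo.key followed by foo.crt) before restarting the service; because these files hold an unencrypted private key, keep them readable by root only.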

Expired certificate

Certificates normally expire after some time. If that happens to you, just start TinyCA again, select the "Certificates"-tab, select the expired certificate and choose "Renew" from the context menu. This will overwrite the old certificate. Now you can export it (together with the key) as described in the Apache section above.
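To confirm that a service really presents your CA-signed certificate with the right Common Name (the Apache section) and to see how many days remain before the renewal described here becomes necessary, the following is an added example (not from this page or from TinyCA) using only Python's standard library. It assumes the exported CA certificate is saved as ca.pem and takes host and port (443 for Apache, 993 for Courier IMAP) on the command line; secure.example.com and ca.pem are placeholders.

```python
import socket
import ssl
import time

def days_until_expiry(not_after, now=None):
    """Days left before a certificate's notAfter (OpenSSL text form, e.g. 'Jan  5 09:34:43 2018 GMT')."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - (time.time() if now is None else now)) / 86400.0

def rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s subject/issuer tuples."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def check_service(host, port, cafile, warn_days=14):
    """TLS-connect to host:port, verify the chain against the exported TinyCA certificate in
    cafile, and report the CN, the issuer and the remaining lifetime."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only your own CA, not the system store
    ctx.check_hostname = True                         # the CN/SAN must match the name users type
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days = days_until_expiry(cert["notAfter"])
    return {
        "common_name": rdn_value(cert["subject"], "commonName"),
        "issuer": rdn_value(cert["issuer"], "commonName"),
        "days_left": round(days, 1),
        "renew_now": days < warn_days,  # renew in TinyCA and re-export before this reaches zero
    }

if __name__ == "__main__":
    import sys
    # usage: python check_service.py secure.example.com 443 ca.pem  (placeholder values)
    print(check_service(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A handshake failure (certificate verify failed or hostname mismatch) means the service is not presenting a certificate signed by the CA in ca.pem, or its Common Name differs from the name you connected to.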