Awhile back, I linked to an article that explains how to become your own certificate authority. It’s a good article and following the instructions yields the desired results. As to why I wanted to be my own certificate authority, I just felt it was a superior implementation to self-signed certificates. Once the upfront work was put in for generating the config file and the root certificate, the rest is a matter of a few commands.
Well, I was a bit naive about that last bit. I also have to at least pay attention to advances in cryptography, including whether current techniques are becoming unsecure. Turns out the MD5 hashing algorithm used to sign SSL certificates is now considered broken, more or less.
Unfortunately for me, MD5 is the hashing function the above linked resource defaults to when creating the certificates. Fortunately for me, I’m not exactly a high value target for hackers. That said, I knew my certificates were going to be expiring soon anyway, so I decided to make the necessary mods to improve my situation.
I decided to change the hashing algorithm to SHA256, something that’s seems to be considered secure for the next decade or so. In order to make that change, the openssl.cnf file that’s created needs a few modifications. It is sufficient to modify all of the md5 references in the file to sha256.
One gotcha that did trip me up, however, was that I created my new root certificate with a new, more descriptive name. So to with the corresponding private key file. This was all well and good, but I forgot to update the config file appropriately as well. In particular, under the CA_default section of the file, the certificate and private_key lines need to reflect the appropriate new file names.
As a result, I thought I had generated new signed certificates for my mail server with the updated root certificate. But when I updated the Wife’s iPad, I was getting an error that the certificates weren’t considered trustworthy. It took me awhile before I realized my mistake- I’d simply created new certificates that were signed with the old root certificates, so I hadn’t improved anything.
Now that I’ve straightened things out, things are playing nicely again and I can forget about this stuff until next year. When I’ll probably go through this all again.