How to become your own CA?

1) Get the packages Apache 1.3.27, mod_ssl-2.8.14-1.3.27, openssl-0.9.7a

2) Under my server setup, I created a directory : /var/www/src and moved all the tar.gz files in this directory. 

3) Then I ran gunzip to unzip the files and then tar -xvf <source.tar>

4) This created the following directories:
/var/www/src/apache_1.3.27
/var/www/src/mod_ssl-2.8.14-1.3.27
/var/www/src/openssl-0.9.7a

5) First make openssl using the commands:
$ ./config
$ make
$ make test
$ make install
This takes a long time and usually completes without errors, but you have to monitor the output. Best is to redirect stdout and stderr to a file and then search that file for the word "Error".

6) To change the configuration options (i.e., to integrate mod_ssl with Apache), run the following command (refer to the INSTALL file, which contains the details):
./configure --with-apache=../apache_1.3.27 \
--with-ssl=../openssl-0.9.x \
--prefix=../apache_1.3.27

7) This creates the configure scripts so that mod_ssl is integrated into Apache during the Apache make.

8) Now we have to make Apache using the commands:
$ cd apache_1.3.x 
$ make 
$ make certificate 
$ make install

9) Clean up to remove all source files (it's better to do this after all the work is over, as you may need to refer to the files and/or rebuild one or more of them for practice or to understand the details later on):
$ rm -rf mod_ssl-2.8.x-1.3.x
$ rm -rf apache_1.3.x 
$ rm -rf openssl-0.9.7a

10) We are through with building the Apache web server with mod_ssl. Next comes the creation of the certificates and signing them so that the installed certificates are valid. For this we will use the openssl package.

11) Go to the directory /usr/local/ssl/bin. This directory contains the "openssl" binary.

12) Run the following command to generate the key pair for your server:
./openssl req -new -nodes -keyout private.key -out public.csr
The data requested are the Company Name, Country, City, Section, Common Name and the Challenge Password.
This creates two files: private.key and public.csr, which are the private key and the Certificate Signing Request. The CSR file is to be given to the CA for signing with its Root CA certificate.

12a) The private key should be encrypted with des3 using the command:
./openssl rsa -in private.key -des3 -out secureprivate.key
This encrypts the private key with a passphrase of your choice.

14) How to become your own CA?
This is the important part of the whole exercise: the signing of the certificate is done by yourself rather than by a third party like Verisign or Thawte.

15) At this stage I got slightly confused, so I recreated the keys once again.

16) I first created the CA root keys using the following command, run from the directory /usr/local/ssl/misc/:
./CA.sh -newca

17) All CA-related material got created in the subdirectory demoCA.
It consists of the files:
cacert.pem - the CA certificate;
crl.pem - the current CRL;
index.txt - database index file;
serial - the current serial number;
and the subdirectories:
certs/ - location of the issued certificates (reserved);
crl/ - location of the issued CRL (reserved);
newcerts/ - contains copies of signed certificates;
private/ - contains the cakey.pem file with the RSA private key of this CA,
protected by a pass phrase. It is recommended to set restrictive
permissions on the whole private/ subdirectory.

18) The cacert.pem is actually the root CA certificate. 

19) Issuing the certificates: When the CA is asked to issue a certificate, it expects that the public key and some information about the entity are provided in the form of a Certificate Signing Request (CSR). If all required information is provided correctly it is possible
to sign the CSR with this CA and so create the certificate. The actual procedure for doing this is first to copy public.csr from /var/www/src/openssl-0.9.7a/public.csr to the directory /usr/local/ssl/misc/ as "newreq.pem".

20) The command used is ./CA.sh -sign. The output file, newcert.pem, is the file signed by the Root CA.
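A scriptable, non-interactive version of steps 12 to 20 (CA creation, server key and CSR, signing with the CA, key encryption), plus the checks worth running before the files go into httpd.conf in step 25. This is an added example, not the CA.sh script or the how-to's own commands: it assumes the openssl CLI is in PATH, signs with openssl x509 -req instead of the CA.sh database, uses AES rather than des3 for the key, and all paths, subject names and the KEYPASS variable are constructed for the demo.

```shell
#!/bin/sh
# Added example: simplified equivalent of CA.sh -newca / openssl req / CA.sh -sign.
# Assumes the openssl CLI is in PATH; paths and subjects are constructed
# for this demo, and the key passphrase is taken from $KEYPASS.
set -eu

make_private_ca() {                       # $1 = scratch directory
    dir="$1"
    mkdir -p "$dir/demoCA/private" && chmod 700 "$dir/demoCA/private"
    # Root CA key and self-signed certificate (cakey.pem / cacert.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/demoCA/private/cakey.pem" -out "$dir/demoCA/cacert.pem" \
        -subj "/C=XX/O=Demo Root CA/CN=Demo Root CA" 2>/dev/null
    # Server key pair and CSR (step 12), answered via -subj instead of prompts
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/private.key" -out "$dir/public.csr" \
        -subj "/C=XX/O=Demo/CN=your.server.com" 2>/dev/null
    # Sign the CSR with the root CA (step 20) -> newcert.pem
    openssl x509 -req -in "$dir/public.csr" -CA "$dir/demoCA/cacert.pem" \
        -CAkey "$dir/demoCA/private/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/newcert.pem" 2>/dev/null
    # Encrypt the server key (step 12a); the how-to uses -des3, AES-256 is
    # the stronger choice today. Passphrase comes from the environment.
    openssl rsa -in "$dir/private.key" -aes256 \
        -passout "pass:${KEYPASS:-changeit}" -out "$dir/secureprivate.key" 2>/dev/null
    chmod 400 "$dir/secureprivate.key"
}

# Checks worth running before wiring the files into httpd.conf (step 25).
verify_chain() {          # does the CA we made actually validate the cert?
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/newcert.pem" >/dev/null 2>&1
}
key_matches_cert() {      # SSLCertificateFile and SSLCertificateKeyFile must pair up
    [ "$(openssl x509 -noout -modulus -in "$1/newcert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$1/private.key")" ]
}
key_is_encrypted() {      # the key copied to the server must be the encrypted one
    grep -q ENCRYPTED "$1/secureprivate.key"
}

# Stand-alone run (CA_DEMO=1 sh ca_demo.sh): build a CA in a temp dir and check it.
if [ "${CA_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_private_ca "$d"
    verify_chain "$d" && key_matches_cert "$d" && key_is_encrypted "$d" \
        && echo "OK: chain verifies, key matches cert, key encrypted in $d"
fi
```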

21) Additional information, which may not be of much use at this stage:
a) To revoke a certificate run "./CA.sh -revoke <number>", where <number> is the certificate serial number listed in the database index file (index.txt). To generate a CRL run "./CA.sh -gencrl", which will place it into the crl.pem file.
b) Renewal of a CA certificate: ./CA.sh -renewca. This replaces the existing cacert.pem file with a new one, which may be included in the trusted CA lists instead of the old version of this CA's certificate.

22) Now comes the stage where you have to identify the various files that have been generated and that should be used for the certification of the web site. Till now we have generated quite a few files in various places, out of which we need exactly three files to be put in their proper places on the server, with references to them in the httpd.conf file, so that the certification is valid.

23) Let us first see which files we have created:
i) Encrypted private key: secureprivate.key. Set its permissions to 400 (chmod 400) and copy it to the directory /var/www/src/apache_1.3.27/conf/ssl.crt/ (as secureprivate.key).

ii) The Root CA certificate: /usr/local/ssl/misc/demoCA/cacert.pem. This again has to be copied to the directory:
/var/www/src/apache_1.3.27/conf/ssl.crt/ (as cacert.crt)

iii) The file newcert.pem generated in Step 20. This is actually the public.csr generated earlier, signed by the key of the Root CA.
This again has to be copied to the directory:
/var/www/src/apache_1.3.27/conf/ssl.crt/ (as serversigned.crt).

24) Next are the necessary changes to be incorporated in httpd.conf.
Check that the following lines are present:
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
If they are not present, something must have gone wrong at Apache compile time.

25) Inside the following directive: <VirtualHost _default_:443> add the lines:
SSLCertificateFile /var/www/src/apache_1.3.27/conf/ssl.crt/serversigned.crt 
SSLCertificateKeyFile /var/www/src/apache_1.3.27/conf/ssl.crt/secureprivate.key
SSLCACertificateFile /var/www/src/apache_1.3.27/conf/ssl.crt/cacert.crt

26) Go to /var/www/src/bin and run ./apachectl startssl

27) This should start the web server after verification of the PEM pass phrase which you were asked to create for secureprivate.key.

28) Now point the browser to the web site and Bingo!! you have done it. (http://your.server.com:/)

29) Now put the following in the browser address bar: https://your.server.com:/ This should display a popup saying that the certificate is valid but the Root CA is not in your list of trusted CAs.

30) Click OK and then click on the padlock at the bottom of the browser window. This gives you the details of the security. At this stage just install the certificate in your browser's certificate store and you have a site in place.

Highly grateful to the following sites for inputs:
i)  http://www.sis.uncc.edu/~billchu/classes/spring01/itis5166/https.rtf -- For compilation and integration of Apache, OpenSSL and mod_ssl
ii) Verisign Site for getting the details on creation of public.csr and private key.
iii) http://bsdftpd-ssl.sc.ru/doc/all/cert-howto.txt -- For becoming CA. Really great site. Helped a lot with simplistic approach without high funda stuff. 
iv) http://www.itsecurity.com/asktecs/may2301.htm for an in-depth analysis of the CA concept. Very compact writing by some really knowledgeable people. But you have to read this a few times to really understand who is what.
v) http://pintday.org/hack/crypto/ca.shtml -- For some more reading and explanations on OpenSSL and CA. Nice reading!!
vi) http://info.hkntec.net/workshop/2002/wk1/day5.html -- For creating a hell of a lot of confusion. Do not read this page unless you have a solid understanding of the whole concept. 
vii) Google for always giving me a page for whatever I searched for.