MyCA — DIY HTTPS Certificates
HTTPS is good for the web, but it means you need a certificate. You can get one from a commercial CA, but maybe that's too hard for your small project. So let's make our own certificates!
This page provides a simple set of tools to make certificates for web servers. You can make your own trusted root certificate, then use it to issue certificates for servers. Then all you need to do is configure your browser and servers with those certificates, and you're part of the secure web.
- FAQ
- I need to make a root certificate
- I have a root and I want to issue a server certificate
- What do I do with these certificates?
FAQ
Q. Who should use this?
A. The certificates you can make here require the user to agree to use them before they're considered secure. So they are best for sites with a small number of users, rather than a site that you intend to be visible to the whole world. If you're experimenting with a new idea with a few friends, MyCA certificates should work fine. If you want to set up something bigger, you should probably get a certificate from a CA that the browsers will trust without requiring the user's consent. (There are several free options, and even more for a fee.)
Q. Am I exposing my private keys by using this site to make my certificates?
A. Through the magic of JavaScript, everything MyCA does is done on your computer, in your browser. MyCA never sees your private information, and will not be able to impersonate your CA or your servers. Plus, this whole thing is open source, so you can check that we're not lying.
Act I: Make a root certificate
- Name this root:
- Download the key and certificate
Quick check
openssl x509 -in root.cert.pem -text
openssl verify -CAfile root.cert.pem root.cert.pem
Act II: Make server certificate(s)
- You need to have a root certificate before you do this step.
- Load your root:
- Select key file:
- Select certificate file:
- Enter names (whitespace-separated):
- Download the key and certificate
Quick check
openssl x509 -in server.cert.pem -text
openssl verify -CAfile root.cert.pem server.cert.pem
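The following script is an added example, not MyCA's own code: it reproduces Acts I and II with the openssl command line so you can see what the browser tool produces and check each property yourself (the root is a CA, the server certificate is not, it chains to the root, and it carries every entered name in subjectAltName, which is what browsers match against). It assumes `openssl` 1.1.0 or newer is on PATH (needed for `-verify_hostname`); the P-256 keys, the validity periods and the name `example.test` are my own choices, while the file names are the ones the quick checks above use.

```shell
#!/bin/sh
# Added example (not MyCA's code): openssl equivalent of Act I and Act II.
# Assumes `openssl` >= 1.1.0 on PATH. Output file names match MyCA's quick checks.
set -e

# All files land in one directory; set WORKDIR=/some/path to keep them.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Act I: root key plus a self-signed root certificate flagged as a CA.
# $1 is the name for the root (MyCA's "Name this root" field).
make_root() {
    cat > "$WORKDIR/root.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $1
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/root.key.pem"
    openssl req -x509 -new -key "$WORKDIR/root.key.pem" -sha256 -days 3650 \
        -config "$WORKDIR/root.cnf" -extensions v3_ca \
        -out "$WORKDIR/root.cert.pem"
}

# Act II: server key, a CSR, and a certificate signed by the root.
# $1 is the whitespace-separated list of host names (MyCA's "Enter names"
# field); every name goes into subjectAltName, the first one also becomes CN.
make_server() {
    set -- $1                       # split the list into $1 $2 ...
    first=$1
    san=""
    for n in "$@"; do san="${san}DNS:${n},"; done
    san=${san%,}                    # drop the trailing comma
    cat > "$WORKDIR/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $first
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
authorityKeyIdentifier = keyid,issuer
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/server.key.pem"
    openssl req -new -key "$WORKDIR/server.key.pem" -sha256 \
        -config "$WORKDIR/server.cnf" -out "$WORKDIR/server.csr.pem"
    openssl x509 -req -in "$WORKDIR/server.csr.pem" -sha256 -days 825 \
        -CA "$WORKDIR/root.cert.pem" -CAkey "$WORKDIR/root.key.pem" -CAcreateserial \
        -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$WORKDIR/server.cert.pem"
}

# Does the server certificate chain to the root? (MyCA's Act II quick check.)
verify_chain() {
    openssl verify -CAfile "$WORKDIR/root.cert.pem" \
        "$WORKDIR/server.cert.pem" >/dev/null 2>&1
}

# Would a client connecting to host $1 accept the server certificate? This is
# what a browser checks: a chain to a trusted root AND the name in subjectAltName.
accepts_name() {
    openssl verify -CAfile "$WORKDIR/root.cert.pem" -verify_hostname "$1" \
        "$WORKDIR/server.cert.pem" >/dev/null 2>&1
}

# Is the certificate in file $1 flagged as a CA (basicConstraints CA:TRUE)?
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Demo run: the same flow MyCA walks you through, with constructed names.
make_root "MyCA demo root"
make_server "example.test www.example.test"
verify_chain && echo "server.cert.pem chains to root.cert.pem"
accepts_name www.example.test && echo "www.example.test is accepted"
accepts_name other.test || echo "other.test is rejected (not in the names list)"
echo "certificates written to $WORKDIR"
```

Run it as `WORKDIR=./myca sh myca.sh` to keep the files; a name that was not entered in Act II is rejected even though the certificate is otherwise valid, which is the check to repeat whenever you add a host name to a server.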
Act III: Install the certificates
You should have the following things now: a root key, a root certificate, a server key and a server certificate. Each of these needs to be used a little differently.
- Root key (root.key.pem): This one is easy. Just save this somewhere safe in case you want to make more server certificates later. Anyone who holds this key can issue certificates that every browser trusting your root will accept, so it should not live on the servers it signs for.
- Root certificate (root.cert.pem): This certificate will need to be installed as a trusted authority in every browser that you want to be able to connect to your sites. How to do that will depend on the browser:
- Internet Explorer: Follow the instructions from Microsoft
- Safari: Follow the instructions from Apple
- Firefox: Import the certificate using Settings / Advanced / Certificates / View Certificates / Import...
- Chrome: On Windows and MacOS, follow the instructions for IE or Safari above. On Linux, you'll need to follow Google's instructions
- Server key (server.key.pem) and server certificate (server.cert.pem): How you install the server key and certificate is going to depend on your server setup, or your hosting provider if you're not running your own server. If you're running your own server, the Mozilla config generator can help you get set up. If you're in a hosted environment, please see your hosting provider's documentation.
Quick check
openssl s_server -accept 8080 -www \
    -key server.key.pem -cert server.cert.pem
openssl s_client -connect localhost:8080 -CAfile root.cert.pem \
    2>/dev/null </dev/null \
    | grep "Verify return code"
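As an added example of the "install on your own server" step, not something the page or MyCA provides, here is a minimal nginx server block using the two server files from Act II. The directory /etc/ssl/myca/ and the host names are assumptions; the only requirement is that server_name lists names you entered in Act II, since a browser rejects any name missing from the certificate.

```nginx
server {
    listen 443 ssl;
    # must be names entered in Act II (they are in the certificate's subjectAltName)
    server_name example.test www.example.test;

    # files downloaded in Act II; the key should be readable by root only
    ssl_certificate     /etc/ssl/myca/server.cert.pem;
    ssl_certificate_key /etc/ssl/myca/server.key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
}
```

The root certificate is not referenced here: it belongs in the browsers (see the list above), and a server that ships its own root would not make the connection any more trustworthy. After reloading nginx, the s_client quick check above, pointed at port 443, should report `Verify return code: 0 (ok)`.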