Generating Keys
Socket Firewall running in proxy service mode requires a Certificate Authority (CA) to sign certificates for intercepted HTTPS connections. This guide explains how to generate the required CA certificate and private key using OpenSSL.
You'll need OpenSSL installed on your system. Most Linux distributions and macOS include it by default. Windows users can install it via Git for Windows or download it from slproweb.com.
Verify OpenSSL is installed:
openssl version
Socket Firewall needs two files in PEM format:
- CA Certificate (ca.crt) - The public certificate that clients will trust
- CA Private Key (ca.key) - The private key used to sign certificates
Create a 4096-bit RSA private key:
openssl genrsa -out ca.key 4096
This creates ca.key in your current directory. Keep this file secure: anyone with access to it can impersonate your proxy, and therefore any HTTPS site, to every client that trusts the certificate.
Create a self-signed certificate valid for 1 year:
openssl req -new -x509 -key ca.key -out ca.crt -days 365 \
-subj "/CN=Socket Security CA/O=Socket Security" \
-extensions v3_ca \
-config <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
EOF
)
This creates ca.crt in your current directory. Change the subject so that it names your organization rather than Socket Security; this subject becomes the issuer of every certificate the proxy generates, so it is what users see when they inspect an intercepted connection. You can also change the validity period from 365 days to a value of your choosing. Note that the <( ... ) process substitution is bash and zsh syntax; under a plain POSIX sh, save the configuration to a file and pass that file with -config instead.
What this command does:
- -new -x509: Creates a new self-signed certificate
- -key ca.key: Uses the private key you just generated
- -out ca.crt: Saves the certificate to this file
- -days 365: Certificate is valid for 1 year
- -subj: Sets the certificate subject (Common Name and Organization)
- -extensions v3_ca: Applies the CA-specific extensions from the [v3_ca] section
- basicConstraints = critical,CA:TRUE: Marks this as a CA certificate; clients reject certificates issued by a CA that lacks this
- keyUsage = critical,keyCertSign: Allows the certificate to sign other certificates
- subjectKeyIdentifier = hash: Adds an identifier derived from the public key, which certificates issued by this CA reference to identify their issuer
Check that your certificate was created correctly:
openssl x509 -in ca.crt -text -noout
You should see output similar to:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: ...
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Socket Security CA, O=Socket Security
Validity
Not Before: ...
Not After : ...
Subject: ...
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign
X509v3 Subject Key Identifier:
...
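The steps above as one script, with the checks a practitioner would run before handing the files to the proxy. This is an added example, not code from the Socket Firewall docs or the sfw project: it generates the CA with the same extensions as the page, confirms that ca.crt is a signing-capable CA certificate that matches ca.key and that the key is owner-readable only, then issues one CA-signed leaf certificate by hand (the operation the proxy performs per intercepted host) and verifies it the way a client that trusts ca.crt would. The output directory, the subject and the hostname registry.example are assumptions for the demo; the configuration is written to a file so the script also runs under a plain POSIX sh.

```shell
#!/bin/sh
# Added example (not part of the Socket Firewall docs or the sfw project).
# Paths under the output directory, the subject and registry.example are
# assumptions made for this demo.
set -eu

# gen_ca DIR SUBJECT DAYS : writes DIR/ca.key (mode 0600) and DIR/ca.crt.
gen_ca() {
  dir=$1; subj=$2; days=$3
  mkdir -p "$dir"
  # Same extensions as the page, written to a file instead of a bash-only
  # <(...) process substitution so this also works under plain sh.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
EOF
  # umask 077 in a subshell: the key is 0600 from the moment it is created,
  # with no window in which it is world-readable before a later chmod.
  (umask 077 && openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null)
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -days "$days" -subj "$subj" -config "$dir/ca.cnf" -extensions v3_ca
}

# check_ca DIR : returns 0 only if ca.crt is a CA cert allowed to sign, its
# public key is the one derived from ca.key, and ca.key is mode 0600.
check_ca() {
  dir=$1
  txt=$(openssl x509 -in "$dir/ca.crt" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE'          || { echo "not a CA" >&2; return 1; }
  echo "$txt" | grep -q 'Certificate Sign' || { echo "no keyCertSign" >&2; return 1; }
  from_key=$(openssl pkey -in "$dir/ca.key" -pubout)
  from_crt=$(openssl x509 -in "$dir/ca.crt" -noout -pubkey)
  [ "$from_key" = "$from_crt" ] || { echo "key/cert mismatch" >&2; return 1; }
  [ "$(ls -l "$dir/ca.key" | cut -c1-10)" = "-rw-------" ] \
    || { echo "ca.key is not mode 0600" >&2; return 1; }
}

# issue_leaf DIR HOST : the per-host operation the proxy performs, done by hand:
# a 2048-bit key, a CSR, and a 30-day certificate with a SAN for HOST signed by the CA.
issue_leaf() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
    -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# verify_leaf DIR CERTHOST EXPECTEDHOST : the client-side check, i.e. chain to
# ca.crt plus hostname match; non-zero if either fails.
verify_leaf() {
  dir=$1; certhost=$2; expected=$3
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$expected" \
    "$dir/$certhost.crt" >/dev/null 2>&1
}

main() {
  out=${SFW_CA_DIR:-$(mktemp -d)}
  gen_ca "$out" "/CN=Example Corp Proxy CA/O=Example Corp" 365
  check_ca "$out"
  echo "CA ok: $out/ca.crt and $out/ca.key"
  issue_leaf "$out" registry.example
  verify_leaf "$out" registry.example registry.example \
    && echo "leaf for registry.example accepted by a client trusting ca.crt"
  verify_leaf "$out" registry.example other.example \
    || echo "same leaf rejected for other.example (hostname mismatch)"
}
main
```

Run it as sh gen-ca.sh (or with SFW_CA_DIR set to choose the output directory); the resulting ca.crt and ca.key are the two files the SFW_CA_CERT_PATH and SFW_CA_KEY_PATH settings expect. The hostname-mismatch check at the end shows why the proxy must mint a certificate per intercepted host rather than reuse one.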
Once you've generated ca.crt and ca.key, you can use them with Socket Firewall in service mode:
export SFW_CA_CERT_PATH=/path/to/ca.crt
export SFW_CA_KEY_PATH=/path/to/ca.key
sfw --service
See Service Setup for complete configuration instructions.
After generating the CA certificate, you need to install it on any system that will connect to Socket Firewall. This allows clients to trust the certificates signed by your CA.
See Client Setup for detailed installation instructions for different operating systems.
- Keep ca.key secure: Store it with restricted permissions (chmod 600 ca.key on Unix systems), or run openssl genrsa under umask 077 so the file is never world-readable in the first place.
- Don't commit to version control: Add *.key to your .gitignore.
- Rotate regularly: Generate new keys periodically (e.g., annually). Clients only trust the new CA once the new ca.crt has been installed on them, so roll out the certificate before switching the proxy to the new key.
- Backup safely: Store backups in a secure location with encryption.
- Limit distribution: Only install the CA certificate on systems that need to use the proxy.