OpenSSL
Generate a certificate using our own CA
1) Install openssl. On Debian,
apt-get install openssl
2) Find your openssl.cnf file. This file holds the default values for OpenSSL certificate generation. Here are a few locations for various distributions:
Debian: /etc/ssl/openssl.cnf
RedHat 7.x+: /usr/share/ssl/openssl.cnf
Open this file in your favorite editor. We will need to change the following options:
'default_days': This is the length of time, in days, that your certificates will be valid for, and defaults to 365 days, or 1 year. I recommend setting this to '3650', as that will give you 10 years of validity on your certificates. Since this is for internal use, I am ok with the security ramifications of having a certificate valid for a long time - if you lose it or whatnot, you can revoke it without a problem.
'[ req_distinguished_name ]' section: You don't really *need* to change the options below req_distinguished_name; they just set the default options (such as location, company name, etc) for certificate generation. I find it's easier to set them here than re-type them for every certificate.
3) Create a directory to house your CA. I generally use something like /var/myca; you can really use whatever you want. Change the permissions of the directory to 700, so that nobody other than its owner can read the private keys it will contain.
mkdir /var/myca
chmod 700 /var/myca
Generate your own CA
4) Find the command 'CA.sh' (some distributions rename it to just 'CA'; don't ask me why.) Locations on various distributions:
Debian: /usr/lib/ssl/misc/CA.sh
RedHat 7.x+: /usr/share/ssl/misc/CA
Edit this file, and change the line that says 'DAYS="-days 365"' to a much higher number (this sets how long the certificate authority's certificate is valid). Be sure that this number is higher than the default_days value you set in openssl.cnf above, or else Windows may not accept your certificates. Note that if this number is too high, it can cause problems; I generally set it for 15-20 years.
5) Run the command 'CA.sh -newca'. Follow the prompts, as below. Example input is shown after each prompt and ends with '(enter)'; my comments are the lines starting with '#'. Be sure not to use any non-alphanumeric characters, such as dashes, commas, plus signs, etc. These characters may make things more difficult for you.
nate@example:/var/myca$ /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
(enter)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.............................................................................+++
........................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:(enter password)
# This is the password you will need to create any other certificates.
Verifying password - Enter PEM pass phrase:(repeat password)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US(enter)
# Enter your country code here
State or Province Name (full name) [Some-State]:State(enter)
# Enter your state/province here
Locality Name (eg, city) []:City(enter)
# Enter your city here
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ExampleCo(enter)
# Enter your company name here (or leave blank)
Organizational Unit Name (eg, section) []:(enter)
# OU, if you like. I usually leave it blank.
Common Name (eg, YOUR name) []:CA(enter)
# The name of your Certificate Authority
Email Address []:ca@example.com(enter)
# E-Mail Address
Let's also generate a crl file, which you'll need on your gateway boxes:
nate@example:/var/myca$ openssl ca -gencrl -out crl.pem
You'll need to update this CRL file any time you revoke a certificate.
That's it, you now have your own certificate authority that you can use to generate certificates.
Generate a Certificate
You will need to generate a certificate for every machine that will make an IPsec or VPN connection, and for any other service that needs one.
We'll be using openssl directly for this step:
nate@example:/var/myca$ openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..............++++++
..........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Austin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Org
Organizational Unit Name (eg, section) []:Example Org Unit
Common Name (eg, YOUR name) []:myserver.com
Email Address []:ldap@myserver.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <pass>
An optional company name []:.
Signing the certificate request with our CA
What we just did is generate a Certificate Request - this is the same type of request that you would send to Thawte or Verisign to get a generally-accepted SSL certificate. For our uses, however, we'll sign it with our own CA:
nate@example:/var/myca$ /usr/lib/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 29 22:10:15 2009 GMT
            Not After : Apr 27 22:10:15 2019 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = openldap.etnsvoice.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BE:0C:DF:30:2B:15:37:BE:F9:3C:4D:08:E6:C1:A2:BB:58:BF:FB:BA
            X509v3 Authority Key Identifier:
                keyid:9D:FB:17:35:83:10:47:2A:2F:28:B5:E4:F1:7D:3D:1C:A8:7C:FF:2A

Certificate is to be certified until Apr 27 22:10:15 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=asdf.asdf.es
        Validity
            Not Before: Apr 29 22:10:15 2009 GMT
            Not After : Apr 27 22:10:15 2019 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=openldap.etnsvoice.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bc:2e:f0:e9:f9:58:7a:a8:d2:43:c3:8b:db:76:
                    e9:d9:ea:56:bf:5b:4b:4a:0c:6a:37:a4:39:a8:2a:
                    ae:90:b4:3f:1b:1e:da:51:a7:a2:fb:4e:e8:59:1e:
                    f1:7d:f2:f6:88:f7:d0:f2:3f:21:9e:45:6f:15:be:
                    69:2a:0d:80:7c:2b:63:28:e3:3f:37:6a:a1:6f:4f:
                    87:e5:84:6d:95:d6:cc:40:9c:0e:3c:42:0d:ba:43:
                    e5:8f:9c:da:49:0d:6c:1f:cc:b7:33:75:74:6d:00:
                    d3:c5:2d:77:9f:d3:e3:2b:f5:49:c1:40:18:ed:88:
                    ef:a2:a9:c0:80:72:29:56:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BE:0C:DF:30:2B:15:37:BE:F9:3C:4D:08:E6:C1:A2:BB:58:BF:FB:BA
            X509v3 Authority Key Identifier:
                keyid:9D:FB:17:35:83:10:47:2A:2F:28:B5:E4:F1:7D:3D:1C:A8:7C:FF:2A

    Signature Algorithm: sha1WithRSAEncryption
        08:ce:1b:2e:bf:07:99:15:2f:bd:be:e6:7d:bd:95:33:0c:ef:
        ac:aa:36:89:27:a4:cc:6a:5e:e8:e6:f1:a4:f0:97:f1:6a:c0:
        ca:42:13:94:a5:69:62:6a:e1:13:e5:89:13:88:f9:e0:d6:76:
        54:e2:97:d4:fc:b5:2f:17:d4:23:88:cd:76:b6:71:8f:20:ec:
        ca:ff:6c:e3:2b:87:bb:1e:ed:c9:47:df:bf:de:fc:e6:da:ec:
        04:d6:7b:a7:0a:9f:1e:4a:cf:5c:87:d2:98:be:33:f8:39:49:
        01:e3:a4:62:e1:00:ab:fd:f0:66:be:d5:18:d2:13:8d:f5:37:
        72:3b
-----BEGIN CERTIFICATE-----
MIICszCCAhygAwIBAgIBATANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJBVTET
MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMRUwEwYDVQQDEwxhc2RmLmFzZGYuZXMwHhcNMDkwNDI5MjIxMDE1WhcN
MTkwNDI3MjIxMDE1WjBmMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0
ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMR8wHQYDVQQDExZv
cGVubGRhcC5ldG5zdm9pY2UubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQC8LvDp+Vh6qNJDw4vbdunZ6la/W0tKDGo3pDmoKq6QtD8bHtpRp6L7TuhZHvF9
8vaI99DyPyGeRW8VvmkqDYB8K2Mo4z83aqFvT4flhG2V1sxAnA48Qg26Q+WPnNpJ
DWwfzLczdXRtANPFLXef0+Mr9UnBQBjtiO+iqcCAcilW9wIDAQABo3sweTAJBgNV
HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp
Y2F0ZTAdBgNVHQ4EFgQUvgzfMCsVN775PE0I5sGiu1i/+7owHwYDVR0jBBgwFoAU
nfsXNYMQRyovKLXk8X09HKh8/yowDQYJKoZIhvcNAQEFBQADgYEACM4bLr8HmRUv
vb7mfb2VMwzvrKo2iSekzGpe6ObxpPCX8WrAykITlKVpYmrhE+WJE4j54NZ2VOKX
1Py1LxfUI4jNdrZxjyDsyv9s4yuHux7tyUffv9785trsBNZ7pwqfHkrPXIfSmL4z
+DlJAeOkYuEAq/3wZr7VGNITjfU3cjs=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Copy the files wherever you need them
Next, move the output files to names that make a bit more sense for future reference.
Signed certificate:
nate@example:/var/myca$ mv newcert.pem /etc/ldap/ssl/servercrt.pem
Private key (newreq.pem also contains the request, since -keyout and -out pointed at the same file):
nate@example:/var/myca$ mv newreq.pem /etc/ldap/ssl/serverkey.pem
CA certificate:
nate@example:/var/myca$ cp demoCA/cacert.pem /etc/ldap/ssl/cacert.pem
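The whole procedure above (CA key and certificate, a key and request per machine, signing, and a verification step) as an added non-interactive shell example; this is not the page's CA.sh session and not part of OpenSSL. It uses openssl req -x509 and openssl x509 -req instead of CA.sh's demoCA database, so the CRL step above still needs openssl ca; the directory names, subject fields, 2048-bit keys and the separate key/request files are this example's own choices.

```shell
#!/bin/sh
# Added example (not the page's own session): the CA + certificate procedure
# above done non-interactively so it can be repeated for every machine.
set -eu

# make_ca DIR: write a minimal openssl.cnf (standing in for the edited
# /etc/ssl/openssl.cnf from step 2), then create the CA key and self-signed
# certificate in DIR (mode 700, step 3). 7300 days keeps the CA valid longer
# than anything it signs, the requirement from step 4.
make_ca() {
    mkdir -p "$1" && chmod 700 "$1"
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C  = US
O  = ExampleCo
CN = Example Internal CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 7300 \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue_cert DIR NAME: key and request for NAME (separate files, unlike the
# page's single newreq.pem), signed by the CA in DIR for 3650 days, the
# default_days value the page recommends.
issue_cert() {
    openssl req -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/C=US/O=ExampleCo/CN=$2" \
        -keyout "$1/$2.key.pem" -out "$1/$2.req.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/$2.req.pem" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -out "$1/$2.crt.pem" 2>/dev/null
}

# verify_cert DIR NAME: OK when NAME's certificate chains to the CA in DIR,
# FAIL otherwise (for instance a certificate issued by some other CA).
verify_cert() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}
```

Call make_ca once for the CA directory, then issue_cert once per machine and verify_cert to confirm the new certificate chains to your CA before copying the files into place.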
Checking if a certificate is correctly installed
The openssl command lets you follow the certificate chain. Sometimes we also need to install the intermediate certificates on our web services so that clients receive a chain they can verify. In the output below, every certificate in the chain appears in a depth= line, and a final 'Verify return code: 0 (ok)' means the chain verified against the CAs in -CApath; a non-zero code there usually means a certificate is missing either from what the server sends or from -CApath.
To be able to check this, we need to run the command:
openssl s_client -CApath /etc/ssl/certs -connect www.rediris.es:443
gerard@saigon:~$ openssl s_client -CApath /etc/ssl/certs -connect www.rediris.es:443
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=NL/O=TERENA/CN=TERENA SSL CA
verify return:1
depth=0 /C=ES/O=RedIRIS/CN=www.rediris.es
verify return:1
---
Certificate chain
 0 s:/C=ES/O=RedIRIS/CN=www.rediris.es
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFfzCCBGegAwIBAgIQW2cmQuEOFerVxs4zt6QIqjANBgkqhkiG9w0BAQUFADA2
MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRYwFAYDVQQDEw1URVJFTkEg
U1NMIENBMB4XDTExMDUxMzAwMDAwMFoXDTE0MDUxMjIzNTk1OVowODELMAkGA1UE
BhMCRVMxEDAOBgNVBAoTB1JlZElSSVMxFzAVBgNVBAMTDnd3dy5yZWRpcmlzLmVz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtYN2O/5VBcNQRPKkCBxA
amW54jjpqfEvUoypsLI8I/mIPBgfHfkCEuOOflAnhjBJ3wm33DYowrfcHKVrNskZ
B+Wki8d1v20GuA/dPZSeqCJCJ8n+oeIWUGlW5fVmwMBHSsYTC9bEBSHqJMhEeRdM
cZ++/x+jW2Ch5m/bxD1oP1FsE8MxMLT4wCT4A6w4X33h65YvCd/kWhbqk372FWU5
uRrvpDqan1+Sb0cV8dCH+BZLceEh01TGA1TJUKjQD51YlxRTkm03KnvN+PwuWyRG
OKR3jNdT8ypQR4O6gKlfinqcP6NBLSeZ5gf8PKZ3X1d4K+oPKpoGi/xb3y37nJ0r
ZQIDAQABo4IChTCCAoEwHwYDVR0jBBgwFoAUDL2TaAzz3qujSWsrN1dH6pDjue0w
HQYDVR0OBBYEFKYKctz1dy40sZXqcFlVUKUmEzpnMA4GA1UdDwEB/wQEAwIFoDAM
BgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAYBgNV
HSAEETAPMA0GCysGAQQBsjEBAgIdMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9j
cmwudGNzLnRlcmVuYS5vcmcvVEVSRU5BU1NMQ0EuY3JsMG0GCCsGAQUFBwEBBGEw
XzA1BggrBgEFBQcwAoYpaHR0cDovL2NydC50Y3MudGVyZW5hLm9yZy9URVJFTkFT
U0xDQS5jcnQwJgYIKwYBBQUHMAGGGmh0dHA6Ly9vY3NwLnRjcy50ZXJlbmEub3Jn
MIIBOwYDVR0RBIIBMjCCAS6CDnd3dy5yZWRpcmlzLmVzghNjbXdlYmJlci5yZWRp
cmlzLmVzgg1ldS5yZWRpcmlzLmVzghNpbnRyYW5ldC5yZWRpcmlzLmVzgg1qby5y
ZWRpcmlzLmVzgg1uaS5yZWRpcmlzLmVzgg9wYXBpLnJlZGlyaXMuZXOCDnBrLmly
aXNncmlkLmVzgg9wa2kuaXJpc2dyaWQuZXOCDnNjcy5yZWRpcmlzLmVzgg5zaXIu
cmVkaXJpcy5lc4IQc3RhdHMucmVkaXJpcy5lc4IPd2lraS5yZWRpcmlzLmVzgg53
d3cuZWR1cm9hbS5lc4IPd3d3LmlyaXNncmlkLmVzgg93d3cucmVkaXJpcy5jb22C
D3d3dy5yZWRpcmlzLm5ldIINeW8ucmVkaXJpcy5lczANBgkqhkiG9w0BAQUFAAOC
AQEApdwEKvQu4TnwJlEMjQvBZb03bKk400592U4QZIIfw51S/ZHgqf1pwCHXuVCd
Vj6VfJBIW/NohcfqlgiCxpEKUl11gepK72rkaATUNknkXMApZdMefoEE8xna/rNf
JWPx5gDj7v9xxzbv6ACAFBK72V3vyjg01yHoqgsWX7aj51plEOqR/UI8Icz2QaTP
D0ebKapFPbpE6zsOSBpOE8vKyTicos7Co/72PPapSl+zVcPBO080zqj//y3kBK7q
syrviWjZDmrJrWFzSS9fKbOlLo3G98j+Wo9qtuC/CCwZpZsyKPDb6Zb5oGyiW71G
jXzsDDqyd4ld7XqwFssS52CMZg==
-----END CERTIFICATE-----
subject=/C=ES/O=RedIRIS/CN=www.rediris.es
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3831 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 4007369CD90F2A4A20BE40697EC03662435B5EF816E005F2872CC03E16658016
    Session-ID-ctx:
    Master-Key: 642271C6E76C9D6483A80F7A4F751880D256DB42F63A1494B105D0852B2BD7F16E24684BB5872C83EC62AA0C6A5C103E
    Key-Arg   : None
    Start Time: 1319539520
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
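The same check done without reading the output by eye, as an added example that is not from the page: a small sh/awk function that parses saved s_client output in the format above and reports whether the chain verified and, if not, which issuer the server failed to send. The two sample outputs are constructed from the names in the session above, not captured from www.rediris.es; pipe real output in with something like openssl s_client -CApath /etc/ssl/certs -connect host:443 </dev/null 2>&1 | chain_report.

```shell
#!/bin/sh
# Added example (not from the page): parse saved `openssl s_client` output and
# report whether the certificate chain verified.

# chain_report: stdin is s_client output in the format shown above. Prints
# "ok" when the final "Verify return code" is 0; otherwise the code plus the
# first issuer name that is neither the next certificate the server sent nor,
# for the last one, a CA found under -CApath. That name is the intermediate
# certificate the web server is failing to serve.
chain_report() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0 }
        /^ *Verify return code:/ { code = $4 }
        END {
            if (code == "") { print "no verify result"; exit }
            if (code == 0)  { print "ok"; exit }
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k+1]) {
                    print "verify code " code ": issuer not found: " iss[k]; exit
                }
            print "verify code " code ": issuer not found: " iss[n]
        }'
}

# Constructed sample 1: the server sends leaf + intermediate, chain verifies.
FULL_CHAIN='---
Certificate chain
 0 s:/C=ES/O=RedIRIS/CN=www.rediris.es
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
---
    Verify return code: 0 (ok)'

# Constructed sample 2: the same server sending only its own certificate.
LEAF_ONLY='depth=0 /C=ES/O=RedIRIS/CN=www.rediris.es
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/C=ES/O=RedIRIS/CN=www.rediris.es
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
---
    Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$FULL_CHAIN" | chain_report   # ok
printf '%s\n' "$LEAF_ONLY"  | chain_report   # verify code 21: issuer not found: /C=NL/O=TERENA/CN=TERENA SSL CA
```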