GG3.NET


The Short Introduction to SSL Certificates

Why do we need SSL?

If you have to ask this question, then you probably do not need SSL at all. SSL is a technology that allows for authenticated and/or encrypted communication. However, I am not going to explain in detail what SSL is. If this is the question whose answer you're seeking, then you had better try a search on Google. This HOWTO aims to guide you through the basic steps of creating your own SSL certificates for your own servers. This means that I am assuming that you know enough about *nix-like operating systems, and that you also have an idea of what SSL certificates are used for.

Prepare the tools

For the purpose of this HOWTO, I will guide you through the creation of SSL certificates using the tools from the OpenSSL project. If you do not have a binary package for your system, fetch the latest sources and compile away.

Create the certificate

The process of creating an SSL certificate usually goes like this:

  1. Create a private key
  2. Create a certificate request
  3. Send the certificate request to your CA
  4. Receive the certificate from your CA

Now, we'll cover each step on the way.

Create the private key

First we need to generate your key. It is also possible to generate it on the fly in the next step, but if you create it separately you have better control over the type of key you'll be creating.

The command that we'll use for creating your key is

    openssl genrsa

It has several options, which you can see with

    openssl genrsa -help

You don't need most of the options, because if you are creating a key for a server, then you must not encrypt it, or your server software will be unable to use it.

Simply create the key and save it to a file.

    openssl genrsa -out server.key 1024

You can also change 1024 to the number of bits that you want. You probably want to use one of 512, 1024, or 2048.

Make sure that nobody can read the file. Just in case, run

    chmod 600 server.key

Once the key is ready, you're ready to proceed.

Create a certificate request

Next, you need to create the certificate request, which is the tricky part. The command this time will be

    openssl req

and it also has options, which you had better look at this time.

Before running the command, however, you need to create a configuration file. This file will describe who the certificate belongs to, and what its intended purposes are. You can also use the openssl.cnf file that comes with the OpenSSL distribution.

You can use the stock openssl.cnf as a template for creating your own file, or you can create a file based on this template:

    [ req ]
    default_bits = 1024
    encrypt_key = yes
    distinguished_name = req_dn
    x509_extensions = cert_type
    prompt = no

    [ req_dn ]
    C=JP
    ST=Hokkaido
    L=Sapporo
    O=GG3.NET
    OU=Sample SSL key
    CN=www.gg3.net
    emailAddress=webadmin@fqdn.com

    [ cert_type ]
    nsCertType = server

You should put the name of the server on the CN line, and the e-mail address of the administrator (you) on the emailAddress line. You can also set prompt to yes if you want to be asked for confirmation for the value of every field. You can also change the value when you're prompted.

Once you have your configuration file ready, save it as server.cnf or something and execute

    openssl req -new -nodes -key server.key -config server.cnf -days 365 -out server.req

If the command produces no output, everything is O.K. You can check your certificate request with

    # openssl req -noout -text -in server.req -config server.cnf
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=JP, ST=Hokkaido, L=Sapporo, O=GG3.NET, OU=Sample SSL key, CN=www.gg3.net/emailAddress=webadmin@fqdn.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00:a8:ca:8c:9b:55:36:7d:1e:a3:ca:d5:7f:bc:71:
                        a1:8d:b0:f2:5a:7d:a1:c7:02:9f:ad:ed:18:0e:8d:
                        14:03:15:e1:97:c7:21:bb:45:fe:73:4a:cc:89:ec:
                        62:c2:6a:0b:de:f2:95:35:9f:ff:d6:e3:7f:04:a0:
                        39:2b:3b:6e:21
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: md5WithRSAEncryption
            23:80:7c:88:b7:52:8d:93:9c:5e:e4:7b:88:cb:ff:00:7e:28:
            34:33:83:1d:de:4b:52:4c:94:6b:e9:f6:e4:64:5f:b4:61:4e:
            ec:90:e7:70:eb:8e:6c:c7:a9:8a:a9:8f:ac:cd:42:f3:3f:53:
            fb:1d:93:49:48:9d:10:09:94:35
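
The text dump above is also the place to review what you are about to send to a CA. The following is an added example, not part of the original HOWTO: a filter (audit_req_text is a hypothetical name, and both sample requests are constructed) that reads the openssl req -noout -text output and flags RSA keys shorter than 2048 bits and MD5 or SHA-1 signatures, which current CAs and clients reject.

```shell
# Added example, not part of the original HOWTO. audit_req_text (hypothetical
# name) reads "openssl req -noout -text" output on stdin and flags weak values.
audit_req_text() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        # Old releases print "RSA Public Key: (512 bit)", newer ones
        # "Public-Key: (2048 bit)"; both are matched here.
        /Public[- ]Key: *\(/ {
            bits = $0
            sub(/^[^(]*\(/, "", bits)    # drop everything up to "("
            sub(/ *bit.*$/, "", bits)    # drop " bit)"
            bits += 0
        }
        /Signature Algorithm:/ { sig = $NF }
        END {
            if (alg == "") { print "ERROR: no public key found"; exit 2 }
            bad = 0
            if (alg == "rsaEncryption" && bits < 2048) {
                printf "WEAK: %d-bit RSA key (use 2048 or more)\n", bits; bad = 1
            }
            if (tolower(sig) ~ /md[245]|sha1(with|$)/) {
                printf "WEAK: signature algorithm %s\n", sig; bad = 1
            }
            if (!bad) print "OK: " bits "-bit " alg ", " sig
            exit bad
        }'
}
# Constructed sample in the old output style shown on this page.
constructed_weak_req() {
    cat <<'EOF'
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
    Signature Algorithm: md5WithRSAEncryption
EOF
}
# Constructed sample in the newer output style.
constructed_ok_req() {
    cat <<'EOF'
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
EOF
}
# With a file argument, audit that request; otherwise run the weak sample.
if [ $# -gt 0 ]; then openssl req -noout -text -in "$1" | audit_req_text
else constructed_weak_req | audit_req_text || true; fi
```

The function exits with status 1 when it finds a weak value, so it can gate a script that submits requests.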

Get your signed certificate

All you have to do next is send the server.req file to your CA, wait for them to sign it, and use the new file for whatever needs you have. Some software cannot read the certificate and the key from different files, so you may need to concatenate both files into one. Just make sure that nobody can read the file.

Your own CA

What happens when an average person wants a certificate, but doesn't want to spend big money on one? There are of course alternatives to SSL, all with their drawbacks.

If you want to create a certificate for signing and receiving encrypted e-mail, you may prefer to think of alternatives like PGP.

The other alternative is to become your own CA. The problem with this method is that other people will not be able to automatically recognize your authority, and therefore will not trust the certificates that you issue. However, if you can convince the people connecting to you that the certificates are indeed genuine, you can safely proceed.

Prepare the configuration

First, you will need to create a directory where you will keep the certificates that you are going to issue. You can safely use openssl.cnf, because it is used by your certificate authority command by default anyway. The relevant section of mine looks like this:

    [ CA_default ]

    dir             = /etc/ssl                # Where everything is kept
    certs           = $dir/certs              # Where the issued certs are kept
    crl_dir         = $dir/crl                # Where the issued crl are kept
    database        = $dir/index.txt          # database index file.
    unique_subject  = no                      # Set to 'no' to allow creation of
                                              # several certificates with same subject.
    new_certs_dir   = $dir/newcerts           # default place for new certs.

    certificate     = $dir/cacert.pem         # The CA certificate
    serial          = $dir/serial             # The current serial number
    #crlnumber      = $dir/crlnumber          # the current crl number
                                              # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem            # The current CRL
    private_key     = $dir/private/cakey.pem  # The private key
    RANDFILE        = $dir/private/.rand      # private random number file

    x509_extensions = usr_cert                # The extensions to add to the cert

    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default              # Subject Name options
    cert_opt        = ca_default              # Certificate field options

I prefer to use an absolute path for dir, because this way I can sign certificates from any directory.

You also need to create the directory structure before you can sign certificates. This simple script (taken from CA.sh that is installed with the OpenSSL package) does the job.

    #!/bin/sh
    # Create the directory tree that the CA_default section expects.
    CATOP=/etc/ssl
    mkdir -p ${CATOP}
    mkdir -p ${CATOP}/certs
    mkdir -p ${CATOP}/crl
    mkdir -p ${CATOP}/newcerts
    mkdir -p ${CATOP}/private
    # Start the serial number at 01 and create an empty certificate database.
    echo "01" > ${CATOP}/serial
    touch ${CATOP}/index.txt

Create certificate and key

In order to use your CA, you also need to generate a separate key and certificate pair for it. The process is almost identical to what we discussed in the previous chapter.

Generate a key for your CA.

    touch cakey.pem
    chmod 600 cakey.pem
    openssl genrsa -des3 -out cakey.pem 2048

Add the following section to your server.cnf (the command below reads its configuration from a file named ca.cnf).

    [v3_ca]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer:always
    basicConstraints=CA:true

Now create your certificate

    openssl req -new -x509 -out cacert.pem -days 1825 -config ca.cnf -extensions v3_ca -key cakey.pem

Now that you have your certificates, move them to the appropriate location, as described in openssl.cnf (CATOP is /etc/ssl, as in the script above).

    mv cakey.pem ${CATOP}/private/
    mv cacert.pem ${CATOP}/

Now try to sign the request you made in the previous chapter

    openssl ca -in server.req -out server.pem -config /etc/ssl/openssl.cnf

Did it work? No? This would mean that I did not do a good job explaining. If you send me an e-mail telling me about your problem, I will try to improve this HOWTO.
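
Before signing anything, it is worth confirming that the CA tree is complete and that the CA key is protected. The following is an added example, not part of the original HOWTO or of OpenSSL: check_ca_layout is a hypothetical helper that checks the directories and files named in this chapter, that private/ and cakey.pem grant nothing to group or other, and that the key is passphrase-encrypted as genrsa -des3 produces it.

```shell
# Added example, not part of the original HOWTO. check_ca_layout is a
# hypothetical helper; pass it the CA directory (CATOP, /etc/ssl on this page).
check_ca_layout() {
    catop=$1
    problems=0
    for d in certs crl newcerts private; do
        [ -d "$catop/$d" ] || { echo "MISSING dir: $d"; problems=1; }
    done
    for f in serial index.txt cacert.pem private/cakey.pem; do
        [ -f "$catop/$f" ] || { echo "MISSING file: $f"; problems=1; }
    done
    # Characters 5-10 of "ls -ld" are the group and other permission bits.
    # The CA key and its directory should grant them nothing.
    for p in private private/cakey.pem; do
        [ -e "$catop/$p" ] || continue
        mode=$(ls -ld "$catop/$p" | cut -c5-10)
        [ "$mode" = "------" ] ||
            { echo "EXPOSED: $p ($mode for group/other)"; problems=1; }
    done
    # An encrypted key carries one of these markers: the first in the
    # traditional PEM format, the second in the PKCS#8 format.
    k="$catop/private/cakey.pem"
    if [ -r "$k" ] && ! grep -q -e '^Proc-Type: 4,ENCRYPTED' \
                                -e 'BEGIN ENCRYPTED PRIVATE KEY' "$k"; then
        echo "UNENCRYPTED: private/cakey.pem has no passphrase"; problems=1
    fi
    [ "$problems" -eq 0 ] || return 1
    echo "OK: $catop layout and permissions"
}

# Run against a directory given on the command line, e.g. /etc/ssl.
if [ $# -gt 0 ]; then check_ca_layout "$1"; fi
```

With a typical umask of 022 the mkdir script above leaves private/ readable by everyone, which this check reports until you run chmod 700 on it.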

Copyright

Copyright 2004 by Georgi Georgiev <chutz@gg3.net>
This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).
