Setting up OpenSSL to Create Certificates

From PeformIQ Upgrade
Revision as of 16:21, 4 February 2009 by PeterHarding (talk | contribs)

Extracted from http://www.flatmtn.com/article/setting-openssl-create-certificates

Also see Creating PKCS12 Certificates


SSL

Web servers, IMAP servers and SMTP servers can be configured to use SSL connections, and there are many other uses for SSL certificates, such as encrypting email or digitally signing documents. You do not have to pay a certificate authority such as Verisign, because you can use the OpenSSL package to run your own certificate authority and issue your own certificates. The trade-off is that nothing trusts your certificates until it has imported your root (see step 6). I do not cover the installation of OpenSSL here, and I assume you know at least how to change directories, move files, use an editor, and other basics from the command line.

Note: The author of this page, and owner of this web site, is not to be held liable for any damage or trouble arising from following these directions. You are responsible for your own security, use, and creation of certificates.

Quick steps:

  1. Create a directory.
  2. Create two subdirectories.
  3. Create a database to keep track of each certificate signed.
  4. Make a custom config file for openssl to use.
  5. Create a root certificate.
  6. Installing the root certificate for use.
  7. Tips.
  8. Creating certificates pages.

Note: While this document covers OpenSSL under Linux, Windows-only folks can use the Win32 OpenSSL project. I found GOSSL and CertWiz, GUIs for Windows, after a quick search. I am running Red Hat Linux 8.0 and openssl 0.9.x. If you have an internal box running the Apache web server with PHP and the OpenSSL libraries installed, you could also use PHPki. I would not use PHPki for creating certificates on a publicly accessible server, because the root CA's private key must be installed on that server (anyone who compromises the server can then issue certificates in your name). [Note: I found it not too hard to migrate manually to PHPki after already having created some certificates from the command line. Also you must have short tags enabled in your php.ini.] Only command-line steps will be covered here.

1) Create a directory

Let's call it sslcert:

mkdir sslcert

Now protect that directory so only the user you are running as (and root) can access it:

chmod 0700 sslcert



2) Create two subdirectories

cd into the directory you just made and create two subdirectories. Let's call them certs (where signed certificates are filed) and private (where the CA key lives).

cd sslcert
mkdir certs private



3) Create a database to keep track of each certificate signed

Type:

echo '100001' >serial
touch certindex.txt

The serial file holds the next serial number in hexadecimal; openssl ca reads it when it signs a certificate and writes back the incremented value. certindex.txt is the text database in which openssl ca records every certificate it has issued or revoked, so keep both files (and back them up with the key) or you will not be able to revoke anything later.



4) Make a custom config file for openssl to use

Create a file using your text editor. We will call it openssl.cnf. Here are the basics needed for this exercise (edit as needed). The digest and key-size values below are SHA-256 and 2048 bits; the 2009 original used md5 and 1024 bits, both of which modern clients treat as too weak to trust.

#
# OpenSSL configuration file.
#

# Establish working directory. Every $dir below is relative to where you
# run openssl from, so always run it from inside the sslcert directory.

dir                     = .

[ ca ]
default_ca              = CA_default

[ CA_default ]
serial                  = $dir/serial
database                = $dir/certindex.txt
new_certs_dir           = $dir/certs
certificate             = $dir/cacert.pem
private_key             = $dir/private/cakey.pem
default_days            = 365
default_md              = sha256        # md5 in the original; md5 signatures are no longer accepted
preserve                = no
email_in_dn             = no
nameopt                 = default_ca
certopt                 = default_ca
policy                  = policy_match

# policy_match: requests are only signed when C, ST and O equal the CA's own;
# fields not listed here (e.g. localityName) are silently dropped from the
# issued certificate.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 2048          # size of keys (1024 in the original, too small today)
default_keyfile         = key.pem       # name of generated keys
default_md              = sha256        # message digest algorithm
string_mask             = utf8only      # permitted characters (nombstr in the original)
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------      ----------------------------------
0.organizationName              = Organization Name (company)
organizationalUnitName          = Organizational Unit Name (department, division)
emailAddress                    = Email Address
emailAddress_max                = 40
localityName                    = Locality Name (city, district)
stateOrProvinceName             = State or Province Name (full name)
countryName                     = Country Name (2 letter code)
countryName_min                 = 2
countryName_max                 = 2
commonName                      = Common Name (hostname, IP, or your name)
commonName_max                  = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------       ------------------------------
0.organizationName_default      = My Company
localityName_default            = My Town
stateOrProvinceName_default     = State or Province
countryName_default             = US

# Extensions for the root certificate (used with -extensions v3_ca in step 5).
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign   # restricts the root key to signing certificates and CRLs
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always

# Extensions placed in certificate requests (end-entity certificates).
[ v3_req ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash

5) Create a root certificate

All other certificates you create will be signed by this one. Because you are not a commercial certificate authority, software will warn when it encounters your certificates. However, you can give people one of the files that will be created, the "public" one, and they can import it manually. From then on your certificates will load just like the commercial ones on those machines.

To create, while in the 'sslcert' directory, type:

openssl req -new -x509 -extensions v3_ca -keyout \
    private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf


Note the backslash (\) at the end of the first line. If your shell supports it, this is a way to type long command lines: simply press <Enter> after it and you will be prompted to continue typing. Otherwise, leave it out and type the whole command on one line.

Note the -days 365 option. For a root certificate you may want it to last longer than one year so that you do not have to reissue it so often. I set mine to 10 years.

You will be prompted for information and a password (the passphrase that encrypts the CA's private key). Do not lose this password, make sure it is a strong one, and back up the two files that are created.

The two files that are created are cacert.pem, which is the one you can give to others for import into their browsers, and cakey.pem, which will be in the private directory. cakey.pem is the whole security of your CA: it should never leave this machine, and the private directory should stay readable by you alone.

Name                  Explanation                                                          Example
--------------------  -------------------------------------------------------------------  --------------------------------
Country Name          The two-letter ISO 3166 code for your country.                       AU (Australia)
State or Province     The state or province where your organization is located.            Victoria
                      Cannot be abbreviated.
City or Locality      The city where your organization is located.                         Melbourne
Organization Name     The exact legal name of your organization. Do not abbreviate.        Xyzzy Pty Ltd
Organizational Unit   Optional, for additional organization information.                   Testing
Common Name           Since this is your root certificate, call it something like          Xyzzy Certificate Authority
                      "Company_Name Certificate Authority".
Email Address         The email address for the CA (who to contact).                       someone@yourdomain.com.au
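The whole procedure from steps 1 to 5, carried on to the signing of a server certificate (what the pages in section 8 cover) and the revocation-list handling that the tips in section 7 recommend, as an added example that is not part of the original page. It is a POSIX shell script that builds the sslcert layout and a hardened version of the config above without any prompts, creates the root, signs one server certificate with openssl ca, publishes a CRL, revokes the certificate and checks each state with openssl verify. The passphrase, the Xyzzy DN values and the hostnames are made up; it assumes a current OpenSSL (1.1.1 or 3.x) on the PATH and runs entirely in a scratch directory that it deletes at the end.

```shell
#!/bin/sh
# Added example, not code from the original page: steps 1-5 as a non-interactive
# script, then one server certificate signed by the new CA, a revocation, and the
# verify calls that prove each state. All DN values, hostnames and the passphrase
# below are made up.
set -eu
CA_PASS="example-passphrase"    # hypothetical; prompt for it or use a secret store in practice
setup_ca() {                    # $1 = the "sslcert" directory of steps 1-5
    dir="$1"
    mkdir -p "$dir" && chmod 0700 "$dir"          # step 1
    mkdir -p "$dir/certs" "$dir/private"          # step 2
    echo '100001' > "$dir/serial"                 # step 3: hex serial, advanced by openssl ca
    : > "$dir/certindex.txt"
    cat > "$dir/openssl.cnf" <<'EOF'
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
0.organizationName = Organization Name (company)
commonName = Common Name (hostname, IP, or your name)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # Step 5 with a 10-year lifetime; -subj replaces the interactive prompts.
    (cd "$dir" && openssl req -new -x509 -extensions v3_ca -days 3650 \
        -keyout private/cakey.pem -out cacert.pem -config ./openssl.cnf \
        -passout "pass:$CA_PASS" \
        -subj "/C=AU/ST=Victoria/L=Melbourne/O=Xyzzy Pty Ltd/CN=Xyzzy Certificate Authority" \
        2>/dev/null && chmod 0600 private/cakey.pem)
    gen_crl "$dir"              # an empty CRL, so clients can check revocation from day one
}
gen_crl() {                     # (re)publish the CRL from certindex.txt
    (cd "$1" && openssl ca -batch -config ./openssl.cnf -passin "pass:$CA_PASS" \
        -gencrl -out crl.pem 2>/dev/null)
}
issue_server_cert() {           # $1 = sslcert dir, $2 = hostname used as the CN
    (cd "$1" && openssl req -new -newkey rsa:2048 -nodes -keyout "private/$2.key" \
        -out "$2.csr" -config ./openssl.cnf \
        -subj "/C=AU/ST=Victoria/L=Melbourne/O=Xyzzy Pty Ltd/CN=$2" 2>/dev/null \
     && openssl ca -batch -notext -config ./openssl.cnf -extensions v3_server \
        -passin "pass:$CA_PASS" -in "$2.csr" -out "certs/$2.crt" 2>/dev/null)
}
revoke_cert() {                 # mark $2's certificate revoked in the database, republish the CRL
    (cd "$1" && openssl ca -batch -config ./openssl.cnf -passin "pass:$CA_PASS" \
        -revoke "certs/$2.crt" 2>/dev/null)
    gen_crl "$1"
}
cert_is_ca() {                  # true when cacert.pem asserts CA:TRUE
    openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}
verify_cert() {                 # true when $2's cert chains to the CA and is not on the CRL
    (cd "$1" && openssl verify -crl_check -CAfile cacert.pem -CRLfile crl.pem \
        "certs/$2.crt" >/dev/null 2>&1)
}
run_demo() {                    # end-to-end run in a scratch directory
    work=$(mktemp -d)
    setup_ca "$work/sslcert"
    issue_server_cert "$work/sslcert" www.example.com
    verify_cert "$work/sslcert" www.example.com && echo "www.example.com: valid"
    revoke_cert "$work/sslcert" www.example.com
    verify_cert "$work/sslcert" www.example.com || echo "www.example.com: revoked"
    rm -rf "$work"
}
run_demo
```

Because policy_match requires C, ST and O to equal the CA's own, a request for another organisation is refused; define a looser policy section (the stock openssl.cnf calls its policy_anything) if that is what you want. The serial file is hexadecimal and advances by one per signed certificate, a copy of each issued certificate lands in certs/ under its serial number, and certindex.txt records each one as V (valid) or R (revoked); back both files up with the key, because openssl ca cannot revoke a certificate it has no record of.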



6) Installing the root certificate for use

See your browser's help for how to do this. For IE, go to Tools, Options, Content tab, Certificates, Import and follow the steps. Note that we called our root certificate cacert.pem. Rename this file (or a copy of it) to cacert.crt, the extension Windows associates with X.509 certificates. To make it easy for people to install your root certificate, cacert.crt, place it on your web site with a URL to it. When they click on it in most modern browsers, they can choose to "Open" or "Install" and it will walk them through the install steps. Anyone who imports a root is trusting every certificate it ever signs, so publish its fingerprint (openssl x509 -noout -fingerprint -sha256 -in cacert.pem) through a separate channel so people can check what they are about to trust.

Note for Mozilla and Firefox/Thunderbird users: Mozilla applications do not use the Windows certificate store. If you use the Mozilla suite, you only need to install the certificate in the browser and it is available to the email client as well. If you use Firefox and Thunderbird, or just one of the two, you must import the certificate into Thunderbird separately: right-click the link to the certificate and choose "Save As...", then open "Manage Certificates" (under "Advanced" in newer versions) and click the Import button.


7) Tips

Read up on certificate revocation lists and how to use them. One day you will need to revoke the root certificate, or some other certificate you issued, and issue a new one; openssl ca -revoke marks a certificate revoked in certindex.txt, and openssl ca -gencrl writes the CRL that clients check.

The root certificate created per the example is only good for 365 days. When it expires, people receive a warning message. Don't forget to remake the certificate each year, or create it for more than one year in the first place.

Don't forget your password for the root certificate, but do not let it fall into the wrong hands.


8) Creating certificates pages

Now you are ready to create certificates. Here are my pages covering various applications of certificates and how to make those certificates: