OpenSSL

WORK IN PROGRESS: do not believe anything here yet.

The SSL Certificates HOWTO helps a little.

Installation

Well, just do

#> apt-get install openssl

Of course, to use the SSL certificates for your application you may need some more packages (e.g. libapache-mod-ssl).

The Certificate Authority

Okay, first things first. We need a Certificate Authority (CA) which will sign all our certificates. If you are a professional, you want to buy this service from the big players like Verisign, Thawte or some SSL reseller. If you want it for your private server, keep reading.

For the CA we need two things: a private key and a self-signed certificate (signed by the private key just mentioned). For issuing certificates you need some kind of infrastructure (a few directories), too.

Infrastructure

Your CA needs to keep a record of issued certificates. This is what makes it possible to revoke certificates when needed. These records will be stored in /etc/ssl/CA for the following examples. Let's initialize this “database”:

#> mkdir -p /etc/ssl/CA/private
#> mkdir -p /etc/ssl/CA/newcerts
#> echo "01" > /etc/ssl/CA/serial
#> touch /etc/ssl/CA/index.txt

OpenSSL needs to be informed about these locations. This is done in /etc/ssl/openssl.cnf. This ini-style file already contains a section called [ CA_default ]. The only thing you should need to change there is the dir value. The following shows the mentioned section and what it should look like.

[ CA_default ]
 
dir             = /etc/ssl/CA           # !!! change this
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
 
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be
                                        # commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
 
x509_extensions = usr_cert              # The extensions to add to the cert
 
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
 
# Extension copying option: use with caution.
# copy_extensions = copy
 
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext
 
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering
 
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
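
The section above still carries default_md = md5, and MD5 is not collision-resistant, so it should not be used to sign certificates. A small check for that setting, as an added example that is not part of the original page; the function names cnf_get and ca_digest_ok and the two sample files are constructed for illustration, and an unset digest is treated as a failure by assumption.

```shell
# Print the value of KEY inside [ SECTION ] of an OpenSSL config file.
cnf_get() {  # usage: cnf_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        { sub(/#.*/, "") }                       # strip trailing comments
        /^[ \t]*\[/ {                            # section header line
            gsub(/[ \t]/, ""); gsub(/\[|\]/, "")
            in_sec = ($0 == sec); next
        }
        in_sec && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                # last assignment wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# Exit status 0 if the default CA section signs with an acceptable digest.
ca_digest_ok() {  # usage: ca_digest_ok FILE
    sec=$(cnf_get "$1" ca default_ca)            # which section "openssl ca" uses
    md=$(cnf_get "$1" "${sec:-CA_default}" default_md | tr 'A-Z' 'a-z')
    case "$md" in
        md2|md4|md5|sha1|"") echo "WEAK default_md=${md:-unset}"; return 1 ;;
        *)                   echo "ok default_md=$md"; return 0 ;;
    esac
}

# Constructed samples: lines as shown on this page, and a corrected copy.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/weak.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = /etc/ssl/CA           # !!! change this
private_key     = $dir/private/cakey.pem# The private key
default_md      = md5                   # which md to use.
[ req ]
default_md      = sha256
EOF
sed 's/= md5/= sha256/' "$SAMPLES/weak.cnf" > "$SAMPLES/fixed.cnf"
ca_digest_ok "$SAMPLES/weak.cnf" || true
ca_digest_ok "$SAMPLES/fixed.cnf"
```
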

Private Key

The private key of our new CA is created with the following command. It creates an RSA key with a length of 1024 bits, encrypted with Triple DES (-des3). Enter a strong passphrase! You will only need to type it when signing certificates.

#> openssl genrsa -des3 -out /etc/ssl/CA/private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
.......................................++++++
..................................................++++++
e is 65537 (0x10001)
Enter pass phrase for CAkey.pem:
Verifying - Enter pass phrase for CAkey.pem:

Protect the key from prying eyes:

#> chmod 400 /etc/ssl/CA/private/cakey.pem

Selfsigned Certificate

We create a new self-signed certificate (-new) from our private key (-key). We want an X.509 cert with a lifetime of 10 years (-days). We have to supply the private key's passphrase and give some other information.

#> openssl req -new -key /etc/ssl/CA/private/cakey.pem -x509 -days 3650 -out /etc/ssl/CA/cacert.pem
Enter pass phrase for CAkey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:ca.splitbrain.org
Email Address []:ca@splitbrain.org

Note that the -x509 option tells openssl to create a self-signed certificate instead of just a request. This certificate will be used by clients to check the signature of other certificates, so you should make it publicly available.

For example:

#> cp /etc/ssl/CA/cacert.pem /var/www/certificate.crt

Application Certificates

This is how to generate a key/cert for the postfix MTA, but it's the same for other software like Apache or an IMAP server.

Private Key

First generate a new private key again, but this time without encrypting it with DES (we don't want to give a password):

#> openssl genrsa -out postfixKey.pem 1024

Certificate Request

Now generate a certificate request for this key. The important part is the Common Name: it has to match the name of your mail server!

#> openssl req -new -key postfixKey.pem -out postfixCert.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:hex.splitbrain.org
Email Address []:postmaster@splitbrain.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing the Request

Now we need to generate a signed certificate from the request.

#> openssl ca -policy policy_anything -in postfixCert.req -out postfixCert.pem -days 1825 
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  9 16:36:43 2004 GMT
            Not After : Dec  8 16:36:43 2009 GMT
        Subject:
            countryName               = DE
            localityName              = Berlin
            organizationName          = splitbrain.org
            commonName                = hex.splitbrain.org
            emailAddress              = postmaster@splitbrain.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2B:4B:2A:10:13:18:11:8F:23:ED:9B:52:57:04:D0:C7:9E:CD:61:02
            X509v3 Authority Key Identifier: 
                keyid:0A:9B:C1:79:B6:34:0E:EE:76:3B:B3:D2:43:38:6F:29:7B:8A:D4:15
                DirName:/C=DE/L=Berlin/O=splitbrain.org/CN=ca.splitbrain.org/emailAddress=ca@splitbrain.org
                serial:D8:1D:E7:27:AA:4A:F5:00

Certificate is to be certified until Dec  8 16:36:43 2009 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Wow. Okay, what did we do? We used the request (-in) to generate a certificate (-out). We specified a policy (-policy) that determines which attributes are mandatory (none besides the common name 1)). OpenSSL took some more information from the config file (e.g. the CA's private key and certificate). The -days option told openssl how long the issued certificate should be valid (5 years).

The request (postfixCert.req) is no longer needed and should be deleted. The private key and the issued certificate should now be installed in the appropriate place for the application (e.g. /etc/postfix/ 2)). Make sure that the private key isn't readable by anyone but root.
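
The whole procedure from the sections above (CA database, CA key and self-signed certificate, application key, request, signing), as an added example that is not the page's own commands: it runs non-interactively in a scratch directory instead of /etc/ssl and finishes by checking the result with openssl verify and the index.txt record. It departs from the page by using 2048-bit keys, AES-256 key encryption and SHA-256; the function names run_ca and demo_ca, the example.test subjects and the passphrase are constructed.

```shell
# Constructed demo passphrase; a real CA passphrase is typed at the prompt.
PASS=constructed-demo-passphrase
run_ca() {  # $1 = scratch directory; returns 0 only if every step succeeds
    d=$1; ca=$d/CA
    mkdir -p "$ca/private" "$ca/newcerts" || return 1
    echo 01 > "$ca/serial"; : > "$ca/index.txt"
    cat > "$d/demo.cnf" <<EOF || return 1
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
default_md    = sha256
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
default_md         = sha256
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # CA: passphrase-protected key, then the self-signed certificate (-x509).
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$ca/private/cakey.pem" 2048 2>/dev/null &&
    chmod 400 "$ca/private/cakey.pem" &&
    openssl req -new -x509 -config "$d/demo.cnf" -key "$ca/private/cakey.pem" \
        -passin "pass:$PASS" -days 3650 -subj "/CN=ca.example.test" -out "$ca/cacert.pem" &&
    # Application: unencrypted key, certificate request, signature by the CA.
    openssl genrsa -out "$d/appKey.pem" 2048 2>/dev/null &&
    openssl req -new -config "$d/demo.cnf" -key "$d/appKey.pem" \
        -subj "/CN=mail.example.test" -out "$d/appCert.req" &&
    openssl ca -batch -config "$d/demo.cnf" -policy policy_anything -passin "pass:$PASS" \
        -in "$d/appCert.req" -out "$d/appCert.pem" -days 365 2>/dev/null &&
    # The certificate must chain to the CA and index.txt must list it as V 01.
    openssl verify -CAfile "$ca/cacert.pem" "$d/appCert.pem" >/dev/null &&
    awk -F'\t' '$1 == "V" && $4 == "01" && /mail\.example\.test/ { ok = 1 } END { exit !ok }' "$ca/index.txt"
}

demo_ca() {  # run the procedure in a fresh directory and clean up afterwards
    tmp=$(mktemp -d) || return 1
    rc=0; run_ca "$tmp" || rc=$?
    rm -rf "$tmp"; return "$rc"
}
```

Call demo_ca after sourcing the block; an exit status of 0 means the issued certificate verified against the new CA and was recorded in index.txt.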

For courier IMAP you'll need to place the key and the certificate together with Diffie-Hellman parameters in a single file:

#> cat postfixKey.pem postfixCert.pem > /etc/courier/imapd.pem
#> openssl gendh >> /etc/courier/imapd.pem
#> sh /etc/init.d/courier-imap-ssl restart
1) The policy is defined in openssl.cnf
sslca.txt · Last modified: 2007/03/14 08:02 by andi