openssl.conf
Table of Contents
OpenSSL
WORK IN PROGRESS do not believe anything here yet.
The SSL Certificates HOWTO helps a little.
Installation
Well just do
#> apt-get install openssl
Of course to use the SSL Certificates for your application you may need some more stuff (eg. libapache-mod-ssl
).
The Certificate Authority
Okay first things first. We need a Certificate Authority (CA) which will sign all our certificates. If you are a professional you want to buy this service from the big players like Verisign, Thawte or some SSL Reseller. If you want it for your private server keep reading.
For the CA we need two things: A private key and a selfsigned certificate (signed by the private key just mentioned), for issuing certifcaes you need some kind of infrastructure (a few directories), too.
Infrastructure
Your CA needs to keep a record on issued certificates. This is needed to make it possible to revoke certificates when needed. These records will be stored in /etc/ssl/CA
for the following examples. Lets initialize this “Database”:
#> mkdir -p /etc/ssl/CA/private #> mkdir -p /etc/ssl/CA/newcerts #> echo "01" > /etc/ssl/CA/serial #> touch /etc/ssl/CA/index.txt
Openssl needs to be informed about these locations. This is done in the /etc/ssl/openssl.conf
. This ini-style file already contains a section called [ CA_default ]]
. The only thing you should need to change there is the dir
value. The following shows the mentioned section and how it should look like.
[ CA_default ] dir = /etc/ssl/CA # !!! change this certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number #crlnumber = $dir/crlnumber # the current crl number must be # commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match
Private Key
The private key of our new CA is created with the following command. It says to create an RSA key encrypted by DES using a length of 1024 bits. You should enter a strong passphrase! You will only type this on signing certificates.
#> openssl genrsa -des3 -out /etc/ssl/CA/private/cakey.pem 1024 Generating RSA private key, 1024 bit long modulus .......................................++++++ ..................................................++++++ e is 65537 (0x10001) Enter pass phrase for CAkey.pem: Verifying - Enter pass phrase for CAkey.pem:
Protect the key from prying eyes:
#> chmod 400 /etc/ssl/CA/private/cakey.pem
Selfsigned Certificate
We create a new selfsigned Certificate (-new
) from our public key (-key
). We want a x509 cert with a live of 10 years (-days
). We have to supply the private key's passphrase and give some other informations.
#> openssl req -new -key /etc/ssl/CA/private/cakey.pem -x509 -days 3650 -out /etc/ssl/CA/cacert.pem Enter pass phrase for CAkey.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:Berlin Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:ca.splitbrain.org Email Address []:ca@splitbrain.org
Note the -x509
option tells openssl to create a selfsigned certificate instead of just a request. This certificate will used by clients to check the signature of other certificates. So you should make this certificate publically available.
eg.
#> cp /etc/ssl/cacert.pem /var/www/certificate.crt
Application Certificates
This is how to generate a key/cert for the postfix MTA but it's the same for other software like Apache or an IMAP Server.
Private Key
First generate a new private Key again, but this time without encryptingit with DSA (we don't want to give a password)
#> openssl genrsa -out postfixKey.pem 1024
Certificate Request
Now generate a certifiate request for this key. The important part is the Common Name it has to match the name of your mailserver!
#> openssl req -new -key postfixKey.pem -out postfixCert.req You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:Berlin Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:hex.splitbrain.org Email Address []:postmaster@splitbrain.org
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Signing the Request
Now we need to generate a signed certificate from the request.
#> openssl ca -policy policy_anything -in postfixCert.req -out postfixCert.pem -days 1825 Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for /etc/ssl/CA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 9 16:36:43 2004 GMT Not After : Dec 8 16:36:43 2009 GMT Subject: countryName = DE localityName = Berlin organizationName = splitbrain.org commonName = hex.splitbrain.org emailAddress = postmaster@splitbrain.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 2B:4B:2A:10:13:18:11:8F:23:ED:9B:52:57:04:D0:C7:9E:CD:61:02 X509v3 Authority Key Identifier: keyid:0A:9B:C1:79:B6:34:0E:EE:76:3B:B3:D2:43:38:6F:29:7B:8A:D4:15 DirName:/C=DE/L=Berlin/O=splitbrain.org/CN=ca.splitbrain.org/emailAddress=ca@splitbrain.org serial:D8:1D:E7:27:AA:4A:F5:00 Certificate is to be certified until Dec 8 16:36:43 2009 GMT (1825 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Wow. Okay what did we do? We used the request (-in
) to generate a certificate (-out
). We specified a policy (-policy
) about which attributes are mandatory (none besides the common name 1)). Openssl took some more infos from the config file (eg. The CA's private Key and Certificate). The -days
option told openssl for how long the issued certificate should be valid (5 years).
The request (postfixCert.req
) is no longer needed and should be deleted. The private key and the issued certificate should now be installed to the appropiate place for the application (eg. /etc/postfix/
2)) make sure that the private key isn't readable by anyone but root.
For courier IMAP you'll need to place the key and the certificate together with some Diffie-Hellman code in a single file:
#> cat postfixKey.pem postfixCert.pem > /etc/courier/imapd.pem #> openssl gendh >> /etc/courier/imapd.pem #> sh /etc/init.d/courier-imap-ssl restart