sslca
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revision | |||
sslca [2007/03/14 05:41] – 125.17.11.118 | sslca [2007/03/14 08:02] (current) – old revision restored - stop your advertising please andi | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== OpenSSL ====== | ||
+ | |||
+ | //WORK IN PROGRESS// do not believe anything here yet. | ||
+ | |||
+ | The [[http:// | ||
+ | |||
+ | |||
+ | ===== Installation ===== | ||
+ | |||
+ | Well just do | ||
+ | |||
+ | #> apt-get install openssl | ||
+ | |||
+ | Of course to use the SSL Certificates for your application you may need some more stuff (eg. '' | ||
+ | |||
+ | ===== The Certificate Authority ===== | ||
+ | |||
+ | Okay first things first. We need a Certificate Authority (CA) which will sign all our certificates. If you are a professional you want to buy this service from the big players like [[http:// | ||
+ | |||
+ | For the CA we need two things: A private key and a selfsigned certificate (signed by the private key just mentioned), for issuing certifcaes you need some kind of infrastructure (a few directories), | ||
+ | |||
+ | ==== Infrastructure ==== | ||
+ | |||
+ | Your CA needs to keep a record on issued certificates. This is needed to make it possible to revoke certificates when needed. These records will be stored in ''/ | ||
+ | |||
+ | #> mkdir -p / | ||
+ | #> mkdir -p / | ||
+ | #> echo " | ||
+ | #> touch / | ||
+ | |||
+ | Openssl needs to be informed about these locations. This is done in the ''/ | ||
+ | |||
+ | <code ini> | ||
+ | [ CA_default ] | ||
+ | |||
+ | dir = / | ||
+ | certs = $dir/ | ||
+ | crl_dir | ||
+ | database | ||
+ | # | ||
+ | # several ctificates with same subject. | ||
+ | new_certs_dir | ||
+ | |||
+ | certificate | ||
+ | serial | ||
+ | # | ||
+ | # commented out to leave a V1 CRL | ||
+ | crl = $dir/ | ||
+ | private_key | ||
+ | RANDFILE | ||
+ | |||
+ | x509_extensions = usr_cert | ||
+ | |||
+ | # Comment out the following two lines for the " | ||
+ | # (and highly broken) format. | ||
+ | name_opt | ||
+ | cert_opt | ||
+ | |||
+ | # Extension copying option: use with caution. | ||
+ | # copy_extensions = copy | ||
+ | |||
+ | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs | ||
+ | # so this is commented out by default to leave a V1 CRL. | ||
+ | # crlnumber must also be commented out to leave a V1 CRL. | ||
+ | # crl_extensions | ||
+ | |||
+ | default_days | ||
+ | default_crl_days= 30 # how long before next CRL | ||
+ | default_md | ||
+ | preserve | ||
+ | |||
+ | # A few difference way of specifying how similar the request should look | ||
+ | # For type CA, the listed attributes must be the same, and the optional | ||
+ | # and supplied fields are just that :-) | ||
+ | policy | ||
+ | </ | ||
+ | |||
+ | ==== Private Key ==== | ||
+ | |||
+ | The private key of our new CA is created with the following command. It says to create an RSA key encrypted by DES using a length of 1024 bits. You should enter a strong passphrase! You will only type this on signing certificates. | ||
+ | |||
+ | #> openssl genrsa -des3 -out / | ||
+ | Generating RSA private key, 1024 bit long modulus | ||
+ | .......................................++++++ | ||
+ | ..................................................++++++ | ||
+ | e is 65537 (0x10001) | ||
+ | Enter pass phrase for CAkey.pem: | ||
+ | Verifying - Enter pass phrase for CAkey.pem: | ||
+ | |||
+ | |||
+ | Protect the key from prying eyes: | ||
+ | |||
+ | #> chmod 400 / | ||
+ | |||
+ | ==== Selfsigned Certificate ==== | ||
+ | |||
+ | We create a new selfsigned Certificate ('' | ||
+ | |||
+ | #> openssl req -new -key / | ||
+ | Enter pass phrase for CAkey.pem: | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | Country Name (2 letter code) [AU]:DE | ||
+ | State or Province Name (full name) [Some-State]: | ||
+ | Locality Name (eg, city) []:Berlin | ||
+ | Organization Name (eg, company) [Internet Widgits Pty Ltd]: | ||
+ | Organizational Unit Name (eg, section) []:. | ||
+ | Common Name (eg, YOUR name) []: | ||
+ | Email Address []: | ||
+ | |||
+ | Note the '' | ||
+ | |||
+ | eg. | ||
+ | |||
+ | #> cp / | ||
+ | |||
+ | |||
+ | ===== Application Certificates ===== | ||
+ | |||
+ | This is how to generate a key/cert for the [[postfix]] MTA but it's the same for other software like Apache or an IMAP Server. | ||
+ | |||
+ | ==== Private Key ==== | ||
+ | |||
+ | First generate a new private Key again, but this time without encryptingit with DSA (we don't want to give a password) | ||
+ | |||
+ | #> openssl genrsa -out postfixKey.pem 1024 | ||
+ | |||
+ | ==== Certificate Request ==== | ||
+ | |||
+ | Now generate a certifiate request for this key. The important part is the //Common Name// it has to match the name of your mailserver! | ||
+ | |||
+ | #> openssl req -new -key postfixKey.pem -out postfixCert.req | ||
+ | You are about to be asked to enter information that will be incorporated | ||
+ | into your certificate request. | ||
+ | What you are about to enter is what is called a Distinguished Name or a DN. | ||
+ | There are quite a few fields but you can leave some blank | ||
+ | For some fields there will be a default value, | ||
+ | If you enter ' | ||
+ | ----- | ||
+ | Country Name (2 letter code) [AU]:DE | ||
+ | State or Province Name (full name) [Some-State]: | ||
+ | Locality Name (eg, city) []:Berlin | ||
+ | Organization Name (eg, company) [Internet Widgits Pty Ltd]: | ||
+ | Organizational Unit Name (eg, section) []:. | ||
+ | Common Name (eg, YOUR name) []: | ||
+ | Email Address []: | ||
+ | |||
+ | Please enter the following ' | ||
+ | to be sent with your certificate request | ||
+ | A challenge password []: | ||
+ | An optional company name []: | ||
+ | |||
+ | ==== Signing the Request ==== | ||
+ | |||
+ | Now we need to generate a signed certificate from the request. | ||
+ | |||
+ | < | ||
+ | #> openssl ca -policy policy_anything -in postfixCert.req -out postfixCert.pem -days 1825 | ||
+ | Using configuration from / | ||
+ | Enter pass phrase for / | ||
+ | Check that the request matches the signature | ||
+ | Signature ok | ||
+ | Certificate Details: | ||
+ | Serial Number: 1 (0x1) | ||
+ | Validity | ||
+ | Not Before: Dec 9 16:36:43 2004 GMT | ||
+ | Not After : Dec 8 16:36:43 2009 GMT | ||
+ | Subject: | ||
+ | countryName | ||
+ | localityName | ||
+ | organizationName | ||
+ | commonName | ||
+ | emailAddress | ||
+ | X509v3 extensions: | ||
+ | X509v3 Basic Constraints: | ||
+ | CA:FALSE | ||
+ | Netscape Comment: | ||
+ | OpenSSL Generated Certificate | ||
+ | X509v3 Subject Key Identifier: | ||
+ | 2B: | ||
+ | X509v3 Authority Key Identifier: | ||
+ | keyid: | ||
+ | DirName:/ | ||
+ | serial: | ||
+ | |||
+ | Certificate is to be certified until Dec 8 16:36:43 2009 GMT (1825 days) | ||
+ | Sign the certificate? | ||
+ | |||
+ | |||
+ | 1 out of 1 certificate requests certified, commit? [y/n]y | ||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | </ | ||
+ | |||
+ | Wow. Okay what did we do? We used the request ('' | ||
+ | |||
+ | The request ('' | ||
+ | |||
+ | For courier IMAP you'll need to place the key and the certificate together with some Diffie-Hellman code in a single file: | ||
+ | |||
+ | #> cat postfixKey.pem postfixCert.pem > / | ||
+ | #> openssl gendh >> / | ||
+ | #> sh / | ||
+ | |||