OpenSSL


How to configure OpenSSL on Fedora 14 (assuming you did a yum install openssl)

Creating the necessary directories

First of all we will create a directory tree where all certificate material will be kept. Fedora’s default directory is /etc/pki/tls/. So, as root, we create our own directories (I cheated and used the GUI in SSH, but for you hardcore peeps):

# mkdir -m 0755 /etc/pki/CA/support

And then we create our CA’s directory tree:

# mkdir -m 0755 \
    /etc/pki/CA/support/private \
    /etc/pki/CA/support/certs \
    /etc/pki/CA/support/newcerts \
    /etc/pki/CA/support/crl

  • support is our Certificate Authority’s directory.
  • support/certs is where our server certificates will be placed.
  • support/newcerts is where openssl puts each certificate it issues, in PEM (unencrypted) format, named after the certificate’s serial number (e.g. 07.pem). openssl needs this directory, so we create it.
  • support/crl is where our certificate revocation list is placed.
  • support/private is the directory where our private keys are placed. Be sure that you set restrictive permissions on all your private keys so that they can be read only by root, or by the user with whose privileges a server runs. If anyone steals your private keys, then things get really bad.

Initial openssl configuration

We are going to copy the default openssl configuration file (openssl.cnf) to our CA’s directory (support). In Fedora, this file lives in /etc/pki/tls. So, as root, we copy /etc/pki/tls/openssl.cnf to /etc/pki/CA/support/openssl.cnf.

This file does not need to be world readable, so we change its attributes:

# chmod 0600 /etc/pki/CA/support/openssl.cnf

We also need to create two other files. The first serves as openssl’s database of issued certificates:

# touch /etc/pki/CA/support/index.txt

The following file contains the next certificate’s serial number. Since we have not created any certificates yet, we set it to "01":

# echo '01' > /etc/pki/CA/support/serial

Here is a small legend with file extensions we will use for the created files and their meaning. All files that will be created will have one of these extensions:

  • KEY – Private key (restrictive permissions should be set on this)
  • CSR – Certificate Signing Request (this will be signed by our CA in order to create the server certificate. Afterwards it is not needed and can be deleted)
  • CRT – Certificate (this can be publicly distributed)
  • PEM – We will use this extension for files that contain both the key and the server certificate (some servers need this). Permissions should be restrictive on these files.
  • CRL – Certificate Revocation List (this can be publicly distributed)


Create the CA Certificate and Key

Now that all initial configuration is done, we may create a self-signed certificate that will be used as our CA’s certificate. In other words, we will use it to sign other certificate requests.

Change to our CA’s directory. This is where we should issue all the openssl commands, because this is where our openssl configuration file (the openssl.cnf that we copied) lives. As root:

# cd /etc/pki/CA/support/

And then create your CA’s Certificate and Private Key. As root:

# openssl req -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

This creates a self-signed certificate with the default CA extensions (the v3_ca section of openssl.cnf) which is valid for 5 years (1825 days). You will be prompted for a passphrase for your CA’s private key. Be sure that you set a strong passphrase. Then you will need to provide some info about your CA. Fill in whatever you like.

Two files are created:

  • certs/myca.crt – This is your CA’s certificate and can be publicly available and of course world readable.
  • private/myca.key – This is your CA’s private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:

# chmod 0400 /etc/pki/CA/support/private/myca.key

More openssl configuration (mandatory)

Because we use a custom directory for our certificates’ management, some modifications to /etc/pki/CA/support/openssl.cnf are necessary. Open it in your favorite text editor as root and find the [ CA_default ] section (around line 35).

You should modify the following settings in order to conform to our custom directory and our custom CA key and certificate. Each line marked "<--CHANGE TO THIS" replaces the line directly above it:

[ CA_default ]
dir = ../../CA # Where everything is kept
dir = . # <--CHANGE TO THIS
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no

new_certs_dir = $dir/newcerts

certificate = $dir/cacert.pem # The CA certificate
certificate = $dir/certs/myca.crt # <--CHANGE TO THIS
serial = $dir/serial
#crlnumber = $dir/crlnumber

crl = $dir/crl.pem
private_key = $dir/private/cakey.pem # The private key
private_key = $dir/private/myca.key # <--CHANGE TO THIS

Generate a Certificate Request

First, we change to our CA’s directory:

# cd /etc/pki/CA/support/

Then we create the certificate request:

# openssl req -new -nodes -keyout private/server.key -out server.csr -days 365

The -nodes option leaves the private key unencrypted, so that a server can load it at startup without waiting for a passphrase. If you do not intend to use the certificate for server authentication, leave -nodes out of the above command so that the key is protected with a passphrase.
You can customize the number of days you want this certificate to be valid for.

You will be prompted for the certificate’s info.

The Common Name (CN) is the field that uniquely identifies your service (for a server certificate, the hostname clients use to reach it), so be sure that you type it correctly.
When prompted for the extra attributes (challenge password, optional company name) just hit the [Enter] key.

Two files are created:

  • server.csr – this is the certificate request.

  • private/server.key – this is the private key, which is not protected with a passphrase.

Sign the Certificate Request

Now we are going to sign the certificate request and generate the server’s certificate.

First, we change to our CA’s directory:

# cd /etc/pki/CA/support

Then we sign the certificate request:

# openssl ca -config openssl.cnf -out certs/server.crt -infiles server.csr

You will need to supply the CA’s private key passphrase in order to sign the request. See the policy sections of openssl.cnf for what policy_anything means. In short, the Country, State and City fields are not required to match those of your CA’s certificate.

After all this is done two new files are created:

  • certs/server.crt – this is the server’s certificate, which can be made available publicly.

  • newcerts/01.pem – This is exactly the same certificate, but with the certificate’s serial number as its filename. The server does not need it, but keep it together with index.txt: it is the CA’s own record of what it issued, and openssl ca -revoke takes a certificate file as input.

You can now delete the certificate request (server.csr). It’s no longer needed:

# rm -f /etc/pki/CA/support/server.csr

And verify that the certificate is valid for server authentication with the following:

# openssl verify -purpose sslserver -CAfile /etc/pki/CA/support/certs/myca.crt /etc/pki/CA/support/certs/server.crt
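The whole procedure above (directory tree, openssl.cnf settings, CA certificate, request, signing, verification) as an added example that is not the page's own code: it runs the same openssl commands non-interactively in a throwaway root so the result can be checked end to end, and adds a key/certificate match check a server operator would want. The temporary root, the test subjects (Test CA, www.example.test) and the minimal openssl.cnf are constructed here; the CA key is left unencrypted only because the CA is disposable.

```shell
# Added example, not the page's own code: the page's CA procedure run non-interactively
# in a throwaway root $1 (constructed with mktemp -d) whose layout mirrors /etc/pki/CA/support.
build_test_ca() {
  ca="$1"
  mkdir -m 0755 -p "$ca/certs" "$ca/newcerts" "$ca/crl" || return 1
  mkdir -m 0700 -p "$ca/private" || return 1   # private keys: root only
  : > "$ca/index.txt"                          # openssl's "database"
  echo 01 > "$ca/serial"                       # next serial number, as on the page
  # Minimal openssl.cnf carrying the [ CA_default ] values the page tells you to change.
  cat > "$ca/openssl.cnf" <<EOF || return 1
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/certs/myca.crt
private_key = \$dir/private/myca.key
default_md = sha256
default_days = 365
x509_extensions = usr_cert
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # CA certificate and key (-nodes only because this is a throwaway test CA)
  openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca -days 1825 -subj "/CN=Test CA" \
    -config "$ca/openssl.cnf" -keyout "$ca/private/myca.key" -out "$ca/certs/myca.crt" 2>/dev/null || return 1
  chmod 0400 "$ca/private/myca.key" || return 1
  # Server request: -nodes, as on the page, so the server can start unattended
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=www.example.test" -config "$ca/openssl.cnf" \
    -keyout "$ca/private/server.key" -out "$ca/server.csr" 2>/dev/null || return 1
  # -batch answers the "Sign the certificate?" prompts; -infiles must be the last option
  openssl ca -batch -config "$ca/openssl.cnf" -out "$ca/certs/server.crt" -infiles "$ca/server.csr" 2>/dev/null || return 1
  openssl verify -purpose sslserver -CAfile "$ca/certs/myca.crt" "$ca/certs/server.crt"
}

# Defender check: the key a server is configured with must match the certificate it serves.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}
```

Run it as `build_test_ca "$(mktemp -d)"`; afterwards newcerts/01.pem exists, index.txt has one line, and key_matches_cert private/server.key certs/server.crt succeeds while the CA key against the server certificate fails.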