The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information.
As an example, we'll show you how to create certificates for your Apache Web Server and/or your own Certifying Authority (CA) to sign your Certificate Signing Request yourself.
All commands listed below are assumed to be made in the /etc/ssl/ directory.
Create an RSA private key protected with a passphrase for your Apache Server.
[root@deep ]/ssl# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......................+++++
.....+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Please back up this server.key file to a secure location and remember the pass-phrase you had to enter.
Generate a Certificate Signing Request (CSR) with the server RSA private key.
[root@deep ]/ssl# openssl req -new -key server.key -out server.csr
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:
Common Name (eg, YOUR name) [www.openna.com]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Make sure you enter the FQDN (Fully Qualified Domain Name) of the server when OpenSSL prompts you for the CommonName, i.e. when you generate a CSR for a website which will later be accessed via https://www.mydomain.com/, enter www.mydomain.com here.
After generating your Certificate Signing Request (CSR), you have two choices:
First, you can send this CSR to a commercial Certifying Authority (CA) like Verisign or Thawte for signing. You usually have to post the CSR into a web form, pay for the signing, await the signed Certificate and store it in a server.crt file. The result is then a real Certificate, which can be used for Apache.
Second, you can use your own CA and sign the CSR yourself. This solution is economical, and allows an organization to host its own CA server and generate as many certificates as it needs for internal use without paying a cent to a commercial CA. Unfortunately, using your own CA to generate certificates causes problems in electronic commerce, because customers need to have some trust in your organization through the use of a recognized commercial CA.
See below on how to sign a CSR with your CA yourself.
Create an RSA private key for your CA.
[root@deep ]/ssl# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
...........................+++++
............................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Please back up this ca.key file to a secure location and remember the pass-phrase you had to enter.
Create a self-signed CA certificate (x509 structure) with the RSA key of the CA.
[root@deep ]/ssl# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
Common Name (eg, YOUR name) [www.openna.com]:
Email Address [[email protected]]:
[root@deep ]/ssl# mv server.key private/
[root@deep ]/ssl# mv ca.key private/
[root@deep ]/ssl# mv ca.crt certs/
The req command creates a self-signed certificate when the -x509 switch is used.
Signing a certificate request: we create and use our own Certificate Authority (CA).
Prepare the script for signing, which is needed because the openssl ca command has some strange requirements and the default OpenSSL config doesn't easily allow one to use openssl ca directly. The script, named sign.sh, is distributed with the floppy disk under the openssl directory. Use this script for signing.
Now you can use this CA to sign server CSRs in order to create real SSL Certificates for use inside an Apache Webserver, assuming you already have a server.csr at hand:
[root@deep ]/ssl# /usr/bin/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'Quebec'
localityName :PRINTABLE:'Montreal'
organizationName :PRINTABLE:'Open Network Architecture'
organizationalUnitName :PRINTABLE:'Internet Department'
commonName :PRINTABLE:'www.openna.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Dec 1 14:59:29 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
This signs the CSR and results in a server.crt file.
[root@deep ]/ssl# mv server.crt certs/
Now you have two files: server.key and server.crt. These can now, for example, be used as follows, inside your Apache server's httpd.conf file:
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
- SSLCertificateFile: Our web server public key
- SSLCertificateKeyFile: Our web server private key
The server.csr file is no longer needed.
[root@deep ]/ssl# rm -f server.csr
If you receive an error message while signing the certificate, it's probably because you've entered the wrong FQDN (Fully Qualified Domain Name) for the server when OpenSSL prompted you for the CommonName; the CommonName must be something like my.domain.com and not domain.com. Also, since you generate both the certificate and the CA certificate, it's important that at least one piece of information differs between both files, or you may encounter problems while signing the certificate request.
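The whole procedure above, run non-interactively in a throwaway directory, as an added example (not the page's sign.sh or the author's code). It signs with openssl x509 -req instead of openssl ca, and the subject names, demo passphrase, -aes256 key encryption and 2048-bit key size are assumptions of this example. It then checks that server.crt chains to the CA, that it matches server.key, and that it carries the FQDN as CommonName.

```shell
#!/bin/sh
# Added example. Constructed values: subject names, demo passphrase, temp directory.
# Assumptions of this example (not from the page): 2048-bit keys, -aes256 key
# encryption, and signing with "openssl x509 -req" instead of sign.sh / openssl ca.

issue_and_verify() {
    dir=$(mktemp -d) || return 1
    # pass: puts the passphrase on the command line (visible in ps); demo only.
    pass='pass:constructed-demo-passphrase'
    (
        cd "$dir" || exit 1

        # CA private key and self-signed CA certificate (-x509 makes req self-sign).
        openssl genrsa -aes256 -passout "$pass" -out ca.key 2048 2>/dev/null || exit 1
        openssl req -new -x509 -days 365 -key ca.key -passin "$pass" \
            -subj "/C=CA/O=Example Org/OU=CA Marketing/CN=example-ca" \
            -out ca.crt || exit 1

        # Server private key and CSR. CN is the server's FQDN; the OU differs from
        # the CA's so the two Distinguished Names are not identical.
        openssl genrsa -aes256 -passout "$pass" -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -passin "$pass" \
            -subj "/C=CA/O=Example Org/OU=Internet Department/CN=www.example.test" \
            -out server.csr || exit 1

        # Sign the CSR with the CA key; -CAcreateserial writes the serial file.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin "$pass" \
            -CAcreateserial -days 365 -out server.crt 2>/dev/null || exit 1

        # Check 1: server.crt chains to ca.crt.
        openssl verify -CAfile ca.crt server.crt >/dev/null || exit 1
        # Check 2: the certificate carries the public half of server.key.
        key_mod=$(openssl rsa -in server.key -passin "$pass" -noout -modulus) || exit 1
        crt_mod=$(openssl x509 -in server.crt -noout -modulus) || exit 1
        [ "$key_mod" = "$crt_mod" ] || exit 1
        # Check 3: the subject carries the FQDN entered as CommonName.
        openssl x509 -in server.crt -noout -subject | grep -q 'www\.example\.test' || exit 1
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

issue_and_verify && echo "chain, key match and CommonName checks passed"
```

The modulus comparison in check 2 is also a quick way to confirm that the files named in SSLCertificateFile and SSLCertificateKeyFile belong together before restarting Apache.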