OpenSSL

From wiki.techunit.org

Introduction

  • Done on Debian 8 (Jessie).
  • openssl version: 1.0.1

The goal of this page is to provide a simple guide to creating SSL certificates and a simple CA with OpenSSL.

Self Signed Certificate

Private key generation

# openssl genrsa -des3 -out private.key 2048

Generating RSA private key, 2048 bit long modulus
...........+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:

Self Signed Certificate creation

# openssl req -new -x509 -days 3650 -key private.key -sha256 -extensions v3_ca -out self_wildcard_example_com.crt
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:FRANCE
Locality Name (eg, city) []:PARIS
Organization Name (eg, company) [Internet Widgits Pty Ltd]:techUnit
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address []:contact@example.com

Create a Certificate Authority (CA)

  • Copy the config file
cp /etc/ssl/openssl.cnf /etc/ssl/myCA.cnf

Configure CA

  • Edit /etc/ssl/myCA.cnf
  • Recommended
# Change the default directory
dir             = /etc/ssl/CA              # Where everything is kept
default_days    = 3650
  • Optional: you can change the default values to create certificates faster
0.organizationName_default = My Organization
localityName_default = NEW YORK
stateOrProvinceName_default = NEW YORK
countryName_default = US
emailAddress_default = email@mydomain.net

Create directory tree

mkdir -p /etc/ssl/CA/{certs,crl,private,newcerts}
chmod 700 /etc/ssl/CA/
echo 0000 > /etc/ssl/CA/serial
touch /etc/ssl/CA/index.txt

Generate CA Key and Certificate

cd /etc/ssl/CA/
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/myCA.cnf

#----

Generating a 2048 bit RSA private key
...............+++
......................................................................................................+++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FRANCE]:
Locality Name (eg, city) []:
Organization Name (eg, company) [techUnit]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ca.example.com
Email Address [contact@example.com]:

Server Certificate

Certificate Signing Request (CSR)

Before creating a server certificate, you need to create a CSR.

cd /etc/ssl/CA
mkdir csr

openssl req -new -nodes -out csr/wildcard_example_com.req.pem \
-keyout private/wildcard_example_com.key.pem -config /etc/ssl/myCA.cnf

#----

Generating a 2048 bit RSA private key
...+++
...............+++
writing new private key to 'private/www.mydomain.net.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [FRANCE]:
Locality Name (eg, city) []:
Organization Name (eg, company) [techUnit]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.example.com
Email Address [contact@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Server Certificate signing

openssl ca -out certs/wildcard_example_com.crt.pem -days 365 -config /etc/ssl/myCA.cnf \
-infiles csr/wildcard_example_com.req.pem

#----

Using configuration from /etc/ssl/myCA.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  8 14:35:02 2016 GMT
            Not After : Mar  8 14:35:02 2017 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = FRANCE
            organizationName          = techUnit
            commonName                = *.example.com
            emailAddress              = contact@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                77:E6:C9:59:A9:11:9F:B9:84:C6:DD:5B:EA:F4:A7:F2:08:19:AB:1D
            X509v3 Authority Key Identifier: 
                keyid:57:24:11:FA:A1:26:EC:28:42:7B:8A:D8:35:25:42:B4:01:28:88:4D

Certificate is to be certified until Mar  8 14:35:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
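The whole procedure above (CA key and certificate, server CSR, signing with openssl ca), as an added example that is not the wiki's own commands: it runs without prompts using -subj, -batch and unencrypted keys (-nodes), writes a minimal config inline instead of copying /etc/ssl/openssl.cnf, and ends with the verify step a practitioner would run before deploying. The scratch directory, the serial value, the 2048-bit key size and the subjectAltName entry are assumptions made for this example.

```shell
# Constructed example (not the wiki's own commands): the page's steps run without prompts in a scratch dir.
set -eu
write_ca_config() {   # $1 = work dir; '\$dir' is left for openssl's own config expansion
  cat > "$1/myCA.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1/CA
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.com
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
build_ca_and_sign() {  # $1 = work dir: CA key and cert, server key and CSR, signed cert
  ca=$1/CA; cnf=$1/myCA.cnf
  mkdir -p "$ca/certs" "$ca/private" "$ca/newcerts" "$ca/csr"
  chmod 700 "$ca/private"; echo 1000 > "$ca/serial"; : > "$ca/index.txt"
  write_ca_config "$1"
  # -days is required here: default_days in [CA_default] only applies to 'openssl ca'
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -sha256 -extensions v3_ca \
    -subj "/C=FR/O=techUnit/CN=ca.example.com" -config "$cnf" \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=FR/O=techUnit/CN=*.example.com" \
    -config "$cnf" -keyout "$ca/private/wildcard.key.pem" -out "$ca/csr/wildcard.req.pem" 2>/dev/null
  openssl ca -batch -notext -days 365 -config "$cnf" \
    -out "$ca/certs/wildcard.crt.pem" -infiles "$ca/csr/wildcard.req.pem" >/dev/null 2>&1
}
verify_issued() {      # $1 = work dir; succeeds only if the chain and the constraints check out
  ca=$1/CA; leaf=$ca/certs/wildcard.crt.pem
  openssl verify -CAfile "$ca/cacert.pem" "$leaf" >/dev/null 2>&1 || return 1
  openssl x509 -in "$leaf" -noout -text | grep -q 'CA:FALSE' || return 1   # leaf must not be a CA
  openssl x509 -in "$ca/cacert.pem" -noout -checkend 31536000 >/dev/null   # CA outlives the 365-day leaf
}
WORK=$(mktemp -d); build_ca_and_sign "$WORK"; verify_issued "$WORK" && echo "chain OK in $WORK/CA"
```

Note the -days on the CA step: default_days in the config is read only by openssl ca, so without it openssl req -x509 issues a CA certificate valid for just 30 days.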

Sources

Elliot
techUnit's cofounder