====== SSL ======
This documentation covers OpenSSL only, as it is the standard implementation for Linux.
===== Commands =====
OpenSSL commands are specified as the first argument to the ''openssl'' binary. Normally each command has its own manpage.
==== req ====
//req// covers things done with //Certificate Requests//.
=== creating a Certificate Request ===
Use this for an **unencrypted** key (''-nodes'' leaves the private key unencrypted):
openssl req -new -nodes -keyout bincimap.key -out bincimapreq.pem
=== creating the RootCA ===
For building a RootCA, you need a self-signed certificate:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
==== ca ====
//ca// is used for //Certificate Authority// operations.
=== signing ===
To sign a Certificate Request (generating a certificate) use:
openssl ca -in filename.csr -out filename.crt
=== revoking ===
To revoke a certain certificate:
openssl ca -revoke filename.crt
==== x509 ====
With //x509// you can inspect certificates and other files.
=== inspecting a certificate ===
openssl x509 -in filename.crt -text
===== Howto: CA + Certificates =====
This is what I did to setup a RootCA and sign some certificates with it.
==== Preparations ====
=== Directory-Structure below /etc/ssl/ ===
# ls -l /etc/ssl/nwl/
total 0
drwxr-xr-x 2 root root 6 Nov 1 20:45 certs
drwxr-xr-x 2 root root 6 Nov 1 20:45 crl
drwxr-xr-x 2 root root 6 Dec 3 04:01 newcerts
drwx------ 2 root root 6 Dec 3 04:01 private
=== customizing /etc/ssl/openssl.cnf ===
* Fix the pathnames to match the directory structure mentioned above.
* Check the signing policy.
* Set useful samples and defaults in the //req// part of the file.
* The CommonName should be the FQDN of the host, at least for Apache.
==== Rocking with OpenSSL ====
=== Creating Diffie-Hellman parameters ===
# openssl dhparam -outform PEM -out /etc/ssl/nwl/dh1024.pem -2 1024
This takes quite a while. There is also a faster variant of generating the parameters, but then you should recreate them before each use, which is likely to be forgotten.
The created file should contain the following lines:
-----BEGIN DH PARAMETERS-----
[...]
-----END DH PARAMETERS-----
=== Creating an initial serial ===
Piece of cake:
# echo 00 > /etc/ssl/nwl/serial
The serial is incremented with every certificate signed. It is also used to name the new certificates in ///etc/ssl/newcerts//.
=== Creating the Certificate Database ===
Again, piece of cake:
# touch /etc/ssl/nwl/index.txt
=== Creating The RootCA Itself ===
To actually create the RootCA just create a self-signed certificate:
# openssl req -x509 -newkey rsa:1024 -days 365 -keyout private/cakey.pem -out cacert.pem
**BEWARE: This does not make sense without a password on the CA key!**
Use this to check the output:
# openssl x509 -in cacert.pem -text
=== Setting nsCertType to server ===
In //openssl.cnf// go to **[ usr_cert ]** and change //nsCertType//:
nsCertType = server
After that you should generate **all** server certificates at once, to avoid creating one with a wrong //nsCertType// later.
=== Setting nsCertType to client again ===
Just as above, change the variable back to //client// (plus //email//):
nsCertType = client, email
Then the file is ready for creating client certificates later, when requested.
==== Always rocking with OpenSSL ====
=== Creating a Certificate Signing Request ===
To create a request with matching key:
# openssl req -new -nodes -keyout wiki.nwl.key -out wiki.nwl.csr
wiki.nwl.key should then contain:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
wiki.nwl.csr should contain:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
=== Signing a Certificate Signing Request ===
# openssl ca -in wiki.nwl.csr -out wiki.nwl.crt
Then you can safely delete the request, as it is no longer needed:
# rm wiki.nwl.csr
=== Creating an initial crl ===
First initialise the counter file (see the //crlnumber// config option):
# echo 00 >/etc/ssl/nwl/crlnumber
Then we create an empty initial crl:
# openssl ca -gencrl -out crl.pem
=== Correctly inspecting the generated files ===
# openssl rsa -in wiki.nwl.key -text
# openssl req -in wiki.nwl.csr -text
# openssl x509 -in wiki.nwl.crt -text
# openssl crl -in crl.pem -text
==== Revoking a certificate ====
First the revocation itself (the file name need not match; you can also find all created certificates in ///etc/ssl/nwl/newcerts//, where they are named by their serial):
# openssl ca -revoke wiki.nwl.crt
After that, the crl file needs to be recreated:
# openssl ca -gencrl -out crl.pem
==== Enhancing Validity ====
=== Certificates ===
There is no way to edit an already existing certificate (and have it automatically re-signed by the CA afterwards), so a matching CSR has to be created from it first:
# openssl x509 -x509toreq -in wiki.nwl.crt -out wiki.nwl.csr -signkey wiki.nwl.key
In order to keep the certificate DB sane, openssl requires the old certificate to be revoked before the new one can be signed:
# openssl ca -revoke wiki.nwl.crt
# openssl ca -in wiki.nwl.csr -out wiki.nwl.crt
=== Certificate Authority ===
This was not necessary yet; for instructions see this link:
http://marc.info/?l=openssl-users&m=113292902213919
=== Certificate Revocation List ===
This is quite easy. CRLs simply need to be recreated after some time (and should then be made accessible, of course). To do so:
# openssl ca -gencrl -out crl.pem
==== Creating Certificate Hash Symlinks ====
Certificates and revocation lists are usually looked up by their hash, so ideally one creates a symlink for that:
# ln -s wiki.nwl.crt $(openssl x509 -noout -hash -in wiki.nwl.crt).0
# ln -s crl.pem $(openssl crl -noout -hash -in crl.pem).r0
Note the mandatory suffixes ''.0'' for certificates and ''.r0'' for revocation lists.
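The whole procedure above (preparations, RootCA, CSR, signing, CRL, revocation) as an added, self-contained example that is not part of the original page: it runs in a throw-away directory and checks each stage with ''openssl verify'', which the page itself does not show. It assumes the ''openssl'' binary is on PATH; the CA name nwl-demo-CA and the host names wiki.nwl and mail.nwl are constructed for this demo.

```shell
# Added example, not from the original page: the CA workflow end to end in a
# temp dir. Assumes openssl on PATH; nwl-demo-CA and wiki.nwl are constructed.
set -e
cd "$(mktemp -d)"
ca_setup() {                              # the "Preparations" steps
  mkdir certs crl newcerts private && chmod 700 private
  echo 01 > serial; echo 00 > crlnumber; : > index.txt
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = nwl_ca
[ nwl_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = cacert.pem
private_key = private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  # Self-signed root; -nodes only so the demo runs unattended (a real CA key
  # stays passphrase-protected). Then the empty initial CRL.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=nwl-demo-CA \
    -config openssl.cnf -keyout private/cakey.pem -out cacert.pem 2>/dev/null
  openssl ca -config openssl.cnf -gencrl -out crl.pem 2>/dev/null
}
issue_cert() {                            # CSR with a fresh key, then the CA signs it
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" -config openssl.cnf \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config openssl.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
revoke_cert() {                           # revoke, then regenerate the CRL
  openssl ca -config openssl.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config openssl.cnf -gencrl -out crl.pem 2>/dev/null
}
cert_is_valid() {                         # chain check plus CRL check
  openssl verify -crl_check -CAfile cacert.pem -CRLfile crl.pem "$1.crt" >/dev/null 2>&1
}
ca_setup; issue_cert wiki.nwl
cert_is_valid wiki.nwl && echo "wiki.nwl: valid"
revoke_cert wiki.nwl; cert_is_valid wiki.nwl || echo "wiki.nwl: rejected after revocation"
```

Without ''-crl_check'' (and the CRL), ''openssl verify'' would still accept the revoked certificate, which is why the page insists on regenerating and publishing the CRL after every revocation.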
===== Misc =====
==== PEM Files ====
Sometimes you need a so-called //PEM file//, which contains both key and certificate. Creating it is very simple though:
* create a key and certificate signing request
* sign the request, generating the certificate
* use //cat// to put them together in one single file:
cat bincimap.key bincimap.crt >> bincimap.pem
==== HTTPS ====
=== Browser configuration ===
To get the browser to trust your own CA, the CA certificate must be imported into it.
==== Server certificates ====
Practically all browsers check whether the CN of the certificate offered matches the hostname requested. This is also the reason why virtual hosting for SSL hosts does not work.
====== Links ======
* http://gagravarr.org/writing/openssl-certs/ca.shtml