Table of Contents

SSL

This documentation covers OpenSSL only, as it is the standard implementation for Linux.

Commands

OpenSSL commands are specified as first argument to the openssl binary. Normally each command has it's own manpage.

req

req covers things done with Certificate Requests.

creating a Certificate Request

Use this for an unencrypted key:

openssl req -new -nodes -keyout bincimap.key -out bincimapreq.pem

creating the RootCA

For building a RootCA, you need a self-signed certificate:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem

ca

ca is used for doing Certificate Authority stuff.

signing

To sign a Certificate Request (generating a certificate) use:

openssl ca -in filename.csr -out filename.crt

revoking

To revoke a certain certificate:

openssl ca -revoke filename.crt

x509

With x509 you can watch into certificates and other files.

watching a certificate

openssl x509 -in filename.crt -text

Howto: CA + Certificates

This is what I did to setup a RootCA and sign some certificates with it.

Preparations

Directory-Structure below /etc/ssl/

# ls -l /etc/ssl/nwl/
total 0
drwxr-xr-x  2 root root 6 Nov  1 20:45 certs
drwxr-xr-x  2 root root 6 Nov  1 20:45 crl
drwxr-xr-x  2 root root 6 Dec  3 04:01 newcerts
drwx------  2 root root 6 Dec  3 04:01 private

customizing /etc/ssl/openssl.cnf

Rocking with OpenSSL

Creating Diffie-Hellman parameters

# openssl dhparam -outform PEM -out /etc/ssl/nwl/dh1024.pem -2 1024

This takes quite long. There is also a faster variant of generating the params, but then you should recreate them before each use, which is likely to be forgotten. The created file should contain the folowing lines:

-----BEGIN DH PARAMETERS-----
  [...]
-----END DH PARAMETERS-----

Creating an initial serial

Peace of Cake:

# echo 00 > /etc/ssl/nwl/serial

The serial will be incremented with every certificate signed. It is also used for naming the new certificates in /etc/ssl/newcerts.

Creating the Certificate Database

Again Peace of Cake:

# touch /etc/ssl/nwl/index.txt

Creating The RootCA Itself

To actually create the RootCA just create a self-signed certificate:

# openssl req -x509 -newkey rsa:1024 -days 365 -keyout private/cakey.pem -out cacert.pem

BEWARE: This does not make sense without a password!

Use this to check the output:

# openssl x509 -in cacert.pem -text

Setting nsCertType to server

In openssl.conf goto [ usr_cert ], and then change nsCertType:

nsCertType = server

After that you should generate all server-certificates at once, to prevent creating one with a wrong nsCertType later.

Setting nsCertType to client again

Just as above, change the variable back to client:

nsCertType = client, email

Then the file should match for later creating client-certificates when requested.

Always rocking with OpenSSL

Creating a Certificate Signing Request

To create a request with matching key:

# openssl req -new -nodes -keyout wiki.nwl.key -out wiki.nwl.csr

wiki.nwl.key should contain then:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

wiki.nwl.csr should contain:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Signing a Certificate Signing Request

# openssl ca -in wiki.nwl.csr -out wiki.nwl.crt

Then you can savely delete the request, as it is not needed anymore:

# rm wiki.nwl.csr

Creating an initial crl

First thing to do is initialise an index file (see crlnumber config option):

# echo 00 >/etc/ssl/nwl/crlnumber

Then we create an empty initial crl:

# openssl ca -gencrl -out crl.pem

Correctly watching the generated files

# openssl rsa -in wiki.nwl.key -text
# openssl req -in wiki.nwl.csr -text
# openssl x509 -in wiki.nwl.crt -text
# openssl crl -in crl.pem -text

Revoking a certifikate

First the revocation itself (The name need not match, you can also find all created certificates in /etc/ssl/nwl/newcerts, where they are named by their serial.):

# openssl ca -revoke wiki.nwl.crt

after that, one needs to recreate the crl file:

# openssl ca -gencrl -out crl.pem

Enhancing Validity

Certificates

There is no way to edit an already existing certificate (and having it automatically resigned by the CA afterwards), so a matching CSR has to be created first:

# openssl x509 -x509toreq -in wiki.nwl.crt -out wiki.nwl.csr -signkey wiki.nwl.key

In order to keep the certificate DB sane, openssl enforces to revoke the old certificate before the new one can be signed:

# openssl ca -revoke wiki.nwl.crt
# openssl ca -in wiki.nwl.csr -out wiki.nwl.crt

Certificate Authority

Was not necessary yet, but for instructions see this link: http://marc.info/?l=openssl-users&m=113292902213919

Certificate Revocation List

This is quite easy. CRLs simply need to be recreated after some time (and should then be made accessible, of course). To do so:

# openssl ca -gencrl -out crl.pem

Usually certificates and revocation lists are being looked up by their hash. Ideally one creates a symlink therefore:

# ln -s wiki.nwl.crt $(openssl x509 -noout -hash -in wiki.nwl.crt).0
# ln -s crl.pem $(openssl crl -noout -hash -in crl.pem).r0

Note the mandatory suffixes .0 for certificates and .r0 for revocation lists.

Misc

PEM Files

Sometimes you need a so called Pem-File, which contains both key and certificate. Creating it is very simple though:

cat bincimap.key bincimap.crt >> bincimap.pem

HTTPS

Browserconfiguration

To get the Browser trust your own CA, the CA certificate must be imported into it.

Servercertifikates

Praktically all browsers check the CN of the certificate offered whether it matches the hostname requested. This is also the reason, why virtual hosting for ssl-hosts does not work.

Links