OpenSSL

OpenSSL is a library and PKI manager under GPL. It's quite basic and light.

Installation

The following packages are required :

  • openssl

Public/Private Key mecanism

An asymetric key is a pair of key :

  • a public key
  • a private key

Keys are complementary, any data encrypted by the private key can be read with the public key, any data encrypted with the public key can only be read with the private key.

The goal of the certificate is to prove the identity of the public key. The Certificate Autority vouch that the public key belong to the given website.

A certificate is signed by the private key of the Certificate Autority, the browser use the public key of the CA to check the validity of the website certificate.

Create a self signed certificate

How to generate a simple self-signed certificate :

Generate the RSA key

Command :

openssl genrsa -out newkey.key 1024

Example :

:/etc/ssl/demo# openssl genrsa -out newkey.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............................................++++++
e is 65537 (0x10001)
:/etc/ssl/demo# chmod 700 newkey.key
:/etc/ssl/demo# l
total 4
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key
:/etc/ssl/demo#

Generate a self-signed certificate

Command :

openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt

Example :

:/etc/ssl/demo# openssl req -new -x509 -days 365 -key newkey.key -out newcert.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:demo.bouthors.fr
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/demo#

Create a certificate request

How to generate a certificate request (CSR) :

Genereate the RSA key

Command :

openssl genrsa -out newkey.key 1024

Example :

:/etc/ssl/demo# openssl genrsa -out newkey.key 1024
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............................................++++++
e is 65537 (0x10001)
:/etc/ssl/demo# chmod 700 newkey.key
:/etc/ssl/demo# l
total 4
-rwx------ 1 root root 891 2007-12-09 22:05 newkey.key
:/etc/ssl/demo#

Generate the certificate request

Command :

openssl req -new -key newkey.key -out newcsr.csr

Example :

:/etc/ssl/demo# openssl req -new -key newkey.key -out newcsr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:demo.bouthors.fr
Email Address [matthieu@bouthors.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:/etc/ssl/demo#

Sign a certificate with a second one

How to sign a certificate with a CA.
:!: This method doesn't allow to manage a Certificate Revocation List (CRL)

Command :

openssl x509 -req -days 3653 -in newcsr.csr -CA cacrt.crt -CAkey cakey.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt

Example :

:/etc/ssl/demo# openssl x509 -req -days 3653 -in newcsr.csr -CA demoCA.crt -CAkey demoCA.key -CAserial caserial.srl -CAcreateserial -out newcrt.crt
Signature ok
subject=/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
Getting CA Private Key
:/etc/ssl/demo# openssl x509 -in newcrt.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c7:0f:53:50:1c:e4:e8:e7
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=Demo Root CA/emailAddress=matthieu@bouthors.fr
        Validity
            Not Before: Dec  9 21:48:28 2007 GMT
            Not After : Dec  9 21:48:28 2017 GMT
        Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
                    9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
                    09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
                    b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
                    d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
                    f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
                    b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
                    16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
                    2c:ee:02:25:47:39:17:9b:57
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        86:f4:ec:01:68:54:c7:da:cb:d5:4b:2c:7d:53:90:06:a0:5c:
        24:00:cf:54:01:49:3d:6d:28:2a:7c:6e:77:99:2c:74:50:a6:
        a4:68:0e:ff:0b:1e:8c:8a:58:99:64:7a:06:f6:95:49:31:7d:
        cf:3d:a2:e2:71:f1:a1:32:05:d0:63:9a:7f:d0:6b:43:85:00:
        6e:74:2e:ae:2d:da:47:8b:fc:b4:ec:4e:df:ae:99:e4:c2:35:
        9c:d3:fd:6a:8c:c3:32:7d:be:34:f7:3d:2b:94:04:1c:ff:c7:
        d0:a0:bb:23:ea:a6:71:79:3f:49:32:6f:00:b8:c8:8a:47:88:
        25:43
:/etc/ssl/demo#

View a certificate

Some useful commands to view details about certificates.

View details of a certifiate

Command :

# openssl x509 -in cert.crt -text -noout

Example :

:/etc/ssl/demo# openssl x509 -in newcert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9e:54:95:05:59:64:4d:48
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Validity
            Not Before: Dec  9 21:07:01 2007 GMT
            Not After : Dec  8 21:07:01 2008 GMT
        Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:96:78:c6:27:c7:50:d6:d5:a3:42:24:d2:bf:b2:
                    9c:34:98:c5:1c:6d:92:96:65:66:2e:6e:18:d7:0b:
                    09:2d:02:91:51:5c:3a:b5:fe:e8:93:c6:0d:02:88:
                    b6:d0:d6:7e:44:12:bb:8c:e6:cc:fe:5d:81:27:50:
                    d5:07:2e:a8:f8:b3:f4:4a:e3:6d:1a:77:b5:28:13:
                    f5:93:1e:57:2b:93:64:f2:e4:e1:cd:2f:e2:3e:9a:
                    b9:d6:89:64:cc:2c:a4:b1:5a:2f:24:7a:06:df:0c:
                    16:be:e3:6f:e2:25:0d:eb:f3:45:9e:40:95:74:c4:
                    2c:ee:02:25:47:39:17:9b:57
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
            X509v3 Authority Key Identifier:
                keyid:C5:10:29:AD:F2:72:C1:92:5C:2A:7B:CD:AF:60:6B:65:3B:C8:DF:F9
                DirName:/C=FR/ST=France/O=Matthieu Bouthors/CN=demo.bouthors.fr/emailAddress=matthieu@bouthors.fr
                serial:9E:54:95:05:59:64:4D:48

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        3b:3c:80:22:e7:87:e4:25:2a:32:f1:1c:18:5a:67:60:f4:fa:
        7a:83:d1:6a:5a:41:6d:64:18:7d:5c:5b:69:a1:72:c4:c3:b0:
        8f:b0:ab:c0:a1:07:98:a1:1f:b2:da:fd:63:3b:07:2f:de:58:
        17:01:f9:5d:a8:f8:56:b9:3a:e9:92:32:2f:94:be:e7:46:09:
        b2:9e:80:e8:e6:0e:35:d7:74:73:c5:f0:a9:80:8c:30:26:40:
        d4:f1:53:4f:68:5c:d0:0c:37:a5:d8:79:07:04:a5:09:9d:61:
        54:16:84:9b:0b:ba:1e:4f:6c:3a:46:2d:e7:50:77:b4:41:d6:
        c3:9d
:/etc/ssl/demo#

View details of a certificate request (CSR)

Command :

openssl req -in newcsr.csr -text -noout

Example :

:/etc/ssl/ca_bouthors.fr/csr# openssl req -in www.bouthors.fr.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=FR, ST=France, O=Matthieu Bouthors, CN=www.bouthors.fr/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f2:e6:e0:5c:20:76:ab:45:34:a0:46:64:9e:26:
                    9a:d6:f7:a0:9a:c4:37:dc:7a:88:4d:22:b4:f6:7c:
                    4f:43:21:8a:91:7d:ec:46:af:2b:58:28:2f:e5:ce:
                    90:12:c1:ed:39:31:07:0f:8e:0f:40:27:43:05:6b:
                    05:d8:1a:41:fe:a1:c3:2f:0d:42:5c:26:b6:00:b2:
                    60:87:98:b9:cd:e2:5e:4a:ad:ab:db:ed:ec:92:4c:
                    21:29:08:a5:c4:83:85:bf:a0:c6:97:a4:37:97:0c:
                    ce:1a:ed:7b:62:3b:84:6d:3f:81:da:d8:1f:62:ab:
                    94:60:74:ee:55:98:49:31:3f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        96:92:07:7c:88:f0:39:c6:2c:67:df:43:80:fa:22:5e:76:85:
        84:c6:54:e4:7c:53:f1:ea:a9:98:1d:e0:13:45:83:0c:73:c9:
        81:ad:96:69:da:ef:e5:c4:c6:79:45:5d:1e:85:7e:5f:29:4a:
        f0:92:ce:4e:6b:71:65:41:23:83:23:44:27:ed:5e:b2:4c:14:
        43:ff:86:6e:68:9d:29:66:fd:7a:d1:46:9f:73:64:37:6d:f4:
        83:ff:f2:00:45:dc:b1:54:7d:7c:64:3f:0b:6a:96:64:a2:e0:
        9b:ae:22:f4:6a:24:3f:4d:c2:ff:f3:57:15:89:6d:2d:ee:7f:
        f8:b5
:/etc/ssl/ca_bouthors.fr/csr#

Create a mini Certificate Autority (CA)

We will now create a CA to sign some certificates. This CA will be stored into /etc/ssl/ca_bouthors.fr/

The command openssl ca allows to manage a CA.

Modify the configuration file

Before starting, we need to configure the openssl config file because all parameters aren't available on the command line. The simpliest way is to create a new section inside /etc/ssl/openssl.cnf and to modify it.

Some custom parameters :

  • CA folder
dir             = /etc/ssl/ca_bouthors.fr
  • duration of each certificate
default_days    = 3653
  • how many days the crl is valid
default_crl_days= 365
  • some default parameters for certificate generation
countryName_default             = FR
stateOrProvinceName_default     = France
0.organizationName_default      = Matthieu Bouthors
emailAddress_default            = matthieu@bouthors.fr
  • CRL extensions :
nsCaRevocationUrl               = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
crlDistributionPoints           = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName                   = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
####################################################################
[ CA_BOUTHORS.FR ]

dir             = /etc/ssl/ca_bouthors.fr # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 3653                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = FR
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = France

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Matthieu Bouthors

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = matthieu@bouthors.fr

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

nsCaRevocationUrl               = http://www.bouthors.fr/ca/ca_bouthors.fr.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

crlDistributionPoints           = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl
issuerAltName                   = URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt

Don't forget to change the default config :

default_ca      = CA_BOUTHORS.FR                # The default ca section

Create the folders

:/etc/ssl# mkdir ca_bouthors.fr
:/etc/ssl# cd ca_bouthors.fr
:/etc/ssl/ca_bouthors.fr# mkdir certs
:/etc/ssl/ca_bouthors.fr# mkdir crl
:/etc/ssl/ca_bouthors.fr# touch index.txt
:/etc/ssl/ca_bouthors.fr# mkdir newcerts
:/etc/ssl/ca_bouthors.fr# echo "01" > serial
:/etc/ssl/ca_bouthors.fr# echo "01" > crlnumber
:/etc/ssl/ca_bouthors.fr# mkdir private
:/etc/ssl/ca_bouthors.fr# chmod 700 private/
:/etc/ssl/ca_bouthors.fr# l
total 24
drwxr-xr-x 2 root root 4096 2007-12-09 21:54 certs
drwxr-xr-x 2 root root 4096 2007-12-09 21:55 crl
-rw-r--r-- 1 root root    3 2007-12-09 21:55 crlnumber
-rw-r--r-- 1 root root    0 2007-12-09 21:55 index.txt
drwxr-xr-x 2 root root 4096 2007-12-09 21:55 newcerts
drwx------ 2 root root 4096 2007-12-09 21:55 private
-rw-r--r-- 1 root root    3 2007-12-09 21:55 serial
:/etc/ssl/ca_bouthors.fr#

Create the CA

Generate a self signed certificate, as explained here : Create a self signed certificate

:/etc/ssl/ca_bouthors.fr# cd private/
:/etc/ssl/ca_bouthors.fr/private# openssl genrsa -out cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
.......................................................++++++
........++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# openssl req -new -x509 -days 3653 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:bouthors.fr Root CA
Common Name (eg, YOUR name) []:
Email Address [matthieu@bouthors.fr]:
:/etc/ssl/ca_bouthors.fr# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            92:56:59:7f:4d:35:2a:0d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Validity
            Not Before: Dec  9 21:00:35 2007 GMT
            Not After : Dec  9 21:00:35 2017 GMT
        Subject: C=FR, ST=France, O=Matthieu Bouthors, OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b2:15:0c:cf:c9:ff:f1:a2:5c:39:83:49:db:9d:
                    1a:86:c3:38:cb:d9:c6:f4:3d:7d:ae:bf:cc:11:f7:
                    3f:b3:f2:e6:cf:1d:aa:b1:0d:5f:3a:f7:51:d5:77:
                    43:75:9f:65:1d:86:7d:de:0b:c9:39:77:37:60:14:
                    85:43:ec:b3:4f:35:eb:24:97:02:68:08:89:26:8d:
                    35:c0:bd:b4:cb:12:de:4e:74:8f:17:c6:31:27:aa:
                    ff:9e:eb:a7:80:3f:8f:f6:99:f4:08:06:a2:2f:81:
                    7d:03:bd:cd:37:0f:c4:d7:5f:87:f7:b1:8e:90:ee:
                    f2:92:ae:bf:79:3a:b1:c5:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
            X509v3 Authority Key Identifier:
                keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A
                DirName:/C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
                serial:92:56:59:7F:4D:35:2A:0D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        2d:05:0f:7c:9a:74:e6:0e:e1:77:71:76:8b:9a:81:7c:44:58:
        78:fd:76:3f:c4:cb:39:08:f9:d8:9e:b7:43:b4:64:91:9f:b0:
        27:1e:b4:5f:69:67:2d:60:11:18:14:52:27:d4:96:e5:cb:ab:
        ef:7c:5f:ca:6f:e9:ba:b5:f1:e3:b8:52:37:ec:48:51:92:ca:
        d7:e0:6b:ee:45:c2:56:e1:49:04:d4:77:45:fa:45:af:b8:c8:
        44:ee:b5:e6:a0:17:ed:8c:32:aa:ea:b1:93:31:e6:fa:6e:55:
        a3:4a:6f:41:8d:5d:1d:e0:c0:bd:34:e1:45:de:cd:a6:83:74:
        ba:6a
:/etc/ssl/ca_bouthors.fr#

Generate a new CSR

As explained here :Generate the certificate request.

Example :

:/etc/ssl/ca_bouthors.fr/private#  openssl genrsa -out www.bouthors.fr.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
......++++++
e is 65537 (0x10001)
:/etc/ssl/ca_bouthors.fr/private# cd ..
:/etc/ssl/ca_bouthors.fr# mkdir csr
:/etc/ssl/ca_bouthors.fr# cd csr/
:/etc/ssl/ca_bouthors.fr/csr# openssl req -new -key ../private/www.bouthors.fr.key -out www.bouthors.fr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [France]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Matthieu Bouthors]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.bouthors.fr
Email Address [matthieu@bouthors.fr]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
:/etc/ssl/ca_bouthors.fr/csr#

Sign the CSR with the CA

Command :

openssl ca -in newcsr.csr -out newcert.pem

Example :

:/etc/ssl/ca_bouthors.fr# openssl ca -in csr/www.bouthors.fr.csr -out certs/www.bouthors.fr.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  9 21:18:59 2007 GMT
            Not After : Dec  9 21:18:59 2017 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = France
            organizationName          = Matthieu Bouthors
            commonName                = www.bouthors.fr
            emailAddress              = matthieu@bouthors.fr
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B6:7D:88:57:81:55:42:29:EB:A9:B6:21:D0:95:9F:E6:A8:71:F0:AC
            X509v3 Authority Key Identifier:
                keyid:3C:58:19:1E:8E:44:FA:D4:13:F5:20:EE:F5:FE:83:36:01:8F:CE:0A

            Netscape CA Revocation Url:
                http://www.bouthors.fr/ca/ca_bouthors.fr.crl
            X509v3 CRL Distribution Points:
                URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crl

            X509v3 Issuer Alternative Name:
                URI:http://www.bouthors.fr/ca/ca_bouthors.fr.crt
Certificate is to be certified until Dec  9 21:18:59 2017 GMT (3653 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
:/etc/ssl/ca_bouthors.fr#

Generate the CRL

Command :

openssl ca -gencrl -out crl.pem

Example :

:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Last Update: Dec  9 21:21:10 2007 GMT
        Next Update: Jan  8 21:21:10 2008 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha1WithRSAEncryption
        57:a6:92:1d:39:18:83:4e:da:44:93:fd:73:c3:1c:ab:15:a1:
        8b:a4:d0:4d:71:69:cc:9d:b5:84:47:48:c1:f7:75:f5:dd:ee:
        20:1b:90:9f:3a:99:56:a1:6e:04:0f:b7:4f:49:c3:e3:20:77:
        db:8b:da:a6:df:0e:42:6d:e9:a5:b6:80:63:ed:f7:64:18:40:
        43:59:58:68:c5:83:9b:2d:db:e2:ab:eb:74:09:8c:89:15:c5:
        31:95:4d:d9:73:d8:d2:3d:f1:b1:25:85:46:9b:3c:c9:35:fd:
        f1:30:1d:80:19:c8:9e:dd:4e:2d:17:7e:bb:fc:04:c8:a8:ac:
        62:5a
:/etc/ssl/ca_bouthors.fr#

Revoke a certificate

To revoke a certificate, you need to know his serial number. By default, openssl store certificates inside /newcerts.

Command :

openssl ca -revoke newcerts/XX.pem

Example :

:/etc/ssl/ca_bouthors.fr# openssl ca -revoke newcerts/01.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Revoking Certificate 01.
Data Base Updated
:/etc/ssl/ca_bouthors.fr# 

Then you need to generate the CRL like this :

ender:/etc/ssl/ca_bouthors.fr# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
:/etc/ssl/ca_bouthors.fr# openssl crl -in crl.pem -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=FR/ST=France/O=Matthieu Bouthors/OU=bouthors.fr Root CA/emailAddress=matthieu@bouthors.fr
        Last Update: Dec  9 21:36:34 2007 GMT
        Next Update: Jan  8 21:36:34 2008 GMT
        CRL extensions:
            X509v3 CRL Number:
                3
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Dec  9 21:36:12 2007 GMT
    Signature Algorithm: sha1WithRSAEncryption
        15:78:28:8f:da:96:27:40:82:4c:8a:9c:7f:ab:d3:7b:bb:b9:
        18:25:e2:d1:6d:17:5f:fd:73:a3:0e:8f:3f:ee:9e:4b:38:3a:
        a4:46:be:79:33:37:8a:e7:96:e0:3a:1e:30:27:a2:9d:bb:43:
        d5:2c:0b:80:ed:68:39:36:f5:65:7c:f6:7d:8d:89:f0:2a:df:
        c6:34:a3:b9:17:ab:39:de:24:8e:5e:8f:49:a1:a5:78:b5:a5:
        55:69:33:69:b5:e8:87:6d:21:82:2f:7a:b1:80:48:db:62:77:
        c3:67:9e:de:0e:15:00:c5:99:d0:10:1e:0d:d9:d6:0a:d6:b7:
        99:64
:/etc/ssl/ca_bouthors.fr#

Publish the CA and the CRL

You should not forget to copy the CA certificate and the CRL on the web server, in our example :

:/etc/ssl/ca_bouthors.fr# cp crl.pem /var/http/ca/ca_bouthors.fr.crl
:/etc/ssl/ca_bouthors.fr# cp cacert.pem /var/http/ca/ca_bouthors.fr.crt

Schedule the CRL generation

To regenerate automaticaly, you can use a small script inside /etc/cron.weekly/crlopenssl :

#!/bin/sh

/usr/bin/openssl ca -gencrl -out /etc/ssl/ca_bouthors.fr/crl.pem
cp /etc/ssl/ca_bouthors.fr/crl.pem /var/http/ca/ca_bouthors.fr.crl

Backup

  • /etc/ssl/openssl.cnf
  • /etc/ssl/ca_mbo
  • /etc/cron.weekly/crlopenssl
  • /var/http/ca

Links

en/linux/openssl.txt · Last modified: 2011/01/11 23:06 by matthieu
Recent changes RSS feed Debian Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki