OpenSSL Quick Reference
From 5dollarwhitebox.org Media Wiki
Contents |
Creating SelfSigned SSL Certificates
Summary
This howto is a very basic walk-through on how to create SSL Certificates without the use of companies such as Verisign or the like. However, for ultimate security and *trust* of the certificates you use it is recommended not to use Self Signed Certificates for higher end production servers... especially if you are dealing with credit card transactions, etc.
That said, using Self Signed SSL Certificates is great for small end applications like webmail, or simple web logins where you need the data channel to be encrypted.
Please note that I am no SSL guru... don't trust me or this information for a Fortune 500 companies website... that would just be stupid.
- Author: BJ Dierkes
- Last Updated: January 31, 2006
- Contact: wdierkes [at] 5dollarwhitebox [dot] org
The System
This howto is performed on a Debian Sarge 3.1 GNU Linux system, however the 'openssl' commands/syntax should work across any recent distro.
- Debian Sarge 3.1 GNU Linux
- OpenSSL 0.9.7e-3sarge1
Needed Software
For a Debian system, you need to install the openssl package:
# apt-get update && apt-get install openssl
Creating a Certificate Authority
Before you can create and sign your own certificates, you first have to establish yourself as a "Certificate Authority". To do so, execute the following commands substituting your own information where necessary:
Create the key:
# openssl genrsa -des3 -out ca.mydomain.com.key 1024 Generating RSA private key, 1024 bit long modulus ......++++++ ...............++++++ e is 65537 (0x10001) Enter pass phrase for ca.mydomain.com.key: Verifying - Enter pass phrase for ca.mydomain.com.key:
- Note: Using the '-des3' flag is recommended for the Certificate Authority's key. Anytime you create a cert you will need to enter the passphrase... so don't forget it.
Create the Certificate Authorities Certificate
# openssl req -new -x509 -days 365 -key ca.mydomain.com.key -out ca.mydomain.com.crt ... Enter pass phrase for ca.mydomain.com.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: Texas Locality Name (eg, city) []: San Antonio Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company CA Organizational Unit Name (eg, section) []: Certificate Authority Common Name (eg, YOUR name) []: www.mydomain.com Email Address []: support@mydomain.com
- Please Note: You will want to use "My Company CA" for Organization Name, and "Certificate Authority" for your Organizational Unit Name here... You don't want the Organization Name/Organizational Unit to be the same for the Certificate Authoriy and the actual Company you are creating the Certificate for.
You now have a Certificate Authority key and crt which will be used to create the certificates that you will actually use. You now want to keep organized and moved these files to an apropriate location:
# mv ca.mydomain.com.key /etc/ssl/keys # mv ca.mydomain.com.crt /etc/ssl/certs
Creating Certificates
Now that you have a Certificate Authority you can create Self Signed Certificates for personal use. You can do so by following the syntax of the following commands, being sure to substitute your own information. For this example, we are going to create an SSL Cert to be used for www.mydomain.com:
Creating The Key
# openssl genrsa -out www.mydomain.com.key 1024 Generating RSA private key, 1024 bit long modulus .................................++++++ ..............++++++ e is 65537 (0x10001)
- Note: If you want this key to be encrypted, you can add the '-des3' flag. This is more secure, however any time you want to start a service (i.e. apache) with this key you will need to enter a passphrase.
Keep things tidy and move the key to a good location:
# mv www.mydomain.com.key /etc/ssl/keys
Creating The CSR (Certificate Signing Request)
Execute the following command to create a CSR to send to your Certificate Authority for signing. Don't forget to substitute your own information:
# openssl req -new -key /etc/ssl/keys/www.mydomain.com.key -out www.mydomain.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: US State or Province Name (full name) [Some-State]: Texas Locality Name (eg, city) []: San Antonio Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company Organizational Unit Name (eg, section) []: Webserver Team Common Name (eg, YOUR name) []: www.mydomain.com Email Address []: support@mydomain.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
- Note: The "Common Name" needs to be the domain that will be utilizing the SSL Cert. Also, the "challenge password" and "optional company name" at the end are optional.
You now have a www.mydomain.com.csr that will be used by the Certificate Authority to create the final certificate.
Keep things tidy, move the file to a good location:
# mv www.mydomain.com.csr /etc/ssl/csrs
Signing the CSR
The final step is to sign the CSR and create a CRT (Certificate). Following the syntax of the next command will create your CRT:
# openssl x509 -req -days 365 \ -in /etc/ssl/csrs/www.mydomain.com.csr \ -CA /etc/ssl/certs/ca.mydomain.com.crt \ -CAkey /etc/ssl/keys/ca.mydomain.com.key \ -out www.mydomain.com.crt Enter pass phrase for ca.mydomain.com.key:
- Note: This is all one command. The '\' just allows you to hit enter, and continue on the next line!
- Note: You are prompted for the passphrase that you used when creating the ca.mydomain.com.key file for the Certificate Authority.
Keep things tidy and move the new certificate to a good location:
# mv www.mydomain.com.crt /etc/ssl/certs/www.mydomain.com.crt
Conclusion
And there you have it. You now have a /etc/ssl/keys/www.mydomain.com.key and a /etc/ssl/www.mydomain.com.crt that you can use for SSL. You can cat out the files to see the result of your tedious labor:
/etc/ssl/keys/www.mydomain.com.key:
# cat /etc/ssl/keys/www.mydomain.com.key -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDHOYJxffEJfPZ5qJoueeGNleGaf8IxCXX9aCi2DXrgFX8y9Tx3 6J+FEp6AFUlbYurWFYsE/HUnlc2cuwRQV8v4AQLtz7N4jfPAbVu9uvmZ4DA/3Gev KAloVVq2sb5YQP7lexR1Qh6S2GdQmIs4KfaMsBp/Qgtbl9jPVULOPNHLcwIDAQAB AoGASzECcZFGCv22DPt8inQH1CdQib5UbauTc7v/OY7m5HJYmsQCOYN7yX7YgaEH Gc3AsmJZIN2j3fflLZVMMIKigWI/NqN2AzJWDAAYMTPnmemkv8wcJDLfvDKd+FtD om1pXYMk8kPD7VzqZo7+oPGN4uSqogvpi9C/0DLaYSHC3MkCQQDstS6vuym7t5mj PUK5EBPK1C4l0QTs3pu16ckyA2lmqFImMovv0OTCDDV+tYupswGaLxvvW/U8Q9Wb y320jjiHAkEA13ZBq0p89OTD9W47dZJ8D/iQAx1qOnbOi1HOcojQBUf6gIxd6dNP dipih88Hq3HP7RhEbGiMbmbLrp0UsFaMtQJBANVTKCMZoy/Y9G6ITDSqh5vZA0nz iOPMbzpP2pHnPztUZqhJj5IO+4biJ+fsx1SFzeDdqeha0LWiUMVabAyny8sCQDye Ep+kVz921QLJvoS3b5v2rF2T+vzzy+w6WcCzaQLzWzCrTQip4KM4DXxz7I55eKwV tbpiN5Af75Hys41g7DkCQDzH3snXY9NOKwbYPhdtGSSAXRueQjp/M0Ys7o0Z2qwY 1zYG4en968NL6KweoZbzC21QC+PdjXi/SnfDEZtqSEA= -----END RSA PRIVATE KEY-----
/etc/ssl/csrs/www.mydomain.com.csr:
# cat /etc/ssl/csrs/www.mydomain.com.csr -----BEGIN CERTIFICATE REQUEST----- MIIB4jCCAUsCAQAwgaExCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVUZXhhczEUMBIG A1UEBxMLU2FuIEFudG9uaW8xEzARBgNVBAoTCk15IENvbXBhbnkxFzAVBgNVBAsT DldlYnNlcnZlciBUZWFtMRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tMSMwIQYJ KoZIhvcNAQkBFhRedXBwb3J0QG15ZG9tYWluLmNvbTCbnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEAxzmCcX3xCXz2eaiaLnnhjZXhmn/CMQl1/Wgotg164BV/MvU8 d+ifhRKegBVJW2Lq1hWLBPx1J5XNnLsEUFfL+AEC7c+zeI3zwG1bvbr5meAwP9xn rygJaFVatrG+WED+5XsUdUIekthnUJiLOCn2jLAaf0ILW5fYz1VCzjzRy3MCAwEA AaAAMA0GCSqGSIb3DQEBBAuAA4GBACkEBscYhsVdvBTggVRpqTm+r56VWaFkxXq0 WarOuyPQjbCLSGF2nyKIj2ZNUx9FPS32q92Raf8ThVV+YRg2VrDHzui0Pwb27OWQ msBm1tLCd29KwZtvN7pACCVxbQ8ET/cpzBmWEaGnyO1ab87WACFHAOxD34JbaS42 QQPnd/nn -----END CERTIFICATE REQUEST-----
/etc/ssl/certs/www.mydomain.com.crt:
# cat /etc/ssl/certs/www.mydomain.com.crt -----BEGIN CERTIFICATE----- MIICxTCCAi4CCQDQXSiEW8Ot3DANBgkqhkiG9w0BAQQFADCBqzELMAkGA1UEBhMC VVMxDjAMBgNVBAgTBVRleGFzMRQwEgYDVQQHEwtTYW4gQW50b25pbzEWMBQGA1UE ChMNTXkgQ29tcGFueSBDQTEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MRkwFwYDVQQDExB3d3cubXlkb21haW4uY29tMSMwIQYJKoZIhvcNAQkBFhRzdXBw b3J0QG15ZG9tYWluLmNvbTAeFw0wNTExMtgwODA4MTlaFw0wNjExMTgwODA4MTla MIGhMQswCQYDVQQG5wJVUzEOMAwGA1UECBMFVGV4YXMxFDASBgNVBAcTC1NhbiBB bnRvbmlvMRMwEQYDVQQKEwpNeSBDb21wYW55MRcwFQYDVQQLEw5XZWJzZXJ2ZXIg VGVhbTEZMBcGA1UEAxMQd3d3Lm15ZG9tYWluLmNvbTEjMCEGCSqGSIb3DQEJARYU c3VwcG9ydEBteWRvbWFpbi5jb20wgZ8wDQYJK0ZIhvcNAQEBBQADgY0AMIGJAoGB AMc5gnF98Ql89nmomi554Y2V4Zp/wjEJdf1oKLYNeuAVfzL1PHfon4USnoAVSVti 6tYViwT8dSeVzZy7BFBXy/gBAu3Ps3iN88BtW726+ZngMD/cZ68oCWhVWraxvlhA /uV7FHVCHpLYZ1CYizgp9oywGn9CC1uX2M9VQs480ctzAgMBAAEwDQYJKoZIhvcN AQEEBQADgYEAq/Flf/el5k2YQYqV+o1hfbrHq3zN4i25efvCrpW8v2DzCvhC67Yi vYdckFJZT5Kq0sAoWzWKA0ivwHHbIbaGQhN4p7zvTQ+M8ZOekreQ5NbOc7u3sGCr +39Np8G/slH7Ss6YY3RzQsxbvCB5D6dj/a2R4TEeKqncuMTtDYNX/IQ= -----END CERTIFICATE-----
Tips & Tricks
This is just some extra stuff for reminders and basic helpers.
Verify A Matching Certificate/Key Pair
You may find yourself needing to verify whether a Certificate and Key Pair match (i.e. whether the certificate you have was generated using the Keyfile you have). To do so you can use some openssl commands to output the Cert and Key files and compare the "modulus" which should be identical.
Find the modulus from the Certificate File:
# openssl x509 -noout -text -in www.domain.com.crt -modulus
Modulus (1024 bit):
00:be:bf:51:28:87:1d:15:0b:44:0d:53:81:2d:9a:
aa:c8:0b:a4:95:06:da:d0:1d:dc:d5:67:57:18:10:
25:d8:42:d5:59:eb:c2:45:f3:ac:ba:71:5f:12:75:
37:78:c8:d2:cc:49:7f:5b:3a:55:5f:c8:5a:99:8e:
31:c8:e0:d3:a1:ef:35:ba:e0:85:1d:e0:39:12:3c:
3b:63:c8:10:ab:7f:38:43:07:fa:8a:35:c8:28:b9:
81:d8:13:f5:ce:b8:e6:f1:1d:32:bd:f5:04:4b:ee:
1c:75:7d:be:bf:27:32:e9:c3:2c:15:5e:a5:bb:d5:
64:26:7c:d9:3e:2d:74:5c:79
There is a lot more output than this... but what you are looking for is the 'modulus'.
Find the modulus from the Key File:
# openssl rsa -noout -text -in keys/www.domain.com.key -modulus
Private-Key: (1024 bit)
modulus:
00:be:bf:51:28:87:1d:15:0b:44:0d:53:81:2d:9a:
aa:c8:0b:a4:95:06:da:d0:1d:dc:d5:67:57:18:10:
25:d8:42:d5:59:eb:c2:45:f3:ac:ba:71:5f:12:75:
37:78:c8:d2:cc:49:7f:5b:3a:55:5f:c8:5a:99:8e:
31:c8:e0:d3:a1:ef:35:ba:e0:85:1d:e0:39:12:3c:
3b:63:c8:10:ab:7f:38:43:07:fa:8a:35:c8:28:b9:
81:d8:13:f5:ce:b8:e6:f1:1d:32:bd:f5:04:4b:ee:
1c:75:7d:be:bf:27:32:e9:c3:2c:15:5e:a5:bb:d5:
64:26:7c:d9:3e:2d:74:5c:79
Again, there is a lot more output than this... but what you are looking for is the 'modulus'.
If the "modulus" doesn't match, then you do not having a matching Certificate/Key pair, and therefore you can't use the pair for SSL puproses.
Remove Passphrase From Key File
If you want to remove the passphrase from a key file, you can create a new [unpassphrased] version this way:
# cp www.domain.com.key www.domain.com.key.passphrase # openssl rsa -in www.domain.com.key.passphrase -out www.domain.com.key read RSA key Enter PEM pass phrase: <need to know passphrase to remove it> writing RSA key
That should be it. You can now use the new Key file without the passphrase.
The following was submitted by Daniel F. Schwartz:
Often, you'll have your private key and public certificate stored in the same file. If they are stored in a file called mycert.pem, you can construct a decrypted version called newcert.pem in two steps.
You'll need to type your passphrase once more:
openssl rsa -in mycert.pem -out newcert.pem openssl x509 -in mycert.pem >>newcert.pem
Testing SSL
[linuxbox /]# openssl s_client -ssl2 -connect www.5dollarwhitebox.org:443
CONNECTED(00000003)
depth=0 /C=US/ST=Texas/L=San Antonio/O=5dollarwhitebox.org/OU=Webserver Team/CN=www.5dollarwhitebox.org/emailAddress=support@5dollarwhitebox.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Texas/L=San Antonio/O=5dollarwhitebox.org/OU=Webserver Team/CN=www.5dollarwhitebox.org/emailAddress=support@5dollarwhitebox.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Texas/L=San Antonio/O=5dollarwhitebox.org/OU=Webserver Team/CN=www.5dollarwhitebox.org/emailAddress=support@5dollarwhitebox.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC8zCCAlwCCQDjj38pQTOjZTANBgkqhkiG9w0BAQQFADCBwjELMAkGA1UEBhMC
VVMxDjAMBgNVBAgTBVRleGFzMRQwEgYDVQQHEwtTYW4gQW50b25pbzEfMB0GA1UE
ChMWNWRvbGxhcndoaXRlYm94Lm9yZyBDQTEeMBwGA1UECxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MSAwHgYDVQQDExd3d3cuNWRvbGxhcndoaXRlYm94Lm9yZzEqMCgG
CSqGSIb3DQEJARYbc3VwcG9ydEA1ZG9sbGFyd2hpdGVib3gub3JnMB4XDTA1MTIy
MDA3NTcxNloXDTA2MTIyMDA3NTcxNlowgbgxCzAJBgNVBAYTAlVTMQ4wDAYDVQQI
EwVUZXhhczEUMBIGA1UEBxMLU2FuIEFudG9uaW8xHDAaBgNVBAoTEzVkb2xsYXJ3
aGl0ZWJveC5vcmcxFzAVBgNVBAsTDldlYnNlcnZlciBUZWFtMSAwHgYDVQQDExd3
d3cuNWRvbGxhcndoaXRlYm94Lm9yZzEqMCgGCSqGSIb3DQEJARYbc3VwcG9ydEA1
ZG9sbGFyd2hpdGVib3gub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+
v1Eoh14VC0QNU4EtmqqiC6SVBtrQKdzVZ1cYECXYQtVZ68JF86y6cV8SdTd4yNLM
SX9bOlVfklqZjjGO4NOh7zW64IUd4DkSPDtj3xCrfzhDB/qKNbwouYHYE/XOuObx
FjK99QRL7hx1fb6/JzLpwywVXqW71WQmfNk+LXRceQIDAQABMA0GCSqGSIb3DQEB
BAUAA4GBALiMr22FokdqOT5u4ydl1Yg86huY7n79rcN1btyavIYJs8c3VffbRI6b
W2Oc5Z8BRU7WizB1v6/Dd979du3qeRignNrcwrdrzhxZduWg5VrvXPKg+t0KKsoc
Mpm38xTcchK//mVreIkZlJzOwY00gt0SJcspuk1A2aCZ7E77YXxX
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=San Antonio/O=5dollarwhitebox.org/OU=Webserver Team/CN=www.5dollarwhitebox.org/emailAddress=support@5dollarwhitebox.org
issuer=/C=US/ST=Texas/L=San Antonio/O=5dollarwhitebox.org CA/OU=Certificate Authority/CN=www.5dollarwhitebox.org/emailAddress=support@5dollarwhitebox.org
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
RC4-64-MD5
---
SSL handshake has read 895 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: 117889854CBB924363F13008CC54F839
Session-ID-ctx:
Master-Key: FE6B3547BBE3EF420F2A1EB796927EC3654792EBD786B5E7
Key-Arg : 075FA57CC1C14CC2
Start Time: 1157152470
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
