I can never remember how to use OpenSSL and reading the OpenSSL man page makes me angry so here's a cheat sheet on how to do basic useful stuff with OpenSSL.
Create a Secure Directory for Certificates
# mkdir -m 700 -p /usr/local/ca
# chown root:root /usr/local/ca
Create Your Own Certificate Authority
- Create the CA private key (remember your passphrase!):
# openssl genrsa -des3 -out /usr/local/ca/ca.key 1024
- Create the CA certificate (ca.crt) and sign it with the CA's private key (ca.key)
# openssl req -new -x509 -days 3650 -key /usr/local/ca/ca.key -out /usr/local/ca/ca.crt
Create an unsigned certificate (this is for SSL-enabling your service)
- Create a private key (cert.pem; despite the name, this file holds the key) and a certificate signing request or CSR (req.pem).
# openssl req -new -days 3650 -nodes -out /tmp/req.pem -keyout /usr/local/ca/cert.pem
Realise that the -nodes option means that your key is sitting unencrypted on your hard disk. While this is generally unavoidable if you want your service to start unattended on boot up, it's still a gaping security issue to be aware of.
Sign Your Certificate With Your CA's Key
- Using your CA's private key (ca.key) and certificate (ca.crt), sign the CSR (req.pem) and create a signed certificate (signed_req.pem):
# openssl x509 -req -CA /usr/local/ca/ca.crt -CAkey /usr/local/ca/ca.key -days 3650 -in /tmp/req.pem -out /tmp/signed_req.pem -CAcreateserial
If you wanted to go with a third-party certificate authority like CAcert, FreeCert or Verisign, you would instead mail them your CSR (req.pem) and they would mail you back the signed request (signed_req.pem).
- Concatenate the signed request with your certificate to produce a certificate that can be loaded into your web/mail server:
# cat /tmp/signed_req.pem >> /usr/local/ca/cert.pem
Note: I use "-days 3650", which means that the certificate expires in 10 years as opposed to the normal 1 year. Officially this is a bad thing, but I would rather revoke a cert than deal with them expiring every year.
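The whole procedure above (CA key and certificate, service key and CSR, signing with the CA) as one non-interactive script, followed by the two checks worth running before a key and certificate go anywhere near a server: that the signed certificate actually chains to your CA (and not to an unrelated one), and that the key and certificate belong together. This is an added example, not code from the original cheat sheet. It deliberately differs from the page's commands in a few places: 2048-bit RSA keys instead of 1024, `-subj` instead of interactive prompts, and no `-des3` passphrase on the CA key (a passphrase would stop a scripted run); the directory, file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Builds a throwaway CA, issues a service certificate from a CSR, then
# verifies the result. All paths and names below are constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
umask 077   # every file written below, keys included, is created mode 0600

make_ca() {
  # CA private key and self-signed CA certificate (2048-bit, no passphrase)
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/ca.key" \
    -subj "/CN=Demo Test CA" -out "$WORK/ca.crt"
}

make_service_key_and_csr() {
  # -nodes: unencrypted key, as on the page; the umask limits who can read it
  openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/server.key" \
    -subj "/CN=www.example.test" -out "$WORK/req.pem" 2>/dev/null
}

sign_csr() {
  # Same command as the page; -CAcreateserial writes ca.srl beside ca.crt
  openssl x509 -req -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 3650 -in "$WORK/req.pem" -out "$WORK/signed_req.pem" 2>/dev/null
}

# Print OK if certificate $2 chains to the CA certificate $1, FAIL otherwise
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Print OK if private key $1 and certificate $2 share the same RSA modulus,
# i.e. the key really is the one the certificate was issued for
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$2")
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo OK; else echo FAIL; fi
}

# A second, unrelated CA: our certificate must NOT verify against it
make_other_ca() {
  openssl req -new -x509 -days 30 -nodes -newkey rsa:2048 \
    -keyout "$WORK/other.key" -subj "/CN=Unrelated CA" \
    -out "$WORK/other.crt" 2>/dev/null
}

make_ca
make_service_key_and_csr
sign_csr
make_other_ca
echo "chain to own CA:       $(verify_with "$WORK/ca.crt" "$WORK/signed_req.pem")"
echo "chain to unrelated CA: $(verify_with "$WORK/other.crt" "$WORK/signed_req.pem")"
echo "key matches cert:      $(key_matches_cert "$WORK/server.key" "$WORK/signed_req.pem")"
```

Run it with `sh ca_demo.sh`; set `WORK=/some/dir` to keep the files instead of using a fresh temporary directory. `openssl verify -CAfile` is the check that catches a CSR signed with the wrong CA key, and the modulus comparison catches the classic deployment mistake of copying a certificate next to a key that was regenerated after the CSR was made.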
Configuring Apache
Some daemons and services don't use the older-style combined PEM file (notably Apache and OpenLdap), so you need to do things a little differently. Instead of concatenating signed_req.pem to the end of cert.pem you need to point the daemon at those files directly. Using Apache with ModSsl on a stock DebianLinux setup you would do it like this:
- Copy the key file (cert.pem) and the certificate file (signed_req.pem) to their "proper" home:
# cp /usr/local/ca/cert.pem /etc/apache/ssl.key/server.key
# cp /tmp/signed_req.pem /etc/apache/ssl.crt/server.crt
- Configure Apache to use these file locations (assumes you have all the other ModSsl settings already configured):
SSLCertificateFile /etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache/ssl.key/server.key
Other Useful Commands
- View the fingerprint of a certificate:
# openssl x509 -subject -dates -fingerprint -in cert.pem
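The inspection command above, extended into a small script that a practitioner could drop into a cron job: it prints an explicit SHA-256 fingerprint (rather than the tool's default digest), the subject and validity dates, and uses `openssl x509 -checkend` to flag a certificate that is about to expire, which matters more for the 1-year certificates the note above contrasts with than for 10-year ones. This is an added example, not code from the original page; it generates a throwaway self-signed certificate so it runs stand-alone, and the directory, file name and subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Inspect a certificate: SHA-256 fingerprint, subject/dates, and an expiry
# check. The demo certificate, its path and subject are constructed here.
set -e
WORK="${WORK:-$(mktemp -d)}"
umask 077

make_demo_cert() {
  # 10-year self-signed certificate, mirroring the page's -days 3650
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout "$WORK/demo.key" -subj "/CN=demo.example.test" \
    -out "$WORK/demo.crt" 2>/dev/null
}

# SHA-256 fingerprint as colon-separated hex (the part after "=")
fingerprint_sha256() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Subject and validity window, one line each
cert_summary() {
  openssl x509 -noout -subject -dates -in "$1"
}

# Print OK if certificate $1 is still valid $2 seconds from now, EXPIRING
# otherwise. openssl x509 -checkend exits 0 when the certificate will NOT
# have expired by then and 1 when it will.
check_expiry() {
  if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo EXPIRING
  fi
}

make_demo_cert
echo "fingerprint: $(fingerprint_sha256 "$WORK/demo.crt")"
cert_summary "$WORK/demo.crt"
echo "still valid in 30 days:  $(check_expiry "$WORK/demo.crt" $((30 * 86400)))"
echo "still valid in 20 years: $(check_expiry "$WORK/demo.crt" $((20 * 365 * 86400)))"
```

Point `fingerprint_sha256` and `check_expiry` at a real certificate file (for example the server.crt deployed to Apache above) to use them outside the demo; a non-zero exit from `-checkend` is the condition a monitoring job should alert on.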
Other Useful Software
I have actually used very little of this, but it's software which I've stumbled across at some point, thought it looked interesting and now have stashed away here for future reference.
http://openca.sourceforge.net/
An OpenSource certificate authority using OpenLDAP, OpenSSL, Apache and mod_ssl.
http://www.pyca.de/ Python web tools for managing a certificate authority.
http://users.pandora.be/stes/saferelay.html A curses based tool for managing certificates for services to use.
http://stunnel.mirt.net/ An SSL wrapper which allows you to SSL-encrypt non-SSL'd services (eg. POP3). You use it as a wrapper around the daemon and/or the client.
See also: http://www.eudora.com/qpopper/faq.html#certs
Just found a cool little Perl/Tk application which takes care of all this for you. It's called TinyCA and can be downloaded here:
Another good OpenSSL howto:
Great walk through by VincentDanen on the linsec wiki: