What is OpenSSL?
"The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."
Random numbers
Before we start generating certificates, we need some random numbers for key generation. This step is optional, but it increases the security of the generated keys. You can also use any random number generation method you like.
dd if=/dev/urandom of=rand.txt bs=8192 count=1
The above command copies 8192 pseudo-random bytes from /dev/urandom. I did this on my FreeBSD machine. Note that you can (and should) generate different random numbers for each key generation step presented below.
Generating a Certificate Authority (CA)
First we generate the CA private key. Then based on the key, generate a certificate request. Finally we will sign the request with our own CA key.
openssl genrsa -rand rand.txt -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Generating a Web Server certificate
Here is how we generate a self-signed certificate for use with web servers. The procedure is similar to generating the CA certificate.
openssl genrsa -rand rand.txt -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can choose to sign the server certificate with the CA key (ca.key) generated in the previous step.
(BTW, details on how to install the certificate on an Apache server are not presented here... maybe later when I have more time... :)
Generating a client certificate
The generation of a client certificate is similar to the others:
openssl genrsa -rand rand.txt -out client.key 1024
openssl req -new -key client.key -out client.csr
Then use the CA key to sign the certificate request:
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Finally, package the certificate and key in PKCS12 format so we can import it into browsers:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
By default, OpenSSL uses RC2 and 3DES for encrypting the certificate and the private key, respectively. Note that some binary distributions of OpenSSL do not have RC2 compiled in, and some browsers don't support certificates encrypted with RC2. If so, try another cipher such as RC4 or DES for the certificate, e.g.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -certpbe des-ecb -descert
or
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -certpbe rc4-40 -descert
You can then copy the .p12 file to the client computer for installation. For example, on Windows 2000, just double-click the file and follow the instructions to install the certificate.
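The whole procedure above (CA, server and client certificates, PKCS#12 export) as one non-interactive script, added here as an example and not part of the original post. It departs from the post's commands in ways that are my own choices: 2048-bit keys instead of 1024, an inline openssl.cnf that gives each certificate X.509v3 extensions for its role, AES instead of the RC2/3DES PKCS#12 defaults, and a final `openssl verify` to confirm both leaf certificates chain to the CA; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH, and the host name and passphrase are made up.

```shell
# Added example, not from the original post: the post's CA/server/client steps
# as one non-interactive script, with 2048-bit keys, X.509v3 extensions and a
# chain check (all my choices; the host name and passphrase are made up).
# Assumes an "openssl" binary (1.1.1 or 3.x) on PATH.
set -e

make_pki() (
    cd "$1"
    # Own config: no dependency on the system openssl.cnf, and each cert
    # gets only the role it needs (the CA may sign; the leaves may not).
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    # CA key and self-signed CA certificate (req -x509 does csr+sign at once)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -days 365 -subj "/CN=Example Test CA" \
        -config ext.cnf -extensions ca_ext -out ca.crt
    # Server and client: CSR, then signed by the CA (the post's optional step)
    for role in server client; do
        openssl genrsa -out "$role.key" 2048 2>/dev/null
        openssl req -new -key "$role.key" -subj "/CN=$role.example.test" \
            -config ext.cnf -out "$role.csr"
        openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
            -extfile ext.cnf -extensions "${role}_ext" -in "$role.csr" -out "$role.crt"
    done
    # PKCS#12 bundle for browser import, AES instead of the RC2/3DES defaults
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -passout "pass:$2" -out client.p12
    # The check the post leaves out: both leaves must chain to ca.crt
    openssl verify -CAfile ca.crt server.crt client.crt
)
```

Run it as `make_pki /path/to/empty/dir 'export-passphrase'`; the function prints `server.crt: OK` and `client.crt: OK` only if the signing worked, and exits non-zero otherwise.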