Saturday, November 20, 2004

Generating certificates with OpenSSL (Jun 2003)

I created this page as my notes on how to generate SSL certificates for my home web server. This document is not meant to be a comprehensive guide to SSL certificates. Read it at your own risk...

What is OpenSSL?

"The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."

Random numbers

Before we start generating certificates, we need some random numbers for key generation. This step is optional, but it increases the security of the generated keys. You can also use any random number generation method you like.

dd if=/dev/urandom of=rand.txt bs=8192 count=1

The above command copies 8192 pseudo-random bytes from /dev/urandom into rand.txt. I did this on my FreeBSD machine. Note that you can (and should) generate a fresh random file for each key generation presented below.

Generating a Certificate Authority (CA)

First we generate the CA private key. Then, based on that key, we generate a certificate request. Finally we sign the request with our own CA key, which makes the CA certificate self-signed.

openssl genrsa -rand rand.txt -out ca.key 1024
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr \
    -signkey ca.key -out ca.crt

Generating a Web Server certificate

Here is how we generate a self-signed certificate for use with web servers. The procedure is similar to generating the CA certificate.

openssl genrsa -rand rand.txt -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr \
    -signkey server.key -out server.crt

You can instead sign the server certificate with the CA key (ca.key) generated in the previous step, in the same way the client certificate is signed below; browsers that trust ca.crt will then accept the server certificate without a separate exception.

(BTW, details on how to install the certificate on an Apache server are not presented here... maybe later when I have more time... :)
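The CA-signed variant of the server procedure as a non-interactive script, added here as an example that is not part of the original notes: it creates the CA, signs the server request with ca.key instead of -signkey, and then verifies the chain the way a client would. The subject names, the DNS name www.example.test, the 2048-bit key size and the helper name make_chain are assumptions, not values from the notes.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA and a CA-signed
# server certificate non-interactively, then check the chain the way a client
# would. Subject names, the 2048-bit key size and the file names are assumed.
set -eu

# make_chain DIR  -> prints "ok" when the CA-signed cert verifies against the CA
#                    and the self-signed variant does not; "fail" otherwise.
make_chain() {
    d="$1"
    # CA key and self-signed CA certificate in one step; -subj avoids the prompts
    # of "openssl req -new" and -x509 replaces the csr + "x509 -req -signkey" pair.
    # 2048 bits: the 1024-bit keys in the notes are rejected by current browsers.
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/ca.key" -days 365 -subj "/CN=Home CA" \
        -out "$d/ca.crt" 2>/dev/null

    # Server key and certificate request.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=www.example.test" \
        -out "$d/server.csr" 2>/dev/null

    # Sign the request with the CA. The extension file marks the result as an
    # end-entity certificate and carries the DNS name browsers actually match.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$d/server.ext"
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null

    # For contrast, the post's -signkey form: the same request signed by its own key.
    openssl x509 -req -days 365 -in "$d/server.csr" -signkey "$d/server.key" \
        -out "$d/server-selfsigned.crt" 2>/dev/null

    # A client trusting ca.crt accepts the CA-signed cert and rejects the self-signed one.
    if openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 &&
       ! openssl verify -CAfile "$d/ca.crt" "$d/server-selfsigned.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Stand-alone run: use a scratch directory so no files land in the cwd.
if [ "${1:-}" = "--run" ]; then
    work=$(mktemp -d)
    make_chain "$work"
    rm -rf "$work"
fi
```

Run it with `sh script.sh --run`; the files it leaves in the scratch directory are the same ca.key, ca.crt, server.key, server.csr and server.crt the notes produce by hand.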

Generating a client certificate

The generation of a client certificate is similar to the others. First generate the key and the certificate request:

openssl genrsa -rand rand.txt -out client.key 1024
openssl req -new -key client.key -out client.csr

Then use the CA key to sign the certificate request. -CAcreateserial creates the serial number file (ca.srl) on first use; later certificates signed by the same CA reuse and increment it:

openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key \
    -CAcreateserial -in client.csr -out client.crt

Finally, package the certificate and key in PKCS12 format so we can import it into browsers. You will be prompted for an export password, which protects the private key inside the .p12 file:

openssl pkcs12 -export -clcerts -in client.crt \
    -inkey client.key -out client.p12

By default, OpenSSL uses RC2 and 3DES for encrypting the certificate and the private key respectively. Note that some binary distributions of OpenSSL do not have RC2 compiled in, and some browsers do not support certificates encrypted with RC2. If so, try another cipher such as RC4 or DES for the certificate (-certpbe), e.g.

openssl pkcs12 -export -clcerts -in client.crt \
    -inkey client.key -out client.p12 -certpbe des-ecb -descert

or

openssl pkcs12 -export -clcerts -in client.crt \
    -inkey client.key -out client.p12 -certpbe rc4-40 -descert

You can then copy the .p12 file to the client computer for installation. For example, on Windows 2000, just double-click the file and follow the instructions to install the certificate; you will need the export password chosen above.
