Distroname and release: Debian Squeeze

Use OpenSSL to create certificates. OpenSSL CA

This howto, will show how to create and sign certificates for use with example, ProFTPD, Apache etc.

There is two different sections. The first is just a quick way to create and sign the certificate The second, is where we use an apache tool, to INDEX our certificates which we have created.

If you have multiple different hosts or services that needs a certificate I recommend to export the CA certificate. With a CA it's possible to create an CA certificate, and imports this to all clients. Thereby all certificates from this CA is trusted by the client automatically without importing a single certificate for site1.example.com, site2.example.com etc. in example.

Verisign, is an example of one CA which most clients automatically trust certificates from, since their CA certificate is imported automatically on most clients as default. Let it be MAC, Linux, Windows etc.

File Extension Explanations

  • .csr = The Certificate Server Request file. Can be used at example VeriSign, or we selfsign it with openssl, which we will do later.
  • .crt = The generated certificate file in PEM format.
  • .key = The servers own private key file.


aptitude install openssl
aptitude install mod_ssl (only needed for creating own CA, and selfsign the certificates with this CA)

Create and sign a certificate, no INDEX signing

Defiantly recommended only to use this approach, if you only need one or two certificates. If you need more, then consider using your own CA, since you then just can ship the root CA to clients, and they will automatically trust all certificates created from this CA.

First we will create a new directory to work in. All of our files will be saved here as well.
mkdir /root/ssl
cd /root/ssl
Create the key file for the server, we will use this key file later to sign the certificate request.
openssl genrsa -des3 -out ca.key 2048

Using CSR

Create CSR (Certificate Signing Request)
openssl req -new -key ca.key -out myCertificate.csr
The Common Name (eg, YOUR name)[]: MUST match the site/domain you want to protect with the certificate.
In example, to protect example.com, write example.com. You can also use subdomains like secure.example.com, in this case write secure.example.com

Now we can sign the certificate at in example verisign using the .csr file. Or we can just do it on our own, which we of course will do.

Self-Sign the certificate using our own server
openssl x509 -req -days 365 -in myCertificate.csr -signkey ca.key -out myCertificate.crt

Skip CSR

Another option, instead of creating an CSR, is just to create the certificate.
req -new -x509 -days 365 -nodes -out example.com.crt -key ca.key
Remember to set permissions and backup the files!

That is it, now you have created a new certificate which you can use with in example Apache !

Create and sign a certificate, With INDEX signing

Create the servers private key file !
Remember to save this file, AND the password somewhere safe!! You do not want anyone, to get this file!
It is important to use the file names in these examples, or else you will need to modify a script later on ! So for ease of use, it is a good idea to use the names provided here and then rename the files later on.

First we will create a new directory to work in. Our files will be saved here as well.
mkdir /root/ssl
cd /root/ssl
Lets create the servers key file!
Same step, as above without the CA, so there is nothing new here, although I am using a stronger encryption.
openssl genrsa -des3 -out ca.key 4096
Take backup of the key file. If you loose it, and you want to configure addiotional certificates you will need to create a new root CA certificate and export this to all the clients once again! (What a mess). Also if you need to renew a certificate you will need to start all over.
Protect it, and remember the password !!!

Now comes the new part, where we create the CA public certificate.

Create the CA certificate from the servers keyfile! (Valid for 5 years)
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
Now copy the ca.crt to the trusted root folder of your client system. (On windows this can be done easily by opening an mmc snapin. Works ONLY with IE !!! All cerficiates rolled out from this CA, where the certificate is used, will now be automatically trusted, since the rootCA is installed.

Create the certificate request that we will sign with the servers key file (ca.key) ! This request file can come from any system, anywhere. In example a client from a webserver, but here we will just create it directly on the CA server which in real cercumstanses is quite unlikely.
openssl req -new -key ca.key -out myCertificate.csr
The Common Name (eg, YOUR name)[]: MUST match the site/domain you want to protect with the certificate.
In example, to protect example.com, write example.com.
You can also use subdomains like secure.example.com, in this case write secure.example.com

Use the sign.sh script to create the certificate from the .csr file. If you cannot find the sign.sh script, then install the libapache-mod-ssl package.

If you are using the sign.sh script it is important that they CA key file is named ca.key and the certificate file is named ca.crt. If you are using other names, you will need to edit the sign.sh script to your names.

The script is located here: /usr/share/doc/libapache-mod-ssl/examples/sign.sh
cd /root/ssl
/usr/share/doc/libapache-mod-ssl/examples/sign.sh myCertificate.csr
I strongly recommend to save these .csr files, in case you will need to renew the certificate. It is not required at all, but will ease the renewal of the certificate, since you will not have the recreate the Certificate Server Request file (.csr).

Backup the files!

ca.db.certs/ = Directory for request files, in PEM format
ca.db.index = Index file over CA signed certificates
ca.crt = the CA certificate itself
ca.key = The servers key file

Protect the files.

Protect the files, so ONLY root can read them (or a trusted user). No execute is needed at all, so we only apply read and write access to the files.
Once again, remember to backup this folder if you are running your own CA!
chmod 600 /root/ssl/*
If used with example apache2.
chmod 600 /etc/apache2/ssl/*

Renew certificates with an CA

cd /root/ssl
sh /usr/share/doc/libapache-mod-ssl/examples/sign.sh myCertificate.csr

Other Nice To Know Things

Using a certificate for apache

When running apache with a secured key file, apache will when it starts, wait for input for the password to the key file.
This could be a problem if the server crashes and / or reboots automatically, then it will never start because it will hang for inputs.
A way to get around this is to create an insecure key file that does not require a password!
Therefor we want to create a version of the servers key file that does not need a password. This can be done like shown be below.
mv ca.key secure_server.key
openssl rsa -in secure_server.key -out insecure_server.key
And then remember to set permission so only root have access to the file, since we defiantly do not want anyone go get access to this file, since everyone could create certificates from this key file now!
chmod 600 insecure_server.key

Generating an Apache2 certificate

Apache2 requires PEM format on the certificates. In can be accomplished this way, after the certficate is created.
openssl x509 -in mycertificate.crt -out mycertificate.crt.pem -outform PEM
Next Apache should be configured as follows, you will still need the KEY and the CHAIN certificate.
I am using an insecure key in this example. Not really important.
SSLCertificateFile /etc/apache2/ssl/mycertificate.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/insecure_server.key
SSLCertificateChainFile /etc/apache2/ssl/ca.crt

Do not trust the authors words! POC, tests and experience is key

Copyright LinuxLasse.net 2009 - 2024 All Rights Reserved.

Valid HTML 4.01 Strict Valid CSS!