WARNING: This information is a bit outdated... This is a description of how I use OpenSSL on my various systems on (and off) the net. I have setup my own Certification Authority (CA) and I issue my own certificates that I sign with my CA certificate. Once I import my CA certificate into my favorite browsers or email clients, it's impossible to tell the difference between my SSL certificates and commercial SSL certificates that have been signed by a known commercial Certification Authority (i.e. Verisign). All of the information that I have collected here was taken from Nick Burch's excellent OpenSSL pages. Setting up your CACreating your own CA self-signed certificate, entails:
Set up the CA directory StructureOnce on the CA system, setup a suitable directory structure. I use the following three directories (for certificates, certificate requests and private keys):/opt/CA/certs/ /opt/CA/csr/ /opt/CA/private/ Create the CA private/public key-pairIt's now time to create the CA key-pair. I use a 8192 bits RSA key-pair, and I ask OpenSSL to encrypt the private key with Triple-DES, using a passphrase as the Triple-DES key: openssl genrsa \ -des3 \ -out /opt/CA/private/<MyDomain>-ca.key \ 8192 Generate the CA certificateNow that we have the private/public key-pair, let's go ahead and generate the self-signed certificate:openssl req \ -new \ -key /opt/CA/private/<MyDomain>-ca.key \ -x509 \ -days 3650 \ -out /opt/CA/certs/<MyDomain>-ca.crt \ -subj '/C=US/O=<MyDomain>/CN=<MyDomain> Root Certification Authority' Note that older versions of openssl doesn't support the subject option, -subj, so leave it out and let OpenSSL prompt you for the individual fields. See the OpenSSL manpage 'req' for a description about the subject fields. Also you might want to add some fields, like Org. Unit (OU) or email address (emailAddress). [Optional] Convert the CA certificate from PEM to DER formatThe certificate generated above (/opt/CA/certs/<MyDomain>-ca.crt) is in PEM format, which is good for applications (servers), OpenSSL clients, Netscape and Mozilla browsers, and newer versions of Internet Explorer. For older versions of Internet Explorer you should convert the certificate to DER format, which we can do like this:openssl rsa \ -inform PEM \ -outform DER \ -in /opt/CA/certs/<MyDomain>-ca.crt \ -out /opt/CA/certs/<MyDomain>-ca.der.crt Note that older versions of openssl, seem to have a problem converting just a certificate, as opposed to a public or a private key. Tell everyone about your CA certificateIn order to use SSL certificates that you sign with you CA certificate seamless, you need to tell your SSL clients about your new fance CA certificate.Store your CA certificate on a web serverIn order to facilitate propagation, I keep my PEM encoded CA certificate on my web server (right here: ca.crt). Just make sure your web server have associated .crt extensions with the application/x-x509-ca-cert mime type.BrowsersClick on your certificate link on your web page, or copy the certificate to the system that has the browser on it, and open the certificate in your browser as a file, using the file:// method.For netscape browsers, I enable all three forms of certificate use (website, email users, software signing). For Internet Explorer, after you click on the CA certificate, it asks you what you want to do. Click on "Open", click on "Install Certificate...", click on "Next>", select "Place all certificates in the following store", browse and select "Trusted Root Certification Authorities", click "Ok", click "Next>", click "Finish", click "Yes", and you are done. OpenSSL clientsFor OpenSSL clients, such as pine under unix, you need to install your CA certificate in the client system's OpenSSL certificate directory. This is usually /usr/share/ssl/certs on systems that bundle OpenSSL (Linux), otherwise it's typically /usr/local/ssl/certs or /usr/local/share/ssl/certs.First, copy your CA certificate (<MyDomain>-ca.crt) into the OpenSSL .../ssl/cert directory. Then, figure out the OpenSSL hash value for the subject in your CA certificate: openssl x509 \ -hash \ -noout \ -in .../ssl/certs/<MyDomain>-ca.cert The hash value is an 8-digit hexadecimal number. You need to create a symbolic link in the OpenSSL .../ssl/certs directory using the hash value as it's name with ".0" appended to the end of the hash value. This symbolic link has to point to the CA certificate file. You can do this in one operation like this: cd .../ssl/certs ln -s <MyDomain>-ca.crt `openssl x509 -noout -hash -in <MyDomain>-ca.crt`.0 Generating an Apache web server SSL certificateOn the CA system again, create a new 1024 bits RSA public/private key-pair for your web server: openssl genrsa \ -out /opt/CA/private/www.<MyDomain>.key \ 1024 Then generate the certificate request using this key pair: openssl req \ -new \ -key /opt/CA/private/www.<MyDomain>.key \ -out /opt/CA/csr/www.<MyDomain>.csr \ -subj '/C=US/ST=New York/L=New York/O=<MyDomain>/OU=<MyDomain>/CN=www.<MyDomain>/emailAddress=hostmaster@<MyDomain>' Note that the commonName field (CN) has to be the virtual hostname of the web server that you are going to use this SSL certificate with. Note that older versions of openssl doesn't support the subject option, -subj, so leave it out and let OpenSSL prompt you for the individual fields. See the OpenSSL manpage 'req' for a description about the subject fields. And finally, take the certificate request and sign it using your CA private key. The result is your new web server SSL certificate: openssl x509 \ -req \ -days 365 \ -in /opt/CA/csr/www.<MyDomain>.csr \ -CA /opt/CA/certs/<MyDomain>-ca.crt \ -CAkey /opt/CA/private/<MyDomain>-ca.key \ -CAcreateserial \ -out /opt/CA/certs/www.<MyDomain>.crt In order to use this SSL certificate with your apache web server, you need to copy the web server private key, the web server SSL certificate, and the CA certificate to your apache installation directory, on your web server: /opt/CA/certs/<MyDomain>-ca.crt --> /usr/local/apache2/conf/ssl.crt/ /opt/CA/certs/www.<MyDomain>.crt --> /usr/local/apache2/conf/ssl.crt/ /opt/CA/private/www.<MyDomain>.key --> /usr/local/apache2/conf/ssl.key/ Edit the apache conf/ssl.conf file, and change: SSLCertificateFile /usr/local/apache2/conf/ssl.crt/www.<MyDomain>.crt SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/www.<MyDomain>.key SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/<MyDomain>-ca.crt and restart apache. Generating a mail server certificateThis certificate will work both with UW's imapd and postfix.The steps to create a key-pair, generate the certificate request, and signing it with the CA private key for imapd/postfix is identical to how we did it for apache above. So in rapid sequence, we do: openssl genrsa \ -out /opt/CA/private/mail.<MyDomain>.key \ 1024 openssl req \ -new \ -key /opt/CA/private/mail.<MyDomain>.key \ -out /opt/CA/csr/mail.<MyDomain>.csr \ -subj '/C=US/ST=New York/L=New York/O=<MyDomain>/OU=<MyDomain>/CN=mail.<MyDomain>/emailAddress=hostmaster@<MyDomain>' openssl x509 \ -req \ -days 365 \ -in /opt/CA/csr/mail.<MyDomain>.csr \ -CA /opt/CA/certs/<MyDomain>-ca.crt \ -CAkey /opt/CA/private/<MyDomain>-ca.key \ -CAcreateserial \ -out /opt/CA/certs/mail.<MyDomain>.crt Note that older versions of openssl doesn't support the subject option, -subj, so leave it out and let OpenSSL prompt you for the individual fields. See the OpenSSL manpage 'req' for a description about the subject fields. Imapd/postfix needs the private key and the certificate to be in the same file, so we can just concatenate both of them like this: cat /opt/CA/private/mail.<MyDomain>.key > /opt/CA/private/mail.<MyDomain>.key.crt echo "" >> /opt/CA/private/mail.<MyDomain>.key.crt cat /opt/CA/certs/mail.<MyDomain>.crt >> /opt/CA/private/mail.<MyDomain>.key.crt For UW's imapd, copy the joint private key and certificate PEM encoded file to your mailserver in the OpenSSL .../ssl/certs directory, and call it "imapd.pem". PostfixFor postfix, copy the joint private key and certificate PEM encoded file to your mailserver in /etc/postfix, and call it "smtp.pem". And at a minimum, add the following configuration directives in /etc/postfix/main.cf: smtpd_tls_cert_file = /etc/postfix/smtp.pem smtpd_tls_key_file = $smtpd_tls_cert_file smtpd_use_tls = yes Also enable the postfix smtps daemon program in /etc/postfix/master.cf, and make sure you define the smtps service in /etc/services (465/tcp). In addition, once SSL is working, if you want to turn on SMTP authentication (using SASL), and disable cleartext passwords unless SSL is used, add the following to main.cf: smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous Note that we just added the 'permit_sasl_authenticated' to 'smtpd_recipient_restrictions', the other two options are present by default. |