kernel/kernel_Notes
1
0
Fork 0
mirror of https://github.com/beyondx/Notes.git synced 2026-02-12 23:06:31 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add New Notes

Browse Source
This commit is contained in:
geekard
2012-08-08 14:26:04 +08:00
commit 5ef7c20052
2374 changed files with 276187 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

341
Zim/Utils/openssl/2.txt Normal file
View File

@@ -0,0 +1,341 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2011-05-22T21:56:04+08:00
====== 2 ======
Created Sunday 22 May 2011
http://sandbox.rulemaker.net/ngps/m2/howto.ca.html
HOWTO: Creating your own CA with OpenSSL
Pheng Siong Ng
ngps@post1.com
Copyright © 2000, 2001 by Ng Pheng Siong.
Revision History
Revision $Revision: 1.1 $ $Date: 2001/03/31 04:32:29 $
Introduction
This is a HOWTO on creating your own certification authority (CA) with OpenSSL.
I last created a CA about a year ago, when I began work on M2Crypto and needed certificates for the SSL bits. I accepted the tools' default settings then, e.g., certificate validity of 365 days; this meant that my certificates, including my CA's certificate, have now expired.
Since I am using these certificates for M2Crypto's demonstration programs (and I have forgotten the passphrase to the CA's private key), I decided to discard the old CA and start afresh. I also decided to document the process, hence this HOWTO.
The Procedure
I use CA.pl, a Perl program written by Steve Hanson and bundled with OpenSSL.
The following are the steps to create a CA:
Choose a directory to do your CA work. All commands are executed within this directory. Let's call the directory demo.
Copy CA.pl and openssl.cnf into demo.
Apply the following patch to CA.pl, which allows it to generate a CA certificate with a validity period of 1095 days, i.e., 3 years:
--- CA.pl.org Sat Mar 31 12:40:13 2001
+++ CA.pl Sat Mar 31 12:41:15 2001
@@ -97,7 +97,7 @@
} else {
print "Making CA certificate ...\n";
system ("$REQ -new -x509 -keyout " .
- "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT $DAYS");
+ "${CATOP}/private/$CAKEY -out ${CATOP}/$CACERT -days 1095");
$RET=$?;
}
}
Create a new CA like this:
./CA.pl -newca
A certificate filename (or enter to create) <enter>
Making CA certificate ...
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
............++++++
......................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: <secret passphrase here>
Verifying password - Enter PEM pass phrase: <secret passphrase again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:..
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DemoCA
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:DemoCA Certificate Master
Email Address []:certmaster@democa.dom
This creates a new CA in the directory demoCA. The CA's self-signed certificate is in demoCA/cacert.pem and its RSA key pair is in demoCA/private/cakey.pem.
demoCA/private/cakey.pem looks like this:
cat demoCA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,19973A9DBBB601BA
eOq9WFScNiI4/UWEUaSnGTKpJv2JYuMD3HwQox2Q3Cd4zGqVjJ6gF3exa5126cKf
X/bMVnwbPpuFZPiAIvaLyCjT6pYeXTBbSzs7/GQnvEOv+nYnDUFWi0Qm92qLk0uy
pFi/M1aWheN3vir2ZlAw+DW0bOOZhj8tC7Co7lMYb0YE271b6/YRPZCwQ3GXAHUJ
+aMYxlUDrK45aCUa/1CZDzTgk7h9cDgx2QJSIvYMYytCfI3zsuZMJS8/4OXLL0bI
lKmAc1dwB3DqGJt5XK4WJesiNfdxeCNEgAcYtEAgYZTPIApU+kTgTCIxJl2nMW7j
ax+Q1z7g+4MpgG20WD633D4z4dTlDdz+dnLi0rvuvxiwt+dUhrqiML1tyi+Z6EBH
jU4/cLBWev3rYfrlp4x8J9mDte0YKOk3t0wQOHqRetTsIfdtjnFp/Hu3qDmTCWjD
z/g7PPoO/bg/B877J9WBPbL/1hXXFYo88M+2aGlPOgDcFdiOqbLb2DCscohMbbVr
A4mgiy2kwWfIE73qiyV7yyG8FlRvr1iib+jbT3LTGf743utYAAs7HNGuOUObhoyt
jYvBD7ACn35P5YX7KTqvqErwdijxYCaNBCnvmRtmYSaNw9Kv1UJTxc5Vx7YLwIPk
E9KyBgKI7vPOjWBZ27+zOvNycmv1ciNtpALAw4bWtXnhCDVTHaVDy34OkheMzNCg
2cjcBFzOkMIjcI03KbTQXOFIQGlsTWXGzkNf/zBQ+KksT1MCj+zBXSCvlDASMckg
kef21pGgUqPF14gKGfWX3sV4bjc1vbrRwq6zlG3nMuYqR5MtJJY9eQ==
-----END RSA PRIVATE KEY-----
Next, generate a certificate request.
./CA.pl -newreq
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
..........++++++
..............++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: <another secret passphrase here>
Verifying password - Enter PEM pass phrase: <another secret passphrase again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SG
State or Province Name (full name) [Some-State]:..
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:M2Crypto
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:localhost
Email Address []:admin@server.example.dom
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<enter>
An optional company name []:<enter>
Request (and private key) is in newreq.pem
The certificate request and private key in newreq.pem looks like this:
cat newreq.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,41B2874DF3D02DD4
mg611EoVkLEooSTv+qTM0Ddmm/M1jE/Jy5RD/sc3LSMhuGu9xc26OgsTJmkQuIAh
J/B4lAw8G59VTG6DykeEtrG0rUBx4bggc7PKbFuiN423YjJODWcHvVgnPOzXMQt+
lY4tPl5+217MRHyx2NsWGrpkQNdu3GeSPOVMl3jeQiaXupONbwQ7rj42+X/VtAJP
W4D1NNwu8aGCPyShsEXHc/fI1WDpphYWke97pOjIZVQESFZOPty5HjIYZux4U+td
W81xODtq2ecJXc8fn2Wpa9y5VD1LT7oJksOuL1+Z04OVaeUe4x0swM17HlBm2kVt
fe/C/L6kN27MwZhE331VjtTjSGl4/gknqQDbLOtqT06f3OISsDJETm2itllyhgzv
C6Fi3N03rGFmKectijC+tws5k+P+HRG6sai33usk8xPokJqA+HYSWPz1XVlpRmv4
kdjQOdST7ovU62mOTgf3ARcduPPwuzTfxOlYONe5NioO1APVHBrInQwcpLkpOTQR
vI4roIN+b75/nihUWGUJn/nbbBa2Yl0N5Gs1Tyiy9Z+CcRT2TfWKBBFlEUIFl7Mb
J9fTV3DI+k+akbR4il1NkQ8EcSmCr3WpA0I9n0EHI7ZVpVaHxc0sqaPFl8YGdFHq
1Qk53C/w6+qPpDzT3yKFmG2LZytAAM1czvb6RbNRJJP2ZrpBwn/h99sUTo/yPfxY
nueYmFJDm0uVNtG0icXGNUfSfnjKNTtHPAgyKGetRIC3kgJz/bo2w7EI6iEjBAzK
l5TRm4x6ZJxwuXXMiJCehMMd8TC8ybwWO4AO19B3ebFFeTVsUgxSGA==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC
-----END CERTIFICATE REQUEST-----
Decoding the certificate request gives the following:
openssl req -text -noout < newreq.pem
Using configuration from /usr/local/pkg/openssl/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=SG, O=M2Crypto, CN=localhost/Email=admin@server.example.dom
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50:
91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e:
6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13:
21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4:
c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac:
4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f:
6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9:
6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f:
0b:6f:e7:1c:bc:a6:59:97:ef
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
7a:68:46:9e:58:4b:9e:42:66:9c:be:c1:d8:a0:40:4c:23:2f:
fc:12:96:eb:e8:f9:68:ed:a6:f3:f4:62:80:4c:26:ee:15:30:
a7:99:8b:8d:39:47:ba:3c:a0:4c:22:3d:d9:6b:ae:58:8a:36:
49:c5:98:72:88:68:22:93:2d:17:14:e7:d4:9c:03:a0:03:10:
85:94:ce:a9:94:cc:fe:42:b3:a8:eb:49:1a:37:34:a7:e0:d5:
b7:74:f4:3d:4a:f6:bb:10:91:17:3d:52:bb:fd:99:10:48:b2:
b7:9d:1a:76:04:08:d7:91:68:ae:51:d7:2c:e9:3a:8c:27:8a:
75:c2
Now, sign the certificate request:
./CA.pl -sign
Using configuration from openssl.cnf
Enter PEM pass phrase: <CA's passphrase>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'SG'
organizationName :PRINTABLE:'M2Crypto'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'admin@server.example.dom'
Certificate is to be certified until Mar 31 02:57:30 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
newcert.pem looks like this:
cat newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=SG, O=DemoCA, CN=DemoCA Certificate Master/Email=certmaster@democa.dom
Validity
Not Before: Mar 31 02:57:30 2001 GMT
Not After : Mar 31 02:57:30 2002 GMT
Subject: C=SG, O=M2Crypto, CN=localhost/Email=admin@server.example.dom
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50:
91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e:
6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13:
21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4:
c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac:
4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f:
6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9:
6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f:
0b:6f:e7:1c:bc:a6:59:97:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=SG, O=DemoCA, CN=DemoCA Certificate Master/Email=certmaster@democa.dom
Validity
Not Before: Mar 31 02:57:30 2001 GMT
Not After : Mar 31 02:57:30 2002 GMT
Subject: C=SG, O=M2Crypto, CN=localhost/Email=admin@server.example.dom
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:af:59:d8:63:54:2b:96:5d:6b:b8:1f:c5:aa:50:
91:ae:be:67:be:ea:5d:20:df:b7:c0:5e:ea:f7:5e:
6d:bc:44:28:73:be:1b:9e:ee:9b:f0:86:db:19:13:
21:cd:dc:e6:bd:0e:12:cc:57:d5:10:0b:8c:32:e4:
c7:7b:26:cf:ab:9b:61:ed:80:eb:4c:d8:b3:28:ac:
4e:06:7a:84:d8:a6:2e:5f:d5:f6:d8:0d:4a:87:8f:
6c:a0:92:45:83:a9:0f:6f:d3:14:82:26:41:88:c9:
6f:b5:be:ca:dc:21:df:83:0e:56:6a:05:a7:2e:5f:
0b:6f:e7:1c:bc:a6:59:97:ef
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B3:D6:89:88:2F:B1:15:40:EC:0A:C0:30:35:3A:B7:DA:72:73:1B:4D
X509v3 Authority Key Identifier:
keyid:F9:6A:A6:34:97:6B:BC:BB:5A:17:0D:19:FC:62:21:0B:00:B5:0E:29
DirName:/C=SG/O=DemoCA/CN=DemoCA Certificate Master/Email=certmaster@democa.dom
serial:00
Signature Algorithm: md5WithRSAEncryption
In certain situations, e.g., where your certificate and private key are to be used in an unattended SSL server, you may wish to not encrypt the private key, i.e., leave the key in the clear. This decision should be governed by your site's security policy and threat model, of course.
openssl rsa < newreq.pem > newkey.pem
read RSA key
Enter PEM pass phrase:<secret passphrase here>
writing RSA key
newkey.pem looks like this:
cat newkey.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCvWdhjVCuWXWu4H8WqUJGuvme+6l0g37fAXur3Xm28RChzvhue
7pvwhtsZEyHN3Oa9DhLMV9UQC4wy5Md7Js+rm2HtgOtM2LMorE4GeoTYpi5f1fbY
DUqHj2ygkkWDqQ9v0xSCJkGIyW+1vsrcId+DDlZqBacuXwtv5xy8plmX7wIDAQAB
AoGAbAkU8w3W1Qu15Hle1bJSL7GMReoreqeblOBmMAZz4by0l6sXZXJpjWXo86f/
+dASMYTMPC4ZTYtv06N07AFbjL+kDfqDMTfzQkYMHp1LAq1Ihbq1rHWSBH5n3ekq
KiY8JKpv8DR5Po1iKaXJFuDByGDENJwYbSRSpSK3P+vkWWECQQDkEUE/ZPqqqZkQ
2iWRPAsCbEID8SAraQl3DdCLYs/GgARfmmj4yUHEwkys9Jo1H8k4BdxugmaUwNi5
YQ/CVzrXAkEAxNO80ArbGxPUmr11GHG/bGBYj1DUBkHZSc7dgxZdtUCLGNxQnNsg
Iwq3n6j1sUzS3UW6abQ8bivYNOUcMKJAqQJBANQxFaLU4b/NQaODQ3aoBZpAfP9L
5eFdvbet+7zjt2r5CpikgkwOfAmDuXEltx/8LevY0CllW+nErx9zJgVrwUsCQQCu
76H5JiznPBDSF2FjgHWqVVdgyW4owY3mU739LHvNBLicN/RN9VPy0Suy8/CqzKT9
lWPBXzf2k3FuUdNkRlFBAkEAmpXoybuiFR2S5Bma/ax96lVs0/VihhfC1zZP/X/F
Br77+h9dIul+2DnyOl50zu0Sdzst1/7ay4JSDHyiBCMGSQ==
-----END RSA PRIVATE KEY-----
That's it! The certificate, newcert.pem, and the private key - newreq.pem (encrypted) or newkey.pem (unencrypted) - are now ready to be used. You may wish to rename the files to more intuitive names.
You should also keep the CA's certificate demo/cacert.pem handy for use when developing and deploying SSL or S/MIME applications.
Conclusion
We've walked through the basic steps in the creation of a CA and certificates using the tools that come with OpenSSL. We did not cover more advanced topics such as constraining a certificate to be SSL-only or S/MIME-only.
There exist several HOWTOs similar to this one on the net. This one is written specifically to facilitate discussions in my other HOWTOs on developing SSL and S/MIME applications in Python using M2Crypto.
$Id: howto.ca.docbook,v 1.1 2001/03/31 04:32:29 ngps Exp ngps $

258
Zim/Utils/openssl/3.txt Normal file
View File

@@ -0,0 +1,258 @@
Content-Type: text/x-zim-wiki
Wiki-Format: zim 0.4
Creation-Date: 2011-05-22T21:56:45+08:00
====== 3 ======
Created Sunday 22 May 2011
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
I declare from the beginning that I am no authority on digital certificates.
This document is a summary of all the articles I have read about openssl. It describes in short how to become your own Certificate Authority (CA) and how to create and sign your own certificate requests. Make no mistake, these certificates are good only for personal use or for use in your intranet in order to provide a secure way to login or communicate with your services, so that passwords or other data is not transmitted in the clear. Noone else will or should trust these certificates.
Prerequisites
The package openssl should be installed in the machine you will use to manage your certificates or create the certificate requests.
First things first…
The openssl package comes with some scripts that can help you create your server certificates fast, but here I will describe how to set things up from scratch in a new directory, so that you can customize things later if you like or delete everything without touching openssls or the systems default files. This article is based on a Fedora installation, but will do for all distributions.
Creating the necessary directories
First of all we will create a directory tree where all certificate stuff will be kept. Fedoras default directory is /etc/pki/tls/. So, as root, we create our own directories:
# mkdir -m 0755 /etc/pki_jungle
And then we create our CAs directory tree:
# mkdir -m 0755 \
/etc/pki_jungle/myCA \
/etc/pki_jungle/myCA/private \
/etc/pki_jungle/myCA/certs \
/etc/pki_jungle/myCA/newcerts \
/etc/pki_jungle/myCA/crl
myCA is our Certificate Authoritys directory.
myCA/certs directory is where our server certificates will be placed.
myCA/newcerts directory is where openssl puts the created certificates in PEM (unencrypted) format and in the form cert_serial_number.pem (eg 07.pem). Openssl needs this directory, so we create it.
myCA/crl is where our certificate revokation list is placed.
myCA/private is the directory where our private keys are placed. Be sure that you set restrictive permissions to all your private keys so that they can be read only by root, or the user with whose priviledges a server runs. If anyone steals your private keys, then things get really bad.
Initial openssl configuration
We are going to copy the default openssl configuration file (openssl.cnf) to our CAs directory. In Fedora, this file exists in /etc/pki/tls. So, we copy it to our CAs dir and name it openssl.my.cnf. As root:
# cp /etc/pki/tls/openssl.cnf /etc/pki_jungle/myCA/openssl.my.cnf
This file does not need to be world readable, so we change its attributes:
# chmod 0600 /etc/pki_jungle/myCA/openssl.my.cnf
We also need to create two other files. This file serves as a database for openssl:
# touch /etc/pki_jungle/myCA/index.txt
The following file contains the next certificates serial number. Since we have not created any certificates yet, we set it to "01":
# echo '01' > /etc/pki_jungle/myCA/serial
Things to remember
Here is a small legend with file extensions we will use for the created files and their meaning. All files that will be created will have one of these extensions:
KEY Private key (Restrictive permissions should be set on this)
CSR Certificate Request (This will be signed by our CA in order to create the server certificates. Afterwards it is not needed and can be deleted)
CRT Certificate (This can be publicly distributed)
PEM We will use this extension for files that contain both the Key and the server Certificate (Some servers need this). Permissions should be restrictive on these files.
CRL Certificate Revokation List (This can be publicly distributed)
Create the CA Certificate and Key
Now, that all initial configuration is done, we may create a self-signed certificate, that will be used as our CAs certificate. In other words, we will use this to sign other certificate requests.
Change to our CAs directory. This is where we should issue all the openssl commands because here is our openssls configuration file (openssl.my.cnf). As root:
# cd /etc/pki_jungle/myCA/
And then create your CAs Certificate and Private Key. As root:
# openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
This creates a self-signed certificate with the default CA extensions which is valid for 5 years. You will be prompted for a passphrase for your CAs private key. Be sure that you set a strong passphrase. Then you will need to provide some info about your CA. Fill in whatever you like. Here is an example:
Country Name (2 letter code) [GB]:GR
State or Province Name (full name) [Berkshire]:Greece
Locality Name (eg, city) [Newbury]:Thessaloniki
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Certificate Authority
Common Name (eg, your name or your server's hostname) []:server.example.com
Email Address []:whatever@server.example.com
Two files are created:
certs/myca.crt This is your CAs certificate and can be publicly available and of course world readable.
private/myca.key This is your CAs private key. Although it is protected with a passphrase you should restrict access to it, so that only root can read it:
# chmod 0400 /etc/pki_jungle/myCA/private/myca.key
More openssl configuration (mandatory)
Because we use a custom directory for our certificates management, some modifications to /etc/pki_jungle/myCA/openssl.my.cnf are necessary. Open it in your favourite text editor as root and find the following part (around line 35):
[ CA_default ]
dir = ../../CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number must be
# commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
You should modify the following settings in order to coform to our custom directory and our custom CA key and certificate:
[ CA_default ]
dir = . # <--CHANGE THIS
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/certs/myca.crt # <--CHANGE THIS
serial = $dir/serial
#crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/myca.key # <--CHANGE THIS
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
Create a Server certificate
Further openssl.my.cnf files customization is possible, so that we define our policy for certificate creation and signing or define our desired extensions for the new certificates. I may add this info to a future version of this document. Its easy though, just try to familiarize yourself with the openssl.cnfs structure and youll figure it out.
Anyway, the certificates we are going to create, without customizing openssl.my.cnf any further, are general purpose certificates and their usage in not restricted to server authentication only. One thing that you should take a note of is that the private keys will not be protected by a passphrase, so that when the services are restarted they do not ask for a passphrase. This means that you should set restrictive permissions on the private keys, so that only root or the user under whose priviledges a server runs can read these files.
Generate a Certificate Request
First, we change to our CAs directory:
# cd /etc/pki_jungle/myCA/
Then we create the certificate request:
# openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365
The -nodes option is needed so that the private key is not protected with a passphrase. If you do not intend to use the certificate for server authentication, you should not include it in the above command.
You can customize the number of days you want this certificate to be valid for.
You will be prompted for the certificates info. Here is an example:
Country Name (2 letter code) [GB]:GR
State or Province Name (full name) [Berkshire]:Greece
Locality Name (eg, city) [Newbury]:Thessaloniki
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Web Server
Common Name (eg, your name or your server's hostname) []:www.server.example.com
Email Address []:whatever@server.example.com
The Common Name (CN) is the info that uniquely distinguishes your service, so be sure that you type it correctly.
When prompted for some extra attributes (challenge password, optional company name) just hit the [Enter] key.
Two files are created:
server.csr this is the certificate request.
private/server.key this is the private key, which is not protected with a passphrase.
Set restrictive permissions on the private key. Only root or the user that is used to run the server should be able to read it. For example:
# chown root.root /etc/pki_jungle/myCA/private/server.key
# chmod 0400 /etc/pki_jungle/myCA/private/server.key
Or:
# chown root.apache /etc/pki_jungle/myCA/private/server.key
# chmod 0440 /etc/pki_jungle/myCA/private/server.key
Sign the Certificate Request
Now we are going to sign the certificate request and generate the servers certificate.
First, we change to our CAs directory:
# cd /etc/pki_jungle/myCA/
Then we sign the certificate request:
# openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr
You will need to supply the CAs private key in order to sign the request. You can check the openssl.my.cnf file about what policy_anything means. In short, the fields about the Country, State or City is not required to match those of your CAs certificate.
After all this is done two new files are created:
certs/server.crt this is the servers certificate, which can be made available publicly.
newcerts/01.pem This is exactly the same certificate, but with the certificates serial number as a filename. It is not needed.
You can now delete the certificate request (server.csr). Its no longer needed:
# rm -f /etc/pki_jungle/myCA/server.csr
Verify the certificate
You can see the certificates info with the following:
# openssl x509 -subject -issuer -enddate -noout -in /etc/pki_jungle/myCA/certs/server.crt
Or the following:
# openssl x509 -in certs/server.crt -noout -text
And verify that the certificate is valid for server authentication with the following:
# openssl verify -purpose sslserver -CAfile /etc/pki_jungle/myCA/certs/myca.crt /etc/pki_jungle/myCA/certs/server.crt
Server certificate and key in one file
Some servers, for example vsftpd, require that both the private key and the certificate exist in the same file. In a situation like that just do the following:
# cat certs/server.crt private/server.key > private/server-key-cert.pem
You should restrict access to the final file and delete server.crt and server.key since thay are no longer needed.
# chown root.root private/server-key-cert.pem
# chmod 0400 private/server-key-cert.pem
# rm -f certs/server.crt
# rm -f private/server.key
Revoke a Server Certificate
If you do not want a certificate to be valid any more, you have to revoke it. This is done with the command:
# openssl ca -config openssl.my.cnf -revoke certs/server.crt
Then you should generate a new CRL (Certificate Revokation List):
# openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl
The CRL file is crl/myca.crl.
Distribute your certificates and CRL
Your CAs certificate and your servers certificates should be distributed to those who trust you so they can import them in their client software (web browsers, ftp clients, email clients etc). The CRL should also be published.
Further Reading
As I have said from the beginning, this document is just a summary of what I have read. Here are some useful links that will get you started:
The SSL Certificates HOWTO
The OpenSSL Documentation
The openssl.cnf documentation
OpenSSL Certificate Authority Setup