Posted by chris on Mon 13 Oct 2008 at 22:46
When you need to run a website (https), mail (ssl/tls) or similar over an encrypted link - you need an SSL certificate. This article will explain some of the choices involved, and how to run your own certificate authority (CA).
So - what's the difference between these certificates?
A commercial certificate is signed by a certificate authority (CA). By signing this they are saying that they believe that you are who you say you are. The browser/application has a list of trusted CA certificates and can check - when the connection is made it will check the signature against this list of trusted CAs.
A self-signed certificate (one that you generate) will need to be installed in all browsers/applications you are going to use it with OR the users will have to approve the certificate each time they visit the site. In addition - when it falls due for renewal - you will have to re-install the certificate on all locations.
Wouldn't it be nice if we could be our own CA?
Well - luckily for us we can. The user will still have to install the CA certificate - but - these generally run for a lot longer than normal certificates (10, 15, 20 years) and - any new certificates issued using the same CA will be recognised as valid.
In this article we will examine the following
OpenSSL on debian comes with two files that make the job of being a
CA much easier. Both live in /usr/lib/ssl/misc - CA.pl
and CA.sh
These scripts do the same thing - it's just that one is written in perl - one is a shell script.
In etch - CA.pl has one setting that CA.sh is missing (when
generating the CA certificate CA.pl adds -extensions
v3_ca to the call - CA.sh in etch is missing this although I
believe it to be fixed for lenny). For this reason - we will use
CA.pl
However - we need to setup CA.pl and openssl
(/etc/ssl/openssl.cnf) before we can use them
properly.
By default - CA.pl (and CA.sh for that matter) together with
openssl.cnf are set up so that everything happens in the local
directory - with the CA store in ./demoCA. This isn't so
very useful. So - let's make some decisions.
To do this we need to change both CA.pl and openssl.cnf.
Locate the variables at the top - DAYS and CADAYS. Change these lines to look like:
$DAYS="-days 730"; # 2 year
$CADAYS="-days 3650"; # 10 years
A little further down you will find the variable $CATOP. Change this line to look like:
$CATOP="/etc/ssl/ca";
One more change - the default CA certificates key is 1024 bits RSA. I would like 2048.
So - search down to print "Making CA certificate ...\n";. The line after that needs changing from
system ("$REQ -new -keyout " .
to
system ("$REQ -newkey rsa:2048 -keyout " .
The first change must match the $CATOP variable from CA.pl - we need to change the dir variable so that it looks like
dir = /etc/ssl/ca
We should also set the default number of days to match $DAYS:
default_days = 730
I personally also change default_bits to 2048
default_bits = 2048
Finally - and this is optional - you can edit any value in
the [ req_distinguished_name ] section that ends
'default' - to change the defaults to match your needs. When
generating certificates you will be prompted to enter - so
these can always be overwritten - but here you can set the ones you
use most often.
Run the following:
/usr/lib/ssl/misc/CA.pl -newca
Your new cacert.pem file is now
in /etc/ssl/ca/cacert.pem and can be distributed for
installation in browsers etc.
This goes through the following process:
Of course - as your own CA you will be sending it to yourself and signing it yourself.
/usr/lib/ssl/misc/CA.pl -newreq
This will prompt you for the certificate details. The vital point is that the CN of the certificate must be the domain name of the site you wish to secure. You can use *.example.com for a wildcard certificate (everything under example.com).
This will generate a newkey.pem and a newreq.pem. newkey.pem you need to keep for later - newreq.pem you would send off for signing - in this case to yourself - but you could also use it for purchasing a real certificate.
Given a newreq.pem in the current working directory run
/usr/lib/ssl/misc/CA.pl -sign
This will sign the request and generate a newcert.pem with the signed certificate. You will have to enter the password for your CA key which you supplied when creating the CA key, certificate and store.
The installation will depend on what software you are using. You will need the newkey.pem and newcert.pem - rename them to something useful - like domainname.key and domainname.cert.
Some software will not accept the extra information in the
certificate file - you can strip out everything apart from the
lines -----BEGIN CERTIFICATE----- up to and
including -----END CERTIFICATE-----.
Note - your certicate's key has a passphrase assigned during the -newreq phase. If you want your software to autostart this won't work - since it prompts for the password. To remove a passphrase:
openssl rsa -in newkey.pem -out newkey.nopass.pem
This will prompt you one last time and then generate a non-passphrase key file that you can use instead.
1 There is a community site at http://www.cacert.org/ dedicated to providing signed certificates for free. However - the CAcert.org root certificate (their CA certificate) is not installed in browsers by default - and would need to be installed by your users. However - this may be good enough for you.
This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):
This article is copyright 2008 chris - please ask for permission to republish or translate.