Cookbook: SSL, TLS and certificates

To generate SSL keys and certificates, follow the steps detailed below.

Locate CA.pl or CA.sh

On Debian GNU/Linux they are located in /usr/lib/ssl/misc/.

`find / -iname CA.pl -print` might help.

Create a new CA

     $ /usr/lib/ssl/misc/CA.pl -newca
     CA certificate filename (or enter to create) <press enter>
     Making CA certificate ...
     Generating a 1024 bit RSA private key
     .............++++++
     .......................................++++++
     writing new private key to './demoCA/private/cakey.pem'
     Enter PEM pass phrase: <type the secret phrase>
     Verifying - Enter PEM pass phrase: <type the secret phrase again>
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [AU]:ES
     State or Province Name (full name) [Some-State]:.
     Locality Name (eg, city) []:.
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cherokee Team
     Organizational Unit Name (eg, section) []:<Enter>
     Common Name (eg, YOUR name) []:Cherokee Certificate Master
     Email Address []:alvaro@alobbs.com

Generate a certificate request

     $ /usr/lib/ssl/misc/CA.pl -newreq
     Generating a 1024 bit RSA private key
     .....................................++++++
     ...++++++
     writing new private key to 'newreq.pem'
     Enter PEM pass phrase: <another phrase>
     Verifying - Enter PEM pass phrase: <repeat it>
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [AU]:ES
     State or Province Name (full name) [Some-State]:.
     Locality Name (eg, city) []:.
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cherokee web server
     Organizational Unit Name (eg, section) []:.
     Common Name (eg, YOUR name) []:www.cherokee-project.com
     Email Address []:sysop@cherokee-project.com

     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []: <Enter>
     An optional company name []: <Enter>
     Request (and private key) is in newreq.pem

Sign the certificate request

     $ /usr/lib/ssl/misc/CA.pl -sign
     Using configuration from /usr/lib/ssl/openssl.cnf
     Enter pass phrase for ./demoCA/private/cakey.pem:
     Check that the request matches the signature
     Signature ok
     Certificate Details:
           Serial Number: 1 (0x1)
           Validity:
               Not Before: Aug 17 13:12:44 2003 GMT
               Not After : Aug 16 13:12:44 2004 GMT
           Subject:
               countryName               = ES
               organizationName          = Cherokee web server
               commonName                = www.cherokee-project.com
               emailAddress              = sysop@cherokee-project.com
           X509v3 extensions:
               X509v3 Basic Constraints:
               CA:FALSE
               Netscape Comment:
               OpenSSL Generated Certificate
               X509v3 Subject Key Identifier:
               14:6A:45:66:A2:EB:73:74:5A:C5:68:80:50:D5:48:94:DD:ED:25:F7
               X509v3 Authority Key Identifier:
               keyid:9E:E0:E2:6E:1B:02:17:F2:72:C9:0D:E3:DA:C9:E1:8F:CE:BC:6E:A2
               DirName:/C=ES/ST=Madrid/L=Madrid/O=Cherokee Team/CN=Cherokee Certificate Master/emailAddress=alvaro@alobbs.com
               serial:00

     Certificate is to be certified until Aug 16 13:12:44 2004 GMT (365 days)
     Sign the certificate? [y/n]:y

     1 out of 1 certificate requests certified, commit? [y/n]y
     Write out database with 1 new entries
     Data Base Updated
     Signed certificate is in newcert.pem
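
The three CA.pl steps above, replayed programmatically as an added example that is not part of the cookbook: Go's crypto/x509 stands in for the openssl command line, `issue` builds the CA, the CSR and the signed leaf, and `verify` does what `openssl verify -CAfile cacert.pem newcert.pem` does plus the hostname match a TLS client performs. The function names, the Subject Alternative Name entry and the generic `must` helper (Go 1.18 or later) are this example's own; the DNs and the hostname are taken from the transcript.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue replays the three CA.pl steps: a self-signed CA (-newca), a server key plus CSR (-newreq)
// and a leaf signed by the CA (-sign). 2048-bit keys replace the transcript's 1024-bit ones.
func issue(host string, days int) (ca, leaf *x509.Certificate) {
	now, caKey := time.Now(), must(rsa.GenerateKey(rand.Reader, 2048)) // the CA key never leaves this function
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(3, 0, 0),
		Subject:      pkix.Name{Country: []string{"ES"}, Organization: []string{"Cherokee Team"}, CommonName: "Cherokee Certificate Master"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CA:TRUE; parent == template below makes it self-signed, as -newca does
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// -newreq: the server generates its own key and hands the CA nothing but a signed CSR.
	srvKey := must(rsa.GenerateKey(rand.Reader, 2048))
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{Country: []string{"ES"}, Organization: []string{"Cherokee web server"}, CommonName: host},
		DNSNames: []string{host}, // TLS clients match the SAN, not the CN, so the request must carry it
	}, srvKey))))
	must(csr, csr.CheckSignature()) // CA.pl's "Check that the request matches the signature"
	// -sign: subject and SAN are copied from the CSR; CA:FALSE and the validity window are the CA's decision.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames, BasicConstraintsValid: true, // CA:FALSE
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(0, 0, days), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, csr.PublicKey, caKey))))
	return ca, leaf
}

func verify(ca, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```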

Self-signed certificates

Self-signed certificates are another way to generate certificate files. Ramon Pons sent this little script to create self-signed certificates:

     #!/bin/sh
     # -nodes leaves the private key unencrypted, and -keyout/-out put the key and
     # the certificate into the same PEM file, hence the restrictive permissions.
     CERTNAME=cherokee.pem
     openssl req -days 1000 -new -x509 -nodes -out "$CERTNAME" -keyout "$CERTNAME"
     chmod 600 "$CERTNAME"
     # A self-signed certificate is trusted only by itself, so pass it as the CA file;
     # without -CAfile the check reports "self signed certificate" and always fails.
     if ! openssl verify -CAfile "$CERTNAME" "$CERTNAME"; then
         \mv "$CERTNAME" "$CERTNAME.not_valid"   # the backslash bypasses any mv alias
     fi