
OpenSSL

Bruce McIntyre <bruce.mcintyre@gmail.com>


31 August 2010

Table of Contents
1. Generate a Server Key
   1.1. Purpose
   1.2. Command
2. Generate a CSR
   2.1. Purpose
   2.2. Command
3. Supplying the CSR to the Certificate Authority (CA)
   3.1. Purpose
4. Installing the Certificate
   4.1. Purpose
   4.2. Things to remember
   4.3. Example Installations

1. Generate a Server Key


1.1. Purpose
A certificate binds a public key to a name, so before you can generate a Certificate Signing Request (CSR) you need the key pair it will carry. The private key is generated on, and never leaves, the server; only the public half goes into the CSR and, later, the certificate.

1.2. Command
Procedure 1. Generate a new server key
• openssl genrsa -aes256 -out <name of key>.key 2048

The 2010 version of this command used -des3 and 1024 bits. Neither is acceptable any more: the CA/Browser Forum Baseline Requirements set the minimum RSA size at 2048 bits and public CAs refuse smaller keys (use 3072 or 4096 if you want margin), and AES-256 replaces Triple DES for protecting the key file at rest. The passphrase only protects the key on disk; a daemon that must start unattended cannot type it (see section 4.2). Whatever the key size, the resulting file must be readable only by root.

Example 1. Generating an OpenSSL key


root@www:/etc/ssl/private# openssl genrsa -aes256 -out <my server FQDN>.key 2048
Generating RSA private key, 2048 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for <my server FQDN>.key:
Verifying - Enter pass phrase for <my server FQDN>.key:

2. Generate a CSR
2.1. Purpose
This generates a CSR for the host. The request carries the public half of the key you just generated together with the identity details (the Distinguished Name) you want in the certificate, and it is signed with the private key to prove you hold it. The CA builds the certificate from what is in this request, so anything wrong here ends up in the certificate.

2.2. Command
Procedure 2. Generate a new Certificate Signing Request (CSR)
• openssl req -new -sha256 -key <name of key>.key -out <name of csr>.csr

The -sha256 flag matters on OpenSSL releases before 1.1.0, whose default request digest was SHA-1; 1.1.0 and later default to SHA-256 and the flag is harmless there.


Example 2. Generate an OpenSSL csr


root@www:# openssl req -new -sha256 -key <my server FQDN>.key -out <my server FQDN>.csr
Enter pass phrase for <my server FQDN>.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME CC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<my server FQDN>
Email Address []:security@somewhere.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note
The Common Name must be the host name you are securing, but on its own it is no longer enough. RFC 6125 and the browsers that follow it (Chrome since version 58, released in 2017) match the host name against the subjectAltName (SAN) extension and ignore the CN, so a certificate whose name appears only in the CN fails validation. Public CAs generally copy the CN into the SAN for you, but it is safer to request it explicitly: with OpenSSL 1.1.1 or later, pass -addext "subjectAltName=DNS:<my server FQDN>" to the openssl req command above. Every name clients will actually connect to has to be listed; www.example.com and example.com are different names. Leave the challenge password blank, as the example does: nothing uses it and some CAs reject requests that set it.
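The two steps above, key and CSR, as one non-interactive script that also verifies the request before it goes to the CA. This is an added example, not from the original page: it assumes OpenSSL 1.1.1 or later (for -addext) and uses the constructed host name www.example.test (the .test TLD is reserved and never resolves). Running as root in /etc/ssl/private is replaced by a temporary directory so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): generate a server key and a
# CSR in one go, non-interactively, then verify the request before it is
# sent to the CA. Assumptions: OpenSSL 1.1.1 or later (for -addext), and
# the constructed host name www.example.test.
set -eu

HOST="${HOST:-www.example.test}"
OUTDIR="${OUTDIR:-$(mktemp -d)}"

gen_key() {
    # 2048 bits is the minimum CAs accept today; the page's 1024 is refused.
    # umask 077 makes the new file mode 0600 so the key is never readable by
    # other users, even momentarily. Add -aes256 for a passphrase-protected
    # key if a human will be present whenever the service starts.
    (umask 077 && openssl genrsa -out "$OUTDIR/$HOST.key" 2048 2>/dev/null)
}

gen_csr() {
    # -subj replaces the interactive Distinguished Name prompts; -addext puts
    # the host name(s) into subjectAltName, which is what clients validate.
    # The bare domain (HOST without "www.") is listed as a second SAN entry.
    openssl req -new -sha256 \
        -key "$OUTDIR/$HOST.key" \
        -subj "/C=AU/O=ACME CC/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,DNS:${HOST#www.}" \
        -out "$OUTDIR/$HOST.csr"
}

csr_signature_ok() {
    # A CSR is self-signed with the private key; -verify checks that
    # signature. OpenSSL 1.1.1 and 3.x both report "... verify OK".
    openssl req -in "$OUTDIR/$HOST.csr" -noout -verify 2>&1 | grep -q 'verify OK'
}

csr_lists_host_in_san() {
    # The host name must appear in the requested subjectAltName extension.
    openssl req -in "$OUTDIR/$HOST.csr" -noout -text | grep -q "DNS:$HOST"
}

csr_matches_key() {
    # The public key embedded in the CSR must be the one derived from our
    # private key; compare SHA-256 digests of both in DER form.
    k=$(openssl pkey -in "$OUTDIR/$HOST.key" -pubout -outform DER | openssl sha256)
    c=$(openssl req -in "$OUTDIR/$HOST.csr" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

key_is_owner_only() {
    # The key file mode must be exactly rw------- (0600).
    [ "$(ls -l "$OUTDIR/$HOST.key" | cut -c1-10)" = "-rw-------" ]
}

gen_key
gen_csr
csr_signature_ok && csr_lists_host_in_san && csr_matches_key && key_is_owner_only
echo "send $OUTDIR/$HOST.csr to the CA; $OUTDIR/$HOST.key stays on this server"
```

The four checks at the end are the ones worth running on any CSR, not just this one: a request whose signature does not verify, whose SAN is missing the host, or whose public key does not match the key file will be rejected by the CA or, worse, produce a certificate you cannot use.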

3. Supplying the CSR to the Certificate Authority (CA)


3.1. Purpose
You now take the CSR to the CA and have it sign the request. Usually you paste the PEM text of the .csr file into a form on the CA's website; some CAs still accept it by email. Send only the CSR: it contains the public key and the DN you entered, signed with your private key, and nothing secret. The .key file stays on the server and is never sent to anyone, the CA included. Before submitting, inspect the request (openssl req -noout -text -verify) and confirm that the CN and any subjectAltName entries are exactly the host names clients will use; a typo here costs a re-issue.

Example 3. Example CSR


-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----


Example 4. Example Signed Certificate


-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

4. Installing the Certificate


4.1. Purpose
Once you have the signed certificate back, you install it, together with the private key, in whatever application terminates TLS for the host.

4.2. Things to remember

Here are a few things that you need to remember:

• The key that you used to generate the CSR will have to have its passphrase removed if you are going to use the certificate in a service, such as apache2, that must start without a human typing it in. Remove the passphrase as follows:
openssl rsa -in <my server FQDN>.key -out <my server FQDN>.key.nopass
The unencrypted key is now protected only by file permissions: it must be owned by root and readable by nobody else (mode 0600), and it must never be copied off the server, mailed, or checked into a repository. If you would rather keep the passphrase, Apache can prompt for it at startup (SSLPassPhraseDialog), at the cost of manual restarts.
• Check that the certificate the CA returned belongs to your key before installing it: the RSA modulus printed by openssl x509 -noout -modulus for the certificate must equal the one printed by openssl rsa -noout -modulus for the key. A certificate issued against the wrong CSR otherwise fails only at the first TLS handshake.
• Most public CAs sign with an intermediate CA rather than their root and return the intermediate certificate(s) along with yours. Clients need them to build the chain, so install them too (in Apache, SSLCertificateChainFile, or appended to the SSLCertificateFile on Apache 2.4.8 and later).

4.3. Example Installations


Example 5. Installation on Apache2
# SSL Stuff
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/<my server FQDN>.crt
SSLCertificateKeyFile /etc/ssl/private/<my server FQDN>.key.nopass
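The passphrase removal from section 4.2 and the pre-installation checks, as an added example that is not part of the original page. Because no CA is involved offline, the "signed certificate" is a self-signed stand-in produced here; everything else (the passphrase-protected key, the .nopass copy, the modulus comparison, the permission check) is what you would do with a real CA-issued .crt. Assumed: OpenSSL 1.1.1 or later, the constructed host name www.example.test and a constructed passphrase.

```shell
#!/bin/sh
# Added example (not from the original page): strip the passphrase from a
# server key for use by a daemon, then check the certificate against the key
# and the key file's permissions before installing either in Apache.
# The certificate is a self-signed stand-in for the CA-issued one.
set -eu

HOST="${HOST:-www.example.test}"
OUTDIR="${OUTDIR:-$(mktemp -d)}"
PASS="${PASS:-correct horse battery staple}"   # constructed passphrase

make_encrypted_key_and_cert() {
    # Stand-in for the earlier steps and for the CA: an AES-encrypted key
    # and a 30-day self-signed certificate carrying the host in its SAN.
    (umask 077 && openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$OUTDIR/$HOST.key" 2048 2>/dev/null)
    openssl req -x509 -new -sha256 -days 30 \
        -key "$OUTDIR/$HOST.key" -passin "pass:$PASS" \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -out "$OUTDIR/$HOST.crt"
}

strip_passphrase() {
    # The page's "openssl rsa -in ... -out ....nopass", with the passphrase
    # supplied non-interactively and umask 077 so the unencrypted key is
    # created mode 0600 rather than being chmod'ed after the fact.
    (umask 077 && openssl rsa -in "$OUTDIR/$HOST.key" -passin "pass:$PASS" \
        -out "$OUTDIR/$HOST.key.nopass" 2>/dev/null)
}

original_key_is_encrypted() {
    # Both PEM encodings OpenSSL uses for encrypted keys carry "ENCRYPTED".
    grep -q 'ENCRYPTED' "$OUTDIR/$HOST.key"
}

nopass_key_is_unencrypted() {
    # No "ENCRYPTED" marker, and the key loads and passes -check without
    # any passphrase being available.
    ! grep -q 'ENCRYPTED' "$OUTDIR/$HOST.key.nopass" &&
        openssl rsa -in "$OUTDIR/$HOST.key.nopass" -noout -check >/dev/null 2>&1
}

cert_matches_key() {
    # The classic check from section 4.2: both commands print "Modulus=..."
    # and the two values must be identical.
    c=$(openssl x509 -in "$OUTDIR/$HOST.crt" -noout -modulus)
    k=$(openssl rsa -in "$OUTDIR/$HOST.key.nopass" -noout -modulus)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

cert_has_hostname_san() {
    openssl x509 -in "$OUTDIR/$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}

nopass_key_is_owner_only() {
    # Anyone who can read this file can impersonate the server: mode 0600.
    [ "$(ls -l "$OUTDIR/$HOST.key.nopass" | cut -c1-10)" = "-rw-------" ]
}

make_encrypted_key_and_cert
strip_passphrase
original_key_is_encrypted && nopass_key_is_unencrypted && cert_matches_key \
    && cert_has_hostname_san && nopass_key_is_owner_only
echo "SSLCertificateFile    $OUTDIR/$HOST.crt"
echo "SSLCertificateKeyFile $OUTDIR/$HOST.key.nopass"
```

The two echoed lines are the values that go into the Apache configuration in Example 5; with a real CA-issued certificate you would also point SSLCertificateChainFile at the intermediate certificate(s) the CA supplied.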
