SSLeay Certificate Cookbook

1. Introduction

This SSLeay Certificate Cookbook describes how to set up SSLeay to use it as a certificate authority, and how to create and install server and client certificates. It requires a basic understanding of cryptography, certificates, and SSL which is provided in an overview.

This cookbook details how to

  1. Obtain and Install SSLeay
  2. Establish an SSLeay Environment
  3. Create a Certificate Authority
  4. Create and Install Server Certificates
  5. Create and Install Client Certificates
  6. Configure a Server and Establish an SSL Connection

The use of client certificates is optional, depending on whether the server has been configured to require them.

2. Obtaining and Installing SSLeay

SSLeay is a free non-commercial implementation of SSL by Eric Young [SSLeay-FAQ]. In addition to the SSL implementation, it includes utilities for certificate management. It also includes a public key implementation which may be used outside the United States. In the United States, RSARef or BSAFE3.0 must be used due to patent requirements. SSLeay offers an inexpensive way to get started with SSL.

SSLeay may be installed and used for the following distinct but related purposes:

  1. Managing certificates
  2. Implementing SSL in a server

This cookbook describes how to use SSLeay to manage certificates. How it may be used to build an SSL-capable server depends on the server. Two examples are building SSLeay to provide SSL in the following servers:

This documentation has been written for SSLeay-0.6.6, but as you read this a later version may be available. The source for SSLeay-0.6.6 may be obtained from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ .

The SSLeay-0.6.6 distribution is obtained as a tar file (SSLeay-0.6.6.tar) and a patch file (SSLeay-0.6.6.patch1). Extracting the tar file creates a new directory, SSLeay-0.6.6, in which SSLeay is built.

The following steps are required to build SSLeay:

  1. Change to the directory SSLeay-0.6.6
  2. Apply patch
    patch < SSLeay-0.6.6.patch1
  3. Build SSLeay following the directions in the INSTALL file
  4. Install SSLeay in $SSLDIR (e.g. /opt/dev/ssl)

3. Establishing SSLeay Environment for Certificate Management

To act as a certificate authority, issuing client and server certificates, it is first necessary to establish the SSLeay certificate processing environment by

  1. Creating the directory structure for managing certificates
  2. Modifying the SSLeay configuration file for our Certificate Authority

4. Creating a Certificate Authority

Before acting as a certificate authority, it is necessary to

  1. Create a self-signed Certificate Authority (CA) certificate
  2. Install the CA certificate in the server
  3. Install the CA certificate in browsers

5. Creating and Installing Server Certificates

A server certificate authenticates the server to the client. A server certificate is created by

  1. Creating a certificate request
  2. Signing the certificate request with the CA certificate
  3. Installing the server certificate in the server, such as

6. Creating and Installing Client Certificates (optional)

A client certificate is used to authenticate a client to a server. The use of client certificates is only needed if the server is configured to require them.

Creating and installing one is more difficult than creating a server certificate because the client must generate a key-pair, keep the private key to itself, and send the public key to the certificate authority to be incorporated into a certificate request. Once a signed certificate has been created using the Certificate Authority, this client certificate must be installed in the client so that the client may present it when needed.

Different clients such as Netscape Navigator and Microsoft Internet Explorer support different mechanisms for creating client certificates. The general procedure is the same, and consists of the following steps:

  1. User requests HTML page which displays form on client.

  2. User enters identification information.

  3. Submission of the form causes the following sequence to occur:

    1. Browser generates a key pair (public and private key).
    2. Private key is stored in browser.
    3. Public key is sent with identification information to the server.
    4. Server CGI script creates certificate and loads it into the client.

The HTML form includes fields (containing defaults) for the different distinguished name attributes which are to be used in the client certificate. The HTML form also contains information used to cause the browser to generate a key pair, and a hidden field used to return the resulting public key to the CGI script. This hidden information is browser dependent, and the form is processed by a browser-dependent script.
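The CA-side steps of sections 4, 5 and 6, as an added example that is not part of the cookbook: a self-signed CA certificate is created, the server and the client each generate their own key pair and send only a certificate request (public key plus distinguished name) to the CA, the CA signs both requests, and each issued certificate is then checked against the CA. It assumes the OpenSSL command line, the successor of SSLeay; the ssleay binary used the same req, x509 and verify subcommands, but the exact flags below are OpenSSL's, and all names and subjects are constructed.

```shell
#!/bin/sh
# Added example: CA, server and client certificate workflow with the
# OpenSSL CLI (assumed to be installed). Subjects and file names are
# constructed for the demonstration.
set -e

WORK=${WORK:-$(mktemp -d)}   # scratch directory for keys and certificates

# Section 4, step 1: a self-signed CA certificate (key and cert in one go).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example CA/CN=Example Root CA" 2>/dev/null
}

# Section 5 step 1 / section 6 steps 1-3: the subject generates its own key
# pair and a request; only the request (public key + DN) goes to the CA.
make_request() {   # $1 = name (server|client), $2 = subject DN
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Section 5 step 2: the CA signs the request; the subject's private key
# was never sent, so the CA only ever handles the public half.
sign_request() {   # $1 = name
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Check that an issued certificate chains to our CA (what a browser with the
# CA certificate installed, or a server checking client certs, will do).
verify_cert() {    # $1 = name; exit status 0 when the chain is valid
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

run_workflow() {   # returns 0 only if both issued certificates verify
    make_ca
    make_request server "/O=Example Org/CN=example.opengroup.org"
    sign_request server
    make_request client "/O=Example Org/CN=Alice Example"
    sign_request client
    verify_cert server && verify_cert client
}
```

Run `run_workflow` in a shell that has sourced the script; the server key pair goes into the server configuration (section 5, step 3) while the client key pair stays with the client (section 6).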

The following documents describe the specific steps for two browsers:

7. Configuring a Server and Establishing an SSL connection

The server must have a server certificate installed, and the server's CA certificate must have been installed in the browser. The server will only request a client certificate from the browser if it is required in the server configuration file. For the SDG, this is done with the configuration line:
VerifyClients:          Required
"Required" means that a client certificate is required; "Never" means that none is required. Other options are documented in the sdg.conf configuration file.

Apache uses a similar directive in httpd.conf :

# Set SSLVerifyClient to:
# 0 if no certificate is required
# 1 if the client may present a valid certificate
# 2 if the client must present a valid certificate
# 3 if the client may present a valid certificate but it is not required to
#   have a valid CA
SSLVerifyClient 2
An SSL connection is established by requesting a URL from the browser of the form "https://example.opengroup.org/", where the domain refers to the server which supports SSL.

We have successfully established an SSL connection using either Netscape Navigator 3.01 Gold or Microsoft Internet Explorer 3.02 when configuring the server to not require client certificates (only use server certificates), using our own certificate authority certificate and server certificate.

We have successfully created and installed a client certificate into Netscape Navigator 3.01 Gold, and established an SSL connection when configuring the server to require a client certificate.

Although we have created a client certificate and loaded it into Microsoft Internet Explorer 3.02, we have not been able to successfully establish an SSL connection when configuring the server to require a client certificate. This is an area for further research, but may be resolved with the next release of SSLeay, expected shortly.