Creating and Installing Server Certificates

A server certificate is created and installed as follows:
  1. Create a certificate request (and the server's key pair)
  2. Sign the certificate request with the CA, producing the certificate
  3. Install the server certificate and key

Creating a Certificate Request

The SSLeay "req" command creates a PKCS#10 (Public-Key Cryptography Standards) certificate request, and generates a new key pair when "-new" is specified. SSLeay prompts for a pass phrase (e.g. siteKEY) which is used to encrypt the new private key on disk; it is a property of the key file, not of the certificate. The "-days" switch only sets a validity period when "req" itself signs a certificate; for a request the validity is fixed by the CA at signing time (the "ca" run below certifies for 365 days from its own configuration, not the 360 given here). Note also that the key generated in this example is only 512 bits, which is far too small to be safe: raise "default_bits" in the "req" section of ssleay.cnf (or give the key size on the command line in later releases) to at least 2048 before generating keys for real use. A certificate request may be created as follows:
Using SSLeay to Create Certificate Request
cd $SSLDIR/bin
./ssleay req  -new -keyout newkey.pem -out newreq.pem  -days 360\
	-config /opt/www/lib/ssleay.cnf 


Using configuration from /opt/www/lib/ssleay.cnf
Generating a 512 bit private key
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorperated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MA]:
Locality Name (eg, city) [Cambridge]:
Organization Name (eg, company) [The Open Group]:
Organizational Unit Name (eg, section) [Research Institute]:
Common Name (eg, YOUR name) [example.opengroup.org]:
Email Address []:ssl_admin@opengroup.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This results in a certificate request being created in newreq.pem (in this example certificates and keys are truncated):
Sample Certificate Request
-----BEGIN CERTIFICATE REQUEST-----
MIIBXTCCAQcCAQAwgaMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTESMBAGA1UE
...
Aty7AlcmN9XNwxUk1w0H3hk=
-----END CERTIFICATE REQUEST-----
and the matching private key, encrypted with the pass phrase (the "Proc-Type" and "DEK-Info" headers record the cipher and IV), in newkey.pem. Before the request is passed to the CA it can be checked with "./ssleay req -noout -text -verify -in newreq.pem", which prints the requested subject name and key and verifies the request's self-signature:
Sample Private Key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,21F13B37A796482C

XIY0c7gnv0BpVKkOqXIiqpyONx8xqW67wghzDlKyoOZt9NDcl9wF9jnddODwv9ZU
...
QxS2zwfKG1u+YqS1c2v5ecBgqW78DQLvxMkpYU8+xge7vDeoYKE14w==
-----END RSA PRIVATE KEY-----
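As an added example (not part of the original page and not SSLeay code), the following Python script reads a PEM key file of the kind "req -keyout" writes and reports, without decrypting it, whether the key is pass-phrase protected and with which cipher. It is the check to run on a key file before copying it to a server. The sample key text is constructed from the headers and the truncated body shown above, so it does not decode to a usable key; the list of legacy ciphers and the block-size table are this example's own choices, not values taken from SSLeay.

```python
"""Inspect a PEM-armoured private key without decrypting it.

Added example, standard library only.  The headers it understands are the
RFC 1421 style ones SSLeay writes: "Proc-Type: 4,ENCRYPTED" and
"DEK-Info: <cipher>,<hex IV>".  The legacy-cipher set and block-size table
below are assumptions made for this example, not values taken from SSLeay.
"""
import base64
import re

# Constructed sample: headers as SSLeay writes them, body copied from the
# page's truncated newkey.pem, so it is not a real key.
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,21F13B37A796482C

XIY0c7gnv0BpVKkOqXIiqpyONx8xqW67wghzDlKyoOZt9NDcl9wF9jnddODwv9ZU
QxS2zwfKG1u+YqS1c2v5ecBgqW78DQLvxMkpYU8+xge7vDeoYKE14w==
-----END RSA PRIVATE KEY-----
"""

# The same body with the encryption headers stripped, i.e. what an
# unprotected key file looks like (constructed, not from the page).
SAMPLE_PLAIN = re.sub(r"Proc-Type:.*\nDEK-Info:.*\n\n", "", SAMPLE_ENCRYPTED)

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

# 64-bit block ciphers: single DES is brute-forceable, 3DES and RC2 are deprecated.
LEGACY_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}
BLOCK_SIZE = {"DES-CBC": 8, "DES-EDE3-CBC": 8, "RC2-CBC": 8,
              "AES-128-CBC": 16, "AES-192-CBC": 16, "AES-256-CBC": 16}

def inspect_pem_key(text):
    """Return a dict describing the first PEM block in `text`.

    Raises ValueError on malformed armour, headers or base64 body."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    label, lines = m.group(1), m.group(2).splitlines()
    headers, i = {}, 0
    while i < len(lines) and ":" in lines[i]:          # base64 never contains ':'
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    if headers:                                         # RFC 1421: a blank line ends the headers
        if i >= len(lines) or lines[i].strip():
            raise ValueError("encapsulated headers not terminated by a blank line")
        i += 1
    body = base64.b64decode("".join(l.strip() for l in lines[i:]), validate=True)
    info = {"type": label, "encrypted": False, "cipher": None, "iv_hex": None, "size": len(body)}
    if label == "ENCRYPTED PRIVATE KEY":                # PKCS#8: algorithm lives inside the DER
        info.update(encrypted=True, cipher="PKCS#8")
    elif headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        if not cipher or not re.fullmatch(r"[0-9A-Fa-f]+", iv):
            raise ValueError("malformed or missing DEK-Info header")
        bs = BLOCK_SIZE.get(cipher)
        if bs and len(body) % bs:
            raise ValueError("ciphertext is not a whole number of %d-byte blocks" % bs)
        info.update(encrypted=True, cipher=cipher, iv_hex=iv.upper())
    return info

def key_file_warnings(text):
    """Checks a practitioner would run before installing a key file."""
    info = inspect_pem_key(text)
    warnings = []
    if info["type"] not in ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        warnings.append("not a private key block: %s" % info["type"])
    if not info["encrypted"]:
        warnings.append("key is stored unencrypted; file permissions are its only protection")
    elif info["cipher"] in LEGACY_CIPHERS:
        warnings.append("pass phrase protection uses legacy cipher %s" % info["cipher"])
    return warnings

if __name__ == "__main__":
    for name, text in (("encrypted", SAMPLE_ENCRYPTED), ("plain", SAMPLE_PLAIN)):
        print(name, inspect_pem_key(text), key_file_warnings(text))
```

Even when the file is encrypted, the traditional PEM format derives the key from the pass phrase with a single MD5 iteration, so the pass phrase is the only real strength of the protection; the file permissions still matter.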

Signing the Certificate Request

A server certificate is created by signing the certificate request with the SSLeay "ca" command. The "-policy" switch names the section of the configuration file that defines which distinguished name fields are required, which must match the CA's own certificate, and the order of the fields; our test configuration uses the "policy_anything" section, which makes all the listed fields optional. The validity period and serial number of the new certificate come from the "ca" section of the configuration file, not from the request. Note that "ca" reads only the certificate request from its input: the private key is concatenated into new.pem below purely for convenience on this single host, and must never be sent to a CA that runs elsewhere.

When this command is executed, it prompts for the pass phrase of the certificate authority's private key:

Signing a Certificate Request to Create Server Certificate
cat newreq.pem newkey.pem > new.pem
./ssleay ca  -policy policy_anything -out newcert.pem \
	-config /opt/www/lib/ssleay.cnf -infiles new.pem

Using configuration from /opt/www/lib/ssleay.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'MA'
localityName          :PRINTABLE:'Cambridge'
organizationName      :PRINTABLE:'The Open Group'
organizationalUnitName:PRINTABLE:'Research Institute'
commonName            :PRINTABLE:'example.opengroup.org'
emailAddress          :IA5STRING:'ssl_admin@opengroup.org'
Certificate is to be certified until May 12 15:39:33 1998 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The server certificate is created in the file newcert.pem and is as follows (line-breaks added for issuer and subject). Two things to notice in the decoded output: it is an X.509 version 1 certificate ("Version: 0"), so it carries no extensions such as subjectAltName or basicConstraints, and it is signed with md5withRSAEncryption. Neither is acceptable to current clients, which match the host name against subjectAltName and reject MD5 signatures.
Sample Server Certificate
 issuer :/C=US/SP=MA/L=Cambridge/O=The Open Group/OU=Research Institute/
        CN=Example CA/Email=ssl_admin@opengroup.org
subject:/C=US/SP=MA/L=Cambridge/O=The Open Group/OU=Research Institute/
        CN=example.opengroup.org/Email=ssl_admin@opengroup.org
serial :01

Certificate:
    Data:
        Version: 0 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5withRSAEncryption
        Issuer: C=US, SP=MA, L=Cambridge, O=The Open Group, 
                OU=Research Institute, 
                CN=Example CA/Email=ssl_admin@opengroup.org
        Validity
            Not Before: May 12 15:39:33 1997 GMT
            Not After : May 12 15:39:33 1998 GMT
        Subject: C=US, SP=MA, L=Cambridge, O=The Open Group, 
                 OU=Research Institute, 
                 CN=example.opengroup.org/Email=ssl_admin@opengroup.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Modulus:
                    00:a1:41:0b:0c:15:53:a5:a5:c4:37:a8:48:f5:79:
                    39:9f:18:2d:f4:bf:43:34:36:21:23:03:48:a5:65:
                    cb:e2:f8:97:af:9c:7d:df:1e:9b:54:e2:ad:21:e3:
                    41:3e:54:9a:ce:dc:66:4d:61:59:fb:83:11:36:bf:
                    9c:3b:47:20:fb
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5withRSAEncryption
        63:77:e7:f8:aa:0b:90:5e:13:9e:4b:57:f1:0f:22:f9:4c:e3:
        7a:aa:ff:a7:8a:2e:3c:1c:a2:92:07:bc:9f:22:3f:2f:13:3f:
        60:62:57:a7:74:12:35:28:82:b1:00:2a:36:54:de:67:cd:a2:
        9e:24:3e:98:be:14:4e:35:b7:7f

-----BEGIN CERTIFICATE-----
MIICLTCCAdcCAQEwDQYJKoZIhvcNAQEEBQAwgZ4xCzAJBgNVBAYTAlVTMQswCQYD
...
Ij8vEz9gYlendBI1KIKxACo2VN5nzaKeJD6YvhRONbd/
-----END CERTIFICATE-----

Installing the Server Certificate

Installing the Server Certificate in the SDG

A server certificate is installed in the SDG by copying the certificate and key files into the server certificate directory $CERTDIR (e.g. /opt/www/lib/certs) and creating the hash-named link for the certificate. The key file must be readable only by the user the server runs as.
cp newcert.pem $CERTDIR/sitecert.pem
cp newkey.pem $CERTDIR/sitekey.pem
cd $CERTDIR
ln -s sitecert.pem `$SSLDIR/bin/x509 -noout -hash < sitecert.pem`.0
To find certificates quickly, SSLeay names them by a hash of the certificate subject name. When it needs the certificate of a certificate's issuer, it looks in the certificate directory for a file named with the hash value of the issuer name (with a numeric suffix, .0 and upwards, so that several certificates whose names hash to the same value can coexist); this avoids opening every file and examining each certificate to find a match. The SSLeay "x509" command may be used to manipulate certificates, and its "-hash" option prints this hash of the subject name. Note that the hash algorithm changed in OpenSSL 1.0.0, so links created with an older "x509 -hash" must be regenerated when the library is upgraded.
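To make the lookup concrete, here is an added example (not SSLeay code, and not from the original page) that DER-encodes the distinguished names from the sample certificates, computes the legacy subject-name hash, and searches a constructed stand-in for $CERTDIR the way the hashed-directory lookup does. The hash definition is an assumption stated in the code: MD5 over the DER encoding of the Name with the first four digest bytes read little-endian, which is the X509_NAME_hash of SSLeay and of OpenSSL before 1.0.0 (later versions print a SHA-1 based value for "-hash" and offer this one as "-subject_hash_old").

```python
"""How SSLeay's hashed certificate directory is searched.

Added example, not SSLeay code; standard library only.  Assumption: the
file-name hash is the legacy X509_NAME_hash, i.e. MD5 over the DER encoding
of the X.500 Name with the first four digest bytes read little-endian, as used
by SSLeay and OpenSSL before 1.0.0.
"""
import hashlib

# Attribute-type OIDs for the fields in the page's distinguished names.
OID = {
    "C":     b"\x55\x04\x06",   # countryName
    "SP":    b"\x55\x04\x08",   # stateOrProvinceName (SSLeay prints it as SP)
    "L":     b"\x55\x04\x07",   # localityName
    "O":     b"\x55\x04\x0a",   # organizationName
    "OU":    b"\x55\x04\x0b",   # organizationalUnitName
    "CN":    b"\x55\x04\x03",   # commonName
    "Email": b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01",   # pkcs-9 emailAddress
}

def _der(tag, body):
    """Minimal DER TLV encoder (definite length, bodies below 64 KiB)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_name(rdns):
    """DER-encode a Name from [(short_name, value), ...], one attribute per RDN.
    Strings are PrintableString (0x13) except IA5String (0x16) for emailAddress,
    matching the ":PRINTABLE:" / ":IA5STRING:" types shown in the ca output."""
    out = b""
    for key, value in rdns:
        strtag = 0x16 if key == "Email" else 0x13
        atv = _der(0x30, _der(0x06, OID[key]) + _der(strtag, value.encode("ascii")))
        out += _der(0x31, atv)              # RelativeDistinguishedName ::= SET OF ATV
    return _der(0x30, out)                  # Name ::= SEQUENCE OF RDN

def legacy_name_hash(rdns):
    """Eight hex digits, as printed by the legacy `x509 -hash` (assumed MD5 based)."""
    md = hashlib.md5(encode_name(rdns)).digest()
    return "%08x" % (md[0] | md[1] << 8 | md[2] << 16 | md[3] << 24)

def find_by_name(directory, rdns):
    """Mimic the by-directory lookup: try <hash>.0, <hash>.1, ... until a file is
    missing, keeping only entries whose full subject really matches, because two
    different names can share a 32-bit hash.  `directory` maps file name to the
    subject stored in that file (a constructed stand-in for $CERTDIR)."""
    h = legacy_name_hash(rdns)
    matches, i = [], 0
    while "%s.%d" % (h, i) in directory:
        fname = "%s.%d" % (h, i)
        if directory[fname] == rdns:
            matches.append(fname)
        i += 1
    return matches

# Subjects of the page's sample issuer and server certificates.
CA_NAME = [("C", "US"), ("SP", "MA"), ("L", "Cambridge"), ("O", "The Open Group"),
           ("OU", "Research Institute"), ("CN", "Example CA"),
           ("Email", "ssl_admin@opengroup.org")]
SITE_NAME = CA_NAME[:5] + [("CN", "example.opengroup.org"), ("Email", "ssl_admin@opengroup.org")]

if __name__ == "__main__":
    certdir = {legacy_name_hash(CA_NAME) + ".0": CA_NAME,
               legacy_name_hash(SITE_NAME) + ".0": SITE_NAME}
    print("issuer link:", find_by_name(certdir, CA_NAME))
    print("server link:", find_by_name(certdir, SITE_NAME))
```

The search stops at the first missing suffix, which is why the links must be numbered contiguously from .0: a certificate stored only as <hash>.1 is never found.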

Once the certificate and key files have been installed, the sdg.conf configuration file must be edited to specify them:

# Directory where hashed certificate files go.
CaDirectory:            lib/certs

# Server certificate and key file
CertificateFile:        lib/certs/sitecert.pem
KeyFile:                lib/certs/sitekey.pem

Installing the Server Certificate in Apache

The Apache-SSL httpd.conf file must be modified to specify the server certificate and key files as follows:
# Point SSLCertificateFile at a PEM encoded certificate.
SSLCertificateFile /opt/www/lib/certs/sitecert.pem

# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "/private/".
SSLCertificateKeyFile /opt/www/lib/certs/sitekey.pem

Cookbook