24.6. Commands -often used

The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information. As an example, we'll show you how to create certificates for your Apache Web Server and/or your own CA Certifying Authority to sign your Certificate Signing Request yourself.

Important: All commands listed below are assumed to be made in the /etc/ssl/ directory.

Create a RSA private key protected with a passphrase for your Apache Server.


         [root@deep ]/ssl#openssl genrsa -des3 -out server.key 1024
         

         Generating RSA private key, 1024 bit long modulus
         ......................+++++
         .....+++++
         e is 65537 (0x10001)
         Enter PEM pass phrase:
         Verifying password - Enter PEM pass phrase:

         Please backup this server.key file and remember the pass-phrase you had to enter at a secure location.
         

Generate a Certificate Signing Request CSR with the server RSA private key.


         [root@deep ]/ssl# openssl req -new -key server.key -out server.csr
         

         Using configuration from /etc/ssl/openssl.cnf
         Enter PEM pass phrase:
         You are about to be asked to enter information that will be incorporated
         into your certificate request.
         What you are about to enter is what is called a Distinguished Name or a DN.
         There are quite a few fields but you can leave some blank
         For some fields there will be a default value,
         If you enter '.', the field will be left blank.
         -----
         Country Name (2 letter code) [CA]:
         State or Province Name (full name) [Quebec]:
         Locality Name (eg, city) [Montreal]:
         Organization Name (eg, company) [Open Network Architecture]:
         Organizational Unit Name (eg, section) [Internet Department]:
         Common Name (eg, YOUR name) [www.openna.com]:
         Email Address [[email protected]]:

         Please enter the following 'extra' attributes
         to be sent with your certificate request
         A challenge password []:.
         An optional company name []:.
         

Note: Make sure you enter the FQDN, Fully Qualified Domain Name of the server when OpenSSL prompts you for the CommonName, i.e. when you generate a CSR for a website which will be later accessed via https://www.mydomain.com/, enter www.mydomain.com here.

After generation of your Certificate Signing Request; CSR, you have two choices:

  1. the first is to send this certificate to a commercial Certifying Authority (CA) like Verisign or Thawte for signing. You usually have to post the CSR into a web form, pay for the signing, await the signed Certificate and store it into a server.crt file. The result is then a real Certificate, which can be used for Apache.

  2. Second, you can use your own CA and now have to sign the CSR yourself by this CA. This solution is economical, and allows an organization to host their own CA server and generate as many certificates as they need for internal use without paying any cent to a commercial CA. Unfortunately. using your own CA to generate certificates cause problems in electronic commerce, because customers need to have some trust in your organization by the use of recognized commercial CA.

See below on how to sign a CSR with your CA yourself.

Create a RSA private key for your CA.


         [root@deep ]/ssl# openssl genrsa -des3 -out ca.key 1024
         

         Generating RSA private key, 1024 bit long modulus
         ...........................+++++
         ............................................+++++
         e is 65537 (0x10001)
         Enter PEM pass phrase:
         Verifying password - Enter PEM pass phrase:

         Please backup this ca.key file and remember the pass-phrase you had to enter at a secure location.
         

Create a self-signed CA certificate x509 structure with the RSA key of the CA.


         [root@deep ]/ssl# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
         

         Using configuration from /etc/ssl/openssl.cnf
         Enter PEM pass phrase:
         You are about to be asked to enter information that will be incorporated
         into your certificate request.
         What you are about to enter is what is called a Distinguished Name or a DN.
         There are quite a few fields but you can leave some blank
         For some fields there will be a default value,
         If you enter '.', the field will be left blank.
         -----
         Country Name (2 letter code) [CA]:
         State or Province Name (full name) [Quebec]:
         Locality Name (eg, city) [Montreal]:
         Organization Name (eg, company) [Open Network Architecture]:
         Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
         Common Name (eg, YOUR name) [www.openna.com]:
         Email Address [[email protected]]:
         

         [root@deep ]/ssl# mv server.key private/
         [root@deep ]/ssl# mv ca.key private/
         [root@deep ]/ssl# mv ca.crt certs/
         

Note: The req command creates a self-signed certificate when the -x509 switch is used.

Signing a certificate request. We create and use our own Certificate Authority -CA, Prepare the script for signing which is needed because the openssl ca command has some strange requirements, and the default OpenSSL config doesn't allow one easily to use openssl ca directly. The script named sign.sh is distributed with the floppy disk under the openssl directory. Use this script for signing. Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache Webserver assuming you already have a server.csr at hand:


         [root@deep ]/ssl# /usr/bin/sign.sh server.csr
         

         CA signing: server.csr -> server.crt:
         Using configuration from ca.config
         Enter PEM pass phrase:
         Check that the request matches the signature
         Signature ok
         The Subjects Distinguished Name is as follows
         countryName            :PRINTABLE:'CA'
         stateOrProvinceName    :PRINTABLE:'Quebec'
         localityName           :PRINTABLE:'Montreal'
         organizationName       :PRINTABLE:'Open Network Architecture'
         organizationalUnitName :PRINTABLE:'Internet Department'
         commonName             :PRINTABLE:'www.openna.com'
         emailAddress           :IA5STRING:'[email protected]'
         Certificate is to be certified until Dec  1 14:59:29 2000 GMT (365 days)
         Sign the certificate? [y/n]:y


         1 out of 1 certificate requests certified, commit? [y/n]y
         Write out database with 1 new entries
         Data Base Updated
         CA verifying: server.crt <-> CA cert
         server.crt: OK
         

This signs the CSR and results in a server.crt file.


         [root@deep ]/ssl# mv server.crt certs/
         
Now you have two files: server.key and server.crt. These can now, for example, be used as follows, inside your Apache server's httpd.conf file:

         SSLCertificateFile    /etc/ssl/certs/server.crt   (1) 
         SSLCertificateKeyFile /etc/ssl/private/server.key       (2) 
         
(1)
Our web server public key
(2)
Our web server private key
The server.csr file is no longer needed.

         [root@deep ]/ssl# rm -f server.csr
         

Tip: If you receive error message during signature of the certificate, it's probably because you've entered the wrong FQDN, Fully Qualified Domain Name for the server when OpenSSL prompted you for the CommonName; the CommonName must be something like my.domain.com and not domain.com. Also, since you generate both the certificate and the CA certificate, it's important that at least one piece of information differs between both files, or you may encounter problems during the signature of the certificate request.