Next: 10 Port Forwarding Up: Redhat FAQ Previous: 8 Networking   Contents

9 OpenSSL

9.1 Conventions


9.2 Create a Certificate Signing Request

  1. Create an RSA key and a signing request
    $ openssl req -new -days 3650 -config <config file> -out certreq.req -keyout server.pem
  2. The -config option is optional.
  3. The PEM passphrase requested is the passphrase for encrypting server.pem. Some applications require an unencrypted key (e.g. stunnel), but it is good practice to encrypt the key and create a decrypted copy only if necessary.
  4. Use reasonable values for the remaining questions
    Country Name (2 letter code) [GB]:US 
    State or Province Name (full name) [Berkshire]:California 
    Locality Name (eg, city) [Newbury]:Los Angeles 
    Organization Name (eg, company) [My Company Ltd]:DPSI 
    Organizational Unit Name (eg, section) []:Systems 
    Common Name (eg, your name or your server's hostname) []:ssl.dpsi-corp.com  
    Email Address []:


9.3 Signing a Certificate

If you are not going to have your certificate request signed by a Certificate Authority, you can sign it yourself. See Section 9.9 for setting up a private CA.

  1. If necessary, mount the cdrom the key file(s) are stored on
    $ mount /mnt/cdrom
  2. Sign the Certificate
    $ openssl ca -config stunnel.cnf -days 365 -keyfile /mnt/cdrom/DPSIkey.pem -cert /mnt/cdrom/DPSIcert.pem -in certreq.req -out test.crt 
     
    Using configuration from stunnel.cnf 
    Enter PEM pass phrase: 
    Check that the request matches the signature 
    Signature ok 
    The Subjects Distinguished Name is as follows  
    countryName           :PRINTABLE:'US' 
    stateOrProvinceName   :PRINTABLE:'California' 
    localityName          :PRINTABLE:'Los Angeles' 
    organizationName      :PRINTABLE:'DPSI' 
    organizationalUnitName:PRINTABLE:'Systems' 
    commonName            :PRINTABLE:'ssl.dpsi-corp.com' 
    Certificate is to be certified until Dec 27 00:02:23 2003 GMT (365 days) 
    Sign the certificate? [y/n]:y 
     
    1 out of 1 certificate requests certified, commit? [y/n]y  
    Write out database with 1 new entries 
    Data Base Updated
  3. The passphrase requested is for the CA key used for signing (DPSIkey.pem above).
  4. When finished, unmount and eject the CD.
    $ umount /mnt/cdrom 
    $ eject

9.4 Decrypting a Server Key

Some applications need the server key to be in clear text. The private key can be decrypted with

$ openssl rsa -in server.pem -out server.key

9.5 Encrypting a Server Key

If a key needs to be encrypted again after it has been decrypted:

$ openssl rsa -des3 -in plaintext.key -out encrypted.key.pem

You will be prompted for a passphrase.

9.6 Show the fields in a certificate

  1. Signing Request
    $ openssl req -in cert.req -text
  2. Signed Certificate 
    $ openssl x509 -in cert.crt -text
  3. Encrypted Private Key
    $ openssl rsa -in www.closetheloan.pem -text
  4. Unencrypted Private Key
    $ openssl rsa -in www.closetheloan.key -text

9.7 Convert OpenSSL Key to IIS Key

  1. Decrypt the server key 
    $ openssl rsa -in server.pem -out server.key
  2. Combine the server key and the signed certificate 
    $ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12

9.8 Self Signed Certificate

  1. Generate a key:
    $ openssl genrsa -des3 1024 >server.pem
  2. Generate the self signed certificate
    $ openssl req -new -key server.pem -x509 -days 3650 -out server.crt
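The key round trip of 9.4 and 9.5, the PKCS#12 bundle of 9.7 and the self-signed certificate of 9.8, as an added example that is not part of the FAQ: each step runs non-interactively with the passphrase passed via -passin/-passout, and each result is checked (that the encrypted file really needs the passphrase, that the decrypted copy is the same key, that the bundle carries the expected certificate). File names, the passphrase and the DN are constructed for the example; 2048-bit keys and AES-256 are this example's choices where the FAQ uses 1024 bits and -des3.

```shell
#!/bin/sh
# Added example (not from the FAQ): key encryption round trip (9.4/9.5),
# self-signed certificate (9.8) and PKCS#12 export (9.7), all non-interactive.
# Names, the passphrase and the DN below are constructed for the example.
set -eu

new_key() {                     # usage: new_key <plain.key>
    openssl genrsa -out "$1" 2048 2>/dev/null
}

encrypt_key() {                 # usage: encrypt_key <plain.key> <enc.pem> <passphrase>  (9.5)
    openssl rsa -aes256 -in "$1" -out "$2" -passout "pass:$3" 2>/dev/null
}

decrypt_key() {                 # usage: decrypt_key <enc.pem> <plain.key> <passphrase>  (9.4)
    openssl rsa -in "$1" -out "$2" -passin "pass:$3" 2>/dev/null
}

is_encrypted() {                # true only if the file cannot be read without the passphrase
    ! openssl rsa -in "$1" -noout -passin pass:wrong-on-purpose 2>/dev/null
}

same_key() {                    # true if two key files hold the same RSA key (compare moduli)
    a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$a" = "$b" ]
}

self_signed_cert() {            # usage: self_signed_cert <plain.key> <cert.crt>  (9.8 step 2)
    openssl req -new -x509 -key "$1" -days 3650 -sha256 \
        -subj "/C=US/O=DPSI/CN=ssl.example.test" -out "$2" 2>/dev/null
}

make_p12() {                    # usage: make_p12 <cert.crt> <plain.key> <out.p12> <passphrase>  (9.7)
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

p12_subject() {                 # prints the CN of the certificate inside the bundle
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

if [ "${1:-}" = run ]; then     # stand-alone run: ./keys-demo.sh run
    d=$(mktemp -d); pw='demo-passphrase'
    new_key "$d/server.key"
    encrypt_key "$d/server.key" "$d/server.pem" "$pw"
    decrypt_key "$d/server.pem" "$d/server2.key" "$pw"
    is_encrypted "$d/server.pem" && echo "server.pem needs the passphrase"
    same_key "$d/server.key" "$d/server2.key" && echo "decrypted copy matches the original key"
    self_signed_cert "$d/server.key" "$d/server.crt"
    make_p12 "$d/server.crt" "$d/server.key" "$d/server.p12" "$pw"
    echo "server.p12 holds CN=$(p12_subject "$d/server.p12" "$pw")"
fi
```

The pass: form of -passin/-passout is used only so the steps can be scripted and checked; for a key you intend to keep, type the passphrase at the prompt as the FAQ does, so it does not end up in shell history or a process listing.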


9.9 Create a Private CA

  1. Change to working directory
    $ cd ~/certs
  2. Create the directory structure in which openssl ca keeps its database of issued certificates, the serial number counter and the new certificates. This may require updating the configuration in /usr/share/ssl/openssl.cnf.
    $ mkdir -p DPSI-CA/certs 
    $ mkdir -p DPSI-CA/crl 
    $ mkdir -p DPSI-CA/newcerts 
    $ mkdir -p DPSI-CA/private 
    $ touch DPSI-CA/index.txt 
    $ touch DPSI-CA/private/.rand 
    $ echo 01 >DPSI-CA/serial
  3. Create the self-signed key and cert
    $ openssl req -new -x509 -keyout DPSIkey.pem -out DPSIcert.pem -days 3650
  4. Use a good passphrase when prompted for one.
  5. Use reasonable values for the remaining questions
    Country Name (2 letter code) [GB]:US 
    State or Province Name (full name) [Berkshire]:California 
    Locality Name (eg, city) [Newbury]:Los Angeles 
    Organization Name (eg, company) [My Company Ltd]:DPSI 
    Organizational Unit Name (eg, section) []:Systems 
    Common Name (eg, your name or your server's hostname) []:dpsi-corp.com  
    Email Address []:
  6. The new CA private key will be in DPSIkey.pem. The self-signed CA certificate, containing the public key, is in DPSIcert.pem.
If this CA is being generated for "real" it is a good idea to copy the private key and certificate to a safe place and delete the originals. It might be a really good idea to burn them onto a CD that is only mounted when a certificate needs to be signed.
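The whole procedure of 9.9, 9.2 and 9.3 in one place, as an added example that is not part of the FAQ: a throwaway private CA with the directory layout from 9.9 and the minimal openssl configuration that openssl ca needs for it, a key and signing request made with -subj instead of the prompts, a -batch signing run, and the checks a practitioner wants before installing the result (request signature, chain verification against the CA certificate, key matching the certificate, CA database entry). Directory and file names, DN values and the hostname ssl.example.test are constructed for the example; 2048-bit keys, SHA-256 and the subjectAltName are this example's choices.

```shell
#!/bin/sh
# Added example (not from the FAQ): private CA (9.9), CSR (9.2) and signing
# (9.3) done non-interactively so each step can be checked. Names, DN values
# and ssl.example.test are constructed for the example.
set -eu

make_ca() {                     # usage: make_ca <workdir>
    ca="$1/DPSI-CA"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    # Minimal config for "openssl ca"; \$dir stays literal for openssl to expand.
    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/DPSIkey.pem
certificate     = \$dir/DPSIcert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
# Copying requester extensions is only safe because we author the CSRs
# ourselves; a CA signing third-party requests should set them itself.
copy_extensions = copy
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate (9.9 step 3). -nodes leaves the key unencrypted
    # only for the demo; the FAQ's encrypted key on a CD is right for a real CA.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=US/ST=California/O=DPSI/OU=Systems/CN=DPSI Example CA" \
        -keyout "$ca/private/DPSIkey.pem" -out "$ca/DPSIcert.pem" 2>/dev/null
}

make_csr() {                    # usage: make_csr <workdir> <hostname>
    # 9.2 with the answers given via -subj; the SAN is what clients match the
    # hostname against, the CN alone is not enough for current clients.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=California/L=Los Angeles/O=DPSI/OU=Systems/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server.key" -out "$1/certreq.req" 2>/dev/null
    # The check "openssl ca" reports as "Signature ok": the CSR's self-signature.
    openssl req -in "$1/certreq.req" -noout -verify 2>/dev/null
}

sign_csr() {                    # usage: sign_csr <workdir>  (9.3 step 2)
    # -batch answers "y" to both questions; -notext writes only the PEM block.
    openssl ca -batch -notext -config "$1/DPSI-CA/ca.cnf" \
        -in "$1/certreq.req" -out "$1/server.crt" 2>/dev/null
}

cert_cn() {                     # prints the CN of the issued certificate (cf. 9.6)
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

issued_count() {                # number of valid ("V") entries in the CA database
    grep -c '^V' "$1/DPSI-CA/index.txt"
}

verify_chain() {                # true only if DPSIcert.pem signed server.crt
    openssl verify -CAfile "$1/DPSI-CA/DPSIcert.pem" "$1/server.crt" | grep -q ': OK$'
}

key_matches_cert() {            # true if server.key is the key in server.crt
    k=$(openssl rsa -in "$1/server.key" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

if [ "${1:-}" = run ]; then     # stand-alone run: ./ca-demo.sh run
    w=$(mktemp -d)
    make_ca "$w"; make_csr "$w" ssl.example.test; sign_csr "$w"
    echo "issued to CN=$(cert_cn "$w"), $(issued_count "$w") entry in index.txt"
    verify_chain "$w" && echo "chain verifies against DPSIcert.pem"
    key_matches_cert "$w" && echo "server.key matches server.crt"
fi
```

The policy section is what makes openssl ca accept the request's DN; the stock openssl.cnf ships a stricter policy that requires country, state and organisation to match the CA certificate, which is the usual cause of "field needed to be the same" errors when a request is signed against an unmodified default configuration.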



2005-03-20