SSL Certificates

  So called SSL/TLS certificates are cryptographic public key certificates and are composed
  of a public and a private key. The certificates are used to authenticate the endpoints and
  encrypt the data. They are used for example on a web server (https) or mail server (imaps).

Procedure

    * We need a certificate authority to sign our certificate. This step is usually provided
      by a vendor like Thawte, Verisign, etc., however we can also create our own.
    * Create a certificate signing request. This request is like an unsigned certificate (the
      public part) and already contains all necessary information. The certificate request is
      normally sent to the authority vendor for signing. This step also creates the private
      key on the local machine.
    * Sign the certificate with the certificate authority.
    * If necessary join the certificate and the key in a single file to be used by the
      application (web server, mail server etc.).

Configure OpenSSL

  We use /usr/local/certs as directory for this example check or edit /etc/ssl/openssl.cnf
  accordingly to your settings so you know where the files will be created. Here are the
  relevant part of openssl.cnf:
[ CA_default ]
dir             = /usr/local/certs/CA       # Where everything is kept
certs           = $dir/certs                # Where the issued certs are kept
crl_dir         = $dir/crl                  # Where the issued crl are kept
database        = $dir/index.txt            # database index file.

  Make sure the directories exist or create them
# mkdir -p /usr/local/certs/CA
# cd /usr/local/certs/CA
# mkdir certs crl newcerts private
# echo "01" > serial                        # Only if serial does not exist
# touch index.txt

  If you intend to get a signed certificate from a vendor, you only need a certificate
  signing request (CSR). This CSR will then be signed by the vendor for a limited time (e.g.
  1 year).

Create a certificate authority

  If you do not have a certificate authority from a vendor, you'll have to create your own.
  This step is not necessary if one intend to use a vendor to sign the request. To make a
  certificate authority (CA):
# openssl req -new -x509 -days 730 -config /etc/ssl/openssl.cnf \
-keyout CA/private/cakey.pem -out CA/cacert.pem

Create a certificate signing request

  To make a new certificate (for mail server or web server for example), first create a
  request certificate with its private key. If your application do not support encrypted
  private key (for example UW-IMAP does not), then disable encryption with -nodes.
# openssl req -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf
# openssl req -nodes -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf                # No encryption for the key

  Keep this created CSR (newreq.pem) as it can be signed again at the next renewal, the
  signature onlt will limit the validity of the certificate. This process also created the
  private key newkey.pem.

Sign the certificate

  The certificate request has to be signed by the CA to be valid, this step is usually done
  by the vendor. Note: replace "servername" with the name of your server in the next
  commands.
# cat newreq.pem newkey.pem > new.pem
# openssl ca -policy policy_anything -out servernamecert.pem \
-config /etc/ssl/openssl.cnf -infiles new.pem
# mv newkey.pem servernamekey.pem

  Now servernamekey.pem is the private key and servernamecert.pem is the server certificate.

Create united certificate

  The IMAP server wants to have both private key and server certificate in the same file. And
  in general, this is also easier to handle, but the file has to be kept securely!. Apache
  also can deal with it well. Create a file servername.pem containing both the certificate
  and key.
    * Open the private key (servernamekey.pem) with a text editor and copy the private key
      into the "servername.pem" file.
    * Do the same with the server certificate (servernamecert.pem).

  The final servername.pem file should look like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDutWy+o/XZ/[...]qK5LqQgT3c9dU6fcR+WuSs6aejdEDDqBRQ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIERzCCA7CgAwIBAgIBBDANB[...]iG9w0BAQQFADCBxTELMAkGA1UEBhMCREUx
-----END CERTIFICATE-----

  What we have now in the directory /usr/local/certs/:
    * CA/private/cakey.pem (CA server private key)
    * CA/cacert.pem (CA server public key)
    * certs/servernamekey.pem (server private key)
    * certs/servernamecert.pem (server signed certificate)
    * certs/servername.pem (server certificate with private key)

  Keep the private key secure!

View certificate information

  To view the certificate information simply do:
# openssl x509 -text -in servernamecert.pem      # View the certificate info
# openssl req -noout -text -in server.csr        # View the request info
# openssl s_client -connect cb.vu:443            # Check a web server certificate

You are viewing proxied material from aussies.space. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.