How to Create Self-Signed SSL Certificates with OpenSSL
Introduction
This is a brief and superficial tutorial on creating self-signed SSL certificates using OpenSSL. So what is an SSL certificate and why would you want one? Without getting overly complex, SSL certificates verify your identity to an end user and make it possible to encrypt the communication between two hosts. In short, SSL works like this. The browser checks the web server's certificate to see whether it's valid or not. If the certificate is valid and not someone trying to impersonate the intended destination web server, the browser and web server negotiate an encryption algorithm they both understand. Once a negotiation has been reached they use unique keys (a public key and a private key) for encrypting and decrypting the data on both sides. Finally the browser and web server communicate securely so no one can eavesdrop on their conversation.
Secure Sockets Layer (SSL) is used in e-commerce and other applications where the information being transmitted must be secure and not visible to anyone watching the network traffic. A practical e-commerce example would be making a purchase from an online store. When you enter your credit card information and click a submit button, your information is sent from your web browser to the store's server. It's encrypted using SSL so no one else can read it as it travels across the internet. An application example could be acquiring UPS shipping rates in real time. When you have an account with UPS you must establish a user ID and password, and are then assigned a license key. You would transmit these credentials programmatically to their server to request pricing for, say, sending a package to New York from your location. You wouldn't want your credentials sent in plain text because someone could steal your account information, so to combat this UPS offers their XML service through an SSL-enabled URL.
Now that you have a general understanding of SSL we come to the certificate signing part. SSL certificates must be signed by a trusted authority, more commonly known as a Certificate Authority (CA). CAs confirm your identity by adding their signature to your SSL certificate. On the browser side, browsers like Firefox and Internet Explorer have a list of CA fingerprints to match against the SSL certificates they come across. For example, when you go to an SSL-enabled URL, that certificate would be signed by a company like Verisign, Thawte, Comodo, or some other CA. Your web browser checks the certificate's CA fingerprint to make sure it hasn't been forged and is a valid and trusted certificate. If all goes well your browser accepts the certificate without complaint; however, if it doesn't have the fingerprint on file it complains and typically throws up a window saying the certificate is bad or shouldn't be trusted. CAs usually ask for proof of your company, like a copy of your DBA (Doing Business As) registration, before they'll sign your certificate. Also, be prepared to hand over some cash, because CAs won't sign your certificate for free.
So where does that leave us individuals and non-commercial entities who want to use SSL to encrypt our data? The answer is self-signed certificates. Self-signed certs are the same as CA-signed versions except that a CA doesn't stamp them with its approval; instead you stamp them with yours. Self-signed certs offer the same amount of protection but at the cost of the annoying popup alert the browser displays and of someone being able to forge your identity; however, they are completely free and easy to make using OpenSSL. If you want to create your own private-use SSL certificate then keep reading this tutorial and you'll learn how. Make sure you're logged in as root and are in your home directory. Also, be sure to create a directory called ssl and move into it (we'll create our SSL files here temporarily).
Generate Your Private Key
The first step in creating a self-signed SSL certificate is to generate your private key. Its purpose is to encrypt data to be decrypted by the public key and vice versa, so basically one cannot work without the other since they are both mathematically linked. The private key is stored on the web server and should never be shared with anyone (protect it at all costs!). Your private key can be either RSA or DSA based with a minimum of 1024 bits, encrypted with a cipher such as TripleDES. For our private key we'll use RSA, 1024 bits, and TripleDES (I've gone as far as to use 4096 bits - more secure but slower to encrypt/decrypt). Our private key password should contain a minimum of 12 characters, and they should be alphanumeric with some special characters like spaces, dollar signs, asterisks, etc. The point is to choose a password that is very hard to crack and not dictionary based. When you figure out what password you're going to use for your private key, write it down and keep it in a safe place. Don't lose this password, because when it comes time to renew your certificate you'll have to trash it and start over from scratch.
#yum install mod_ssl
#openssl genrsa -des3 -out server.key 1024
[enter a password]
[confirm your password]
Our private key has been created and saved as server.key. We can now move on to creating the certificate signing request (public key).
Certificate Signing Request (CSR)
The certificate signing request (CSR) is an unsigned copy of the SSL certificate. The CSR contains the public key and X.509 certificate attributes including your country, state, organization name, the server's common name or FQDN (fully qualified domain name), and other information. Before you can get a digital certificate from a CA you'll need to generate a CSR on the server you'll be using the SSL certificate on. The most important attribute, which you should pay close attention to, is the common name. You must use the FQDN of the server you'll be protecting with SSL. For example, if you want to use https://secure.yourdomain.com then the common name would be secure.yourdomain.com. You'll need to configure DNS and your web server to respond to requests for this address. Another thing to know is that when you enter your organizational name, you should use the word 'and' instead of an ampersand '&' character if you have a company name like Law Offices of Smith & Klein. Certificate Authorities like Verisign are very picky about the ampersand and will likely make you redo your CSR if you use one. Play it safe and use 'and' instead of '&'. Now we'll create our certificate signing request (the -new flag tells openssl req to build a new request from the key rather than read an existing one).
#openssl req -new -key server.key -out server.csr
[enter your private key password]
[enter your two character country code]
[enter your full state or province name]
[enter your city name]
[enter your company name]
[enter your organizational unit or leave it blank]
[enter your common name or fqdn]
[enter your admin email address]
[leave the rest of the attributes blank]
Our CSR has been generated and saved as server.csr. At this point you could send in the request to a CA, pay the fee, prove your identity, and they would then issue you an SSL certificate. All they need is the contents of server.csr, which can be displayed with the cat command.
#cat server.csr
You would send everything to the CA starting from the first hyphen to the last one (the entire file).
Sign Your Certificate Signing Request
With our CSR generated we come to the heart of this tutorial, which is signing your CSR to create an SSL cert for your web server. Since we're signing our own certificate we have much more control over the process. When you have a CA sign your CSR you pay for a year, two years, or possibly more. In our case we can specify how many days our certificate is good for before it expires and needs to be re-signed. We'll be using 365 days, but feel free to use a value greater than one year (maybe 5475 days, or 15 years...that should take a while for the clock to run out).
#openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[enter your private key password]
Our self-signed certificate has been created and saved as server.crt. You will use this certificate and the private key for Apache to enable SSL on your server, however before we do that we will remove the passphrase from our private key.
Remove the PassPhrase From Your Private Key
When your private key has a passphrase, Apache has no way of knowing it and will prompt you for the password whenever the service is started. As you can imagine, this would be a major inconvenience if you need to edit any virtual hosts and reload the changes, or if your server crashed or rebooted itself. Apache would just sit there and wait for you to key in the password for each SSL-enabled host. The solution to this dilemma is to remove the passphrase from the private key file. Of course, something that simple isn't without another problem. When you remove the encryption from your private key you're also removing its protection: anyone who can read the file has the key. If your private key were ever stolen you would need to have your certificate revoked. One course of action is to make your private key readable only by root (chmod 400). Let's remove the passphrase from our private key.
#cp server.key server.key.secure
#openssl rsa -in server.key.secure -out server.key
[enter your private key password]
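The whole procedure above, from key generation through the passphrase-free copy, as one non-interactive POSIX shell script, followed by the checks worth running before handing the files to Apache. This is an added example and not part of the original tutorial. It assumes the openssl command line tool is installed; it uses 2048-bit RSA instead of the 1024 bits used above, passes the CSR attributes with -subj instead of answering prompts, and adds a subjectAltName extension, because current browsers match the hostname against that extension rather than the common name alone. The hostname, organization and passphrase it uses are constructed placeholders. The check functions at the end do what a browser does before trusting a certificate: confirm that the certificate's public key belongs to the private key you are about to install, and that the certificate chains to a trusted root, which a self-signed certificate only does once you add it as one.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes the openssl CLI.
# Hostname, organization and passphrase are constructed placeholders.
set -e

# make_selfsigned DIR CN DAYS PASSPHRASE
# Produces in DIR: server.key.secure (passphrase-protected), server.csr,
# server.crt (self-signed, with SAN) and server.key (passphrase removed,
# mode 400), i.e. the same file names the tutorial ends up with.
make_selfsigned() {
    dir=$1; cn=$2; days=$3; pass=$4
    mkdir -p "$dir"

    # 1. Private key: RSA, TripleDES-encrypted, 2048 bits (tutorial uses 1024).
    openssl genrsa -des3 -passout "pass:$pass" \
        -out "$dir/server.key.secure" 2048 2>/dev/null

    # 2. CSR. -new is required; -subj replaces the interactive prompts.
    #    Note 'and' rather than '&' in O=, for the reason given above.
    openssl req -new -key "$dir/server.key.secure" -passin "pass:$pass" \
        -subj "/C=US/ST=State/L=City/O=Smith and Klein/CN=$cn" \
        -out "$dir/server.csr"

    # 3. Self-sign with our own key. -extfile adds subjectAltName (an
    #    unnamed section is the default section of the extension file).
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key.secure" -passin "pass:$pass" \
        -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null

    # 4. Passphrase-free copy for Apache, readable only by its owner.
    openssl rsa -in "$dir/server.key.secure" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null
    chmod 400 "$dir/server.key"
}

# cert_matches_key CRT KEY: succeeds only if the RSA modulus in the
# certificate equals the one in the private key (same key pair).
cert_matches_key() {
    a=$(openssl x509 -noout -modulus -in "$1")
    b=$(openssl rsa -noout -modulus -in "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_cn CRT: print the common name from the certificate subject.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# cert_san CRT: print the DNS name carried in subjectAltName.
cert_san() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

# trusted_by CRT CAFILE: the client-side check; succeeds if CRT chains
# to a certificate in CAFILE. A self-signed cert passes only against itself.
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# trusted_by_default_store CRT: same check against the system CA bundle.
# This fails for a self-signed certificate; that failure is the browser
# warning described in the introduction.
trusted_by_default_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_selfsigned "$work" secure.example.com 365 'Correct-Horse Battery 7'
echo "files written to $work"
cert_matches_key "$work/server.crt" "$work/server.key" && echo "cert and key match"
echo "CN:  $(cert_cn "$work/server.crt")"
echo "SAN: $(cert_san "$work/server.crt")"
if trusted_by "$work/server.crt" "$work/server.crt"; then
    echo "trusted once the cert itself is added as a trust anchor"
fi
if trusted_by_default_store "$work/server.crt"; then
    echo "unexpected: trusted by the default store"
else
    echo "not trusted by the default store (a browser will warn)"
fi
```

Run it with sh; then copy server.crt and server.key to the paths named in ssl.conf below and keep server.key.secure somewhere the web server cannot read. The cert_matches_key check catches the common mistake of installing a certificate with a key from an earlier run; the trusted_by_default_store failure is expected and is exactly what the browser popup in the introduction reports.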
Install Your Certificate and Private Key
[root@www ~]# vi /etc/httpd/conf.d/ssl.conf
Uncomment
DocumentRoot "/var/www/html"
Uncomment and specify server name
ServerName www.server.world:443
Specify certificate
SSLCertificateFile /etc/pki/tls/certs/server.crt
Specify certificate key
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
[root@www ~]# /etc/rc.d/init.d/httpd restart
For testing