SSL Certificates

Which type of SSL Certificate to websites use?

The generally supported certificate type (both for clients and servers) is RSA.

The standard keysize for commercial security (eg. banking) sites is 1024 bit. Some sites (eg. Verisign) have 2048 bit keys.

The recommendation from the openssl folk is that keys should be 2048 bit or larger to be secure for a reasonable amount of time.

How to set up your own self-signed certificates

Using openssl a self-signed 2048 bit RSA key is created with the following command:

$ openssl genrsa -out private-rsa.key 2048

A encrypted key (requiring a password to unlock) can be generated by adding an extra parameter:

$ openssl genrsa -out private-rsa.key -des 2048

Note however that for web servers the passphrase for the encryption will need to be stored in plain-text on the server unless you want to enter the password manually whenever the web service is restarted.

Once the key exists the RSA self-signed certificate is generated using the following command:

$ openssl req -new -x509 -key private-rsa.key -out self-signed-cert.pem -days 3650

This command generates a 10-year certificate.

Other references:

How to set up your own Certificate Authority

Openssl comes with the required tools to run a minimal CertificateAuthority. Because the tools assume a bunch of files and directories exist a helper script (http://www.openssl.org/docs/apps/CA.pl.html) has been included.

To set up a new CA:

$ /usr/lib/ssl/misc/CA.pl -newca

This steps you through setting up the CA key and certificate and creates the base directory and files.

Other references:

How to sign certificates with your Certificate Authority

Once the CA is in place you can generate certificate requests and issue certificates signed by your CA:

$ openssl req -new -key rsa-key.pem -out server-rsa.req
$ cp server-rsa.req /path/to/ca/newreq.pem
$ cd /path/to/ca
$ /usr/lib/ssl/misc/CA.pl -sign

The resulting newcert.pem is the signed certificate issued by the CA.

Note that CA.pl is based on an earlier shell script called CA.sh, and both versions include the difficult-to-use aspects like the input files having a fixed assumed name (and output files the same). If intending to use the scripts it would probably make sense to wrap them in a second helper script which created the appropriate input files and grabbed the output files in a more user-friendly way. The reason for this unusual interface is the the openssl ca tools were really meant to be an example of functionality.

For anything more complex than a very minimal CA it would make sense to go with a system like OpenCA.

Other references:

How to use commercial Certificate Authorities

Each CA has it's own range of certificate types and processes. You should be able to submit a certificate request generated with openssl.

Other references:

Miscellaneous

Creating the subject hash

From the openssl x509 manpage: This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name.

For example - trusted certificates in /etc/ssl/certs have symlinks like:

00673b5b.0 -> thawte_Primary_Root_CA.pem

To create an openssl hash symlink like this run the following command:

$ ln -s some-cert.pem `openssl x509 -noout -hash -in some-cert.pem`.0

PKCS12 conversion

To make PEM certificates usable by software that requires PKCS12 these commands are helpful:

To convert a PEM certificate to DER (p12):

$ openssl pkcs12 -export -in <pemfile> -out <derfile>

To convert a DER (p12) certificate to PEM:

Note: The PEM file created includes the private key, then the CA public cert and finally the public cert.

$ openssl pkcs12 -nodes -in <derfile> -out <pemfile>

BradsWiki: SslCertificates (last edited 2010-07-20 07:24:32 by BradleyDean)