This chapter is from the book
This chapter is from the book
This chapter is from the book
Managing Certificates
To have a working SSL server implementation, the first step is to create a server certificate. This section explains in detail how to create and manage certificates and keys by using the openssl command-line tool. For example, if you are using SSL for an e-commerce site, encryption prevents customer data from eavesdroppers and the certificate enables customers to verify that you are who you claim to be.
NOTE
The examples refer to the Unix version of the command-line program openssl. If you are running under Windows, you need to use openssl.exe instead and change the paths of the examples to use backslashes instead of forward slashes. The examples also assume that OpenSSL was installed in the path described earlier in the OpenSSL installation section.
Creating a Key Pair
You must have a public/private key pair before you can create a certificate request. Assume that the FQDN for the certificate you want to create is www.example.com. (You will need to substitute this name for the FQDN of the machine you have installed Apache on.) You can create the keys by issuing the following command:
# ./usr/local/ssl/install/bin/openssl genrsa -des3 -rand file1:file2:file3 -out www.example.com.key 1024
genrsa indicates to OpenSSL that you want to generate a key pair.
des3 indicates that the private key should be encrypted and protected by a pass phrase.
The rand switch is used to provide OpenSSL with random data to ensure that the generated keys are unique and unpredictable. Substitute file1, file2, and so on, for the path to several large, relatively random files for this purpose (such as a kernel image, compressed log files, and so on). This switch is not necessary on Windows because the random data is automatically generated by other means.
The out switch indicates where to store the results.
1024 indicates the number of bits of the generated key.
The result of invoking this command looks like this:
625152 semi-random bytes loaded Generating RSA private key, 1024 bit long modulus .....++++++ .........................++++++ e is 65537 (0x10001) Enter PEM pass phrase: Verifying password - Enter PEM pass phrase:
As you can see, you will be asked to provide a pass phrase. Choose a secure one. The pass phrase is necessary to protect the private key and you will be asked for it whenever you want to start the server. You can choose not to protect the key. This is convenient because you will not need to enter the pass phrase during reboots, but it is highly insecure and a compromise of the server means a compromise of the key as well. In any case, you can choose to unprotect the key either by leaving out the -des3 switch in the generation phase or by issuing the following command:
# ./usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
-out www.example.com.key.unsecure
It is a good idea to back up the www.example.com.key file. You can learn about the contents of the key file by issuing the following command:
# ./usr/local/ssl/bin/openssl rsa -noout -text -in www.example.com.key
Creating a Certificate Signing Request
To get a certificate issued by a CA, you must submit what is called a certificate signing request. To create a request, issue the following command:
# ./usr/local/ssl/install/bin/openssl req -new -key www.example.com.key -out www.example.com.csr
You will be prompted for the certificate information:
Using configuration from /usr/local/ssl/install/openssl/openssl.cnf Enter PEM pass phrase: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []: San Francisco Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:www.example.com Email Address []:administrator@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
It is important that the Common Name field entry matches the address that visitors to your Web site will type in their browsers. This is one of the checks that the browser will perform for the remote server certificate. If the names differ, a warning indicating the mismatch will be issued to the user.
The certificate is now stored in www.example.com.csr. You can learn about the contents of the certificate via the following command:
# ./usr/local/ssl/install/bin/openssl req -noout -text
-in www.example.com.csr
You can submit the certificate signing request file to a CA for processing. VeriSign and Thawte are two of those CAs. You can learn more about their particular submission procedures at their Web sites:
VeriSign: http://digitalid.verisign.com/server/apacheNotice.htm
Thawte: http://www.thawte.com
Creating a Self-Signed Certificate
You can also create a self-signed certificate. That is, you can be both the issuer and the subject of the certificate. Although this is not very useful for a commercial Web site, it will enable you to test your installation of mod_ssl or to have a secure Web server while you wait for the official certificate from the CA.
# ./usr/local/ssl/install/bin/openssl x509 -req -days 30 -in www.example.com.csr -signkey www.example.com.key -out www.example.com.cert
You need to copy your certificate www.example.com.cert (either the one returned by the CA or your self-signed one) to /usr/local/ssl/install/openssl/certs/ and your key to /usr/local/ssl/install/openssl/private/.
Protect your key file by issuing the following command:
# chmod 400 www.example.com.key