Thread: How to create self-signed SSL certificate?

  1. #1
    Join Date
    Sep 2010
    Posts
    59

    How to create self-signed SSL certificate?

    Many users would like to run their mail server or secure web server with SSL, but do not know how to create the SSL certificates. With SSL, communication between client and server is encrypted, so all transmitted data such as passwords, email and web pages is encrypted. The advantage of self-signed certificates over purchased ones is quite simple: they cost NOTHING! To do this, you need openssl and, in our case, a Linux machine. The goal of this how-to is that at the end you have a certification authority (Root CA) with which you can create as many self-signed certificates as you like.

    Install OpenSSL

    Before we can create SSL certificates, we need to install OpenSSL. Install OpenSSL by running:
    aptitude install openssl

    First we must create a certificate authority (Root CA). This is needed so that we can sign our certificates ourselves. Only then will we have valid certificates. Create the following folders and files in your home directory.
    cd /home/username
    mkdir CA
    cd CA
    mkdir newcerts private
    The CA directory contains the following:
    • CA Certificate
    • The database containing the signed certificates
    • The keys, requests and certificates we generate

    It is also our working directory, in which we will create and sign certificates. The CA/newcerts directory contains:
    • A copy of every signed certificate

    The CA/private directory contains:
    • Our private and secret CA key

    This key is very important! Without this key, you cannot sign or renew any certificates! So do not lose it under any circumstances! Moreover, make sure the key is readable only by root and does not fall into the wrong hands! Otherwise, you can revoke all the certificates and start from scratch. The next step is to create 2 files that are required for signing the certificates:
    echo '01' >serial
    touch index.txt

  2. #2
    Join Date
    Sep 2010
    Posts
    59

    Re: How to create self-signed SSL certificate?

    Configuration File

    Create a new configuration file "openssl.cnf".
    vim /home/username/CA/openssl.cnf
    with the following contents:
    Code:
    #
    # OpenSSL configuration file.
    #

    # Establish working directory.

    dir = .

    Create Root CA Certificate

    Now we can begin to create the root CA certificate. But first a few details about the configuration. The configuration file is there so that you do not have to enter so many parameters on the command line. In addition, the configuration file is divided into sections, which are read and processed depending on the command-line arguments given. A name in square brackets, e.g. "[req]", marks the beginning of a section. We now need a section for the certificates and a section which defines what type of certificate we want to create. Add the following lines to the new "openssl.cnf":

    Code:
    [req]
    default_bits = 2048 # Size of keys in bits
    default_keyfile = key.pem # name of generated keys
    default_md = sha256 # message digest algorithm
    string_mask = nombstr # permitted characters
    distinguished_name = req_distinguished_name

    [req_distinguished_name]
    # Variable name                Prompt string
    #----------------------        ----------------------------------
    0.organizationName = Organization Name (company)
    organizationalUnitName = Organizational Unit Name (department, division)
    emailAddress = Email Address
    emailAddress_max = 40
    localityName = Locality Name (city, district)
    stateOrProvinceName = State or Province Name (full name)
    countryName = Country Name (2 letter code)
    countryName_min = 2
    countryName_max = 2
    commonName = Common Name (hostname, IP, or your name)
    commonName_max = 64

    # Default values for the above, for consistency and less typing.
    # Variable name                Value
    #------------------------------ ------------------------------
    0.organizationName_default = The Sample Company
    localityName_default = Basel
    stateOrProvinceName_default = Basel-Stadt
    countryName_default = CH

    # Extensions for the root CA certificate (selected with -extensions v3_ca)
    [v3_ca]
    basicConstraints = CA:TRUE
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    Note that, so that our CA certificate is protected against unauthorized use, the certificate is password protected. Everyone who wants to sign a certificate with our CA certificate has to enter a password. Now we can create our self-signed root certificate. Command-line options used:
    • A new self-signed certificate: -new -x509
    • Create a CA certificate: -extensions v3_ca
    • Validity: -days 3650
    • Output to the specified files: -keyout, -out
    • Use your own configuration file: -config ./openssl.cnf

    (A note regarding the validity of the root certificate: when a root certificate expires, all certificates that are signed with the root certificate are no longer valid. For that reason our root certificate is valid for 10 years!)

  3. #3
    Join Date
    Sep 2010
    Posts
    59

    Re: How to create self-signed SSL certificate?

    Execute this command. You will be asked for a new password, which you'll have to enter twice. Remember this password! It is required to sign your certificates.
    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
        -out cacert.pem -days 3650 -config ./openssl.cnf
    This creates two files:
    • A private key in "private/cakey.pem"
    • A root CA certificate "cacert.pem"

    cacert.pem is the file which is distributed to clients so that they can import the root CA certificate manually. Below there is a method of how to offer the CA certificate, as a file with the file extension ".crt", as a download link. More on that below. View the private key:
    cat /home/username/CA/private/cakey.pem
    The private key (cakey.pem) looks like this:

    Code:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,3A1E24518648628
    
    -----END RSA PRIVATE KEY-----
    Of course we do not want to show cakey.pem to anyone. This CA key is to be used any more. The CA's certificate:
    cat /home/username/CA/cacert.pem
    To view individual sections of the certificate, you can use the following commands:
    openssl x509 -in cacert.pem -noout -text

    or

    openssl x509 -in cacert.pem -noout -dates

    or

    openssl x509 -in cacert.pem -noout -purpose
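
The steps from posts #1 to #3 as one non-interactive script, followed by an audit of the result. This is an added example, not code from the thread's author; the subject, the scratch directory, the CA_PASS environment variable and the two function names are assumptions, and the key size and digest are set to 2048-bit RSA and SHA-256.

```shell
#!/bin/sh
# Added example: build the thread's root CA in a scratch directory, then audit it.
# Subject, directory and the CA_PASS passphrase variable are constructed placeholders.

build_root_ca() {                      # needs CA_PASS exported in the environment
  ca=$1
  ( umask 077                          # nothing created here is group/world readable
    mkdir -p "$ca/newcerts" "$ca/private" && cd "$ca" || exit 1
    echo '01' > serial && touch index.txt
    cat > openssl.cnf <<'EOF'
dir = .
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = Common Name (hostname, IP, or your name)
[v3_ca]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
    # -subj and -passout replace the interactive prompts of the original command
    openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
      -out cacert.pem -days 3650 -config ./openssl.cnf \
      -subj '/O=The Sample Company/CN=Sample Root CA' \
      -passout env:CA_PASS 2>/dev/null &&
    chmod 600 private/cakey.pem && chmod 644 cacert.pem )
}

audit_root_ca() {                      # 0 = all checks pass, otherwise the failed check
  ca=$1
  text=$(openssl x509 -in "$ca/cacert.pem" -noout -text) || return 1
  echo "$text" | grep -q 'CA:TRUE' || return 2                # not marked as a CA
  echo "$text" | grep -Eq 'Signature Algorithm: (md5|sha1)' && return 3   # weak digest
  bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || return 4                       # RSA key too short
  grep -q 'ENCRYPTED' "$ca/private/cakey.pem" || return 5     # key has no passphrase
  [ "$(ls -l "$ca/private/cakey.pem" | cut -c5-10)" = "------" ] || return 6  # key readable by others
  openssl verify -CAfile "$ca/cacert.pem" "$ca/cacert.pem" >/dev/null 2>&1 || return 7
  return 0
}
```

Export CA_PASS, call build_root_ca with a directory, then audit_root_ca on the same directory; the return code names the first check that failed.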

  4. #4
    Join Date
    Sep 2010
    Posts
    59

    Re: How to create self-signed SSL certificate?

    Create Server Certificate

    Since we now have a root certificate, we can begin to create the SSL server certificate for our SSL applications such as https, SPOP, SIMAP or stunnel. The procedure is as follows: first we create a private key and a certificate request, then we sign the request with the root certificate, which gives us a valid certificate. Our "openssl.cnf" now needs a few more sections to create non-CA certificates. Add the following to the end of the file:
    Code:
    [v3_req]
    basicConstraints = CA:FALSE
    subjectKeyIdentifier = hash
    So that we do not have to repeat the same thing every time on the command line, add the following to the "[req]" section after "distinguished_name":
    Code:
    distinguished_name = req_distinguished_name
     req_extensions = v3_req
    Now we are ready to create our first certificate request. In this example, we create a certificate for a secure web server with the domain secure.yourdomain. Everything looks pretty similar to the Root CA certificate, except for three entries which change in the certificate request.
    • Organizational unit: an indication of what the certificate is for
    • Email Address: the email address of the web server administrator
    • Common Name: the host name / domain name for which the certificate is needed.

    The common name must match exactly the server name or domain name with which the clients access the secure site. When this name does not match, all clients that want to connect to the SSL-protected web page get a warning! The warning asks you whether you trust this server and want to use it anyway! The error message that appears on the client: "Warning! You asked for mail.sample.com; the responding machine's certificate is for secure.yourdomain. Are you sure you want to continue?" It is also possible to create a so-called wildcard certificate for all subdomains of a domain, for example "*.yourdomain"; it is then valid for all subdomains of this domain. However, this is usually needed more in reverse proxy solutions.

  5. #5
    Join Date
    May 2011
    Posts
    1

    Re: How to create cross certificate SSL certificate?

    How to create cross certificate SSL certificate?
