The Short Introduction to TLS Certificates

Why do we need TLS?



If you have to ask this question, then you probably do not need TLS at all. TLS is a technology that allows for authenticated and/or encrypted communication. However, I am not going to explain in details what TLS is. If this is the question whose answer you're seeking, then you have better try a search on Google. This HOWTO is aiming at guiding you through the basic steps in creating your own TLS certificates for your own servers. This means that I am assuming that you know enough about *nix like operating systems, and that you also have an idea what TLS certificates are used for.



Create the certificate



The process of creating an SSL certificates usually goes like this:




  • Create a private key

  • Create a certificate request

  • Send the certificate request to your CA

  • Receive the certificate from your CA



Now, we'll cover each step on the way.



Create the private key



First we need to generate your key. It is also possible to generate it on the fly in the next step, but if you create it separately you have better control over the type of key you'll be creating.



The command that we'll use for creating your key is



openssl genrsa


It has several options, that you can see with



openssl genrsa -help


You don't need most of the options, because if you are creating a key for a server, then you must not encrypt it, or your server software will be unable to use it.



Simply create the key and save it to a file.



openssl genrsa -out server.key 2048


You can also change 2048 to the number of bits that you want.



Make sure that nobody can read the file. Just in case run



chmod 600 server.key


Once the key is ready, you're ready to proceed.



Create a certificate request



Next, you need to create the certificate request, which is the tricky part. The command this time will be



openssl req


and it also has options that you have better look at this time.



Before running the command, however, you need to create a configuration file. This file will describe who the certificate belongs to, and what its intended purposes are. You can also use the openssl.cnf file that comes with the OpenSSL distribution.



You can use the stock openssl.cnf as a template for creating your own file, or you can create a file based on this template:



[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=JP
ST=Tokyo
L=Tokyo
O=GG3.NET
OU=Sample SSL key
CN=tips.at.gg3.net

[ cert_type ]
nsCertType = server


You should put the name of the server on the CN line, and the e-mail address of the administrator (you) on the emailAddress line. You can also set prompt to yes if you want to be asked for confirmation for the value of every field. You can also change the value when you're prompted.



Once you have your configuration file ready, save it as server.cnf or something and execute



openssl req -new -nodes -key server.key -config server.cnf -days 365 -out server.req


If the command produces no output, everything is O.K. You can check your certificate request with



# openssl req -noout -text -in server.req -config server.cnf


Get your signed certificate



All you have to do next is send the server.req file to your CA, wait for them to get it signed and use the new file for whatever needs you have. Some software cannot read the certificate and the key from different files, so you may need to append both files to one. Just make sure that nobody can read the file.



Your own CA



What happens when an average person want a certificate, but doesn't want to spend big money on one. There are of course alternatives to SSL, all with their drawbacks.



If you want to create a certificate for signing and receiving encrypted e-mail, you may prefer to think of alternatives like PGP.



The other alternative is to become your own CA. The problem with this method is that other people will not be able to automaticaly recognize your authority, and therefore not trust the certificates that you issue. However, if you can convince the people connecting to you that the certificates are indeed genuine, you can safely proceed.



Prepare the configuration



First, you will need to create a directory where you will keep the certificates that you are going to issue. You can safely use openssl.cnf, because it is used by your certificate authority command by default anyway. The relevant section of mine looks like this:
[ CA_default ]



dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.



certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number



crlnumber = $dir/crlnumber # the current crl number



                                    # must be commented out to leave a V1 CRL


crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file



x509_extensions = usr_cert # The extentions to add to the cert



Comment out the following two lines for the "traditional"



(and highly broken) format.



name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
I prefer to use an absolute path for dir, because this way I can sign certificates from any directory.



You also need to create the directory structure, before you can sign certificates. This simple script (taken from CA.sh that is installed with the OpenSSL package) does the job.



!/bin/sh



CATOP=/etc/ssl
mkdir ${CATOP}
mkdir ${CATOP}/certs
mkdir ${CATOP}/crl
mkdir ${CATOP}/newcerts
mkdir ${CATOP}/private
echo "01" > ${CATOP}/serial
touch ${CATOP}/index.txt



Create certificate and key



In order to use your CA, you also need to generate a separate pair of key/certificates for it. The process is almost identical to what we discussed in the previous chapter.



Generate a key for your CA.
touch cakey.pem
chmod 600 cakey.pem
openssl genrsa -des3 -out cakey.pem 2048
Add the following section to your server.cnf.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints=CA:true
Now create your certificate
openssl req -new -x509 -out cacert.pem -days 1825 -config ca.cnf -extensions v3_ca -key cakey.pem



Now that you have your certificates, move them to the appropriate location, as described in openssl.cnf.
mv cakey.pem ${CATOP}/private/
mv cacert.pem ${CATOP}/
Now try to sign the request you made in the previous chapter
openssl ca -in server.req -out server.pem -config /etc/ssl/openssl.cnf
Did it work? No? This would mean that I did not do a good job explaining. If you send me an e-mail telling me about your problem, I will try to improve this HOWTO.

Comments

Post a Comment

Popular posts from this blog

FreeIPA cluster with containers

Notes on how to install a FreeIPA cluster on Ubuntu. Mostly following the instructions on https://github.com/freeipa/freeipa-container Start with what would be the primary host. If you install a third replica you would want to review the replica agreements to ensure you have a two-way replication between all pairs of nodes.
Read more

ADSL Router Model CT-5367 user and pass (VIVACOM)

Writing down the username and password for the vivacom ADSL router, in case I need it again. user: root pass: warmWLspot Useful to telnet 192.168.1.1 and then reboot . Originally found at Neo2SHYAlien blog . And here I found passwords for other models, just in case. ZTE ZXDSL 832 username: root password: GSrootaccess ZTE ZXDSL 831 username: root password: GSrootaccess ZTE username: root password: 831access Huawei SmartAX MT882 username: root password: MT882rootaccess ZTE ZXDSL-531b username: root password: rootWLaccess Pirelli – DRG – A124G username: root password: warmWLspot Comtrend CT-5367 username: root password: warmWLspot HG530 Home Gateway username: root password: warmWLspot
Read more

Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data. Device Start End Sectors Size Type /dev/sda1 2048 32767 30720 15M BIOS boot /dev/sda2 32768 442367 409600 200M Linux filesystem /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem Encrypt partitions number 2 and 3, and open them cryptsetup luksFormat /dev/sda2 cryptsetup luksFormat /dev/sda3 cryptsetup luksOpen /dev/sda2 crypt_boot cryptsetup luksOpen /dev/sda3 crypt_data Format the boot partition mkfs.btrfs /dev/mapper/crypt_boot Prepare LVM for the rest, and format the top level vgcreate vg0 /dev/mapper/crypt_data lvcreate -l 100%FREE -n data vg0 mkfs.btrfs /dev/vg0/data Mount and set up any subvolumes mount /dev/vg0/data /mnt/gentoo btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home umount /mnt/gentoo Now...
Read more