The Short Introduction to TLS Certificates

Why do we need TLS?

If you have to ask this question, then you probably do not need TLS at all. TLS is a technology that allows for authenticated and/or encrypted communication. However, I am not going to explain in details what TLS is. If this is the question whose answer you're seeking, then you have better try a search on Google. This HOWTO is aiming at guiding you through the basic steps in creating your own TLS certificates for your own servers. This means that I am assuming that you know enough about *nix like operating systems, and that you also have an idea what TLS certificates are used for.

Create the certificate

The process of creating an SSL certificates usually goes like this:

  • Create a private key

  • Create a certificate request

  • Send the certificate request to your CA

  • Receive the certificate from your CA

Now, we'll cover each step on the way.

Create the private key

First we need to generate your key. It is also possible to generate it on the fly in the next step, but if you create it separately you have better control over the type of key you'll be creating.

The command that we'll use for creating your key is

openssl genrsa

It has several options, that you can see with

openssl genrsa -help

You don't need most of the options, because if you are creating a key for a server, then you must not encrypt it, or your server software will be unable to use it.

Simply create the key and save it to a file.

openssl genrsa -out server.key 2048

You can also change 2048 to the number of bits that you want.

Make sure that nobody can read the file. Just in case run

chmod 600 server.key

Once the key is ready, you're ready to proceed.

Create a certificate request

Next, you need to create the certificate request, which is the tricky part. The command this time will be

openssl req

and it also has options that you have better look at this time.

Before running the command, however, you need to create a configuration file. This file will describe who the certificate belongs to, and what its intended purposes are. You can also use the openssl.cnf file that comes with the OpenSSL distribution.

You can use the stock openssl.cnf as a template for creating your own file, or you can create a file based on this template:

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
OU=Sample SSL key

[ cert_type ]
nsCertType = server

You should put the name of the server on the CN line, and the e-mail address of the administrator (you) on the emailAddress line. You can also set prompt to yes if you want to be asked for confirmation for the value of every field. You can also change the value when you're prompted.

Once you have your configuration file ready, save it as server.cnf or something and execute

openssl req -new -nodes -key server.key -config server.cnf -days 365 -out server.req

If the command produces no output, everything is O.K. You can check your certificate request with

# openssl req -noout -text -in server.req -config server.cnf 

Get your signed certificate

All you have to do next is send the server.req file to your CA, wait for them to get it signed and use the new file for whatever needs you have. Some software cannot read the certificate and the key from different files, so you may need to append both files to one. Just make sure that nobody can read the file.

Your own CA

What happens when an average person want a certificate, but doesn't want to spend big money on one. There are of course alternatives to SSL, all with their drawbacks.

If you want to create a certificate for signing and receiving encrypted e-mail, you may prefer to think of alternatives like PGP.

The other alternative is to become your own CA. The problem with this method is that other people will not be able to automaticaly recognize your authority, and therefore not trust the certificates that you issue. However, if you can convince the people connecting to you that the certificates are indeed genuine, you can safely proceed.

Prepare the configuration

First, you will need to create a directory where you will keep the certificates that you are going to issue. You can safely use openssl.cnf, because it is used by your certificate authority command by default anyway. The relevant section of mine looks like this:
[ CA_default ]

dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number

crlnumber = $dir/crlnumber # the current crl number

                                    # must be commented out to leave a V1 CRL

crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

Comment out the following two lines for the "traditional"

(and highly broken) format.

name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
I prefer to use an absolute path for dir, because this way I can sign certificates from any directory.

You also need to create the directory structure, before you can sign certificates. This simple script (taken from that is installed with the OpenSSL package) does the job.


mkdir ${CATOP}
mkdir ${CATOP}/certs
mkdir ${CATOP}/crl
mkdir ${CATOP}/newcerts
mkdir ${CATOP}/private
echo "01" > ${CATOP}/serial
touch ${CATOP}/index.txt

Create certificate and key

In order to use your CA, you also need to generate a separate pair of key/certificates for it. The process is almost identical to what we discussed in the previous chapter.

Generate a key for your CA.
touch cakey.pem
chmod 600 cakey.pem
openssl genrsa -des3 -out cakey.pem 2048
Add the following section to your server.cnf.
[ v3_ca ]
Now create your certificate
openssl req -new -x509 -out cacert.pem -days 1825 -config ca.cnf -extensions v3_ca -key cakey.pem

Now that you have your certificates, move them to the appropriate location, as described in openssl.cnf.
mv cakey.pem ${CATOP}/private/
mv cacert.pem ${CATOP}/
Now try to sign the request you made in the previous chapter
openssl ca -in server.req -out server.pem -config /etc/ssl/openssl.cnf
Did it work? No? This would mean that I did not do a good job explaining. If you send me an e-mail telling me about your problem, I will try to improve this HOWTO.


Popular posts from this blog

Installing Gentoo with full disk encryption

ADSL Router Model CT-5367 user and pass (VIVACOM)

FreeIPA cluster with containers