Basics of using OpenSSL
From Section6wiki
Contents |
OpenSSL and the Certificate Dance in FreeBSD
Keep in mind this is just one way to do this, there are a million others with different variables, order, and even using a perl script. This is just one of many that works.
Preparing to do SSL stuff
First, edit /etc/ssl/openssl.cnf. Edit "dir = ./demoCA" to where you're going to store your certs and keys. I set it to /etc/ssl/CA (remember to create this dir after you're done).
Other vars that I set:
default_days = 3650 default_bits = 2048 countryName_default = US stateOrProvinceName_default = Washington localityName_default = Seattle 0.organizationName_default = My Company commonName_default = example.com emailAddress_default = root@example.com
If you're stuck on default bits, a good place to read is here:
http://www.schneier.com/crypto-gram-0204.html
Also make sure that
certificate = $dir/cacert.pem
or you'll get errors
if you have another openssl installed you'll want to make sure you're on the same page no matter which one you're using:
rm /usr/local/etc/openssl.cnf ln -s /etc/ssl/openssl.cnf /usr/local/etc/openssl.cnf
Caveat: Not using -nodes will make your key secure if someone breaks into your box and steals your private keys, but you'll need to worry about typing a password all the time.
Making your own CA
This is necessary if you're not going to use someone like Verisign to sign your key for you.
mkdir /etc/ssl/CA cd /etc/ssl/CA mkdir certs mkdir crls mkdir newcerts mkdir private touch index.txt echo 01 > serial openssl req -nodes -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650
This makes a certificate authority certificate in cacsr.pem and a certificatekey in private/cakey.pem.
Create a Certificate Revocation List
openssl ca -gencrl -out crls/crl.pem
To View the CSR info
openssl req -noout -text -in cert.csr
Making a new Certificate
Here's how to generate public and private certs, the optional company name is the server name ie private.example.com.
cd certs openssl req -nodes -new -keyout www.example.com.key -out www.example.com.csr
Then you'll want to sign this certificate (This is what verisign does too)
openssl ca -out www.section6.net.crt -in www.section6.net.csr -policy policy_anything
So now you have 3 files designated by their common name:
www.example.com.crt # The Signed server certificate
www.example.com.key # The private key for the server cert these files
# are what a hacker would want so keep them secure.
www.example.com.csr # Encrypted private key for the server cert,
# and the cert request.
Installing Certs in Apache
This is here because this is a fairly common example everyone uses, but it can be used for other apps too.
Copy www.example.com.key to /usr/local/etc/apache/ssl.key
and copy www.example.com.crt to /usr/local/etc/apache/ssl.key
Revoking a cetificate
For the paths below you'll want to look up where openssl.cnf says where your crl (cerficate revocation list) is stored. It should be under the "crl" and "crl_dir" derivatives state. On mine it's $dir/crl for crl_dir and $dir/crl/pem<tt> where dir is <tt>/etc/ssl/CA
You'll want to revoke a certificate if you find you no longer need it, it's been compromised, or in the case of openvpn you wish to deny a user access:
openssl ca -revoke certifcate.crt openssl ca -gencrl -out /etc/ssl/CA/crl/crl.pem
To verify the cert has been revoked:
cat cacert.csr /etc/ssl/CA/crl/crl.pem > revoke.pem openssl verify -CAfile revoke.pem -crl_check cerficate.crt
You can delete revoke.pem when you're done.
Generating Diffie Hellman parameters
This isn't needed for Apache, but is needed for other apps such as openvpn. Here's how:
You can use the script at:
/usr/local/share/doc/openvpn/easy-rsa/build-dh
or you can do it manually (recommended) with:
openssl dhparam -out dh1024.pem 1024
You can replace 1024 with whatever your preferred keysize is which should be defined in default bits in you openssl.cnf (see 1st section).
