OpenSSL as Certificate Authority/SSL Test Kit: Quick Cheatsheet

I have always had a love-hate relationship with OpenSSL! But I should agree that it has helped me many times, whenever I wanted to quickly test-drive my craziest ideas with PKI certificates. A couple of things I like about OpenSSL are its tools/utilities for testing, equivalent to a commercial-grade CA, and its FIPS 140 compliance. Also, I always get the required help on the Web, right from the details of how to install and configure it, through all the operations. Here is my attempt to share a quick recipe on using OpenSSL commands, particularly for those looking for help on test-driving SSL certificates using OpenSSL.

(A) Creating RSA Certificates

# openssl genrsa 2048 > myRSA-key.pem

This command creates a 2048-bit key pair and stores it in myRSA-key.pem. The default key size is 512 bits. If you want to password-protect the RSA private key, use the following command (the key size must be the last argument):

# openssl genrsa -aes256 -out myRSA-key.pem 2048

When you run the above command, OpenSSL prompts you for a passphrase and encrypts the key file with the selected algorithm, e.g. AES (-aes128, -aes192, -aes256) or DES/3DES (-des, -des3).

(B) Creating an SSL Server Certificate Signing Request (CSR)

Important Note: This process requires signing by a valid Certificate Authority (CA).

For commercial deployments, you need to obtain the SSL certificates and the associated root CA certificates from a CA (e.g. Cybertrust, Entrust, Verisign). As a first step, you need to create a CSR asking the CA to sign (trust) your certificate. The following is the command for creating a CSR:

# openssl req -new -newkey rsa:1024 -nodes -out myCertReq.pem -keyout myPrivCertKey.pem -subj "/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddress=nramesh@sun.com"

The generated certificate request (myCertReq.pem) must be signed by a CA, otherwise it will not be a valid certificate. The key algorithm is RSA with a 1024-bit size, the certificate will be valid for 365 days, and with the -nodes option the key will be unencrypted. The -subj option sets the Subject DN; the hostname in its “CN” field must be the fully qualified name that you'll use to access your SSL site.

Keep the private key file (myPrivCertKey.pem), as you need it in order to use the server certificate returned by the CA; the private key itself is never sent to the CA. Send only the certificate request (myCertReq.pem) to the CA via email or through their web site. After signing, the CA returns the signed certificate along with its root CA certificates.

(C) Creating the OpenSSL CA certificate

For intranet or testing purposes, you may want to run your own CA, and that can be done with OpenSSL. Similar to process (A), you need to create a private CA key (myCA.key) and then your private CA's X.509 certificate (myCACert.pem):

# openssl genrsa -aes256 -out myCA.key 2048

# openssl req -new -x509 -days 3650 -key myCA.key -out myCACert.pem


(D) Creating a Self-signed certificate (For SSL)

For testing purposes, you may want to test SSL in your applications with self-signed certificates or with your own CA. To create a self-signed certificate:

# openssl req -nodes -x509 -newkey rsa:1024 -out mySelfSignedCert.pem -keyout myPrivServerKey.pem -days 365 -set_serial 01 -subj "/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddress=nramesh@sun.com"

-x509 identifies it as a self-signed certificate and -set_serial sets the serial number of the server certificate. You may want to remove the passphrase from the private key (so that the SSL server will not prompt you for it). Here is the command:

# openssl rsa -in myPrivServerKey.pem -out myPrivServerKey.insecure.pem

In some cases, you may want a single file that contains both the private key and the self-signed certificate:

# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -subj "/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddress=nramesh@sun.com" -keyout myServerCert.pem -out myServerCert.pem

To create an SSL certificate signed by your own Certificate Authority (CA):

# openssl ca -cert myCACert.pem -keyfile myCA.key -in myCertReq.pem -out myServerCert.pem

Here myCACert.pem and myCA.key are the CA certificate and key created in (C). Note that the ca command relies on the CA directory layout (certificate database, serial file, new_certs_dir) configured in openssl.cnf; those files must exist before it will issue anything.
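The following script is an added example, not a command from the post: it runs the whole flow of sections (B), (C), (D) and (F) end to end with a throwaway CA, including the openssl.cnf and CA directory that openssl ca needs, then verifies the issued certificate against the CA and exports a PKCS#12 bundle. File names, passphrases and the config contents are assumptions made for the demo; the server subject DN is the one used on the page.

```shell
#!/bin/sh
# Added example, not from the post: a throwaway CA built with OpenSSL.
# It creates the CA key and cert (C), a server key and CSR (B), signs the CSR
# with "openssl ca" (D), verifies the chain and exports PKCS#12 (F).
# File names, passphrases and the config below are demo assumptions.
set -u

CA_PASS=capass      # passphrase on the CA key (demo value)
P12_PASS=exportpw   # passphrase on the PKCS#12 export (demo value)
SUBJ_CA="/C=US/ST=MA/L=Burlington/CN=Test Root CA"
SUBJ_SRV="/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddress=nramesh@sun.com"

# "openssl ca" needs a CA directory (index, serial, newcerts) and a config
# naming them; write both. $1 should be an absolute path to an empty dir.
write_config() {
    pki=$1
    mkdir -p "$pki/demoCA/newcerts" "$pki/demoCA/private" || return 1
    : > "$pki/demoCA/index.txt"        # issued-certificate database, starts empty
    echo 1000 > "$pki/demoCA/serial"   # next serial number (hex)
    cat > "$pki/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $pki/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
commonName          = supplied
emailAddress        = optional
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:myHost.domain.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

build_test_pki() {
    pki=$1; cfg=$pki/openssl.cnf; ca=$pki/demoCA
    write_config "$pki" || return 1
    # (C) AES-256-protected CA key and a 10-year self-signed CA certificate
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$ca/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 3650 -config "$cfg" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "$SUBJ_CA" -out "$ca/cacert.pem" || return 1
    # (B) unencrypted server key plus a CSR for it
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$pki/server.key" -subj "$SUBJ_SRV" -out "$pki/server.csr" 2>/dev/null || return 1
    # (D) sign the CSR with the CA; -batch skips the y/n prompts, -notext keeps only the PEM
    openssl ca -config "$cfg" -batch -notext -passin "pass:$CA_PASS" \
        -in "$pki/server.csr" -out "$pki/server.pem" 2>/dev/null || return 1
    # (F) bundle certificate, key and CA certificate into one PKCS#12 file
    openssl pkcs12 -export -in "$pki/server.pem" -inkey "$pki/server.key" \
        -certfile "$ca/cacert.pem" -name "test server" \
        -passout "pass:$P12_PASS" -out "$pki/server.p12" || return 1
}

# Exit 0 only if server.pem chains to the CA certificate.
verify_chain() {
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/server.pem" >/dev/null 2>&1
}

# Print the certificate subject read back out of the PKCS#12 bundle.
pkcs12_subject() {
    openssl pkcs12 -in "$1/server.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Stand-alone use: sh this-script.sh /absolute/path/to/empty/dir
if [ $# -gt 0 ]; then
    build_test_pki "$1" && verify_chain "$1" && echo "chain OK" && pkcs12_subject "$1"
fi
```

The config is the part the cheatsheet glosses over: without a database, serial file and new_certs_dir, openssl ca refuses to run, and without the v3_ca and server_ext sections the resulting certificates carry no basicConstraints or subjectAltName, which modern clients and openssl verify reject.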

(E) Testing the Certificate with OpenSSL

OpenSSL provides the s_server command, a simple SSL/TLS server implementation for testing SSL/TLS connections. By default, s_server listens on port 4433. You should be able to test your certificate by running the following command:

# openssl s_server -cert myServerCert.pem -www

The above command launches an OpenSSL-based SSL server using your certificate (if the private key is not in the same file as the certificate, add -key with the key file). To verify an SSL connection with your certificate, open https://localhost:4433/ in your browser. You should see a simple web page listing the connection details and all the supported ciphers.
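As an added example (not from the post), the same check can be done without a browser: start s_server in the background, connect with openssl s_client trusting only the test certificate, and read the "Verify return code" line, which is the chain-validation result a browser would otherwise show as a padlock or warning. The port, file names and CN=localhost are demo choices.

```shell
#!/bin/sh
# Added example, not from the post: exercise "openssl s_server" from the
# command line with "openssl s_client" instead of a browser, and read the
# chain verification result. Port, file names and CN=localhost are demo choices.
set -u

# Self-signed test certificate with an unencrypted key, as in section (D).
make_self_signed() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=localhost" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Start s_server on port $2 in the background (-www serves the status page
# the post mentions); print its PID so the caller can stop it.
start_server() {
    openssl s_server -accept "$2" -cert "$1/cert.pem" -key "$1/key.pem" -www >/dev/null 2>&1 &
    echo $!
}

# Connect once, trusting only the certificates in $1, and print the
# "Verify return code" line: "0 (ok)" means the server chain validated
# against that trust store, anything else is the failure reason.
check_connection() {
    openssl s_client -connect "127.0.0.1:$2" -servername localhost \
        -CAfile "$1" </dev/null 2>/dev/null | grep 'Verify return code'
}

# Poll until the server accepts connections (up to about 10 s).
wait_for_server() {
    i=0
    while [ $i -lt 10 ]; do
        check_connection "$1" "$2" >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Stand-alone use: sh this-script.sh /tmp/work 4433
if [ $# -eq 2 ]; then
    pid=
    make_self_signed "$1" && pid=$(start_server "$1" "$2") \
        && wait_for_server "$1/cert.pem" "$2" && check_connection "$1/cert.pem" "$2"
    [ -n "$pid" ] && kill "$pid" 2>/dev/null
fi
```

Running check_connection without -CAfile (or against the system trust store) is the useful contrast: a self-signed test certificate then reports a non-zero verify code, which is exactly the warning users would see and why such certificates belong only in test setups.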

(F) Converting certificates from PEM to PKCS#12 formats

PKCS#12 is an RSA standard, the “Personal Information Exchange Syntax Standard”, for bundling certificates and keys; such files (.pfx or .p12) are commonly used for email signatures. A PKCS#12 file combines the public key certificate, the private key, and the root CA certificate in one file. With OpenSSL, you can convert PEM files to a PKCS#12 file using the following command (all on one line):

# openssl pkcs12 -export -in myServerCert.pem -inkey myPrivateServerKey.pem -certfile myCACert.pem -name "[friendly name – Ramesh Nagappan]" -out myServerPKCS12Cert.pfx


(G) SSL Certificate Pre-requisites for Apache and MySQL

If you are configuring SSL for your Apache Web Server or MySQL database connections, you need the following:

1) Create the CA (private key and public cert) certificates.

2) Create your SSL server key.

3) Create your SSL server certificate.

Make sure your Common Name (CN) identifies the fully-qualified domain name (FQDN) of your server. Follow the directions for configuring SSL in the Apache and MySQL documentation.

Enjoy. Let me know if you have any suggestions.

3 thoughts on “OpenSSL as Certificate Authority/SSL Test Kit: Quick Cheatsheet”

  1. Pingback: Ramesh Nagappan Blog : Demystifying MySQL Security for Web 2.0: Part 1 | Core Security Patterns Weblog

  2. Pingback: Ramesh Nagappan Blog : Unleashing SSL Acceleration and Reverse-Proxying with Kernel SSL (KSSL) | Core Security Patterns Weblog

  3. Taylor Monacelli

    Did you mean this in part C?

    openssl genrsa -passout pass:testpass \
        -aes256 -out myCACert.key 2048
    openssl req -new -x509 -days 3650 \
        -key myCACert.key -passin pass:testpass \
        -passout pass:testpass -out myCACert.pem \
        -subj '/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddress=nramesh@sun.com'

    Thank you for your step by step instructions! Very helpful.
