Create a server certificate with OpenSSL
A long time ago I had created a certificate for my mail server. Very recently it expired, so I had to renew it now.
Back then I had used two quite complex OpenSSL commands that I found on some blog.
# create key + csr (-nodes == key is not encrypted)
openssl req -new -nodes -newkey rsa:1024 -keyout domain.key.pem -out domain.csr.pem
# create certificate (self signed)
openssl x509 -req -days 365 -in domain.csr.pem -signkey domain.key.pem -out domain.crt.pem
I had documented them somewhere, but when I looked at them again it was like "don't know what's going on here"! So I tried to break them up into multiple steps. I also came up with a naming convention, since quite a few files are created during the whole process.
A key file uses the suffix .key.pem, a certificate signing request uses .csr.pem and a certificate uses .crt.pem.
The filename is always prefixed with the domain name, e.g. for the domain google.com the key file would be google.com.key.pem.
Prepare for creating certificates
1. Create a certificate authority
For convenience, before using OpenSSL I set up a certificate authority (CA) with a key file and a certificate file. Assuming that OpenSSL is already installed, I configure some defaults in /etc/ssl/openssl.cnf (the paths below are what the later openssl ca command will use).
[ CA_default ]
dir = /etc/ssl                          # Where everything is kept
certificate = $dir/private/cacert.pem   # The CA certificate
private_key = $dir/private/cakey.pem    # The private key
...
[ req_distinguished_name ]
...
And we create a few files/directories in /etc/ssl:
echo 01 > /etc/ssl/serial    # next serial number to issue
touch /etc/ssl/index.txt     # database of issued certificates
mkdir /etc/ssl/newcerts      # copies of issued certificates
The next OpenSSL command creates the CA key and the self-signed CA certificate and prompts for some input. Note that for the common name of the CA it is sufficient to use your real name. Finally we make the key file readable for root only.
openssl req -new -x509 -newkey rsa:2048 -keyout /etc/ssl/private/cakey.pem -out /etc/ssl/private/cacert.pem -days 730
chmod 600 /etc/ssl/private/cakey.pem
OK, here we go: these are the steps to create a certificate.
2. Create a key for the server certificate
# genrsa has no -days option (the validity period belongs to the certificate, not the key)
openssl genrsa -aes128 -out domain.key.pem 2048
That creates a passphrase-protected key file. However, since it is no fun to be prompted for the passphrase during server startup, we remove it again.
openssl rsa -in domain.key.pem -out domain.key.pem
It would actually be better to first save the passphrase-protected key to a safe location and to write the unprotected key under a new file name!
Create a certificate signing request (CSR) and have a CA sign it
1. Create certificate signing request (CSR)
openssl req -new -key domain.key.pem -out domain.csr.pem -nodes
That creates a CSR that later must be signed by a certificate authority (CA). It is important that here we use the full domain name of the server for the common name; otherwise the client would not accept the certificate.
2. Have a CA sign the certificate signing request
A CA now has to sign the request. Either you contact one of the official authorities (like Thawte) and pay lots of bucks, or you use the CA you created in the beginning (as we show now). The command reads the CA key, certificate, serial file and index.txt from the paths configured in openssl.cnf above.
openssl ca -in domain.csr.pem -notext -out domain.crt.pem
3. Install certificate
First move the certificate to /etc/ssl/certs and the key file to /etc/ssl/private. Make sure that only root can read the key files.
Finally you need to install your certificates which depends on the product you are using. Maybe I will write a blog entry on how to install a certificate for a mail provider or Apache web server later on.
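The whole procedure above, as an added example that is not code from the original post: it sets up a throwaway private CA in a working directory with a minimal openssl.cnf in place of the /etc/ssl edits, creates the server key and CSR, signs it with openssl ca, and then checks the result with openssl verify. It assumes openssl is on PATH; the domain mail.example.test and the directory layout are constructed for the demo, and it additionally puts the domain into a subjectAltName, which current clients require in addition to the common name.

```shell
# Added example, not from the original post: the procedure above run end to end
# against a throwaway private CA, then checked with `openssl verify`.
# Assumes `openssl` is on PATH; the domain name is a constructed placeholder.
set -eu
# make_server_cert DOMAIN WORKDIR: body runs in a subshell so `cd` does not leak.
# Returns 0 only if the issued certificate chains to the CA and names DOMAIN.
make_server_cert() (
  domain=$1 workdir=$2
  mkdir -p "$workdir/newcerts" && cd "$workdir"
  echo 01 > serial && : > index.txt   # state files that `openssl ca` maintains
  # Minimal openssl.cnf standing in for the [ CA_default ] edits in the post
  cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = ./newcerts
database = ./index.txt
serial = ./serial
certificate = ./ca.crt.pem
private_key = ./ca.key.pem
default_md = sha256
default_days = 365
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
subjectAltName = DNS:$domain
EOF
  # CA key + self-signed CA cert (-nodes keeps the demo non-interactive; a real
  # CA key should stay passphrase-protected as in the post), then server key + CSR
  openssl req -new -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 730 \
    -keyout ca.key.pem -out ca.crt.pem -subj "/CN=Example Private CA" 2>/dev/null
  openssl genrsa -out "$domain.key.pem" 2048 2>/dev/null
  chmod 600 ca.key.pem "$domain.key.pem"   # key files readable by the owner only
  openssl req -new -config ca.cnf -key "$domain.key.pem" -out "$domain.csr.pem" -subj "/CN=$domain"
  # Sign with our CA; server_ext adds the subjectAltName that modern clients require
  openssl ca -batch -config ca.cnf -extensions server_ext -notext \
    -in "$domain.csr.pem" -out "$domain.crt.pem" 2>/dev/null
  # Check: the certificate chains to the CA and carries the expected DNS name
  openssl verify -CAfile ca.crt.pem "$domain.crt.pem" &&
    openssl x509 -in "$domain.crt.pem" -noout -text | grep -q "DNS:$domain"
)
make_server_cert "${1:-mail.example.test}" "${2:-$(mktemp -d)}"
```

A successful run prints `mail.example.test.crt.pem: OK`; the issued certificate is also recorded in index.txt and copied to newcerts/01.pem, exactly as openssl ca does under /etc/ssl in the post.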

1 Comment
Martin Ahrer - 2009/11/03
After writing this I actually found http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert.