Creating Self-Signed Certificates with OpenSSL


This document explains how to create a self-signed SSL certificate using OpenSSL. The tutorial uses the binary distribution of OpenSSL for the Windows platform to create and sign the certificates.

1 OpenSSL Setup

  • Download the OpenSSL binary distribution for Windows and install it.
  • Add <Open_SSL_Install_Home>/bin/ to the system PATH.
  • Create the following directory structure (lower-case names, matching the paths used in openssl.cnf and in the commands below):

           myCA

             - certs

             - private

             - newcerts

             - crl

  • Create the following two files under the "myCA" directory
    1. index.txt
    2. serial
  • Edit the "serial" file and put '01' on its first line.
  • Copy "openssl.cnf" from <OPEN_SSL_INSTALL_HOME>/share into "myCA" and save it as "openssl.my.cnf", the name the commands below pass to -config.
  • Update the fields in openssl.my.cnf as in the following example
####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = . ## Changed ## # run the openssl commands from inside myCA
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/certs/myca.crt ## Changed ##

serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/myca.key ## Changed ##

RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use (sha256 is the current choice; SHA-1 signatures are rejected by modern clients)
preserve = no # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################


In the above portion of openssl.my.cnf, every field that was updated is marked with ## Changed ##.


2 Creating Certificate Authority


Navigate to the "myCA" folder and execute the following command



openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

It asks you to enter a PEM pass phrase and verify it, then it expects the following inputs


a) Country Name (2 letter code) [AU]:

b) State or Province Name (full name) [Some-State]:

c) Locality Name (eg, city) []:

d) Organization Name (eg, company) [Internet Widgits Pty Ltd]:

e) Organizational Unit Name (eg, section) []:

f) Common Name (eg, YOUR name) []:

g) Email Address []:


Enter the appropriate information one by one and it creates the following two files for you


a) certs/myca.crt

b) private/myca.key


Here is a sample log


Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..++++++
..........++++++
writing new private key to 'private/myca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Certificate Authority
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:my.ca.com
Email Address []:admin@my.ca.com


3 Creating Server certificate request


Execute the following command to create the certificate request



openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365 

It expects the following inputs from the user


  1. Country Name (2 letter code) [AU]:
  2. State or Province Name (full name) [Some-State]:
  3. Locality Name (eg, city) []:
  4. Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  5. Organizational Unit Name (eg, section) []:
  6. Common Name (eg, YOUR name) []:
  7. Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request

    8.  A challenge password []:

    9. An optional company name []:

This command creates the "server.csr" file in the same directory.

Here is a sample log




Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......................++++++
....................++++++
writing new private key to 'private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Andhra Pradesh
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Web Server
Organizational Unit Name (eg, section) []:Web Server
Common Name (eg, YOUR name) []:nbhydydevatra
Email Address []:admin@nbhydydevatra.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4 Signing server certificate request with Certificate Authority


The server certificate request created in the previous step needs to be signed by the Certificate Authority created in section 2.

To get it signed, execute the following command



openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr 

It asks for the pass phrase of the CA key; this is the same pass phrase entered in section 2.

This command creates the "server.crt" file under the "certs" directory. This is the signed certificate for the web server (for the given domain).

Here is a sample log




Using configuration from openssl.my.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./private/myca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 1 16:09:52 2011 GMT
Not After : Feb 1 16:09:52 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = Andhra Pradesh
localityName = Hyderabad
organizationName = My Web Server
organizationalUnitName = Web Server
commonName = nbhydydevatra
emailAddress = admin@nbhydydevatra.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
86:3E:1C:19:53:5D:FF:00:B1:F7:9A:5B:F8:37:39:28:D8:5C:0A:C3
X509v3 Authority Key Identifier:
keyid:E8:27:1F:25:F5:B0:09:41:A5:B5:C6:93:63:60:D9:14:D0:50:F0:CF
DirName:/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=My Certificate Authority/OU=Certificate Authority/CN=my.ca.com/emailAddress=admin@my.ca.com
serial:CC:B2:24:C3:B5:2C:43:2F

Certificate is to be certified until Feb 1 16:09:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Now all certificates are available under the "certs" directory and the keys under the "private" directory.
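The whole procedure from sections 1 to 4, run end to end without prompts, as an added shell example that is not part of the original post. It builds the same myCA layout (index.txt, serial starting at 01, a minimal openssl.my.cnf with dir = .), creates the pass-phrase-protected CA, creates the server key and CSR, signs the CSR with openssl ca, and then runs the checks a practitioner would want: the server certificate verifies against the CA for the intended host name, and the server key matches the certificate. It assumes OpenSSL 1.1.1 or newer on PATH (on Windows run it from Git Bash, or translate the commands to cmd.exe; the openssl arguments are the same). The pass phrase, subject values and host name are constructed placeholders. It departs from the post in three places: 2048-bit keys and sha256 instead of the 1024-bit keys and sha1 visible in the logs, a subjectAltName on the server certificate (browsers match the host name against the SAN, not the CN), and -subj/-batch instead of interactive prompts.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 1-4 end to end, non-interactive.
# Assumes OpenSSL 1.1.1+ on PATH. Pass phrase, subjects and host name are constructed placeholders.
set -eu

CA_PASS="correct horse battery staple"   # constructed placeholder pass phrase for the CA key
SERVER_NAME="www.example.test"           # constructed placeholder server host name

# Section 1: myCA layout, empty index.txt, serial starting at 01, and a minimal openssl.my.cnf.
setup_ca_dir() {
    mkdir -p "$1/certs" "$1/private" "$1/newcerts" "$1/crl"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    cat > "$1/openssl.my.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = .                   # run openssl from inside myCA, as the post does
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/certs/myca.crt
private_key   = $dir/private/myca.key
serial        = $dir/serial
default_days  = 365
default_md    = sha256              # not sha1: current clients reject SHA-1 signatures
policy        = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
commonName = placeholder            # overridden by -subj below

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Section 2: self-signed CA certificate; the CA key is encrypted with the pass phrase.
create_ca() {
    ( cd "$1" && openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca \
        -newkey rsa:2048 -keyout private/myca.key -out certs/myca.crt -days 1825 \
        -passout "pass:$CA_PASS" \
        -subj "/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=My Certificate Authority/CN=My Root CA" )
}

# Section 3: unencrypted server key (as with -nodes in the post) and the CSR.
create_server_csr() {
    ( cd "$1" \
      && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private/server.key \
      && openssl req -config openssl.my.cnf -new -key private/server.key -out server.csr \
           -subj "/C=IN/ST=Andhra Pradesh/L=Hyderabad/O=My Web Server/CN=$SERVER_NAME" )
}

# Section 4: sign the CSR with the CA. The extensions come from an extfile so the
# certificate carries a subjectAltName; openssl ca ignores extensions in the CSR
# unless copy_extensions is enabled in the config.
sign_server_csr() {
    ( cd "$1" && cat > server_ext.cnf <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$SERVER_NAME
EOF
      openssl ca -config openssl.my.cnf -batch -notext -policy policy_anything \
          -extfile server_ext.cnf -extensions server_ext -passin "pass:$CA_PASS" \
          -out certs/server.crt -infiles server.csr )
}

# Checks: the server cert chains to the CA for the intended host name, and the
# public key in the cert is the one derived from private/server.key.
verify_chain() {
    ( cd "$1" \
      && openssl verify -CAfile certs/myca.crt -verify_hostname "$SERVER_NAME" certs/server.crt \
      && [ "$(openssl x509 -in certs/server.crt -noout -pubkey)" = \
           "$(openssl pkey -in private/server.key -pubout)" ] )
}

run_all() {
    setup_ca_dir "$1"
    create_ca "$1"
    create_server_csr "$1"
    sign_server_csr "$1"
    verify_chain "$1"
}

# Usage: sh make_ca.sh --run ./myCA
if [ "${1:-}" = "--run" ]; then
    run_all "${2:-./myCA}"
fi
```

After a run, certs/server.crt is serial 01, newcerts/01.pem holds the same certificate, and index.txt has one entry, exactly the state the post's "Data Base Updated" log describes. The `openssl verify` call is the check worth keeping in any deployment script: a certificate that signs fine can still fail in the browser if the SAN does not match the host name.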

Comments

  1. Your topic is very helpful. I'll bookmark your site to read again.
  2. Welcome.

    I am planning to post part 2 of this post about testing.....
