Creating X.509 Certificates With OpenSSL
Academic year: 2021
Overview

This procedure describes one way to use OpenSSL to create an X.509 certificate file and an associated RSA key file for use with SSL/TLS.

The following assumptions are made in this discussion:

- The operating system is Fedora 10 with the GNOME desktop installed.
- OpenSSL will be used with mod_ssl for Apache Server 2.2.xx.

Install OpenSSL

1. Start the Package Manager from the Add/Remove Software entry on the System/Administration menu.

2. Enter openssl in the search box in the upper left column and click Find. When the search has completed, scroll down to the package named "The OpenSSL toolkit". If the openssl package is not already installed, check the missing package and click the Apply button at the bottom right.

Configuration

1. Open a terminal window and sign in as root. Navigate to the /etc/pki/tls folder and open the openssl.cnf file with a text editor:

    [jay@fedora10 jay]$ su
    Password:
    [root@fedora10 jay]# cd /etc/pki/tls
    [root@fedora10 tls]# gedit openssl.cnf

3. For each variable whose name ends in _default, enter the information appropriate for the certificate's location. Uncomment variables as required. Save and close the edited file.

4. Using a web browser, download the following file script to a temporary folder: http://jaywheeler.users.sourceforge.net/scripts/makesslcert.tgz

5. Untar the archive (tar -xvf), then move the script named makesslcert to the /usr/local/bin folder. Set the owner (root:root) and permissions (755) appropriately.

6. makesslcert is a shell script designed for use with Fedora (8 and newer). It has, however, been successfully installed and used on FreeBSD (7 and 8) and Ubuntu (9 and 10), although this requires editing the file locations. Navigate to the installation folder and edit the script file. Locate the comment block shown below:

    ##############################################
    #                                            #
    #           User defined settings            #
    #                                            #
    ##############################################
    openssl=/usr/bin/openssl
    apache_dir=/etc/httpd/conf
    ssl_subdir_cert=ssl.crt
    ssl_subdir_key=ssl.key
    ssl_pem_passphrase=ewdesigns          # -a = -pass pem password phrase
    ssl_pem_name=server.pem               # -p = -key pem file name
    ssl_cert_name=server.crt              # -c = -out X509 certificate file name
    ssl_key_name=server.key               # -k = -out rsa key file name
    ssl_cert_days=730                     # -t = -days to expiration
    ssl_cert_cn=fedora13.ewdesigns.lan    # -h = -subj (host name)
    ssl_cert_debug=0                      # -d = debug level (0 = off)
    ##############################################
    #                                            #
    #      Make changes above this block ONLY    #
    #                                            #
    ##############################################

Modify the settings to match the site's installation parameters and needs. The settings followed by a comment are passed as parameters to the OpenSSL certificate generator. Alternatively, the parameters can be given as arguments on the command line when executing the makesslcert script (passing ? as the parameter lists the options).

7. To create a new X.509 Certificate and RSA Key file, simply execute the script. The files will be placed in the directories configured above.
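The following is an added example, not the makesslcert script itself: it performs the key and certificate generation step directly with openssl, parameterised like the script's settings block (host name, days to expiration, output directory are the assumed inputs), and adds the checks worth running before pointing Apache at the files. The 2048-bit key, SHA-256 signature and subjectAltName are this example's assumptions, not the script's.

```shell
#!/bin/sh
# Added example, not the makesslcert script: the key/certificate step as
# plain openssl commands, plus checks to run before configuring Apache.
set -eu

# $1 = host name for the subject (the script's ssl_cert_cn)
# $2 = days to expiration (ssl_cert_days)
# $3 = output directory (assumed; the script writes under apache_dir)
make_ssl_cert() {
    host=$1; days=$2; out=$3
    mkdir -p "$out"
    umask 077   # the private key must never be created world-readable
    # Assumptions: 2048-bit RSA, SHA-256 signature, and a subjectAltName equal
    # to the CN (modern clients ignore the CN alone). -nodes writes an
    # unencrypted key; the script instead sets a passphrase and relies on
    # SSLPassPhraseDialog. -addext needs OpenSSL 1.1.1 or newer.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$out/server.key" -out "$out/server.crt" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$out/server.key"
    chmod 644 "$out/server.crt"
}

# Return 0 if certificate $1 was issued for private key $2: both must
# yield the same public key.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ "$c" = "$k" ]
}

# Print the subject in RFC 2253 form, e.g. CN=fedora13.ewdesigns.lan
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Print the expiry date as openssl reports it (notAfter=...)
cert_not_after() { openssl x509 -noout -enddate -in "$1"; }
```

Run `make_ssl_cert fedora13.ewdesigns.lan 730 /tmp/sslout` and then `cert_matches_key /tmp/sslout/server.crt /tmp/sslout/server.key` before copying the files into the ssl.crt and ssl.key directories.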


Configuring mod_ssl for use with Apache server

1. Start the Package Manager from the Add/Remove Software entry on the System/Administration menu (see above for help).

2. Enter mod_ssl in the search box in the upper left column and click Find. When the search has completed, scroll down to the package named "SSL/TLS module for the Apache HTTP Server". If the mod_ssl package is not already installed, check the missing package and click Apply at the bottom right.

3. After the package has been downloaded and installed, exit the software updater. Start a terminal, su to root and navigate to /etc/httpd/conf. Edit the file named httpd.conf.

4. Locate Section 3: Virtual Hosts:

    ### Section 3: Virtual Hosts
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerAdmin [email protected]
        DocumentRoot /Data10/Internet/www
        ServerName fedora10.ewdesigns.lan
        ErrorLog /var/log/httpd/ssl_error_log
        CustomLog /var/log/httpd/ssl_access_log common
        LogLevel debug
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    </VirtualHost>

5. If there is no default VirtualHost, add the definition shown above. If it is already there, modify it to look similar to the one displayed above. Remember to change the settings to match those used by the Apache server installation and the location of the generated certificate(s).


6. Save the file, navigate to /etc/httpd/conf.d, and edit the file named ssl.conf. Modify the file contents to, at a minimum, look similar to the file shown below:

    LoadModule ssl_module modules/mod_ssl.so
    ########################################################
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    ########################################################
    <VirtualHost _default_:443>
        ErrorLog /var/log/httpd/ssl_error_log
        TransferLog /var/log/httpd/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

Save the modified file.
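The SSLProtocol and SSLCipherSuite values in the ssl.conf above date from the Fedora 10 era: "all -SSLv2" still permits SSLv3 and TLS 1.0/1.1, and a cipher string built on ALL with +MEDIUM:+LOW only reorders weak ciphers rather than removing them. The following is an added example, not part of the original document, that checks an ssl.conf for these two settings and prints the replacement directive for each; the sample configuration text is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not from the original document: flag legacy SSLProtocol
# and SSLCipherSuite values in an ssl.conf such as the one shown above.
set -eu

# Constructed sample reproducing the document's two directives.
SAMPLE_SSL_CONF='SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'

# Print the value of directive $2 found in config text $1 (first match only).
directive() { printf '%s\n' "$1" | awk -v d="$2" '$1==d {$1=""; print substr($0,2); exit}'; }

# Return 0 if the SSLProtocol value disables every version older than TLS 1.2.
protocol_is_modern() {
    case " $1 " in *" -all "*) return 0 ;; esac
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        case " $1 " in *" -$legacy "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Print each weak algorithm token the cipher string still enables. '!' and '-'
# entries remove ciphers; '+' only moves them to the end, so they stay enabled.
weak_cipher_tokens() {
    out=""; old_ifs=$IFS; IFS=':'
    for entry in $1; do
        case "$entry" in '!'*|'-'*) continue ;; esac
        entry=${entry#+}
        IFS='+'
        for tok in $entry; do
            case "$tok" in RC4|LOW|MEDIUM|EXPORT|DES|3DES|MD5|aNULL|eNULL) out="$out$tok " ;; esac
        done
        IFS=':'
    done
    IFS=$old_ifs; printf '%s' "$out"
}

# Print one finding per weak directive and return the number of findings.
lint_ssl_conf() {
    n=0
    if ! protocol_is_modern "$(directive "$1" SSLProtocol)"; then
        echo "SSLProtocol permits SSLv3/TLS1.0/1.1; use: SSLProtocol -all +TLSv1.2 +TLSv1.3"
        n=$((n+1))
    fi
    weak=$(weak_cipher_tokens "$(directive "$1" SSLCipherSuite)")
    if [ -n "$weak" ]; then
        echo "SSLCipherSuite enables $weak; use: SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES"
        n=$((n+1))
    fi
    return "$n"
}
```

Running `lint_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)"` reports both findings for the configuration above; after applying the printed replacements it returns 0.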
