I always had a love and hate interest with using OpenSSL ! But I should agree that it did help me many times…whenever I wanted to quickly test-drive my craziest ideas with PKI certificates. Couple of things I like about OpenSSL is its tools/utilities for testing as equivalent to a commerecial-grade CA and its FIPS-140 compliance. Also, I always get the required help on Web, right from the details of how-to install, configure…and all the operations. Here is my attempt to share a quick recipe on using OpenSSL commands.. particularly for those looking for help on test-driving SSL certificates using OpenSSL.
(A) Creating RSA Certificates
# openssl genrsa 2048 > myRSA-key.pem
This command creates a 2048-bit key pair and stores it in myRSA-key.pem. The default key size is 512 bits. In case if you want to password protect the RSA private key, use the following command:
# openssl genrsa 2048 -aes256 -out myRSA-key.pem
When you run the above command, OpenSSL prompts you for a passphrase for encrypting the key file using an algorithm – ex. AES (aes128, aes192 aes256), DES/3DES (des, des3).
(B) Creating a SSL Server Certificate Signing Request (CSR)
Important Note: This process requires signing by a valid Certificate Authority (CA)
For a commercial deployments, you need to obtain the SSL certificates and associated root CA certificates from a CA (ex. Cybertrust, Entrust, Verisign) . As a first step, you need to create a CSR for requesting the CA to sign (trust) your certificates. The following is the command for creating a CSR.
# openssl req -new rsa:1024 -node -out myCertReq.pem -keyout myPrivCertkey.pem -subj /C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddressemail@example.com
The generated certificate request (myCertReq.pem) must be signed by a CA otherwise it will not be a valid certificate. The key algorithm is RSA and size 1024 bits, the certificate will be valid for 365 days, and with -nodes option the key will be unencrypted. The -subj allows setting the Subject DN value that identifies the hostname “CN” must be fully qualified name that you’ll be using to access your SSL site.
Save the private key file (myPrivCertKey.pem) as you need the key in order to use the Server certificate from the CA. Just for the reason not to send the private key information to CA. Send the certificate request (myCertReq.pem) to the CA via email or using their web site. After signing process, The CA will return you the signed certificate and also root CA certificates.
(C) Creating the OpenSSL CA certificate
For Intranet or testing purpose, you may want to test with your own CA and it can be done with OpenSSL. Similar to the process (A) , you need to create a private CA key (myCA.key) and then a private CA X.509 certificate (myCACert.pem).
# openssl genrsa 2048 -aes256 -out myCA.key
# openssl req -new -x509 -days 3650 -key myCACert.key -out myCACert.pem
(D) Creating a Self-signed certificate (For SSL)
For your testing purposes, you may want to SSL test your applications with self-signed certificates and with your own CA. To create a self-signed certiicate:
# openssl req -nodes -x509 -newkey rsa:1024 -out mySelfSignedCert.pem -keyout myPrivServerKey.pem -days 365 -set_serial 01-subj “/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddressfirstname.lastname@example.org
-x509 identifies it as a self-signed certificate and -set_serial sets the serial number for the server certificate. You may want to remove the password from the private key (so that the SSL server will not prompt you for password). Here is the command:
# openssl rsa -in myPrivServer.key -out myPrivServer.key.insecure
In some cases, you may want to create a single file that contains both private key and the self-signed certificate:
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -subj”/C=US/ST=MA/L=Burlington/CN=myHost.domain.com/emailAddressemail@example.com -keyout myServerCert.pem -out myServerCert.pem
To create a SSL certificate signed by your own Certification Authority (CA).
# openssl ca -cert myCACert.pem -in myCertReq.pem -out myServerCert.pem
Where myCACert.pem is the CA certificate, we discussed in (C).
(E) Testing the Certificate with OpenSSL
OpenSSL provides an s_server command that provides a SSL/TLS server implementation to test/verify support SSL/TLS based connections. By default, the s_server listens on port 4433. You should able to test your certificate by running the following command:
# openssl s_server -cert myServerCert.pem -www
The above command should launch an OpenSSL based SSL server using your certificates. To verify SSL connection with your certificates, try accessing https://localhost:4443/ from your browser. You must be seeing a simple web page listing the connection details and all the supported ciphers.
(F) Converting certificates from PEM to PKCS#12 formats
PKCS12 is an RSA standard for creating “Personal Information Exchange Syntax Standard” based certificates commonly used for email signatures (ex. pfx or p12). A PKCS#12 file combines all-in-one file including public key, private key, and the root CA certificate. With OpenSSL, you would able to convert a PEM file to PKCS#12 format file, you would use the following command (all in one line ignore \ ):
# openssl pkcs12 -export -in myServerCert.pem -inkey myPrivateServerKey.pem -certfile myCACert.pem -name “[friendly name - Ramesh Nagappan]” -out myServerPKCS12Cert.pfx
(G) SSL Certificate Pre-requisites for Apache and MySQL
If you are thinking about configuring SSL for your Apache Web Server or MySQL database connections, you would need the following:
1) Create the CA (private key and public cert) certificates.
2) Create your SSL server key.
3) Create your SSL server certificate.
Make sure your Common Name (CN( identifies “full-qualified domain name (FQDN)” of your server. Follow the directions for configuring SSL using Apache and MySQL documentation.
Enjoy. Let me know, if you had any suggestions.