generate certificates using openssl

Certificate is frequently used in secure communication such as https and smtps. Certificate contains the subject information and its public key, and a signature. The signature is generated by encrypting the hash of   the subject information and its public key using a private key – the key belong to the entity issuing the certificate. If you believe in the certificate issuer, you can verify the certificate using the signature. If the verification passes, you can believe in the holder of the certificate.  The verification is simple: you calculate the hash of the  organization information and its public key in the certificate, you decrypt the signature using the public key of the certificate issuer, you compare the hash and the decryption result, if they are the same, the verification passed, if not, the verification fails.

The most-used format for certificates is called x509, which specifies what information should be included in a certificate. In Linux, the most used file format for storing certificates is called pem. Although the suffix of a certificate file may not be .pem, the content is often of pem format. This is a readable format, which contains the base64 encoded certificate.

To issue a certificate, you should generate a root CA certificate, and use this CA certificate to issue other certificates. The root CA certificate is of no difference than an ordinary certificate except that the subject of the certificate is the same as the issuer of the certificate.  We will use openssl to generate CA root certificate and other certificates.

After installing openssl, you will see a directory /etc/pki/CA. To generate certificates, you should create an empty file “index.txt”, and a file “serial” with a line “01″ in this directory. The number in the “serial” file will be used to generate the serial field of a new certificate.

All works begin with generating a RSA key file:

myca.key now contains a RSA public/private key pair.

Generate a certificate signing request file(.csr):

Notice that you should provide with the key file myca.key. openssl will use the private key in the file to sign the information you are asked to input such as the country, state, city,organization name, and the public key in the key file. The output file is myca.csr. You can upload this file to a real CA’s server to get a real certificate. But here I only sign it myself(so called self-signed):

The command takes the input certificate signing request file(myca.csr) and uses the private key in myca.key to sign it, the result is the certificate file myca.crt. Now we get a self-signed root certificate file myca.crt. We will use it as a CA certificate file to issue other certificates.

This will generate a RSA public/private key pair as we do for the CA certificate.

This will generate a certification signing request file. We have been familiar with this in the process of generating the CA certification.

This will take the certificate signing request file and sign it using the private key in myca.key to generate the certificate file myserver.crt. Note that the new certificate is NOT self-signed, but signed by the CA certificate generated before. Thus, the CA certification file is needed as the parameter value of -cert. The issuer name in the CA certification file will be put into the new issued certificate. Note also the value of -keyfile parameter is the CA’s key file, not the key file of the new issued certificate because we need the private key of the CA to sign the information of the new issued certificate. Myserver’s private key (myserver.key) is of no use here. In the issuing process, Myserver’s public key contained in myserver.csr will be used  to verify that the information in myserver.csr is valid and not modified by others(remember in generating the csr file, myserver’s private key was used to generate a signature?)

The generated myserver.crt is in plain text. You can see the subject/public key, etc. in it. Most software, however, use a .pem format certificate. We need to convert the .crt file to a .pem file:

Now the text in myserver.pem is no longer readable.

Since the certificate file is not encrypted itself, we can use a SSL certificate decoder to decode the certificate contained in the file. We can also use the following openssl command to decode the certificate:

We have created a server certificate file, well done!. The server certificate file and the server’s key file are important to deploy secure application such as https and smtp. Enabling Apache for https uses the server’s certificate as the SSLCertificateFile. The certificate will be sent to the client, and after verification, the public key in it will be used to encrypt a random string generated by the client. The server’s key file is used as the SSLCertificateKeyFile, which will be used to decrypt the encoded random string coming  from the client. The random string, together with two other random strings generated during the ssl handshaking process  are used to generate a session key, which is used to encrypted the information transferred after the handshaking process.

Posted in tips of hosting