generate certification using openssl

Certification is frequently used in secure communication such as https and smtps. Certification contains the subject information and its public key, and a signature. The signature is generated by encrypting the hash of   the subject information and its public key using a private key – the key belong to the entity issuing the certification. If you believe in the certification issuer, you can verify the certification using the signature. If the verification passes, you can believe in the holder of the certification.  The verification is simple: you calculate the hash of the  organization information and its public key in the certification, you decrypt the signature using the public key of the certification issuer, you compare the hash and the decryption result, if they are the same, the verification passed, if not, the verification fails.

The most-used format for certification is called x509, which specifies what information should be included in a certification. In Linux, the most used file format for storing the certification is called pem. Although the suffix of a certification file may not be .pem, the content is often of pem format. This is a readable format, which contains the base64 encoded certification.

To issue certification, you should generate a root CA certification, and use this CA certification to issue other certifications. The root CA certification is of no difference than an ordinary certification except that the subject of the certification is the same as the issuer of the certification.  We will use openssl to generate CA root certification and other certifications.

After installing openssl, you will see a directory /etc/pki/CA. To generate certifications, you should create an empty file “index.txt”, and a file “serial” with a line “01″ in this directory. The number in the “serial” file will be used to generate the serial field of a new certification.

All works begin with generating a RSA key file:

myca.key now contains a RSA public/private key pair.

Generate a certification signing request file(.csr):

Notice that you should provide with the key file myca.key. openssl will use the private key in the file to sign the information you are asked to input such as the country, state, city,organization name, and the public key in the key file. The output file is myca.csr. You can upload this file to a real CA’s server to get a real certification. But here I only sign it myself:

The command takes the input certification signing request file(myca.csr) and uses the private key in myca.key to sign it, the result is the certification file myca.crt. Now we get a self-signed root certification file myca.crt. We will use it as a CA certification file to issue other certifications.

This will generate a RSA public/private key pair as we do for the CA certification.

This will generate a certification signing request file. We have been familiar with this in the process of generating the CA certification.

This will take the certification signing request file and sign it using the private key in myca.key to generate the certification file myserver.crt. Note that the new certification is NOT self-signed, but signed by the CA certification generated before. Thus, the CA certification file is needed as the parameter value of -cert. The issuer name in the CA certification file will be put into the new issued certification. Note also the value of -keyfile parameter is the CA’s key file, not the key file of the new issued certification because we need the private key of the CA to sign the information of the new issued certification. Myserver’s private key (myserver.key) is of no use here. In the issuing process, Myserver’s public key contained in myserver.csr will be used  to verify that the information in myserver.csr is valid and not modified by others(remember in generating the csr file, myserver’s private key was used to generate a signature?)

Since the certification file is not encrypted itself, we can use a SSL certification decoder to decode the certification contained in the file. We can also use the following openssl command to decode the certification:

We have created a server certification file, well done!. The server certification file and the server’s key file are important to deploy secure application such as https and smtp. Enabling Apache for https uses the server’s certification as the SSLCertificateFile. The certification will be sent to the client, and after verification, the public key in it will be used to encrypt a random string generated by the client. The server’s key file is used as the SSLCertificateKeyFile, which will be used to decrypt the encoded random string coming  from the client. The random string, together with two other random strings generated during the ssl handshaking process  are used to generate a session key, which is used to encrypted the information transferred after the handshaking process.

Posted in tips of hosting