OpenSSL CA

OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. In addition it provides a cryptography library. One of the interesting features beside the already mentioned is the ability to use it as a Certificate Authority (CA). By doing so you can create your own self signed certificates which you could use i.e. to encrypt sessions and authenticate entities such as web servers or real users.

However, you should be aware that the purpose of self signed certificates is limited in such case that certificate validation for outside entities is not that easy as when using certificates that had been issued by official certificate authorities. Official certificates can easily be validated by applying the public CA key (the public certificate) of the issuing CA. Fortunately, a variety of applications such as web browsers or e-clients have a built-in CA root store, containing the public certificates of authorized certificate issuers. Below the picture of the Firefox CA root store.

 

certificate root store

 

The drawback of using self signed certificates is the limited range and the fact that the public part of your own issuing CA is not known to anybody. However, self signed certificates are an excellent and cheap method for personal use. Moreover, the application range can even go beyond organization boundaries by having proper distribution und supporting processes for outside entities.

Fortunately, OpenSSL provides a tool for establishing / using the certificate authority - it is called “CA.pl”, in Slackware you will find it in /etc/ssl/misc. Before you use this tool you might want to have a look at and adapt the file “openssl.cnf” in /etc/ssl. This file holds and stores a bunch of certificate specific settings, such as default certificate validity period and many more. Adapt it to your needs – see picture below.

 

openssl configuration

 

First, you must create the CA hierarchy (in /etc/ssl/misc):

 

./CA.pl -newca

 

Then, issue:

 

./CA.pl –newreq

 

In short, this creates the private key and generates a certificate request. In doing so, you have to answer a number of questions. Default answers are derived from the file “openssl.cnf”.

Third, type:

 

CA.pl –signreq

 

This creates the certificate by using the public key and the certificate request. The resulting file is PEM formatted, if you have an application that prefers PKCS12 formatted certificates, issue something like:

 

CA.pl -pkcs12 "My Test Certificate"

 

The “CA.pl” interface eases the process of creating OpenSSL certificates. However, in some cases it might be required to do some stuff manually. One example is the remove the password from a private key, e.g. when using it with a web server for encryption and authentication. Note: Do this only if you know what you do, leaving a private key unencrypted is a major security risk.

Remove the pass phrase on an RSA private key:

 

openssl rsa -in key.pem -out keyout.pem

 

To encrypt a private key using triple DES:

 

openssl rsa -in key.pem -des3 -out keyout.pem

 

To convert a private key from PEM to DER format:

 

openssl rsa -in key.pem -outform DER -out keyout.der

 

To print out the components of a private key to standard output:

 

openssl rsa -in key.pem -text -noout

 

To just output the public part of a private key:

 

openssl rsa -in key.pem -pubout -out pubkey.pem

 

The manual way from key to certificate

The command “./CA.pl –newreq” implies the creation of a RSA key. The manual command for a 2048 bit long key would be:

 

openssl genrsa -des3 –out mykey.pem 2048

 

To create a certificate request, type:

 

openssl req -new -key mykey.pem -out cert.csr

 

To create a self signed certificate with a validity of 365 days

 

openssl req -new -x509 -key mykey.pem -out mycert.pem -days 365

 

To convert a certificate in PEM format to pkcs12 format

 

openssl pkcs12 -export -out mycert.p12 -inkey ./mykey.pem -in ./mycert.pem

 

Finally, the following command shows one of my certificates:

 

openssl x509 -in piircert.pem -text -noout

 

certificate