Managing Certificates

After installing and configuring OpenSSL and mod_ssl, the next step for a working SSL server implementation is to create a server certificate. This section explains in detail how to create and manage certificates and keys by using the openssl command-line tool. If you are using SSL for an e-commerce site, encryption protects customer data from eavesdroppers, and the certificate enables customers to verify that you are who you claim to be.

By the Way

The examples refer to the UNIX version of the command-line program openssl. If you are running under Windows, you need to use openssl.exe instead and change the paths of the examples to use backslashes instead of forward slashes. Also, if you installed OpenSSL in a directory unlike the one listed here, simply substitute that directory in the examples.

Creating a Key Pair

You must have a public/private key pair before you can create a certificate request. Assume that the fully qualified domain name (FQDN) for the certificate you want to create is www.example.com. You can create the keys by issuing the following command:

# openssl genrsa --des3 -out www.example.com.key 1024

The genrsa switch indicates to OpenSSL that you want to generate a key pair.

The -des3 switch indicates that the private key should be encrypted and protected by a pass phrase.

The -out switch indicates where to store the results.

1024 indicates the number of bits of the generated key.

The result of invoking this command looks like this:

Generating RSA private key, 1024 bit long modulus ..............++++++ .......................++++++ e is 65537 (0x10001) Enter pass phrase for www.example.com.key:

As you can see, you will be asked to provide a pass phrase; choose a secure one. The pass phrase is necessary to protect the private key, and you will be asked for it whenever you want to start the server.

By the Way

You can choose not to password-protect the key. This is convenient because you will not need to enter the pass phrase during reboots, but it is highly insecure, and a compromise of the server means a compromise of the key as well. In any case, you can choose to unprotect the key either by leaving out the -des3 switch in the generation phase or by issuing the following command:

# openssl rsa -in www.example.com.key -out www.example.com.key.unsecure

It is a good idea to back up the www.example.com.key file. You can learn about the contents of the key file by issuing the following command:

# openssl rsa -noout -text -in www.example.com. key

Elements of the key will then be displayed to you.

Creating a Certificate Signing Request

To get a certificate issued by a CA, you must submit a certificate signing request. To create a request, issue the following command:

#  req -new -key www.example.com.key -out www.example.com.csr

You will be prompted for the certificate information, something like the following:

Using configuration from /usr/local/ssl/install/openssl/openssl.cnf Enter PEM pass phrase: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) []: San Francisco Organization Name (eg, company) [Internet Widgits Pty Ltd]:. Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:www.example.com Email Address []:administrator@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

It is important that the Common Name field entry matches the address that visitors to your website will type in their browsers. This is one of the checks that the browser will perform for the remote server certificate. If the names differ, a warning indicating the mismatch will be issued to the user.

The certificate is now stored in www.example.com.csr. You can learn about the contents of the certificate using the following command:

# openssl req -noout -text -in www.example.com.csr

You can submit the certificate signing request file to a CA for processing. VeriSign and Thawte are two of those CAs, but many CAs are available. You can learn more about the VeriSign and Thawte submission procedures at their websites for their products:

• VeriSign http://www.verisign.com/products-services/security-services/ssl/

• Thawte http://www.thawte.com/ssl-digital-certificates/ssl/

Creating a Self-Signed Certificate

You can also create a self-signed certificate. That is, you can be both the issuer and the subject of the certificate. Although this is not useful for a commercial website, it will enable you to test your installation of mod_ssl and to have a secure web server while you wait for the official certificate from the CA.

# openssl x509 -req -days 30 -in www.example.com.csr -signkey www.example.com. key-out www.example.com.cert

You need to copy your certificate www.example.com.cert (either the one returned by the CA or your self-signed one) to /usr/local/ssl/openssl/certs/ and your key to /usr/local/ssl/openssl/private/.

Protect your key file by issuing the following command:

# chmod 400 www.example.com.key

This command makes the key readable only by the root user.