SSL for UNIX


System and Software Requirements for SSL Under UNIX

The system and software requirements for using SSL under UNIX operating environments are:

  • A computer that runs UNIX.

  • Internet access and a Web browser such as Netscape Navigator or Internet Explorer.

  • The TCP/IP communications access method.

  • Access to the OpenSSL utility at www.openssl.org/source if you plan to use the OpenSSL CA.

  • Knowledge of your site's security policy, practices, and technology. The properties of the digital certificates that you request are based on the security policies that have been adopted at your site.

Setting up SSL Under UNIX

Perform the following tasks to set up and use SSL:

  1. Download and build SSL.

  2. Create digital certificate requests.

  3. Generate digital certificates from requests.

  4. View the digital certificates.

  5. Terminate the OpenSSL utility.

  6. Create a trusted list of CAs.

Downloading and Building SSL Under UNIX

If you want to use OpenSSL as your trusted Certificate Authority (CA), follow the instructions for downloading and building OpenSSL that are given at www.openssl.org/source. For complete documentation about the OpenSSL utility, visit www.openssl.org/docs/apps/openssl.html.

Information about alternative CAs and their Web sites follows:

  • For VeriSign, see www.verisign.com

  • For Thawte, see www.thawte.com

Creating Digital Certificate Requests Under UNIX

To enable an SSL connection at your site, you must

  • obtain a digital certificate from a certification authority (CA).

  • create a digital certificate request from which a digital certificate is generated.

  • request one or more digital certificates for the CA (if you will be running your own CA), the server, and the client (optional).

The tasks that you perform to request a digital certificate for the CA, the server, and the client are similar; however, the values that you specify will be different.

In this example, Proton, Inc. is the organization that is applying for certification authority status by using OpenSSL. After Proton, Inc. becomes a CA, it can serve as a Certificate Authority for issuing digital certificates to clients (users) and servers on its network.

Perform the following tasks:

  1. Select the apps subdirectory of the directory where OpenSSL was built.

  2. Initialize OpenSSL.

     $ openssl 
  3. Issue the appropriate command to request a digital certificate. (See Table A3.1 on page 407.) The functions of the arguments used in the commands are shown in Table A3.2 on page 407.

    Table A3.1: OpenSSL Commands for Requesting a Digital Certificate

    Request Certificate for   OpenSSL Command
    -----------------------   ----------------------------------------------------------------------
    CA                        req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes
    Server                    req -config ./openssl.cnf -new -out server.req -keyout serverkey.pem
    Client                    req -config ./openssl.cnf -new -out client.req -keyout clientkey.pem

    Table A3.2: Arguments and Values Used in OpenSSL Commands

    OpenSSL Arguments and Values   Functions
    ----------------------------   ------------------------------------------------------------------------
    req                            requests a certificate
    -config ./openssl.cnf          specifies where the configuration details for the OpenSSL program are stored
    -new                           identifies the request as new
    -out sas.req                   specifies where the certificate request will be stored
    -keyout saskey.pem             specifies where the private key will be stored
    -nodes                         prevents the private key from being encrypted

  4. Informational messages are displayed and prompts for additional information appear according to the specific request.

    To accept a default value, press the Return key. To change a default value, type the appropriate information and press the Return key.

    Note  

    Unless the -nodes option is used in the OpenSSL command when creating a digital certificate request, OpenSSL will prompt you for a password before allowing access to the private key.

    The following is an example of a request for a digital certificate:

     OpenSSL> req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes
     Using configuration from ./openssl.cnf
     Generating a 1024 bit RSA private key
     ............................++++++
     ..........................................++++++
     writing new private key to 'saskey.pem'
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [US]:
     State or Province Name (full name) [North Carolina]:
     Locality Name (city) [Cary]:
     Organization Name (company) [Proton INC.]:
     Organizational Unit Name (department) [IDB]:
     Common Name (YOUR name) []: Joe Bass
     Email Address []: Joe.Bass@proton.com
     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []:
     An optional company name []:
     OpenSSL>

The request for a digital certificate is complete.

Note  

For the server, the Common Name must be the name of the machine on which the server runs; for example, apex.serv.com.

Generating Digital Certificates on UNIX

Perform the following tasks to generate digital certificates for a CA, a server, and a client.

  1. Issue the appropriate command to generate a digital certificate from the digital certificate request. (See Table A3.3 on page 408.)

    Table A3.3: OpenSSL Commands for Generating Digital Certificates under UNIX

    Generate Certificate for   OpenSSL Command
    ------------------------   -------------------------------------------------------
    CA                         x509 -req -in sas.req -signkey saskey.pem -out sas.pem
    Server                     ca -config ./openssl.cnf -in server.req -out server.pem
    Client                     ca -config ./openssl.cnf -in client.req -out client.pem

    The functions performed by the OpenSSL arguments and values are shown in Table A3.4 on page 408.

    Table A3.4: Arguments and Values Used in OpenSSL Commands on UNIX

    OpenSSL Arguments and Values   Functions
    ----------------------------   ------------------------------------------------------------------------
    x509                           identifies the certificate display and signing utility
    -req                           specifies that a certificate be generated from the request
    ca                             identifies the certificate authority utility
    -config ./openssl.cnf          specifies where the configuration details for the OpenSSL utility are stored
    -in filename.req               specifies where the input for the certificate request is stored
    -out filename.pem              specifies where the certificate will be stored
    -signkey saskey.pem            specifies the private key that will be used to sign the certificate that is generated by the certificate request

  2. Informational messages are displayed and prompts for additional information appear according to the specific request.

    To accept a default value, press the Return key. To change a default value, type the appropriate information, and press the Return key.

    Sample dialog for creating a server digital certificate follows:

    Note  

    The password is for the CA's private key.

     Using configuration from ./openssl.cnf
     Enter PEM pass phrase: password
     Check that the request matches the signature
     Signature ok
     The Subjects Distinguished Name is as follows
     countryName           :PRINTABLE:'US'
     stateOrProvinceName   :PRINTABLE:'NC'
     localityName          :PRINTABLE:'Cary'
     organizationName      :PRINTABLE:'Proton, Inc.'
     organizationalUnitName:PRINTABLE:'Development'
     commonName            :PRINTABLE:'Server'
     Certificate is to be certified until Oct 16 17:48:27 2003 GMT (365 days)
     Sign the certificate? [y/n]:y
     1 out of 1 certificate requests certified, commit? [y/n]y
     Write out database with 1 new entries
     Data Base Updated

    The subject's Distinguished Name is obtained from the digital certificate request.

    A root CA digital certificate is self-signed. Self-signed means that the digital certificate is signed with the private key that corresponds to the public key that is in the digital certificate. Except for root CAs, digital certificates are usually signed with a private key that corresponds to a public key that belongs to someone else, usually the CA.

Viewing Digital Certificates

To view a digital certificate, issue the following command:

 OpenSSL> x509 -text -in filename.pem

A digital certificate contains the data that was collected to generate it, timestamps, a digital signature, and other information. However, because the generated digital certificate is encoded (usually in PEM format), it is unreadable without decoding it.
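The following POSIX shell script is an added example, not part of the SAS documentation: it carries out the request, generate, and view steps of the preceding three sections non-interactively in a scratch directory. It assumes that the openssl command is installed. The distinguished names are supplied with -subj instead of at the prompts, the organization and host values (Proton Inc, IDB, apex.serv.com, Joe Bass) are the page's sample values, and the file names follow Tables A3.1 and A3.3. Two things differ from the tables and are assumptions of this example: small extension files mark the root as a CA and the server and client certificates as end entities, and the server and client certificates are signed with "openssl x509 -req -CA" rather than "openssl ca", because the former needs no CA database directory while still signing with the CA's private key.

```shell
#!/bin/sh
# Added example (not SAS or OpenSSL project code): request, generate and view
# certificates for a CA, a server and a client, without interactive prompts.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is not installed" >&2; exit 0; }
WORK="${SSL_EXAMPLE_DIR:-$(mktemp -d)}"   # scratch directory; nothing on the system is touched
cd "$WORK"

# Minimal configuration for 'openssl req'. The DN comes from -subj, so the
# distinguished_name section is left empty and no prompts appear.
printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n' > openssl.cnf
# Assumed extension files: the root must be marked as a CA that may sign certificates;
# server and client certificates must not be CAs. The server name is bound via SAN.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:apex.serv.com\n' > server_ext.cnf
printf 'basicConstraints = CA:FALSE\n' > client_ext.cnf

# Step 3 of "Creating Digital Certificate Requests": a request plus a new private key.
# -nodes leaves the key unencrypted, so no pass phrase prompt is shown.
make_request() {   # $1 = request file, $2 = key file, $3 = subject DN
    openssl req -config ./openssl.cnf -new -newkey rsa:2048 -nodes \
        -out "$1" -keyout "$2" -subj "$3" 2>/dev/null
}

# Table A3.3, CA row: the root certificate is self-signed with its own private key.
sign_ca_self() {
    openssl x509 -req -in sas.req -signkey saskey.pem -days 365 \
        -extfile ca_ext.cnf -out sas.pem 2>/dev/null
}

# Table A3.3, server and client rows, using x509 -req -CA in place of 'openssl ca'.
sign_with_ca() {   # $1 = request, $2 = output certificate, $3 = extension file
    openssl x509 -req -in "$1" -CA sas.pem -CAkey saskey.pem -CAcreateserial \
        -days 365 -extfile "$3" -out "$2" 2>/dev/null
}

# "Viewing Digital Certificates": decode the PEM and print the subject only.
cert_subject() {   # $1 = certificate file
    openssl x509 -noout -subject -in "$1"
}

# Exit status 0 only if the certificate chains to the CA certificate sas.pem.
signed_by_ca() {   # $1 = certificate file
    openssl verify -CAfile sas.pem "$1" >/dev/null 2>&1
}

make_request sas.req saskey.pem '/C=US/ST=North Carolina/L=Cary/O=Proton Inc/OU=IDB/CN=Proton CA'
make_request server.req serverkey.pem '/C=US/ST=NC/L=Cary/O=Proton Inc/OU=Development/CN=apex.serv.com'
make_request client.req clientkey.pem '/C=US/ST=NC/L=Cary/O=Proton Inc/OU=IDB/CN=Joe Bass'
sign_ca_self
sign_with_ca server.req server.pem server_ext.cnf
sign_with_ca client.req client.pem client_ext.cnf
cert_subject server.pem
```

Because -nodes is used for the CA key, saskey.pem is written unencrypted; it is the key that signs every server and client certificate, so the file needs the same filesystem protection that the pass phrase gives it in the page's dialog. The signed_by_ca check is the operation an SSL client performs when it decides whether a presented certificate was issued by a trusted CA.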

Terminating OpenSSL

To terminate OpenSSL, type quit at the prompt.

Creating a CA Trust List

After generating digital certificates for the CA, the server, and the client (optional), you must identify for the OpenSSL client application one or more CAs that are to be trusted. This list is called a trust list.

If there is only one CA to trust, specify the name of the file that contains the OpenSSL CA digital certificate, in the client application.

If multiple CAs are to be trusted, create a new file and copy-and-paste into it the contents of all the digital certificates for CAs to be trusted by the client application.

Use the following template to create a CA trust list:

 Certificate for OpenSSL CA
 -----BEGIN CERTIFICATE-----
 <PEM encoded certificate>
 -----END CERTIFICATE-----
 Certificate for Keon CA
 -----BEGIN CERTIFICATE-----
 <PEM encoded certificate>
 -----END CERTIFICATE-----
 Certificate for Microsoft CA
 -----BEGIN CERTIFICATE-----
 <PEM encoded certificate>
 -----END CERTIFICATE-----

Because the digital certificate is encoded, it is unreadable. Therefore, the content of the digital certificate in this example is represented as <PEM encoded certificate>. The content of each digital certificate is delimited with a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- pair. All text outside the delimiters is ignored. Therefore, you might want to use undelimited lines for descriptive comments. In the preceding template, the file that is used contains the content of digital certificates for the CAs: OpenSSL, Keon, and Microsoft.

Note  

If you are including a digital certificate that is stored in DER format, you must first convert it to PEM format. For more information, see "Converting between PEM and DER File Formats" on page 410.
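The following POSIX shell script is an added example, not part of the SAS documentation: it assembles a multi-CA trust list in the template layout above, converts one CA certificate from DER to PEM first as the note requires, and checks the result with openssl verify. It assumes that openssl is installed. The CA names are constructed for the example; the two CA certificates are made with the one-step self-signed form "openssl req -x509", which the page does not use, and the DER-to-PEM conversion uses the standard "openssl x509 -inform DER -outform PEM" command.

```shell
#!/bin/sh
# Added example (not SAS or OpenSSL project code): build and check a CA trust list.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is not installed" >&2; exit 0; }
WORK="${SSL_EXAMPLE_DIR:-$(mktemp -d)}"   # scratch directory
cd "$WORK"
printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n' > openssl.cnf

# One-step self-signed CA certificate for each CA that is to be trusted.
self_signed_ca() {   # $1 = output base name, $2 = Common Name (constructed values)
    openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.pem" -subj "/O=Proton Inc/CN=$2" 2>/dev/null
}

# A CA certificate that arrives in DER format must be converted before it is pasted in.
der_to_pem() {       # $1 = DER input file, $2 = PEM output file
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Build the trust list: a descriptive line per CA followed by its PEM block. Text outside
# the BEGIN/END delimiters is ignored by OpenSSL, so the labels do no harm.
make_trust_list() {  # $1 = output file, remaining args = "label=pemfile" pairs
    out="$1"; shift
    : > "$out"
    for pair in "$@"; do
        label="${pair%%=*}"; file="${pair#*=}"
        printf 'Certificate for %s\n' "$label" >> "$out"
        cat "$file" >> "$out"
    done
}

# Number of certificates in the list: one BEGIN line per certificate.
count_certs() {      # $1 = trust list file
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Exit status 0 only if a CA in the list vouches for the certificate.
trusted_by_list() {  # $1 = trust list file, $2 = certificate file
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

self_signed_ca openssl_ca "Proton OpenSSL CA"
self_signed_ca keon_ca "Proton Keon CA"
# Simulate a CA whose certificate was delivered in DER form, then convert it.
openssl x509 -in keon_ca.pem -outform DER -out keon_ca.der
der_to_pem keon_ca.der keon_ca_converted.pem
make_trust_list trustlist.pem "OpenSSL CA=openssl_ca.pem" "Keon CA=keon_ca_converted.pem"
# A CA that is deliberately left out of the list, to show that verification rejects it.
self_signed_ca other_ca "Unrelated CA"
echo "trust list holds $(count_certs trustlist.pem) certificates"
```

Pasting a DER file into the list without converting it is the failure the note warns about: the binary bytes carry no BEGIN/END delimiters, so the certificate is silently skipped and the client trusts one CA fewer than intended. Counting the BEGIN lines after assembling the file is a cheap check that every intended CA actually made it in.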




SAS 9.1 Companion for UNIX Environments
ISBN: 1590472101
Year: 2004
Pages: 185
Authors: SAS Institute