
Wrangling Certificates

Become your own Certificate Authority (CA)
Below are the steps I've successfully done by my own hand to learn how to create and sign your own certificate requests. Make no mistake, these certificates are good only for personal use or for use in your intranet, in order to provide a secure way to log in to or communicate with your services so that passwords or other data are not transmitted in the clear. No one else will or should trust these certificates.

References: The OpenSSL Documentation, The SSL Certificates HOWTO

Prerequisites

The package openssl should be installed in the machine you will use to manage your certificates or create the certificate requests.

First things first…

The openssl package comes with some scripts that can help you create your server certificates fast, but here I will describe how to set things up from scratch in a new directory, so that you can customize things later if you like or delete everything without touching openssl’s or the system’s default files. This article is based on a RHEL 9.0 installation, but will do for all distributions.

Creating the necessary directories

First of all we will create a directory tree where all certificate stuff will be kept. If I am setting up certs for Apache, I create the directory /usr/local/apache2/conf/pki_vault. So, logged in as root, we create our own directories:

# cd /usr/local/apache2/conf/
# mkdir -m 0755 pki_vault

And then we create our CA’s directory tree:

# cd pki_vault/
# mkdir -m 0755 myCA/
# mkdir -m 0755 myCA/private/
# mkdir -m 0755 myCA/certs/
# mkdir -m 0755 myCA/newcerts/
# mkdir -m 0755 myCA/crl/

  • myCA is our Certificate Authority’s directory.
  • myCA/certs directory is where our server certificates will be placed.
  • myCA/newcerts directory is where openssl puts the created certificates in PEM (unencrypted) format and in the form cert_serial_number.pem (eg 07.pem). Openssl needs this directory, so we create it.
  • myCA/crl is where our certificate revocation list is placed.
  • myCA/private is the directory where our private keys are placed. Be sure that you set restrictive permissions to all your private keys so that they can be read only by root, or the user with whose privileges a server runs. If anyone steals your private keys, then things get really bad really quick.

Initial openssl configuration

We are going to copy the default openssl configuration file (openssl.cnf) to our CA's directory. In RHEL, this file exists in /etc/pki/tls. If you have installed OpenSSL in a particular place, as I have, you may have a duplicate copy that is updated and configured for your install of the service. To find every copy:

# find / -name openssl.cnf

It returned this listing:

/home/INSTALL/openssl-0.9.8i/apps/openssl.cnf
/etc/pki/tls/openssl.cnf
/usr/local/ssl/openssl.cnf

Then I performed an ls -la on each to determine the most recent one, and copied that to our CA's dir under the name openssl.my.cnf. (As root user):

# cp /usr/local/ssl/openssl.cnf /usr/local/apache2/conf/pki_vault/myCA/openssl.my.cnf

This file does not need to be world readable, so we change its attributes:

# chmod 0600 /usr/local/apache2/conf/pki_vault/myCA/openssl.my.cnf

We also need to create two other files. The first serves as a database for openssl, in which it records every certificate it issues or revokes:

# touch /usr/local/apache2/conf/pki_vault/myCA/index.txt

The following file contains the next certificate's serial number. Since we have not created any certificates yet, we set it to "01":

# echo '01' > /usr/local/apache2/conf/pki_vault/myCA/serial

Things to remember

Public Key Cryptography Standards (PKCS) are published by RSA Security.

Here is a small legend of the file extensions we will use for the created files, and their meaning. All files that will be created will have one of these extensions:

  • KEY - Private key (Restrictive permissions should be set on this)
  • CSR - Certificate Request (This will be signed by our CA in order to create the server certificates. Afterwards it is not needed and can be deleted)
    You can check your CSR validity online here
  • CRT - Certificate (This can be publicly distributed)
  • PEM - We will use this extension for files that contain both the Key and the server Certificate (Some servers need this). Permissions should be restrictive on these files. A PEM file that holds only the certificate (public key) can be given to third parties so they can trust and connect to your protected server(s).
  • CRL - Certificate Revocation List (This can be publicly distributed)

The openssl subcommands referred to in this document:

ca = CA management
crl = CRL management
dgst = Message digest calculation
dsa = DSA data management
enc = Encoding with ciphers
gendsa = Generation of DSA parameters
genrsa = Generation of RSA parameters
rsa = RSA data management
verify = X.509 certificate verification
x509 = X.509 certificate data management

Create the CA Certificate and create the RSA private Key for your CA

Now that all initial configuration is done, we may create a self-signed certificate that will be used as our CA's certificate. In other words, we will use this to sign other certificate requests.

Change to our CA's directory. This is where we should issue all the openssl commands, because this is where our openssl configuration file (openssl.my.cnf) lives. As root:

# cd /usr/local/apache2/conf/pki_vault/myCA/

Next, create your CA's certificate and private key. As root:

Argument breakdown:

req = perform a certificate request operation (X.509 Certificate Signing Request (CSR) management)
-config openssl.my.cnf = use our own configuration file
-new = create a new certificate request
-x509 = output a self-signed certificate instead of a certificate request
-extensions v3_ca = apply the v3_ca extensions section of the config file, which marks the certificate as a CA
-keyout = the file to write the RSA private key to
-out = the file to write the certificate to

Extended settings:
default_days is set to 365 in openssl.cnf; the -days flag below overrides it.

Create a self-signed CA Certificate (X509 structure) with the RSA key of the CA with the next command:

openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout /usr/local/apache2/conf/pki_vault/myCA/private/myca.key -out /usr/local/apache2/conf/pki_vault/myCA/certs/myca.crt -days 1825

Then you will need to provide some info about your CA. Fill in whatever you like. Here is an example:
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Pennsylvania]:Pennsylvania
Locality Name (eg, city) [Philadelphia]:Chester
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Certificate Authority
Common Name (eg, your name or your server’s hostname) []:server.example.com
Email Address []:whatever@server.example.com

At this point your certificate is a DER-encoded X.509 structure, written out base64-encoded in PEM format.

This creates a self-signed certificate with the default CA extensions which is valid for 5 years. You will be prompted for a passphrase for your CA’s private key. Be sure that you set a strong passphrase.

You’ll first need to decide whether or not you want to encrypt your key. Doing so means that the key is protected by a passphrase.

On the plus side, adding a passphrase to a key makes it more secure, so the key is less likely to be useful to someone who steals it. The downside, however, is that you’ll have to either store the passphrase in a file or type it manually every time you want to start your web or ldap server.

=================================================
I need to supply more RESEARCH HERE on pros and vulnerabilities of password protected private key files.

If you create the key with the -nodes option, then it is not password protected.

I have found that the -passin option specifies the password for a command.

=================================================

Two files are created:

* certs/myca.crt - This is your CA’s certificate and can be publicly available and of course world readable.

* private/myca.key - This is your CA's private key. Although it is protected with a passphrase, it does not need to be world readable; we restrict access to it so that only root can read it:

# chmod 0400 /usr/local/apache2/conf/pki_vault/myCA/private/myca.key

More openssl configuration (mandatory)

Because we use a custom directory for our certificates’ management, some modifications to /usr/local/apache2/conf/pki_vault/myCA/openssl.my.cnf are necessary. Open it in your favorite text editor as root and find the following part (around line 35):

You should modify the following settings in order to conform to our custom directory and our custom CA key and certificate:

# vi /usr/local/apache2/conf/pki_vault/myCA/openssl.my.cnf

[ CA_default ]
# Where everything is kept
dir     =  /usr/local/apache2/conf/pki_vault/myCA/  # < --CHANGE THIS
...
# The CA certificate
certificate = $dir/certs/myca.crt # < --CHANGE THIS

# The private key
private_key = $dir/private/myca.key # < --CHANGE THIS

Create a Server certificate

Further openssl.my.cnf file’s customization is possible, so that we define our policy for certificate creation and signing or define our desired extensions for the new certificates. I may add this info to a future version of this document. It’s easy though, just try to familiarize yourself with the openssl.cnf’s structure and you’ll figure it out.

Anyway, the certificates we are going to create, without customizing openssl.my.cnf any further, are general purpose certificates, and their usage is not restricted to server authentication only. One thing that you should take note of is that the private keys will not be protected by a passphrase, so that when the services are restarted they do not ask for one. This means that you should set restrictive permissions on the private keys (chmod 0400) so that only root, or the user under whose privileges a server runs, can read these files.
———————————————————————————

Generate a Certificate Signing Request (CSR) using the server RSA private key

First, we change to our CA’s directory:

cd /usr/local/apache2/conf/pki_vault/myCA/

Next we’ll create the certificate request and server.key file :

openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365

The -nodes flag above is needed so that the private key is not protected with a passphrase. If you do not intend to use the certificate for server authentication, you should not include it in the above command.

You can customize the number of days you want this certificate to be valid for.

You will be prompted for the certificate’s info. Here is an example:

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Pennsylvania]:Pennsylvania
Locality Name (eg, city) [Philadelphia]:Chester
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Certificate Authority

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "Common Name":
Common Name (eg, your name or your server’s hostname) []:server.example.com
Email Address []:whatever@server.example.com

The Common Name (CN) is the info that uniquely distinguishes your service, so be sure that you type it correctly.
When prompted for some extra attributes (challenge password, optional company name) just hit the [Enter] key.

Two files are created:

  • server.csr - this is the certificate request.
  • private/server.key - this is the private key, which is not protected with a passphrase.

Set restrictive permissions on the private key. Only root or the user that is used to run the server should be able to read it. For example:

chown root:root /usr/local/apache2/conf/pki_vault/myCA/private/server.key
chmod 0400 /usr/local/apache2/conf/pki_vault/myCA/private/server.key

You can also check your CSR validity online here

Congrats! You have generated a certificate request!
———————————————————————————

Sign a certificate request

Now we are going to sign the certificate request and generate the server’s certificate.

First, we change to our CA’s directory:

cd /usr/local/apache2/conf/pki_vault/myCA/

Then we sign the certificate request:

openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

You will need to supply the CA's private key passphrase in order to sign the request. You can check the openssl.my.cnf file for what policy_anything means. In short, the Country, State and City fields are not required to match those of your CA's certificate.

After all this is done two new files are created:

  • certs/server.crt - this is the server’s certificate, which can be made available publicly.
  • newcerts/01.pem - This is exactly the same certificate, but with the certificate’s serial number as a filename. It is not needed.

You can now delete the certificate request (server.csr). It’s no longer needed:

rm -f /usr/local/apache2/conf/pki_vault/myCA/server.csr

Congrats, there ya go: you have signed a cert request!
———————————————————————————-

Verify the certificate

You can see the certificate's info with the following:

openssl x509 -subject -issuer -enddate -noout -in /usr/local/apache2/conf/pki_vault/myCA/certs/server.crt

Or the following:

openssl x509 -in certs/server.crt -noout -text

And verify that the certificate is valid for server authentication with the following:

openssl verify -purpose sslserver -CAfile /usr/local/apache2/conf/pki_vault/myCA/certs/myca.crt /usr/local/apache2/conf/pki_vault/myCA/certs/server.crt

Congrats, there ya go: you have successfully verified your newly created cert!
———————————————————————————-

Server certificate and key in one file

Some servers, for example vsftpd, require that both the private key and the certificate exist in the same file. In a situation like that just do the following:

cat /usr/local/apache2/conf/pki_vault/myCA/certs/server.crt /usr/local/apache2/conf/pki_vault/myCA/private/server.key > /usr/local/apache2/conf/pki_vault/myCA/private/server-key-cert.pem

You should restrict access to the finalized combined PEM file and, for ultimate security, delete server.crt and server.key since they are no longer needed in this instance:

chown root:root /usr/local/apache2/conf/pki_vault/myCA/private/server-key-cert.pem
chmod 0400 /usr/local/apache2/conf/pki_vault/myCA/private/server-key-cert.pem
rm -f certs/server.crt
rm -f private/server.key

There ya go: how to combine your cert and key in one PEM file.
————————————————————————————-

Revoke a Server Certificate

If you do not want a certificate to be valid any more, you have to revoke it. This is done with the command:

openssl ca -config openssl.my.cnf -revoke certs/server.crt

Then you should generate a new CRL (Certificate Revocation List):

openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl

The CRL file is crl/myca.crl.
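The steps above (directory tree, openssl.my.cnf, CA certificate, server CSR, signing with openssl ca, verification, revocation and CRL) condensed into one non-interactive script, as an added example that is not part of the original article. It assumes a scratch directory passed as $1 instead of /usr/local/apache2/conf/pki_vault/myCA, creates the CA key with -nodes only so it can run unattended, and adds a key/certificate match check (pki_key_matches) that the article does not have; the CRL check makes pki_verify fail once the certificate is revoked.

```shell
set -eu

pki_setup() {   # directory tree, index.txt, serial, minimal openssl.my.cnf, CA certificate
  dir=$1; mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts" "$dir/crl"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"
  cat > "$dir/openssl.my.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/certs/myca.crt
private_key = \$dir/private/myca.key
default_md = sha256
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # -nodes only so the demo runs unattended; the article protects the CA key with a passphrase
  openssl req -config "$dir/openssl.my.cnf" -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca \
    -subj "/CN=Demo CA" -days 1825 -keyout "$dir/private/myca.key" -out "$dir/certs/myca.crt" 2>/dev/null
  chmod 0400 "$dir/private/myca.key"
}
pki_issue() {   # passphrase-less key + CSR for server name $2, then sign the CSR with openssl ca
  dir=$1
  openssl req -config "$dir/openssl.my.cnf" -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$dir/private/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl ca -config "$dir/openssl.my.cnf" -batch -policy policy_anything -days 365 \
    -out "$dir/certs/server.crt" -infiles "$dir/server.csr" 2>/dev/null
  chmod 0400 "$dir/private/server.key"; rm -f "$dir/server.csr"   # CSR is no longer needed
}
pki_verify() {  # succeeds only if server.crt chains to myca.crt, suits a TLS server and is not revoked
  dir=$1; crl=""
  [ -f "$dir/crl/myca.crl" ] && crl="-crl_check -CRLfile $dir/crl/myca.crl"
  openssl verify -purpose sslserver -CAfile "$dir/certs/myca.crt" $crl "$dir/certs/server.crt" >/dev/null 2>&1
}
pki_key_matches() {  # succeeds only if server.key is the private half of the public key in server.crt
  dir=$1
  a=$(openssl x509 -in "$dir/certs/server.crt" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -in "$dir/private/server.key" -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}
pki_revoke() {  # mark server.crt revoked in index.txt and publish a fresh CRL
  dir=$1
  openssl ca -config "$dir/openssl.my.cnf" -revoke "$dir/certs/server.crt" 2>/dev/null
  openssl ca -config "$dir/openssl.my.cnf" -gencrl -crldays 30 -out "$dir/crl/myca.crl" 2>/dev/null
}
```

Run it as `D=$(mktemp -d); pki_setup "$D"; pki_issue "$D" server.example.com; pki_verify "$D" && echo valid`; after `pki_revoke "$D"` the same verify call fails because the CRL now lists the certificate.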

————————————————————————————–

Distribute your certificates and CRL

Your CA's certificate and your servers' certificates should be distributed to those who trust you, so they can import them in their client software (web browsers, ftp clients, email clients etc). The CRL should also be published so that people know which certificates have been revoked ('blacklisted', in a sense). Remember, CRL means Certificate Revocation List.

Also try this. To create an RSA public and private key pair, use the following command:

$ openssl genrsa -out keyfilenamehere.pem 1024

This command creates a 1024-bit key pair and stores it in the file named by -out (here keyfilenamehere.pem). The bits parameter (e.g. 1024) is optional. The default key size is 512 bits.

keytool (a part of the Java install) is a great command to have knowledge of. Make sure there is only one keytool.exe on your computer.

keytool -import -file <filename.cer>
keytool -list -verbose -keystore <targetedkeystore>

Running programs can access the values of environment variables for configuration purposes. Sometimes you can ADD a path in environment variables to shorthand your configs, or to allow the runtime to access certain includes.

To view or change environment variables:
1. Right-click My Computer, and then click Properties.
2. Click the Advanced tab.
3. Click Environment variables.
4. Click one the following options, for either a user or a system variable:
• Click New to add a new variable name and value.
• Click an existing variable, and then click Edit to change its name or value.
• Click an existing variable, and then click Delete to remove it.
5. If you want to add another path to an existing variable, simply append the path-list separator (; on Windows, : on Unix-like systems) and the value of the new path to the existing variable.

If you need more help with any of the certificate creation steps, look on the OpenSSL (http://www.openssl.org) web site.

Lastly establish a restore point by making Backups of modified keystores.

————————————————————————————–

Installing your Cert on Apache

Now we need to add the following lines to httpd.conf. Here's a written example of the capabilities: http://www.apache-ssl.org/httpd.conf.example

Here's what I put in:

DocumentRoot /home/www/public_html/
ServerName yavin.widener.edu

allow from all
Options +Indexes

SSLCertificateFile /usr/local/apache2/conf/pki_vault/myCA/certs/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/pki_vault/myCA/private/server.key
SSLEngine on

I suppose it is optional; you could instead use an include by removing the # that comments out this line:

Include conf/extra/httpd-vhosts.conf

Now we need to remove the default virtual host setup from:

/usr/local/apache2/conf/pki_vault/myCA/openssl.my.cnf
/usr/local/apache2/conf/extra/httpd-ssl.conf

I appended virtualhost with the following:

  • ErrorLog “/usr/local/apache2/logs/error_log”
  • TransferLog “/usr/local/apache2/logs/access_log”
  • SSLCertificateFile “/usr/local/apache2/conf/pki_vault/myCA/certs/server.crt”
  • SSLCACertificatePath “/usr/local/apache2/conf/pki_vault/myCA/private/server-key-cert.pem”

/usr/local/apache2/conf/extra/httpd-vhosts.conf

Here's a reference for vhosts.


