Making SSL/TLS Certificates
The following article describes how to make certificates for Apache, Tomcat, Sendmail and Imap (imapd & ipopd). The certificates produced will probably be usable in other applications, but I know that the certificates are definitely acceptable to the named applications.
Apache+mod_ssl Key and Certificate Signing Request (CSR) Generation
Key and CSR Generation Instructions
First you have to know the Fully Qualified Domain Name (FQDN) of the website for which
you want to request a certificate. When you want to access your website through
https://www.virtualhost.com/
then the FQDN of your website is www.virtualhost.com
Generate the Key with the following command:
$ openssl genrsa -des3 -out www.virtualhost.com.key 1024
This command generates a 1024-bit RSA private key and stores it in the file www.virtualhost.com.key. It will
ask you for a pass phrase: use something secure and remember it. Your certificate will be useless
without the key. If you don't want to protect your key with a pass phrase (only do this if you absolutely trust the server
machine, and you make sure the permissions are carefully set so only you can read the key) you can leave out
the -des3 option above.
Now back up your www.virtualhost.com.key file and make a note of the pass phrase. A good choice is to back up this information onto a floppy or other removable media.
Generate the CSR with the following command:
$ openssl req -new -key www.virtualhost.com.key -out www.virtualhost.com.csr
This command will prompt you for the X.509 attributes of your certificate. Remember to give the name
www.virtualhost.com when prompted for `Common Name (eg, YOUR name)'. Do not enter your personal name
here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your
website (a requirement of the browsers).
Generate a temporary self-signed Certificate
$ openssl x509 -req -days 30 -in www.virtualhost.com.csr \
-signkey www.virtualhost.com.key -out www.virtualhost.com.crt
This command will generate a self-signed certificate in www.virtualhost.com.crt which can be used as a
temporary certificate while you are waiting for a real certificate from Thawte, or whoever. If you plan to use this
as the permanent certificate you should set days to, say, a year (365) or more.
You will now have an RSA Private Key in www.virtualhost.com.key and a Certificate Signing Request in www.virtualhost.com.csr. The file www.virtualhost.com.key is your secret key, and must be installed as per the instructions that come with mod_ssl. The file www.virtualhost.com.csr is your CSR, and the important bit looks something like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
The CSR in www.virtualhost.com.csr is what you now paste into the appropriate online enrolment form for the certificate authority.
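The key, CSR and temporary self-signed certificate steps above, as an added example that is not code from the original article, with the two checks worth running before anything is installed: that the certificate's Common Name is the FQDN, and that the certificate really belongs to the key. It assumes the openssl CLI (1.1.1 or newer, for -addext); the FQDN and organisation are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: the key, CSR and
# temporary self-signed certificate steps for one FQDN, followed by the two
# checks worth running before installing anything. Assumes the openssl CLI
# (1.1.1 or newer, for -addext); FQDN and organisation are constructed.
set -eu

FQDN="www.virtualhost.com"             # constructed host name
WORK="${TMPDIR:-/tmp}/certdemo.$$"

make_key_csr_cert() {
    # $1 = FQDN, $2 = output directory
    fqdn="$1"; dir="$2"
    mkdir -p "$dir"
    # 2048-bit key without a passphrase (the article uses 1024 bits, which
    # browsers and CAs no longer accept); add -des3 to encrypt it.
    openssl genrsa -out "$dir/$fqdn.key" 2048 2>/dev/null
    chmod 400 "$dir/$fqdn.key"         # only the owner may read the key
    # CSR: FQDN as Common Name, and also as subjectAltName, which is what
    # current browsers actually match against.
    openssl req -new -key "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
        -subj "/C=GB/O=Example Ltd/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn"
    # 30-day placeholder, as in the article. Note that x509 -req does not
    # carry the CSR's extensions over unless told to (e.g. with -extfile).
    openssl x509 -req -days 30 -in "$dir/$fqdn.csr" \
        -signkey "$dir/$fqdn.key" -out "$dir/$fqdn.crt" 2>/dev/null
}

cert_cn() {
    # Common Name of the certificate in $1 (must equal the site's FQDN).
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

key_matches_cert() {
    # "match" if key $1 and certificate $2 share an RSA modulus, else "mismatch".
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

make_key_csr_cert "$FQDN" "$WORK"
echo "CN: $(cert_cn "$WORK/$FQDN.crt")"
echo "key/cert: $(key_matches_cert "$WORK/$FQDN.key" "$WORK/$FQDN.crt")"
```

The modulus comparison is the same check to run again when the CA's real certificate arrives, before it replaces the placeholder.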
Installation
The file www.virtualhost.com.crt is your self-signed certificate. You can use it as a temporary certificate while
you are waiting for a real certificate, or permanently if you don't want a real certificate. You install it by
updating the virtual host section of your Apache configuration for www.virtualhost.com as follows:
SSLCertificateFile /path/to/your/www.virtualhost.com.crt
SSLCertificateKeyFile /path/to/your/www.virtualhost.com.key
When you receive your real certificate, you will install it in place of your self-signed certificate at /path/to/your/www.virtualhost.com.crt.
Tomcat/Java Certificate
If you want to run a Java server such as Tomcat you will need to manage
the certificates and keys using the keytool command which is part of the
JRE. I prefer to give each application its own keystore; if you would rather
use the default store (and you have write permission on it) you can omit the
-keystore tomcat.keystore
parameter from the following keytool commands.
First we need to produce our public/private keypair. We will use the RSA
algorithm for compatibility and have a validity of about 10 years:
$ keytool -genkey -keystore tomcat.keystore -keyalg RSA -validity 3650 -alias tomcat
Enter keystore password: changeit
What is your first and last name?
[Unknown]: www.myserver.co.uk
What is the name of your organizational unit?
[Unknown]: WebAdmin
What is the name of your organization?
[Unknown]: Company Ltd
What is the name of your City or Locality?
[Unknown]: Manchester
What is the name of your State or Province?
[Unknown]: Grtr Manchester
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=www.myserver.co.uk, OU=WebAdmin, O=Company Ltd, L=Manchester, ST=Grtr Manchester, C=GB correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password): changeit
Now we need to produce a Certificate Signing Request (CSR) to be sent to
a CA such as Verisign,
Thawte or Syntegra. We will use the RSA algorithm because it seems to be
more widely accepted:
$ keytool -certreq -file tomcat.csr -alias tomcat -keystore tomcat.keystore -keyalg RSA
Enter keystore password: changeit
It is possible, but not necessary, to see the contents of the CSR by using the openssl program:
$ openssl req -in tomcat.csr -text
Using configuration from /etc/ssl/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=GB, ST=Grtr Manchester,
L=Manchester, O=Company Ltd,
OU=WebAdmin, CN=www.myserver.co.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f9:45:31:a9:c4:ab:b0:b5:75:fe:1b:4e:51:54:
01:f6:03:54:5e:85:b1:f3:a2:4f:8c:2c:19:13:07:
78:bb:84:77:51:ce:c4:75:06:b8:ea:b2:f3:45:fb:
69:dd:1f:2d:bb:1c:34:f4:be:72:81:53:6b:9f:d9:
12:c9:45:5d:6d:3e:f7:d0:6e:e1:17:10:36:d2:d3:
f6:0d:9e:da:8d:71:f9:db:ff:c1:15:e8:c7:6a:0b:
99:b5:62:b7:a3:6b:29:a6:26:9c:c5:e8:4f:0b:37:
fc:e4:4d:33:ce:88:2f:69:90:ee:dc:b9:84:72:9b:
f5:fa:e6:8d:c4:08:20:4b:15
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
e8:8a:85:a1:21:9d:eb:fd:0d:82:5a:1e:0d:3c:8b:b5:b3:c2:
0a:19:25:97:fe:f9:1c:29:a4:1c:e4:d2:3b:63:bc:d0:e7:3c:
8b:60:23:6d:31:db:c3:b6:d3:a3:47:ff:9c:ea:91:71:0f:d9:
16:5f:ab:ce:3e:c1:70:87:f5:29:0c:46:44:10:7d:92:6d:ce:
65:78:d5:40:9b:bd:ca:52:6f:1d:21:16:7c:e6:62:f6:74:66:
e6:84:ee:e1:67:b4:f4:41:7f:8e:01:9e:4b:bd:d4:ff:fa:d9:
60:10:7f:a8:a2:79:81:1a:d3:05:3b:e9:99:4f:b0:79:3e:51:
bd:7a
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
The next step is to send the CSR to the CA for them to sign. You will receive a signed certificate and possibly
one or more "root" certificates. If you get root certificates they must be installed in the keystore:
$ keytool -keystore tomcat.keystore -import -file CAroot.der -alias CAroot
Enter keystore password: changeit
Owner: CN=RootCA, OU=CA, O=bigCA
Issuer: CN=RootCA, OU=CA, O=bigCA
Serial number: 4077f561
Valid from: Sat Apr 10 13:53:49 BST 2004 until: Wed Apr 10 14:23:49 BST 2024
Certificate fingerprints:
MD5: 29:03:44:8C:EA:4F:85:FF:96:BB:E9:55:01:BC:AC:A1
SHA1: EC:68:2E:46:8D:5F:63:1F:10:96:CC:EE:86:11:95:A8:4D:B5:DB:5E
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -keystore tomcat.keystore -import -file CAsub.der -alias CAsub
Enter keystore password: changeit
Certificate was added to keystore
Note: if you are using the Java default keystore the root certificates need to be put in the Java root keystore. The location will vary from one JRE to another, but the file will be called cacerts. Use the full path to the file as the value of the keystore parameter.
Finally the signed certificate must be imported into the keystore:
$ keytool -import -keystore tomcat.keystore -file myserver.co.uk.cert -trustcacerts -alias tomcat
Enter keystore password: changeit
Certificate reply was installed in keystore
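The keypair and CSR steps above run non-interactively, as an added example that is not code from the original article: the DN and a subjectAltName are given on the command line, the key is 2048 bits, and the password comes from the environment rather than the "changeit" default shown in the transcript. It assumes keytool (from a JRE or JDK) and the openssl CLI on PATH; the host name, DN and password are constructed, and the script simply stops if keytool is not installed.

```shell
#!/bin/sh
# Added example, not code from the original article: keytool driven from a
# script instead of its prompts. Assumes keytool and openssl on PATH; the
# host name, DN and KEYSTORE_PASS default are constructed for the demo.
set -eu
command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH"; exit 0; }

KS="${TMPDIR:-/tmp}/tomcat-demo.$$.keystore"
: "${KEYSTORE_PASS:=demo-only-password}"   # constructed; never use "changeit"

make_keypair() {
    # $1 = keystore path, $2 = FQDN. RSA keypair stored under alias "tomcat",
    # with the FQDN both as CN and as a subjectAltName (what browsers check).
    keytool -genkeypair -keystore "$1" -storepass "$KEYSTORE_PASS" \
        -keypass "$KEYSTORE_PASS" -alias tomcat -keyalg RSA -keysize 2048 \
        -validity 3650 -ext "san=dns:$2" \
        -dname "CN=$2, OU=WebAdmin, O=Company Ltd, L=Manchester, ST=Grtr Manchester, C=GB" \
        2>/dev/null
    chmod 600 "$1"   # the keystore holds the private key: owner-only access
}

make_csr() {
    # $1 = keystore path, $2 = CSR output file (send this to the CA).
    keytool -certreq -keystore "$1" -storepass "$KEYSTORE_PASS" \
        -alias tomcat -file "$2" 2>/dev/null
}

csr_cn() {
    # Common Name of the CSR in $1, read back with openssl as the article does.
    openssl req -noout -subject -in "$1" | sed 's/.*CN *= *//; s/,.*//'
}

make_keypair "$KS" "www.myserver.co.uk"
make_csr "$KS" "$KS.csr"
echo "CSR for CN=$(csr_cn "$KS.csr") written to $KS.csr"
```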
POP3 certificate
The certificates used by imapd, ipopd and stunnel are essentially the same as those used for Apache. The only
difference is that the key and cert are concatenated into a single file with a .pem extension. If you want a self-signed
cert for your server you can follow the steps below to produce a .pem certificate for the server and a .cer
certificate which can be easily imported into mail clients such as Outlook. Alternatively you can use the steps from the
Apache instructions to get a real cert (don't passphrase-protect the key, since the daemon has to read it unattended) and then
concatenate the key and cert as shown below:
# cd /etc/ssl/private/
# openssl req -newkey rsa:1024 -keyout ipop3d.pem -nodes -x509 \
-days 3650 -out ipop3d.cer
Now you need to answer all of the questions. When finished the key is in the .pem file and the self-signed cert is in
the .cer file. Finally we need to add the cert to the .pem file and protect it from viewing by anybody other than root:
# echo "" >> ipop3d.pem
# cat ipop3d.cer >> ipop3d.pem
# chmod 400 ipop3d.pem
Repeat the process for imapd.pem and stunnel.pem files if required.
Sendmail certificate
Make certificate authority:
# cd /usr/share/ssl
# mkdir demoCA
# cd demoCA
# ln -s . demoCA
# mkdir certs crl newcerts private
# echo "01" > serial
# touch index.txt
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config ../openssl.cnf
Make a new certificate:
# openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem -days 3650 -config ../openssl.cnf
The certificate and private key are now both in the file newreq.pem. Sign the new certificate with the certificate authority:
# openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
# openssl ca -config ../openssl.cnf -days 3650 -policy policy_anything -out newcert.pem -infiles tmp.pem
# rm -f tmp.pem
newcert.pem now contains the signed certificate, while newreq.pem still contains the unsigned certificate and the private key. The relevant files need moving to the sendmail directory:
# cd /etc/mail
Copy cacert.pem, newcert.pem and newreq.pem to /etc/mail, optionally renaming them.
# mkdir certs
# chmod 600 cacert.pem newreq.pem newcert.pem
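The certificate-authority procedure above, as an added example that is not code from the original article: the same demoCA layout, but driven by a minimal config of its own so "openssl ca" runs without prompts, with the issued certificate checked against the CA with "openssl verify". This is also where the "root" certificate handed out alongside a CA-signed certificate in the Tomcat section comes from. It assumes the openssl CLI; the directory, CA name and FQDN are constructed.

```shell
#!/bin/sh
# Added example, not code from the original article: a private CA with its own
# minimal config, signing a server certificate non-interactively with
# "openssl ca" and checking the result with "openssl verify". Assumes the
# openssl CLI; the directory, CA name and FQDN are constructed for the demo.
set -eu

setup_ca() {
    # $1 = CA directory. Same layout the article creates by hand, plus a
    # config that points "openssl ca" at it (instead of ../openssl.cnf).
    dir="$1"
    mkdir -p "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"           # nothing but the CA key lives here
    echo 01 > "$dir/serial"
    : > "$dir/index.txt"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
EOF
    # Self-signed CA certificate. The CA key is left unencrypted only because
    # this is a throw-away demo; keep -des3 (as the article does) for a real CA.
    openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=Demo Root CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650 2>/dev/null
}

sign_server_cert() {
    # $1 = CA directory, $2 = FQDN. Leaves the key in $2.key and the signed
    # certificate in $2.crt; the CA's index.txt records the issued serial.
    dir="$1"; fqdn="$2"
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/ca.cnf" -days 365 \
        -in "$dir/$fqdn.csr" -out "$dir/$fqdn.crt" 2>/dev/null
}

verify_chain() {
    # "ok" if certificate $2 chains to CA certificate $1, otherwise "fail".
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}
```

Usage: `setup_ca /path/to/ca` once, then `sign_server_cert /path/to/ca mail.example.com` per server; cacert.pem is the file clients must trust, and the key in private/ never leaves the CA host.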

