The Moose and Squirrel Files

October 19, 2008

Creating Self-Signed Certificates with Openssl

Filed under: Certificates — networknerd @ 6:05 am

Once again I find myself in need of a certificate for TLS protection and authentication of data exchanges with a server in the lab. Go straight to openssl, create my own CA and sign my own certificates, right? Absolutely, but I always forget how, and I have never written it down.  Next time I can come back here for the recipe.

Step 1 – Create the CA

Remember that when using CA.pl you can enter a "." to leave a field blank.

C:\OpenSSL\bin>ca.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......................................++++++
.++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: capassword
Verifying - Enter PEM pass phrase: capassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dodgy CA Pty Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Trustmaster
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:capassword
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
d3:3e:29:89:ab:e7:62:3f
Validity
Not Before: Oct 17 21:53:00 2008 GMT
Not After : Oct 17 21:53:00 2011 GMT
Subject:
countryName               = AU
stateOrProvinceName       = Queensland
organizationName          = Dodgy CA Pty Ltd
commonName                = Trustmaster
X509v3 extensions:
X509v3 Subject Key Identifier:
73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9
X509v3 Authority Key Identifier:
keyid:73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9
DirName:/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster
serial:D3:3E:29:89:AB:E7:62:3F

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct 17 21:53:00 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Step 2 – Create Certificate Request

Remember that certificate requests and private keys are written to newreq.pem and newkey.pem, and will be overwritten when you generate the next request. For servers to start automatically the private key generally can't be protected by a passphrase. Use openssl rsa <infile >outfile to write a copy of the key with no passphrase.

C:\OpenSSL\bin>ca.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...........++++++
.......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:ldappassword
Verifying - Enter PEM pass phrase:ldappassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Acme Pty Ltd
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:ldap.acme.com.au
Email Address []:ldapadmin@Acme.com.au

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
Request is in newreq.pem, private key is in newkey.pem

Step 3 – Sign the Certificate with the CA key

C:\OpenSSL\bin>ca.pl -sign
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem: capassword
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
d3:3e:29:89:ab:e7:62:40
Validity
Not Before: Oct 17 22:41:00 2008 GMT
Not After : Oct 17 22:41:00 2009 GMT
Subject:
countryName               = AU
stateOrProvinceName       = Queensland
localityName              = Brisbane
organizationName          =  Acme Pty Ltd
commonName                = ldap.acme.com.au
emailAddress              = ldapadmin@Acme.com.au
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:BA:05:9F:34:5A:95:B5:37:7F:A7:4F:CD:14:76:B8:19:4B:3F:7B
X509v3 Authority Key Identifier:
keyid:73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9

Certificate is to be certified until Oct 17 22:41:00 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

C:\OpenSSL\bin>ren newcert.pem ldap.pem

C:\OpenSSL\bin>ren newkey.pem ldapkey.pem

C:\OpenSSL\bin>openssl rsa <ldapkey.pem >>ldap.pem
Enter pass phrase:ldappassword
writing RSA key

C:\OpenSSL\bin>type ldap.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d3:3e:29:89:ab:e7:62:40
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Queensland, O=Dodgy CA Pty Ltd, CN=Trustmaster
Validity
Not Before: Oct 17 22:41:00 2008 GMT
Not After : Oct 17 22:41:00 2009 GMT
Subject: C=AU, ST=Queensland, L=Brisbane, O= Acme Pty Ltd, CN=ldap.acme.com.au/emailAddress=ldapadmin@Acme.com.au
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:5e:b8:de:dc:ad:87:05:6c:34:75:6e:ff:07:
67:f4:c1:da:f6:ec:dd:4e:57:5b:9e:76:71:3d:b6:
03:cb:2f:88:61:21:c8:ae:15:77:13:e2:86:39:a5:
26:71:f9:df:e4:d4:ee:28:d4:72:5d:0d:11:16:0c:
af:91:47:45:f4:6e:a4:d8:b9:71:0e:28:a7:5c:2f:
bc:25:9f:29:d4:50:c1:a5:18:f1:5d:a2:28:eb:a1:
91:2a:5d:8a:a8:1b:ee:8c:13:9d:dd:3c:fb:5c:60:
48:be:c0:50:35:a9:eb:2e:ae:5a:1f:b1:68:d0:c7:
61:db:bd:25:e3:33:b8:c4:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:BA:05:9F:34:5A:95:B5:37:7F:A7:4F:CD:14:76:B8:19:4B:3F:7B
X509v3 Authority Key Identifier:
keyid:73:FF:5D:2C:A9:CB:54:7B:0D:6B:25:47:7E:89:3C:5B:66:AE:68:D9

Signature Algorithm: sha1WithRSAEncryption
17:33:dc:15:98:46:20:32:62:1d:ed:a0:ce:47:40:b4:0d:c5:
72:d0:14:71:b3:df:46:d8:58:4a:94:e6:fa:44:3a:d5:b5:83:
45:59:db:33:f9:0b:76:f1:a0:8c:9d:03:81:48:ac:6e:59:e0:
86:b5:10:df:e4:17:2e:86:3c:e3:84:0f:1a:b7:24:b3:9c:ea:
80:99:37:29:16:7f:8c:ee:f7:9e:eb:1b:56:12:74:eb:f1:5e:
b8:d9:df:e1:53:a7:3f:20:c9:42:e3:f4:e4:fd:20:b2:7c:8a:
72:c7:8a:8a:bb:1b:8a:08:e7:04:78:1e:64:8f:70:2f:78:e4:
ba:3f
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----

Repeat Steps 2 and 3 as required

Step 4 – Convert Certificate to PKCS12 format for use with Windows (Optional)

After creating a client side certificate for authentication as per steps 2 & 3, we can convert the certificate and its key (newcert.pem and newkey.pem) to PKCS12 format for importing into the Windows certificate store.

C:\OpenSSL\bin>openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out ldapmgr.p12 -name "LDAP Manager Dude"
Loading 'screen' into random state - done
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying – Enter Export Password:
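The whole recipe above (Steps 1 to 4) as a single added example; this is not code from the original post and does not use CA.pl, but runs the equivalent openssl commands directly so the result can be checked unattended. It deliberately departs from the 2008 defaults: 2048-bit keys instead of 1024, SHA-256 instead of SHA-1, a subjectAltName on the server certificate (clients no longer match on CN alone), and an explicit CA:FALSE on the end-entity certificate so a leaked server key can never be used to issue further certificates. The hostname, subject names, file names and passphrases are assumed demo values taken from or modelled on the post, and lab.cnf is a constructed config file.

```shell
#!/bin/sh
# Added example, not code from the original post: CA -> request -> sign ->
# strip passphrase -> PKCS#12 with direct openssl commands instead of CA.pl.
# Subject names, file names and passphrases below are constructed for the demo.
set -eu

SERVER_NAME="ldap.acme.com.au"   # assumed lab hostname (from the post's example)
KEY_PASS="ldappassword"          # demo passphrase on the freshly generated key

# Build a throwaway CA plus one server certificate in directory $1, then
# verify the result. Prints "ok" and returns 0 on success, 1 on any failure.
make_lab_pki() {
    dir="$1"
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        # One config file: an (empty) DN section so 'req' accepts -subj, and the
        # extension sets applied by the CA when signing (not taken from the CSR).
        cat > lab.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
# subject supplied on the command line with -subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
        # Step 1: CA key and self-signed CA certificate (CA:TRUE, keyCertSign).
        # The CA key is left unencrypted only because this is a throwaway lab CA.
        openssl genrsa -out cakey.pem 2048 &&
        openssl req -new -config lab.cnf -key cakey.pem \
            -subj "/C=AU/ST=Queensland/O=Dodgy CA Pty Ltd/CN=Trustmaster" -out ca.csr &&
        openssl x509 -req -in ca.csr -signkey cakey.pem -sha256 -days 1095 \
            -extfile lab.cnf -extensions ca_ext -out cacert.pem &&
        # Step 2: passphrase-protected server key (as CA.pl -newreq makes) and request.
        openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out ldapkey.enc.pem 2048 &&
        openssl req -new -config lab.cnf -key ldapkey.enc.pem -passin "pass:$KEY_PASS" \
            -subj "/C=AU/ST=Queensland/L=Brisbane/O=Acme Pty Ltd/CN=$SERVER_NAME" \
            -out ldap.csr &&
        # Step 3: sign with the CA, then strip the passphrase so the server can
        # start unattended (the post's "openssl rsa <infile >outfile" step).
        openssl x509 -req -in ldap.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
            -sha256 -days 365 -extfile lab.cnf -extensions server_ext -out ldap.pem &&
        openssl rsa -in ldapkey.enc.pem -passin "pass:$KEY_PASS" -out ldapkey.pem &&
        # Step 4 (optional): bundle certificate, key and CA cert as PKCS#12.
        openssl pkcs12 -export -in ldap.pem -inkey ldapkey.pem -certfile cacert.pem \
            -name "LDAP server" -passout pass:exportpw -out ldap.p12 &&
        # Checks worth running before deploying anything:
        openssl verify -CAfile cacert.pem ldap.pem &&                 # chains to our CA
        [ "$(openssl x509 -in ldap.pem -noout -pubkey)" = \
          "$(openssl pkey -in ldapkey.pem -pubout)" ] &&              # key matches cert
        openssl x509 -in ldap.pem -noout -text | grep -q "DNS:$SERVER_NAME" &&  # SAN set
        ! grep -q ENCRYPTED ldapkey.pem &&                            # passphrase gone
        openssl pkcs12 -in ldap.p12 -passin pass:exportpw -nokeys -noout  # bundle parses
    ) >/dev/null 2>&1 || return 1
    echo ok
}

# True when the certificate in $1 carries basicConstraints CA:TRUE. A server or
# client certificate issued by the CA must never pass this check.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone use: LAB_PKI_DIR=/tmp/labpki sh thisscript.sh
if [ -n "${LAB_PKI_DIR:-}" ]; then
    make_lab_pki "$LAB_PKI_DIR"
fi
```

The extensions are attached by the signer from lab.cnf rather than copied from the request, which is the same trust decision CA.pl makes with openssl.cfg: whoever holds the CA key decides whether a certificate may act as a CA, what it may be used for, and which names it covers, regardless of what the requester asked for.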


1 Comment

  1. Great write up, I will be sure to save this in my Diigo account. Have a good evening.

    Comment by Clarence Stampley — June 14, 2010 @ 2:09 pm

