May 10, 2005

Fast Certs

1. What is this all about?

It happens pretty often: you're installing some piece of software for the twentieth
time when you suddenly stop, because you must generate an SSL certificate. So you
spend the next two hours googling for a short description of how to do it...

This document is a collection of descriptions of how to generate certificates for
particular software. I wrote it after checking every example below and finding that
it works (under Slackware). They really work :)

2. OpenSSL

OpenSSL (a cryptography library and tools) installed on your system is a must.
You can install it from a package or from source code. I chose the second
option (which seems more universal), and here is a brief description
of how to do it.

You can get the latest version of OpenSSL (in my case: 0.9.7d) from:

After unzipping and untarring, you configure, build and install it:

./config
make
make install

It takes some time. The default destination for our software is /usr/local/ssl/.
Additionally you have to take a few more steps:

* Create a symbolic link (some software looks for the SSL libraries there):
cd /usr/local/
ln -s ssl openssl

* Add the library directory to the /etc/ file read by the dynamic linker
(and run ldconfig afterwards so that the linker cache is rebuilt):
echo "/usr/local/ssl/lib" >> /etc/

* Optionally, add the path to the OpenSSL binaries to the PATH variable.
It is most often set in the /etc/profile file. The definition of the variable
should look like this:

* To be on the safe side, log out and log in again.

Hmm... that's it. You've just installed the latest version of the OpenSSL library.

3. CA

After installing the OpenSSL library you should become a "Certificate Authority". It means
that you will be able to sign certificate requests (and so create signed SSL certificates),
much as VeriSign does.
So the next step is to generate a CA certificate that will be used for signing the other
certificates (e.g. for Apache, Postfix, stunnel, MySQL and so on).

First of all, locate the CA script. If you installed the library
the way I described (from the source code), it's in the /usr/local/ssl/misc/ directory.
Then edit the script and change the DAYS variable (near the beginning of the script)
from 365 to something much bigger, like 1850. A CA certificate ought to be valid
longer than the certificates signed by it: once the CA certificate expires, every
certificate it issued stops verifying, whatever lifetime you gave it.
After saving the changes you're ready. Just do it:

./ -newca

You can leave the default file name as it is. Choose a good password, and remember it :)
The password will be used to encrypt your CA's private key. Now answer the questions,
and remember that all your answers will be visible as the CA's "properties" (its subject).

If you chose the default values, a demoCA directory was created (/usr/local/ssl/misc/demoCA).
It contains all you need to act as a CA: the cacert.pem file, which is the CA certificate
(the public part you hand out to clients and services), and in the private directory the
encrypted cakey.pem file, the private key that matches it. Guard that key: anyone who
obtains it can issue certificates that all your systems will trust.

Well, you've just become CA. Let's cut to the chase.

4. Postfix + TLS

Create the destination directory and put a copy of your CA certificate there:

mkdir /etc/ssl/postfix
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/postfix/ca.pem

Create the certificate for Postfix (-nodes leaves the private key unencrypted, because a
daemon cannot type a passphrase when it starts):

cd /usr/local/ssl/misc/
/usr/local/ssl/bin/openssl req -new -nodes -keyout key.pem -out newreq.pem
mv key.pem /etc/ssl/postfix/
./ -sign
mv newcert.pem /etc/ssl/postfix/cert.pem

Now clean up a little:

rm newreq.pem
chmod 0600 /etc/ssl/postfix/*

Here are the corresponding changes to Postfix's configuration file (they do nothing
unless TLS is also switched on there, which in the Postfix of that era meant smtpd_use_tls = yes):

smtpd_tls_key_file = /etc/ssl/postfix/key.pem
smtpd_tls_cert_file = /etc/ssl/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/postfix/ca.pem

5. Apache + mod_ssl

Create the destination directory and put a copy of your CA certificate there:

mkdir /etc/ssl/apache
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/apache/ca.pem

Let's create the certificate request that the CA will sign:

cd /usr/local/ssl/misc/
./ -newreq

Now answer all the questions.
Important: in the COMMON NAME field put the FQDN (fully qualified domain name) of the
host, i.e. the name under which your encrypted site will be reached; browsers compare
it with the host name in the URL.
Choose and remember a password for Apache's key.
You don't have to answer any of the 'extra' questions; just hit Enter.
Time to sign our request with the CA certificate. The result is the
certificate for our Apache:

./ -sign
mv newreq.pem /etc/ssl/apache/
mv newcert.pem /etc/ssl/apache/cert.pem

Remove the passphrase from Apache's private key (newreq.pem holds the encrypted key together
with the request; without this step Apache would ask for the passphrase at every start).
The unencrypted key is then protected only by file permissions, hence the chmod:

cd /etc/ssl/apache/
openssl rsa -in newreq.pem -out req.pem
rm newreq.pem
chmod 0600 *

That's it.
Now the relevant lines of Apache's configuration file:

SSLCertificateFile /etc/ssl/apache/cert.pem
SSLCertificateKeyFile /etc/ssl/apache/req.pem
SSLCACertificateFile /etc/ssl/apache/ca.pem

6. Stunnel

Stunnel is a pretty useful piece of software: it can wrap Apache, FTP, MySQL
and so on in SSL. We start with creating the destination directory:

mkdir /etc/ssl/stunnel
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/stunnel/ca.pem

In the directory where we unpacked the source code there is a tools subdirectory,
and in it a stunnel.cnf file:

cp stunnel.cnf /etc/ssl/stunnel/
cd /etc/ssl/stunnel/
openssl req -new -x509 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

We've got what we wanted: stunnel.pem, which holds both the private key and the certificate
(stunnel reads both from one file, which is why -keyout and -out point to the same file).
Note that this certificate is self-signed, not issued by our CA, so clients have to trust
it directly. Let's clean up:

rm stunnel.cnf
rm stunnel.rnd
chmod 0600 *

In the Stunnel configuration file (stunnel.conf) you can now put:

CAfile = /etc/ssl/stunnel/ca.pem
cert = /etc/ssl/stunnel/stunnel.pem
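The procedures of sections 3 to 6 done with plain openssl commands instead of the CA
script, as an added example (not code from the original page): a CA with a long
lifetime, a server certificate issued from it, the self-signed key-plus-certificate
file stunnel wants, and the checks worth running before a file goes under /etc/ssl:
that the certificate really chains to the CA, that the key really belongs to the
certificate, and that the CA outlives what it signs. Everything runs in a scratch
directory; "Fast Certs CA", mail.example.com, ftp.example.com and the lifetimes are
made-up values, and the CA key is left unencrypted (-nodes) only so the script runs
without prompting; for a real CA keep the encrypted key the CA script produces.

```shell
#!/bin/sh
# Added example, not from the original page: sections 3-6 with plain openssl
# commands. Hypothetical values: "Fast Certs CA", mail.example.com, lifetimes.
set -eu

# Minimal config written on the fly so nothing depends on the system openssl.cnf.
# v3_ca is what makes cacert.pem a real CA certificate (basicConstraints CA:TRUE).
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden by -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR DAYS: the equivalent of "-newca", with DAYS raised as in section 3.
# Demo only: -nodes leaves cakey.pem unencrypted; the CA script encrypts it, do that for real.
make_ca() {
    dir=$1; days=$2
    mkdir -p "$dir/private"; chmod 0700 "$dir/private"
    write_cnf "$dir/openssl.cnf"
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/O=Fast Certs/CN=Fast Certs CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 0600 "$dir/private/cakey.pem"
}

# issue_cert CADIR OUTDIR HOST DAYS: "-newreq" plus "-sign" (sections 4 and 5).
# The key is made without a passphrase, so no "openssl rsa" step is needed later.
# The host name goes into subjectAltName; CN alone is not enough for modern clients.
issue_cert() {
    ca=$1; out=$2; host=$3; days=$4
    mkdir -p "$out"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$ca/openssl.cnf" \
        -subj "/CN=$host" -keyout "$out/key.pem" -out "$out/req.pem" 2>/dev/null
    chmod 0600 "$out/key.pem"
    printf '%s\n' '[ v3_server ]' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$host" > "$out/ext.cnf"
    openssl x509 -req -in "$out/req.pem" -days "$days" -sha256 \
        -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" -CAcreateserial \
        -extfile "$out/ext.cnf" -extensions v3_server -out "$out/cert.pem" 2>/dev/null
    rm -f "$out/req.pem" "$out/ext.cnf"
}

# self_signed CADIR FILE HOST DAYS: the stunnel form (section 6): key and self-signed
# certificate appended into one file, not issued by the CA. CADIR only supplies the config.
self_signed() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days "$4" \
        -config "$1/openssl.cnf" -subj "/CN=$3" -keyout "$2" -out "$2" 2>/dev/null
    chmod 0600 "$2"
}

# chain_ok CACERT CERT: was CERT really signed by CACERT and is it inside its validity?
# (old "openssl verify" exits 0 even on failure, so look for the ": OK" line instead)
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert KEY CERT: does the private key belong to the certificate?
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

# valid_for_days CERT N: is CERT still valid N days from now? Run it on the CA
# with the leaf lifetime to confirm the CA outlives what it signs.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Demo in a scratch directory; for real use the files go under /etc/ssl/<service>/.
demo() {
    work=$(mktemp -d)
    make_ca "$work/ca" 1850
    issue_cert "$work/ca" "$work/mail" mail.example.com 365
    self_signed "$work/ca" "$work/stunnel.pem" ftp.example.com 365
    chain_ok "$work/ca/cacert.pem" "$work/mail/cert.pem" && echo "mail cert chains to CA"
    key_matches_cert "$work/mail/key.pem" "$work/mail/cert.pem" && echo "mail key matches cert"
    valid_for_days "$work/ca/cacert.pem" 366 && echo "CA outlives the 365-day cert"
    rm -rf "$work"
}
demo
```

The three check functions are the ones to run whenever a key or certificate is moved
into place: a certificate that does not chain, a key that does not match, or a CA that
expires before its leaves all produce the same symptom (clients refusing to connect) at the
worst possible moment, and each takes one openssl call to rule out.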

7. OpenSSH

If you feel you need new host keys for your OpenSSH server:
mkdir /etc/ssl/ssh

RSA key for SSH protocol version 1 (obsolete and insecure; generate it only if a legacy
client forces you to keep protocol 1 enabled):
ssh-keygen -t rsa1 -f /etc/ssl/ssh/ssh1_rsa.key

RSA key for SSH protocol version 2:
ssh-keygen -t rsa -f /etc/ssl/ssh/ssh2_rsa.key

DSA key for SSH protocol version 2:
ssh-keygen -t dsa -f /etc/ssl/ssh/ssh2_dsa.key

When the program asks for a passphrase, just hit Enter (leave it empty): host keys must be
unencrypted, because sshd has nobody to ask for the passphrase when it starts at boot.
You can also add -N "" to each ssh-keygen command in the examples above.

To point sshd at your new keys, open sshd_config and change:

HostKey /etc/ssl/ssh/ssh1_rsa.key
HostKey /etc/ssl/ssh/ssh2_rsa.key
HostKey /etc/ssl/ssh/ssh2_dsa.key

8. vsftpd

Vsftpd is my favourite FTP server. Version 2 of it can also use encryption:

mkdir /etc/ssl/vsftpd
cd /etc/ssl/vsftpd

Here we go, the main part (a self-signed certificate with the key in the same file, as for stunnel):

openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

And the configuration (vsftpd.conf):


9. MySQL

You can use secure connections to the MySQL server (if this option is compiled into your server):

mkdir /etc/ssl/mysql
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/mysql/ca.pem

Let's do the work:

cd /usr/local/ssl/misc
./ -newreq
./ -sign
openssl rsa -in newreq.pem -out key.pem
rm newreq.pem
mv key.pem /etc/ssl/mysql/key.pem
mv newcert.pem /etc/ssl/mysql/cert.pem

Time for the changes in the configuration file ([mysqld] section):

ssl-ca = /etc/ssl/mysql/ca.pem
ssl-cert = /etc/ssl/mysql/cert.pem
ssl-key = /etc/ssl/mysql/key.pem

In the same way you create certificates for clients and put their paths in the
[mysql] section of the config file. Additionally you have to give your database
users the proper permissions (a GRANT statement ending with REQUIRE SSL);
without that, a client can still connect in the clear.

10. OpenLDAP

As usual, we start by creating the destination directory with a copy of the CA certificate:

mkdir /etc/ssl/ldap
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/ldap/ca.pem

Let's create the certificate:

cd /usr/local/ssl/misc/
/usr/local/ssl/bin/openssl req -new -nodes -keyout key.pem -out newreq.pem
mv key.pem /etc/ssl/ldap/
./ -sign
mv newcert.pem /etc/ssl/ldap/cert.pem

And here is the part of the configuration file (slapd.conf) responsible for the
paths to the certificates:

TLSCACertificateFile /etc/ssl/ldap/ca.pem
TLSCertificateFile /etc/ssl/ldap/cert.pem
TLSCertificateKeyFile /etc/ssl/ldap/key.pem

To make the daemon listen on the "encrypted" port (ldaps) as well, start it like this
(-4 restricts it to IPv4):

/usr/local/libexec/slapd -4 -h "ldap:/// ldaps:///"

11. PostgreSQL

As (almost) always:

mkdir /etc/ssl/psql
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/psql/root.crt

Let's generate the certificates...

cd /usr/local/ssl/misc
./ -newreq
./ -sign
openssl rsa -in newreq.pem -out key.pem
rm newreq.pem
mv key.pem /etc/ssl/psql/server.key
mv newcert.pem /etc/ssl/psql/server.crt

PostgreSQL requires the files above to be in the directory that the $PGDATA
variable points to (default: /usr/local/pgsql/data), under the names we've
used (root.crt, server.crt, server.key).
But we don't want to break our directory structure, so we use
symbolic links:

ln -s /etc/ssl/psql/root.crt /usr/local/pgsql/data/root.crt
ln -s /etc/ssl/psql/server.crt /usr/local/pgsql/data/server.crt
ln -s /etc/ssl/psql/server.key /usr/local/pgsql/data/server.key

BTW: to check what your PGDATA is, just use "echo $PGDATA".
And the rights: you have to know the name of the user your PostgreSQL runs as.
In my case it's pgsql, so that's what I do:

cd /etc/ssl/psql/
chmod 0600 *
chown pgsql *

Instead of "pgsql" use your own user's name. PostgreSQL refuses to start if
server.key is readable by anyone other than that user, which is what the chmod
above takes care of.
Now edit the configuration file (postgresql.conf): make sure there's a line
ssl = true, and in the pg_hba.conf file use the hostssl keyword (in place of
host) for the connections that must be encrypted.

Posted by MoMo at May 10, 2005 11:43 AM
