1. What is this all about?
It happens pretty often - you're installing for the twentieth time some kind
of software when suddenly you stop: you must generate SSL certificate. So...
the next two hours you're googling, looking for a short description how to do this...
This document is a collection of descriptions how to generate certificates for a
particular software. I wrote it after checking and find working (under Slackware)
every example below. They really work :)
2. OpenSSL
OpenSSL (a cryptography library and tools) installed on your system is a must.
Well, you can do it from a package or from a source code. I chose the second
option (which seems to be more universal) and here is a brief description
how to do this.
You can get the latest version of OpenSSL (in my case: 0.9.7d) from:
http://www.openssl.org/source/
After unzipping and untarring, you do:
./config
make
make install
It takes some time. The default destination for our software is /usr/local/ssl/.
Additionally you have to make a few more steps:
* Create a symbolic link (some software is looking for SSL libraries in that place):
cd /usr/local/
ln -s ssl openssl
* Update the /etc/ld.so.conf file:
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
* Optionally. To the PATH variable, add a path to the OpenSSL binaries.
It's the most often in the /etc/profile file. The definiton of our variable
should look like this:
PATH="....................:/usr/local/ssl/bin"
* For the sake of peace - logout and login again.
Hmm... that's it. You've just installed the latest version of the OpenSSL library.
3. CA
After installing OpenSSL library you should become "Certificat Authority". It means
that you should be able to sign SSL requests (and create signed SSL certificates)
like for example VeriSign does.
So the next step is to generate CA certificate that will be use for signing other
certificates (f.e. for apache, postfix, stunnel, mysql and so on).
First of all, you should locate CA.sh file. If you had installed the library
the way I described (from the sourcecode) it's in /usr/local/ssl/misc/ directory.
Then you shoud edit the file and change the DAYS variable (in the beginning of the script)
from 365 to something much bigger - like 1850. It's because CA certificate ought to be
valid longer, than the certificates that are signed by it. After saving the changes you're ready.
Just do it:
./CA.sh -newca
You can leave the default file name as it is. Choose a good password. And remember it :)
The password'll be use for encrypting your private CA certificate. Now, answer the questions
and remember, that all your answers will be seen as "CA properities".
If you chose the default values, demoCA directory was created (/usr/local/ssl/misc/demoCA).
It contains all you need to become CA. So, we've got there cacert.pem file, which
is the public CA key and encrypted cakey.pem (in private directory) file that matches it.
Well, you've just become CA. Let's cut to the chase.
4. Postfix + TLS
You have to create destination directory and put there a copy of your CA certificate:
mkdir /etc/ssl/postfix
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/postfix/ca.pem
Create certificate for Postfix:
cd /usr/local/ssl/misc/
/usr/local/ssl/bin/openssl req -new -nodes -keyout key.pem -out newreq.pem
mv key.pem /etc/ssl/postfix/
./CA.sh -sign
mv newcert.pem /etc/ssl/postfix/cert.pem
Now, clean up a little bit:
rm newreq.pem
chmod 0600 /etc/ssl/postfix/*
Here goes Postfix's main.cf file and corresponding changes:
smtpd_tls_key_file = /etc/ssl/postfix/key.pem
smtpd_tls_cert_file = /etc/ssl/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/postfix/ca.pem
5. Apache + mod_ssl
You have to create destination directory and put there a copy of your CA certificate:
mkdir /etc/ssl/apache
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/apache/ca.pem
Let's create "SSL request" that should be signed by CA:
cd /usr/local/ssl/misc/
./CA.sh -newreq
Now, answer all the questions.
Important: in the COMMON NAME field, you should put FQDN
(complete domain name) - f.e. mail.example.com (the root of your encrypted page)
Choose and remeber password for your Apache's certificate.
You don't have to answer any 'extra' questions, just hit "Enter".
It's time for signing our request with CA certificate. As a result
we've got certificate for our Apache:
./CA.sh -sign
mv newreq.pem /etc/ssl/apache/
mv newcert.pem /etc/ssl/apache/cert.pem
Remove the password from Apache's certificate:
cd /etc/ssl/apache/
openssl rsa -in newreq.pem -out req.pem
rm newreq.pem
chmod 0600 *
That's it.
Take a look at Apache's configuration file and proper changes:
SSLCertificateFile /etc/ssl/apache/cert.pem
SSLCertificateKeyFile /etc/ssl/apache/req.pem
SSLCACertificateFile /etc/ssl/apache/ca.pem
6. Stunnel
Stunnel is a pretty useful piece of software. It can be configured to work with Apache,
FTP, MySQL and so on. Well, we start with creating destination directory:
mkdir /etc/ssl/stunnel
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/stunnel/ca.pem
In the directory we unzipped the sourcecode, there's a subdirectory tools.
We can find there stunnel.cnf file.
cp stunnel.cnf /etc/ssl/stunnel/
cd /etc/ssl/stunnel/
openssl req -new -x509 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
We've got what we wanted to have: stunnel.pem. Let's clean up:
rm stunnel.cnf
rm stunnel.rnd
chmod 0600 *
In Stunnel configuration file (stunnel.conf) you can put now:
CAfile = /etc/ssl/stunnel/ca.pem
cert = /etc/ssl/stunnel/stunnel.pem
7. OpenSSH
If you have a feeling you need new keys for your OpenSSH server...
mkdir /etc/ssl/ssh
RSA keys for the first version of OpenSSH:
ssh-keygen -t rsa1 -f /etc/ssl/ssh/ssh1_rsa.key
RSA keys for the second OpenSSH's verion:
ssh-keygen -t rsa -f /etc/ssl/ssh/ssh2_rsa.key
DSA keys for the second version of OpenSSH:
ssh-keygen -t dsa -f /etc/ssl/ssh/ssh2_dsa.key
When the program asks you a question about password, just hit Enter (leave it empty).
You can also add -N "" suffix every time you use ssh-keygen in the examples above.
To change the paths to your key, open sshd_config and correct:
HostKey /etc/ssl/ssh/ssh1_rsa.key
HostKey /etc/ssl/ssh/ssh2_rsa.key
HostKey /etc/ssl/ssh/ssh2_dsa.key
8. vsftpd
Vsftpd is my favourite FTP server. Second version of it can also use encryption:
mkdir /etc/ssl/vsftpd
cd /etc/ssl/vsftpd
Here we go - the main part:
openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem
And configuration (vsftpd.conf):
rsa_cert_file=/etc/ssl/vsftpd/vsftpd.pem
9. MySQL
You can use secure connections to MySQL server (if this option is compiled into your server)
mkdir /etc/ssl/mysql
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/mysql/ca.pem
Let's do the work:
cd /usr/local/ssl/misc
./CA.sh -newreq
./CA.sh -sign
openssl rsa -in newreq.pem -out key.pem
rm newreq.pem
mv key.pem /etc/ssl/mysql/key.pem
mv newcert.pem /etc/ssl/mysql/cert.pem
It's time for changes in the configuration file:
[mysqld]
...................
ssl-ca = /etc/ssl/mysql/ca.pem
ssl-cert = /etc/ssl/mysql/cert.pem
ssl-key = /etc/ssl/mysql/key.pem
In the same way you create certificates for clients and change
[mysql] section of the config file. Additionally you have to give
proper permissions for your users in the database (GRANT command
with REQUIRE SSL in the end).
10. OpenLDAP
As usual: we start with creating destination directory with a copy of CA key:
mkdir /etc/ssl/ldap
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/ldap/ca.pem
Let's create the certificate:
cd /usr/local/ssl/misc/
/usr/local/ssl/bin/openssl req -new -nodes -keyout key.pem -out newreq.pem
mv key.pem /etc/ssl/ldap/
./CA.sh -sign
mv newcert.pem /etc/ssl/ldap/cert.pem
And here goes a part of the configuration file (slapd.conf) responsible for
paths to certificates:
TLSCACertificateFile /etc/ssl/ldap/ca.pem
TLSCertificateFile /etc/ssl/ldap/cert.pem
TLSCertificateKeyFile /etc/ssl/ldap/key.pem
To make the daemon listens on "encrypted" port, we've to start it like this:
/usr/local/libexec/slapd -4 -h "ldap:/// ldaps:///"
11. PostgreSQL
As (almost) always:
mkdir /etc/ssl/psql
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/psql/root.crt
Let's generate the certificates...
cd /usr/local/ssl/misc
./CA.sh -newreq
./CA.sh -sign
openssl rsa -in newreq.pem -out key.pem
rm newreq.pem
mv key.pem /etc/ssl/psql/server.key
mv newcert.pem /etc/ssl/psql/server.crt
Postgresql requires above files to be in the directory
that is equal to $PGDATA variable (default: /usr/local/pgsql/data)
under the names we've created (root.crt server.crt server.key).
But we don't want to destroy our directory structure, so we use
symbolic links:
ln -s /etc/ssl/psql/root.crt /usr/local/pgsql/data/root.crt
ln -s /etc/ssl/psql/server.crt /usr/local/pgsql/data/server.crt
ln -s /etc/ssl/psql/server.key /usr/local/pgsql/data/server.key
BTW: to ensure what is your PGDATA just use: "echo $PGDATA".
And the rights: you've to know the name of the user, your Postgresql works.
In my case it's pgsql, so that's what I do:
cd /etc/ssl/psql/
chmod 0600 *
chown pgsql *
Instead "pgsql" you should use your user's name.
Now: let's edit configuration file (postgresql.conf). You should make
sure there's a line: ssl = true,
and in pg_hba.conf file you should make use of hostssl word
(in the place of host).
This site has some great scripts to automate the process.
Self-Signed IIS SSL Certificates using OpenSSL
This tutorial assumes that you have a Linux box with OpenSSL installed,and that you want to create a self-signed certificate for IIS5.0
1. Set up your CA (you only have to do this once)
ON THE LINUX BOX...
* Create a private key
openssl genrsa -des3 -out CA.key 1024
(You'll need to supply a passphrase. DON'T FORGET THIS!!)
* Set this to read-only for root for security
chmod 400 CA.key
* Create the CA certificate
openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
(Provide appropriate responses to the prompts...for Common Name, you might want to use something like "OurCompany CA")
* Set the certificate to read-only for root for security
chmod 400 CA.crt
2. Obtain a CSR
ON THE IIS BOX...
* Open the Internet Manager
* Select the site for which you want to create a key
* Right-click and choose Properties
* Select the "Directory Security" tab
* Click the "Server Certificate" button
* Follow the prompts to create a CSR
* Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we'll refer to your CSR as "new.csr")
3. Sign the CSR
ON THE LINUX BOX...
* Sign the CSR (all of this on one line)
openssl x509 -req -days 365 -in new.csr -CA CA.crt
-CAkey CA.key -CAcreateserial -out new.crt
* Transfer the new.crt file back to the IIS box
4. Install self-signed certificate
ON THE IIS BOX...
* Open the Internet Manager
* Select the site to install the key
* Right-click and choose properties
* Select the "Directory Security" tab
* Click the "Server Certificate" button
* Specify that you want to complete the pending request
* Select the .crt file that you just transferred
That's it!
Now...here's the updated info, with special thanks to David MacKenzie:David's comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable--thanks! (I found them by google.) There's one subtlety I'd like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn't connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I'm using Windows 2000 SP3 and Exchange 2000 SP3.
1. If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
ON THE IIS BOX...
* Open Internet Explorer
* Tools>Internet Options
* Content tab
* Certificates
* Import
* Next
* Browse
* Files of type: X.509 Certificate (*.cer, *.crt)
* Select CA.crt
* Open
* Next
* Next
* Finish
2. If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
ON THE IIS BOX...
* Open Internet Services Manager
* Right-click on exchange>Default Web Site>Exadmin
* Properties
* Directory Security tab
* Secure communications Edit
* Uncheck Require secure channel (SSL)
* OK
* OK
These allergies are killing me. I want to be able to breath again! HELP!!!!!