May 10, 2005

Fast Certs

1. What is this all about?

It happens pretty often - you're installing for the twentieth time some kind
of software when suddenly you stop: you must generate SSL certificate. So...
the next two hours you're googling, looking for a short description how to do this...

This document is a collection of descriptions how to generate certificates for a
particular software. I wrote it after checking and find working (under Slackware)
every example below. They really work :)

2. OpenSSL

OpenSSL (a cryptography library and tools) installed on your system is a must.
Well, you can do it from a package or from a source code. I chose the second
option (which seems to be more universal) and here is a brief description
how to do this.

You can get the latest version of OpenSSL (in my case: 0.9.7d) from:

After unzipping and untarring, you do:

make install

It takes some time. The default destination for our software is /usr/local/ssl/.
Additionally you have to make a few more steps:

* Create a symbolic link (some software is looking for SSL libraries in that place):
cd /usr/local/
ln -s ssl openssl

* Update the /etc/ file:
echo "/usr/local/ssl/lib" >> /etc/

* Optionally. To the PATH variable, add a path to the OpenSSL binaries.
It's the most often in the /etc/profile file. The definiton of our variable
should look like this:

* For the sake of peace - logout and login again.

Hmm... that's it. You've just installed the latest version of the OpenSSL library.

3. CA

After installing OpenSSL library you should become "Certificat Authority". It means
that you should be able to sign SSL requests (and create signed SSL certificates)
like for example VeriSign does.
So the next step is to generate CA certificate that will be use for signing other
certificates (f.e. for apache, postfix, stunnel, mysql and so on).

First of all, you should locate file. If you had installed the library
the way I described (from the sourcecode) it's in /usr/local/ssl/misc/ directory.
Then you shoud edit the file and change the DAYS variable (in the beginning of the script)
from 365 to something much bigger - like 1850. It's because CA certificate ought to be
valid longer, than the certificates that are signed by it. After saving the changes you're ready.
Just do it:

./ -newca

You can leave the default file name as it is. Choose a good password. And remember it :)
The password'll be use for encrypting your private CA certificate. Now, answer the questions
and remember, that all your answers will be seen as "CA properities".

If you chose the default values, demoCA directory was created (/usr/local/ssl/misc/demoCA).
It contains all you need to become CA. So, we've got there cacert.pem file, which
is the public CA key and encrypted cakey.pem (in private directory) file that matches it.

Well, you've just become CA. Let's cut to the chase.

4. Postfix + TLS

You have to create destination directory and put there a copy of your CA certificate:

mkdir /etc/ssl/postfix
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/postfix/ca.pem

Create certificate for Postfix:

cd /usr/local/ssl/misc/
/usr/local/ssl/bin/openssl req -new -nodes -keyout key.pem -out newreq.pem
mv key.pem /etc/ssl/postfix/
./ -sign
mv newcert.pem /etc/ssl/postfix/cert.pem

Now, clean up a little bit:

rm newreq.pem
chmod 0600 /etc/ssl/postfix/*

Here goes Postfix's file and corresponding changes:

smtpd_tls_key_file = /etc/ssl/postfix/key.pem
smtpd_tls_cert_file = /etc/ssl/postfix/cert.pem
smtpd_tls_CAfile = /etc/ssl/postfix/ca.pem

5. Apache + mod_ssl

You have to create destination directory and put there a copy of your CA certificate:

mkdir /etc/ssl/apache
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/apache/ca.pem

Let's create "SSL request" that should be signed by CA:

cd /usr/local/ssl/misc/
./ -newreq

Now, answer all the questions.
Important: in the COMMON NAME field, you should put FQDN
(complete domain name) - f.e. (the root of your encrypted page)
Choose and remeber password for your Apache's certificate.
You don't have to answer any 'extra' questions, just hit "Enter".
It's time for signing our request with CA certificate. As a result
we've got certificate for our Apache:

./ -sign
mv newreq.pem /etc/ssl/apache/
mv newcert.pem /etc/ssl/apache/cert.pem

Remove the password from Apache's certificate:

cd /etc/ssl/apache/
openssl rsa -in newreq.pem -out req.pem
rm newreq.pem
chmod 0600 *

That's it.
Take a look at Apache's configuration file and proper changes:

SSLCertificateFile /etc/ssl/apache/cert.pem
SSLCertificateKeyFile /etc/ssl/apache/req.pem
SSLCACertificateFile /etc/ssl/apache/ca.pem

6. Stunnel

Stunnel is a pretty useful piece of software. It can be configured to work with Apache,
FTP, MySQL and so on. Well, we start with creating destination directory:

mkdir /etc/ssl/stunnel
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/stunnel/ca.pem

In the directory we unzipped the sourcecode, there's a subdirectory tools.
We can find there stunnel.cnf file.

cp stunnel.cnf /etc/ssl/stunnel/
cd /etc/ssl/stunnel/
openssl req -new -x509 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

We've got what we wanted to have: stunnel.pem. Let's clean up:

rm stunnel.cnf
rm stunnel.rnd
chmod 0600 *

In Stunnel configuration file (stunnel.conf) you can put now:

CAfile = /etc/ssl/stunnel/ca.pem
cert = /etc/ssl/stunnel/stunnel.pem

7. OpenSSH

If you have a feeling you need new keys for your OpenSSH server...
mkdir /etc/ssl/ssh

RSA keys for the first version of OpenSSH:
ssh-keygen -t rsa1 -f /etc/ssl/ssh/ssh1_rsa.key

RSA keys for the second OpenSSH's verion:
ssh-keygen -t rsa -f /etc/ssl/ssh/ssh2_rsa.key

DSA keys for the second version of OpenSSH:
ssh-keygen -t dsa -f /etc/ssl/ssh/ssh2_dsa.key

When the program asks you a question about password, just hit Enter (leave it empty).
You can also add -N "" suffix every time you use ssh-keygen in the examples above.

To change the paths to your key, open sshd_config and correct:

HostKey /etc/ssl/ssh/ssh1_rsa.key
HostKey /etc/ssl/ssh/ssh2_rsa.key
HostKey /etc/ssl/ssh/ssh2_dsa.key

8. vsftpd

Vsftpd is my favourite FTP server. Second version of it can also use encryption:

mkdir /etc/ssl/vsftpd
cd /etc/ssl/vsftpd

Here we go - the main part:

openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

And configuration (vsftpd.conf):


9. MySQL

You can use secure connections to MySQL server (if this option is compiled into your server)

mkdir /etc/ssl/mysql
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/mysql/ca.pem

Let's do the work:

cd /usr/local/ssl/misc
./ -newreq
./ -sign
openssl rsa -in newreq.pem -out key.pem
rm newreq.pem
mv key.pem /etc/ssl/mysql/key.pem
mv newcert.pem /etc/ssl/mysql/cert.pem

It's time for changes in the configuration file:

ssl-ca = /etc/ssl/mysql/ca.pem
ssl-cert = /etc/ssl/mysql/cert.pem
ssl-key = /etc/ssl/mysql/key.pem

In the same way you create certificates for clients and change
[mysql] section of the config file. Additionally you have to give
proper permissions for your users in the database (GRANT command
with REQUIRE SSL in the end).

10. OpenLDAP

As usual: we start with creating destination directory with a copy of CA key:

mkdir /etc/ssl/ldap
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/ldap/ca.pem

Let's create the certificate:

cd /usr/local/ssl/misc/
/usr/local/ssl/bin/openssl req -new -nodes -keyout key.pem -out newreq.pem
mv key.pem /etc/ssl/ldap/
./ -sign
mv newcert.pem /etc/ssl/ldap/cert.pem

And here goes a part of the configuration file (slapd.conf) responsible for
paths to certificates:

TLSCACertificateFile /etc/ssl/ldap/ca.pem
TLSCertificateFile /etc/ssl/ldap/cert.pem
TLSCertificateKeyFile /etc/ssl/ldap/key.pem

To make the daemon listens on "encrypted" port, we've to start it like this:

/usr/local/libexec/slapd -4 -h "ldap:/// ldaps:///"

11. PostgreSQL

As (almost) always:

mkdir /etc/ssl/psql
cp /usr/local/ssl/misc/demoCA/cacert.pem /etc/ssl/psql/root.crt

Let's generate the certificates...

cd /usr/local/ssl/misc
./ -newreq
./ -sign
openssl rsa -in newreq.pem -out key.pem
rm newreq.pem
mv key.pem /etc/ssl/psql/server.key
mv newcert.pem /etc/ssl/psql/server.crt

Postgresql requires above files to be in the directory
that is equal to $PGDATA variable (default: /usr/local/pgsql/data)
under the names we've created (root.crt server.crt server.key).
But we don't want to destroy our directory structure, so we use
symbolic links:

ln -s /etc/ssl/psql/root.crt /usr/local/pgsql/data/root.crt
ln -s /etc/ssl/psql/server.crt /usr/local/pgsql/data/server.crt
ln -s /etc/ssl/psql/server.key /usr/local/pgsql/data/server.key

BTW: to ensure what is your PGDATA just use: "echo $PGDATA".
And the rights: you've to know the name of the user, your Postgresql works.
In my case it's pgsql, so that's what I do:

cd /etc/ssl/psql/
chmod 0600 *
chown pgsql *

Instead "pgsql" you should use your user's name.
Now: let's edit configuration file (postgresql.conf). You should make
sure there's a line: ssl = true,
and in pg_hba.conf file you should make use of hostssl word
(in the place of host).

Posted by MoMo at 11:43 AM | Comments (1)

Scripts for certs

This site has some great scripts to automate the process.

Posted by MoMo at 11:39 AM | Comments (0)

Self-Signed IIS SSL Certificates using OpenSSL

Self-Signed IIS SSL Certificates using OpenSSL

This tutorial assumes that you have a Linux box with OpenSSL installed,and that you want to create a self-signed certificate for IIS5.0

1. Set up your CA (you only have to do this once)
* Create a private key

openssl genrsa -des3 -out CA.key 1024

(You'll need to supply a passphrase. DON'T FORGET THIS!!)

* Set this to read-only for root for security

chmod 400 CA.key

* Create the CA certificate

openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

(Provide appropriate responses to the prompts...for Common Name, you might want to use something like "OurCompany CA")

* Set the certificate to read-only for root for security

chmod 400 CA.crt

2. Obtain a CSR
* Open the Internet Manager
* Select the site for which you want to create a key
* Right-click and choose Properties
* Select the "Directory Security" tab
* Click the "Server Certificate" button
* Follow the prompts to create a CSR
* Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we'll refer to your CSR as "new.csr")

3. Sign the CSR
* Sign the CSR (all of this on one line)

openssl x509 -req -days 365 -in new.csr -CA CA.crt
-CAkey CA.key -CAcreateserial -out new.crt

* Transfer the new.crt file back to the IIS box

4. Install self-signed certificate
* Open the Internet Manager
* Select the site to install the key
* Right-click and choose properties
* Select the "Directory Security" tab
* Click the "Server Certificate" button
* Specify that you want to complete the pending request
* Select the .crt file that you just transferred

That's it!'s the updated info, with special thanks to David MacKenzie:David's comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable--thanks! (I found them by google.) There's one subtlety I'd like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn't connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I'm using Windows 2000 SP3 and Exchange 2000 SP3.

1. If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
* Open Internet Explorer
* Tools>Internet Options
* Content tab
* Certificates
* Import
* Next
* Browse
* Files of type: X.509 Certificate (*.cer, *.crt)
* Select CA.crt
* Open
* Next
* Next
* Finish
2. If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
* Open Internet Services Manager
* Right-click on exchange>Default Web Site>Exadmin
* Properties
* Directory Security tab
* Secure communications Edit
* Uncheck Require secure channel (SSL)
* OK
* OK

Posted by MoMo at 11:32 AM | Comments (3)


These allergies are killing me. I want to be able to breath again! HELP!!!!!

Posted by MoMo at 10:22 AM | Comments (0)