SSL Self-signed Certificates
OpenBSD ships with built-in support for OpenSSL and OpenSSH for secure, encrypted end-to-end communication between a local host and a remote host. Following are notes on configuring and using SS# (pronounced S-S-Sharp, that's a pun).
[Last verified with OpenBSD 3.5 June 2004]
[Ref: OpenBSD FAQ | mod_ssl/ssl_faq.html | /var/www/conf/httpd.conf]
SSL communications assume the server has a certificate that vouches for the identity the server claims to have, and that acts as an envelope for the server's public key, with which clients can encrypt communications bound for the server.
Certificates were originally meant to be signed by a third-party authority that helps verify the server is who it says it is, so creating a self-signed certificate requires 3 stages: (a) creating a private signing key, (b) creating a certificate request, and (c) self-signing your certificate request.
We are choosing our file names based on the standard OpenBSD/Apache configuration for SSL files, from /var/www/conf/httpd.conf:
$ grep SSLCertificate /var/www/conf/httpd.conf
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
1. Generate a Signing key
# /usr/sbin/openssl genrsa -out /etc/ssl/private/server.key 4096
The generated key acts as the RSA private key for our 'internal' CA (Certificate Authority).
We can call the key anything we want; the general mod_ssl example uses ca.key, but in the above scenario we will use server.key. Check the mod_ssl documentation for why it may be a better option to use a 1024-bit key instead of 4096.
2. Generate a certificate signing request (CSR)
We now generate a CSR using the server key generated above (output will be PEM formatted).
# /usr/sbin/openssl req -new \
-key /etc/ssl/private/server.key \
-out /etc/ssl/private/server.csr
The above certificate request will prompt you to reply to a number of questions, most of which can be left as the default. You will be asked for the Fully Qualified Domain Name for this host. In my experience this requires the legitimate DNS name that the host will be responding to.
The last prompts of the above command ask for 'extra' attributes.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
For my test configuration (i.e. I don't want to enter the password every time I want to start Apache) I do not enter a 'challenge password.' On a security-conscious system, you probably want to specify a challenge password here and have someone on 24-hour availability in case the server restarts and someone must enter the 'challenge password' before the server starts.
The concept is that you send the above CSR to a trusted third party to sign and record in their system, so users who receive your key can validate with the trusted third party that you are who you say you are. But we don't want no third party saying who we are (for now anyway.)
3. Create a self-signed certificate (X509 structure.)
The output will be PEM formatted. (The documentation discusses a script sign.sh to do this task for you, but I can only find CA.pl and CA.sh with similar 'purpose.')
# /usr/sbin/openssl x509 -req -days 3650 \
-in /etc/ssl/private/server.csr \
-signkey /etc/ssl/private/server.key \
-out /etc/ssl/server.crt
Testing your Keys
You can check the status of your keys from a terminal connection by using the following commands:
# openssl rsa -noout -text -in /etc/ssl/private/server.key
# openssl req -noout -text -in /etc/ssl/private/server.csr
# openssl x509 -noout -text -in /etc/ssl/server.crt
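The three stages and the tests above, as an added example that is not part of the original notes: it builds the key, CSR and certificate in a scratch directory (not /etc/ssl), answers the prompts with -subj, then checks that all three files carry the same public key, that subject and issuer match, and that the key is readable by its owner only. The function names, the scratch paths and www.example.org are assumptions; the demo uses 2048 bits only to run quickly.

```shell
#!/bin/sh
# Added example; function names and scratch paths are assumptions, not from the page.

# make_selfsigned DIR CN [BITS]: stages 1-3 without prompts (-subj supplies the DN).
make_selfsigned() {
    ms_dir=$1; ms_cn=$2; ms_bits=${3:-4096}
    # umask 077 so the private key is created readable by its owner only
    ( umask 077; openssl genrsa -out "$ms_dir/server.key" "$ms_bits" 2>/dev/null ) || return 1
    openssl req -new -key "$ms_dir/server.key" -subj "/CN=$ms_cn" \
        -out "$ms_dir/server.csr" || return 1
    openssl x509 -req -days 3650 -in "$ms_dir/server.csr" \
        -signkey "$ms_dir/server.key" -out "$ms_dir/server.crt" 2>/dev/null
}

# check_triplet KEY CSR CRT: prints "ok" and returns 0 only if the files belong together.
check_triplet() {
    ct_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    ct_csr=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null)
    ct_crt=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null)
    if [ -z "$ct_key" ] || [ "$ct_key" != "$ct_csr" ] || [ "$ct_key" != "$ct_crt" ]; then
        echo "public key mismatch"; return 1
    fi
    # A self-signed certificate names itself as issuer.
    ct_subj=$(openssl x509 -in "$3" -noout -subject | sed 's/^subject= *//')
    ct_iss=$(openssl x509 -in "$3" -noout -issuer | sed 's/^issuer= *//')
    [ "$ct_subj" = "$ct_iss" ] || { echo "subject and issuer differ"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || { echo "key readable by others"; return 1; }
    echo ok
}

# Constructed demo in a scratch directory; 2048 bits only to keep the run short.
demo=$(mktemp -d) || exit 1
make_selfsigned "$demo" www.example.org 2048 &&
    check_triplet "$demo/server.key" "$demo/server.csr" "$demo/server.crt"
rm -rf "$demo"
```

The same check_triplet call works on the /etc/ssl files named in httpd.conf, run as a user who can read the private key.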
Virtual Hosts
Server CRTs for Virtual sites can be generated using the same above process, except you choose a different name for the CSR and CRT. One nice convention is to use the domain name of the site, for example: Certificate Request: /etc/ssl/private/virtualsite.com.csr and Certificate: /etc/ssl/virtualsite.com.crt
Within the Virtual Host configuration you will then need to specify the appropriate SSL Directive.
NameVirtualHost 192.168.101.49:*
<VirtualHost 192.168.101.49:*>
ServerAdmin samt@qsc.com
DocumentRoot /var/www/twig
ServerName virtualsite.com
ErrorLog logs/virtualsite.com-error_log
CustomLog logs/virtualsite.com-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/virtualsite.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
Converting between formats.
[Ref: IE9 Help - Certificate File Formats ]
Because we can't agree on the "one-size-fits-all" file format for the SSL certificates, different applications/services use different formats for certificates. Thus, we need a brief overview of these formats, and hints for converting files between the different formats.
Personal Information Exchange (PKCS #12)
The Personal Information Exchange format (PFX, also called PKCS #12) supports secure storage of certificates, private keys, and all certificates in a certification path.
The PKCS #12 format is the only file format that can be used to export a certificate and its private key.
Cryptographic Message Syntax Standard (PKCS #7)
The PKCS #7 format supports storage of certificates and all certificates in the certification path.
DER-encoded binary X.509
The Distinguished Encoding Rules (DER) format supports storage of a single certificate. This format does not support storage of the private key or certification path.
Base64-encoded X.509
The Base64 format supports storage of a single certificate. This format does not support storage of the private key or certification path.
Converting Certificates
| From / To | Command |
|---|---|
| DER (.crt .cer .der) to PEM | openssl x509 -in input.crt -inform DER -out output.crt -outform PEM |
| PEM to PKCS#12 (.pfx .p12) | openssl pkcs12 -export -in input.pem -inkey key.pem -out output.p12 |
| PEM to PKCS#12 (.pfx .p12). May contain a private key. | openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt |
| PKCS#12 to PEM | openssl pkcs12 -in input.p12 -out output.pem -nodes -clcerts |
| PKCS#12 (.pfx .p12) to PEM. May contain a private key and certificates. | openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes |
Converting KEYS
| From / To | Command |
|---|---|
| DER to PEM | openssl rsa -in input.key -inform DER -out output.key -outform PEM |
| NET to PEM | openssl rsa -in input.key -inform NET -out output.key -outform PEM |
