Monday, April 21, 2008

OpenSSL Certificate Authority (CA)

# To Create the CA Private/Public Keys
openssl req -x509 -newkey rsa:1024 -keyout CA/private/cakey.pem -out
CA/cacert.pem -passout pass:capass -config openssl.cnf

# To sign a Certificate Signing Request
openssl ca -in user.csr -out user.crt -notext -passin pass:capass -config openssl.cnf

Generating a CRL

An empty CRL that is signed by the CA can be generated with the command

openssl ca -gencrl -crldays 15 -out crl.pem

If you omit the -crldays option then the default_crl_days value (30 days) specified in openssl.cnf is used.

If you prefer the CRL to be in binary DER format, then this conversion can be achieved with

openssl crl -in crl.pem -outform DER -out cert.crl

The directory /etc/ipsec.d/crls/ contains all CRLs either in binary DER or in base64 PEM format. Irrespective of the file suffix, pluto "automagically" determines the correct format.

Revoking a certificate

A specific host certificate stored in the file host.pem is revoked with the command

openssl ca -revoke host.pem

Next the CRL file must be updated

openssl ca -gencrl -crldays 15 -out crl.pem

The content of the CRL file can be listed with the command

openssl crl -in crl.pem -noout -text

in the case of a base64 CRL, or alternatively for a CRL in DER format

openssl crl -inform DER -in cert.crl -noout -text


How do I generate a certificate request for VeriSign?

Applying for a certificate signed by a recognized certificate authority like VeriSign is a complex bureaucratic process. You’ve got to perform all the requisite paperwork before creating a certificate request.

As in the recipe for creating a self-signed certificate, you’ll have to decide whether or not you want a passphrase on your private key. The recipe below assumes you don’t. You’ll end up with two files: a new private key called mykey.pem and a certificate request called myreq.pem.

openssl req \
-new -newkey rsa:1024 -nodes \
-keyout mykey.pem -out myreq.pem

If you’ve already got a key and would like to use it for generating the request, the syntax is a bit simpler.

openssl req -new -key mykey.pem -out myreq.pem

Similarly, you can also provide subject information on the command line.

openssl req \
-new -newkey rsa:1024 -nodes \
-subj '/CN=www.some-domain-name.com/O=My Dom, Inc./C=US/ST=New York/L=Portland' \
-keyout mykey.pem -out myreq.pem

When dealing with an institution like VeriSign, you need to take special care to make sure that the information you provide during the creation of the certificate request is exactly correct. I know from personal experience that even a difference as trivial as substituting “and” for “&” in the Organization Name will stall the process.

If you’d like, you can double check the signature and information provided in the certificate request.

# verify signature
openssl req -in myreq.pem -noout -verify -key mykey.pem

# check info
openssl req -in myreq.pem -noout -text

Save the key file in a secure location. You’ll need it in order to use the certificate VeriSign sends you. The certificate request will typically be pasted into VeriSign’s online application form.

No comments: