
Tuesday, September 23, 2014

OpenSSL: create an SSL certificate

What is SSL?


SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser or a mail server and a mail client (e.g., Outlook, Thunderbird).

So, to make our server support SSL, we need to create an SSL certificate for it.

An SSL certificate can be either self-signed or signed by a certificate authority such as OpenCA.

How to create an SSL certificate?

To create a certificate we use a tool called openssl, which is available for all major operating systems.

Then follow these steps:

1. Create a private key using the following command:


openssl genrsa -des3 -out server.key 1024

This will ask for a secure passphrase for our key:

Generating RSA private key, 1024 bit long modulus
.......++++++
..............++++++
unable to write 'random state'
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

A server.key file will be created in the directory.

2. Remove Passphrase from Key

openssl genrsa -out server.key 1024

Running genrsa again without the -des3 option writes server.key without a passphrase, so the key will not prompt for one every time it is used.

3. Create a signing request (Certificate Signing Request):


openssl req -new -key server.key -out server.csr

This asks for the server information:

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:UP
Locality Name (eg, city) []:NOIDA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Open Source
Organizational Unit Name (eg, section) []:JAVA
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:changeit
An optional company name []:localhost

A server.csr file will be created in the directory. This file can be sent to the signing authority, or it can be used to create a self-signed certificate.

4. Create a self-signed certificate:

Create a self-signed certificate using the private key:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This will create a server.crt file in the directory.


5. Add the certificate to the trusted certificates list in Java:

Create a DER format file of the certificate:

openssl x509 -in server.crt -out server.der -outform DER

Add the certificate to the trusted certificates using the Java keytool, which is available in the Java bin directory:

keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file server.der -alias server


This adds our certificate to the Java trusted certificates list, which is necessary for Java-based applications.

6. Configuring SSL Enabled Virtual Hosts

Now edit the virtual host configuration to add the following lines:

SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
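The key, CSR and self-signed certificate steps above, run without interactive prompts and followed by the consistency checks worth doing before the files go into SSLEngine/SSLCertificateFile/SSLCertificateKeyFile. This is an added example, not a command sequence from the original post: it assumes openssl is on PATH and a writable directory is passed in, and it uses a 2048-bit key and a subjectAltName extension, both this example's choices rather than the post's values.

```shell
#!/bin/sh
# Assumption: openssl (1.0.2 or later) is on PATH; all files go into the directory given.
set -u

# 1. Unencrypted RSA key. 2048 bits is this example's choice; the post's 1024 is
#    below current minimum recommendations.
make_key() {
  openssl genrsa -out "$1" 2048 2>/dev/null
}

# 2. CSR with the DN passed via -subj instead of the interactive prompts
#    shown in the post (same values as the post's transcript).
make_csr() {
  openssl req -new -key "$1" -out "$2" \
    -subj "/C=IN/ST=UP/L=NOIDA/O=Open Source/OU=JAVA/CN=localhost" 2>/dev/null
}

# 3. Self-sign the CSR. A subjectAltName is supplied through -extfile because
#    browsers and Java match the host name against the SAN, not the Common Name.
self_sign() {
  printf 'subjectAltName=DNS:localhost\n' > "$3.ext"
  openssl x509 -req -days 365 -in "$2" -signkey "$1" -out "$3" \
    -extfile "$3.ext" 2>/dev/null
  rm -f "$3.ext"
}

# Checks to run before the files reach the virtual host config: the certificate
# verifies against itself, carries the SAN, and its public key belongs to the
# private key we are about to configure (a mismatched pair is a common reason
# the web server refuses to start).
check_pair() {
  openssl verify -CAfile "$2" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q 'DNS:localhost' || return 1
  key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
  crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Full run into directory $1; returns 0 only when every step and check passes.
build_and_check() {
  make_key "$1/server.key" &&
  make_csr "$1/server.key" "$1/server.csr" &&
  self_sign "$1/server.key" "$1/server.csr" "$1/server.crt" &&
  check_pair "$1/server.key" "$1/server.crt"
}

# Stand-alone use: generate into a scratch directory and report the result.
out=$(mktemp -d) && build_and_check "$out" && echo "consistent key/cert pair written to $out"
```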

