Self-Signed Certificate using OpenSSL

In this section I will describe how to sign your own SSL certificate requests using the OpenSSL toolkit.

If you know what a self-signed certificate is and understand the concept of a certificate authority, great. If not, this should still work but you’ll have no idea what you’ve achieved when it does 🙂

Command transcripts are shown in monospaced type, with the bits you type shown in bold. Bits in italics are comments to explain what's going on and what you should be doing.

Steps:

Install and configure the OpenSSL toolkit

  1. Get OpenSSL (for Windows), and run the installer, accepting the defaults. These instructions assume OpenSSL is installed in C:\OpenSSL.
  2. Add C:\OpenSSL\bin to your system path (Control Panel, System, Advanced, Environment Variables, System Variables) – this isn’t strictly necessary but it makes things a lot easier.
  3. Create a working directory – here, we’ll use c:\ssl as our working folder.
  4. Download this copy of openssl.conf to your working folder. (Note: I have no idea what most of the options in this file mean. I just hacked it around until it worked…)
  5. Set up the directory structure and files required by OpenSSL:
    C:\ssl>md keys
    
    C:\ssl>md requests
    
    C:\ssl>md certs
    
  6. Create the file database.txt– an empty (zero-byte) text file. This can be done using the ‘touch’ command if you have it (it’s a Unix tool not available on Windows by default, but you might have one lying around), or by creating an empty file manually:
    c:\ssl>copy con database.txt
    ^Z
    
    C:\ssl>

    MS-DOS veterans will recognize this particular invocation. We’re copying from CON (the console) to a file called database.txt, and that’s a Control-Z end-of-file character on the first line. This should produce a zero-byte file called c:\ssl\database.txt

  7. Create the serial number file serial.txt. This is a plain ASCII file containing the string “01” on the first line, followed by a newline. Again, we can use a little bit of ancient DOS magic:
    C:\ssl>copy con serial.txt
    01
    ^Z
    
    C:\ssl>

    to achieve the desired effect. (That’s keystrokes zero, one, return, control-Z, return)

Set up a Certificate Authority (CA)

  1. First, we create a 1024-bit private key to use when creating our CA.:
    C:\ssl>openssl genrsa -des3 -out keys/ca.key 1024
    Loading 'screen' into random state - done
    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    ...........++++++
    ..................++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase:  - choose a memorable pass phrase to use for this key
    Verifying password - Enter PEM pass phrase:  - type your pass phrase again for verification

    The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called c:\ssl\keys\ca.key, containing our certificate authority private key.

  2. Next, we create a master certificate based on this key, to use when signing other certificates:
    C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer
    Using configuration from openssl.conf
    Enter PEM pass phrase:  - type your passphrase here.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:IN
    State or Province Name (full name) []:UP
    Locality Name (eg, city) []:GRNOIDA
    Organization Name (eg, company) []:GCET
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your websites domain name) []:xyz@whatever.com
    Email Address []:xyz@whatever.com
    
    C:\ssl>
    

    This will create our CA certificate and store it as c:\ssl\certs\ca.cer

  3. Sign the Certificate Request

    1. Copy the certreq.txt file into c:\ssl\requests
    2. Sign the request
      C:\ssl>openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/iis.cer
      Using configuration from openssl.conf
      Loading 'screen' into random state - done
      Enter PEM pass phrase:
      Check that the request matches the signature
      Signature ok
      The Subjects Distinguished Name is as follows
      commonName            :PRINTABLE:'CommonName'
      organizationalUnitName:PRINTABLE:'OrganisationalUnit'
      organizationName      :PRINTABLE:'GCET'
      localityName          :PRINTABLE:'GRNOIDA'
      stateOrProvinceName   :PRINTABLE:'UP'
      countryName           :PRINTABLE:'IN'
      Certificate is to be certified until Feb  2 01:13:14 2004 GMT (360 days)
      Sign the certificate? [y/n]:y
      
      1 out of 1 certificate requests certified, commit? [y/n]y
      Write out database with 1 new entries
      Data Base Updated
      
      C:\ssl>
      

      Let’s just take a look at those command-line options in a bit more detail:

      • -policy policy_anything – specifies that we’re using the ‘policy_anything’ policy from our openssl.conf file. This is a relaxed policy in which the name, country, etc. in the certificate don’t need to match those used by the certification authority. Use -policy policy_match for a more restrictive CA.
      • -config openssl.conf – specifies we’re reading our configuration from openssl.conf in the current directory.
      • -cert certs/ca.cer – specifies we’re using our CA master certificate to sign the request.
      • -in requests/certreq.txt – the certificate request we’re signing.
      • -keyfile keys/ca.key – the private key for our CA master certificate, which proves we’re allowed to use it.
      • -days 360 – the time until the certficate will expire
      • -out certs/iis.cer – the file in which to place our newly-signed certificate
    3. Convert the signed certificate into x509 format for use with IIS:
      C:\ssl>openssl x509 -in certs/iis.cer -out certs/iisx509.cer
      
      C:\ssl>
      

      This will leave the new certificate in c:\ssl\certs\iisx509.cer signed, sealed and ready to install

    Happy Coding 🙂

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s