apt-get install opensslNow that you have the OpenSSL packages, you are ready to generate certificates. To do this, we'll need to go through these steps:
1) Create Root Certificate
2) Create Certificate Request
3) Enroll/Sign Certificate
First of all, to be a Certificate Authority, you'll need something that represents you. This comes in the form of a Root Certificate. Think of certification as a hierarchy, and this Root Certificate sits on top of the certificate chain. A root certificate comes in a pair, with a public and private key. Certificates signed by the Root's key (Private Key) can be verified by decrypting it with the Root's public key (Public Key). The "signing" action actually means encryption with a private key. To create this keypair, we'll first browse over to the SSL directory, then invoke the CA.pl script:
cd /etc/ssl/
/usr/lib/ssl/misc/CA.pl -newcaWhen prompted, hit ENTER to create a new Root Certificate. The private key would be stored as /etc/ssl/demoCA/cacert.pem and the public key would be stored as /etc/ssl/demoCA/private/cakey.pem. At this point, your system is considered a Certificate Authority!
Now, to create certificates for others, we'll need to create a certificate request, then sign the request using the Root Certificate's private key and package it into X.509 format. This can be done in two steps. First we'll need to create the certificate request. This request generates a public and a private key:
/usr/lib/ssl/misc/CA.pl -newreqNote that if you're creating a certificate for a Web Server, the Common Name should be either the Web Server's FQDN or IP Address (depending on how you access it). You should have a newreq.pem in the /etc/ssl/ folder. This newreq.pem actually contains your credentials signed with your private key and an attached public key. To view the information in your request, use:
openssl req -in newreq.pem -noout -textNow, to make this certificate valid, you must turn it into a real X.509 certificate. To do this, we'll need to sign it with the CA's private key. This is the command for it:
/usr/lib/ssl/misc/CA.pl -signCANow you should have three files: newreq.pem, newcert.pem and newkey.pem. Your new X.509 formatted certificate signed by the CA is in newcert.pem, and the corresponding private key is in newkey.pem. You can safely delete newreq.pem. To view the X509 certificate, use:
openssl x509 -in newcert.pem -noout -textYou can now use this key in Web Servers or any application you like. To use the certificate generated here in APache2, simply follow along this article.
Now, if you attempt to access the site, you may get a message that says that the certificate is not valid. These are the two most common reasons for that message:
1) The security certificate presented by this website was issued for a different website's address.
2) The certificate is not trusted because the issuer certificate is unknown.
If your CN doesn't match the URL of the Web Server, you will need to regenerate a new certificate. The CN MUST match the IP or domain name of the server (e.g. If you're accessing it through 8.8.8.130, then the CN must be 8.8.8.130. If you are accessing it through syraxius.ath.cx, then the CN must be syraxius.ath.cx).
For the certificate to be trusted, you'll need to add it into the Trusted Root Certification Authorities store. To add the certificate to the store, simply download /etc/ssl/demoCA/cacert.pem into your computer, then rename it to .crt extension. Next, double-click on it and choose Install Certificate:
Next, you'll need to place it in the Trusted Root Certification Authorities container like this:
You should now be able to access your Web Server from Internet Explorer. For Firefox, you'll need to add the same certificate through Tools - Options - Advanced - Encryption - View Certificates - Authorities - Import:
No comments :
Post a Comment