Creating a SSL Certificate of Authority for FreeBSD


The Secure Socket Layer (SSL) protocol was created by Netscape to ensure secure transactions between two nodes (server and client). Not always, but usually it is used for web browsing transactions. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. In short:

  1. A browser requests a secure page (usually https://).
  2. The web server sends its public key with its certificate.
  3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
  4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted HTTP data.
  5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
  6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.
  7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.

If you want to create your own SSL certificates for things such as Apache you need a CA. You can buy an SSL certificate generated by a trusted CA such as Thawte or VeriSign, or you can generate one yourself using OpenSSL. Make sure you have installed OpenSSL (from ports or as a binary package).

In this article we will discuss how to generate our own CA using OpenSSL.

openssl.cnf

On FreeBSD you can edit your OpenSSL config file with

ee /etc/ssl/openssl.cnf

This tutorial uses most of the default FreeBSD openssl.cnf settings. You just need to change the following settings in the file (both are in the [ CA_default ] section):

dir = /usr/local/etc/certkeys
default_days = 3650

/usr/local/etc/certkeys is the directory we will be using in this tutorial (we create it in the next section). The certificates will be valid for 3650 days, which is 10 years. This number is freely configurable; the default is 365 if you don't set it.

Filling out your location and company information is often the most tedious task when generating SSL certificates, so it is best to set as much of it as you can in your openssl.cnf file. The settings where it can be set end in _default, such as:

countryName_default = JP
stateOrProvinceName_default = KY
localityName_default = Kyoto

Setting up the directories

Now that the openssl.cnf file is set up it is time to create the directories where we will keep our CA and the other certificates we will generate, if you have not created them already. Keep them in a directory owned by root with permissions 700 to restrict access.

cd /usr/local/etc/
mkdir certkeys
chmod 700 certkeys

cd certkeys
mkdir certs private newcerts

Create a serial file, which will be used to number the new certificates generated, and an empty index.txt file.

echo 1000 > serial
touch index.txt

Creating the CA

Use the following command to generate the Certificate Authority. The command is shown split with backslashes to fit it onto the page.

cd /usr/local/etc/certkeys
openssl req -new -x509 -days 3650 -extensions v3_ca \
-keyout private/cakey.pem -out cacert.pem \
-config /etc/ssl/openssl.cnf

The output will look similar to this. Fill in your own information as needed. Make SURE you choose a good password for your CA, and that you remember it for as many years as you are generating the CA for. Without the password you will not be able to use it to generate any new certificates. For fields that show the correct default value you can just hit Enter.

Generating a 1024 bit RSA private key
...................++++++
.....................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
State or Province Name (full name) [Kyoto]:
Locality Name (eg, city) [Kyoto]:
Organization Name (eg, company) []: Celestial Being
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: freebsd.xathrya.id
Email Address []: [email protected]

The CA should now be generated. You can double check it by looking at the two files that were created.

more /usr/local/etc/certkeys/cacert.pem
more /usr/local/etc/certkeys/private/cakey.pem

Keep the cakey.pem file and the password safe and you can now use it to generate SSL certificates.
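As an added example that is not the article's own code, the script below puts the whole procedure above into reusable shell functions: the directory layout, the parts of openssl.cnf that matter for issuing the CA certificate, a non-interactive version of the openssl req command, and the double-check. The directory paths, the passphrase file, the minimal config and the demo subject are assumptions; it also uses a 2048-bit RSA key with SHA-256 rather than the 1024-bit default visible in the output shown.

```shell
#!/bin/sh
# Added example (not the article's code): CA layout, minimal config, non-interactive
# CA generation and a sanity check. Paths and the passphrase file are assumptions.
set -eu
# Directory layout from the article: certs/ private/ newcerts/, serial, index.txt
ca_layout() {
    mkdir -p "$1/certs" "$1/private" "$1/newcerts"
    chmod 700 "$1" "$1/private"
    [ -f "$1/serial" ]    || echo 1000 > "$1/serial"
    [ -f "$1/index.txt" ] || : > "$1/index.txt"
}

# Minimal config: v3_ca marks the cert as a CA, as -extensions v3_ca does with
# FreeBSD's default openssl.cnf. The DN section is empty because -subj supplies
# the subject instead of the *_default prompts.
ca_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name   = req_dn
x509_extensions      = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Encrypted private/cakey.pem plus self-signed cacert.pem valid 3650 days. The
# passphrase comes from a 0600 file, never the command line; 2048-bit RSA and
# SHA-256 instead of the 1024-bit default shown in the article's output.
ca_create() {  # args: dir subject passfile
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -sha256 -subj "$2" \
        -passout "file:$3" -keyout "$1/private/cakey.pem" \
        -out "$1/cacert.pem" -config "$1/openssl.cnf" 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
}

# Double-check: cert verifies against itself, carries CA:TRUE, key mode is 600.
ca_check() {
    openssl verify -CAfile "$1/cacert.pem" "$1/cacert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    mode=$(stat -c %a "$1/private/cakey.pem" 2>/dev/null || stat -f %Lp "$1/private/cakey.pem")
    [ "$mode" = 600 ]
}
# Demo in a temp dir; in production use /usr/local/etc/certkeys and a real passphrase.
CA_DIR=$(mktemp -d); printf 'example-passphrase\n' > "$CA_DIR/ca.pass"; chmod 600 "$CA_DIR/ca.pass"
ca_layout "$CA_DIR"; ca_config "$CA_DIR"
ca_create "$CA_DIR" '/C=JP/ST=Kyoto/L=Kyoto/O=Celestial Being/CN=freebsd.xathrya.id' "$CA_DIR/ca.pass"
ca_check "$CA_DIR" && echo "CA ready in $CA_DIR"
```

The [ CA_default ] values (dir, default_days) from the article are only consulted by openssl ca when signing requests later, so this req-only config leaves them out.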


About Author

xathrya

A man who is obsessed with low-level technology.

1 Comment
  1. Bandwidth Management using WebHTB - Xathrya.ID

    […] you have install it, create a certificate. This procedure is similar to creating SSL certificate on FreeBSD. In these commands, we will generate keys for the Certificate Signing Request (CSR). At first […]
