December 5, 2015 | Article
The Secure Sockets Layer (SSL) protocol was created by Netscape to provide secure transactions between two nodes (a server and a client). It is most often, though not exclusively, used for web browsing. The protocol relies on a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. In short:
- A browser requests a secure page (usually https://).
- The web server sends its public key together with its certificate.
- The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid, and that the certificate belongs to the site being contacted.
- The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, along with the encrypted URL it requested and other encrypted HTTP data.
- The web server decrypts the symmetric encryption key using its private key, then uses the symmetric key to decrypt the URL and HTTP data.
- The web server sends back the requested HTML document and HTTP data, encrypted with the symmetric key.
- The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
If you want to create your own SSL certificates for things such as Apache you need a CA. You can buy an SSL certificate generated by a trusted CA such as Thawte or Verisign, or you can generate one yourself using OpenSSL. Make sure you have installed OpenSSL (from ports or as a binary package).
In this article we discuss how to generate our own CA using OpenSSL.
On FreeBSD the OpenSSL config file is /etc/ssl/openssl.cnf (the path passed to -config later in this article); edit it with your editor of choice.
This tutorial uses most of the default FreeBSD openssl.cnf settings. You only need to change the following settings in the file:
    dir = /usr/local/etc/certkeys
    default_days = 3650
/usr/local/etc/certkeys is the directory we will use in this tutorial (we create it in the next section). The certificates will be valid for 3650 days, that is, 10 years. This number is freely configurable; the default is 365 if you don't set it.
Filling out your location and company information is often the most tedious task when generating SSL certificates, so it is best to set as much of it as you can in your openssl.cnf file. The settings where it can be set end in _default, such as:
    countryName_default = JP
    stateOrProvinceName_default = KY
    localityName_default = Kyoto
Setting up the directories
Now that the openssl.cnf file is set up, it is time to create the directories where we will keep our CA and the other certificates we generate, if you have not created them already. Keep them in a dedicated directory (here /usr/local/etc/certkeys) with permissions 700 to restrict access.
    cd /usr/local/etc/
    mkdir certkeys
    chmod 700 certkeys
    cd certkeys
    mkdir certs private newcerts
Create a serial file, which will be used to number the new certificates generated, and an empty index.txt file.
    echo 1000 > serial
    touch index.txt
Creating the CA
Use the following command to generate the Certificate Authority. The command is shown with backslashes to fit it onto the page.
    cd /usr/local/etc/certkeys
    openssl req -new -x509 -days 3650 -extensions v3_ca \
        -keyout private/cakey.pem -out cacert.pem \
        -config /etc/ssl/openssl.cnf
The output will look similar to this. Fill in your own information as needed. Make SURE you choose a good password for your CA, and that you remember it for as many years as you are generating the CA for. Without the password you will not be able to use the CA to generate any new certificates. For fields that already show the correct default value you can just hit enter.
    Generating a 1024 bit RSA private key
    ...................++++++
    .....................++++++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [JP]:
    State or Province Name (full name) [Kyoto]:
    Locality Name (eg, city) [Kyoto]:
    Organization Name (eg, company) : Celestial Being
    Organizational Unit Name (eg, section) :
    Common Name (eg, YOUR name) : freebsd.xathrya.id
    Email Address : [email protected]
The CA should now be generated. You can double-check it by looking at the two files that were created.
    more /usr/local/etc/certkeys/cacert.pem
    more /usr/local/etc/certkeys/private/cakey.pem
Keep the cakey.pem file and the password safe; you can now use the CA to generate SSL certificates.
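As an added example (not code from the original article), the following POSIX shell script performs the same CA generation non-interactively in a temporary directory and then checks the result: the certificate verifies against itself and carries CA:TRUE, the key on disk is encrypted and matches the certificate, and the 700 permissions held. The inline config file, DN, passphrase and rsa:2048 key size are assumptions made for the example; the article's own command reads these from openssl.cnf instead.

```shell
#!/bin/sh
# Added example, not code from the original article: build a throwaway CA the
# way the article does (openssl req -new -x509 -extensions v3_ca), then check it.
# Assumes POSIX sh and an openssl binary on PATH; config, DN and passphrase are constructed.
set -eu

# make_ca DIR PASS: create the directory layout from the article and a CA in it.
make_ca() {
    dir=$1 pass=$2
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
    chmod 700 "$dir" "$dir/private"
    echo 1000 > "$dir/serial"
    : > "$dir/index.txt"
    # Minimal stand-in for openssl.cnf; prompt=no answers the DN prompts from [ req_dn ].
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
C = JP
ST = Kyoto
L = Kyoto
O = Example CA
CN = example-ca.invalid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 \
        -passout "pass:$pass" -config "$dir/ca.cnf" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
}

# check_ca DIR PASS: return 0 only if the CA in DIR is usable and protected.
check_ca() {
    dir=$1 pass=$2
    # Self-signed, inside its validity period, and verifies against itself.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cacert.pem" >/dev/null 2>&1 || return 1
    # The v3_ca section really produced a CA certificate.
    openssl x509 -in "$dir/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    # The private key is passphrase-protected on disk.
    grep -q ENCRYPTED "$dir/private/cakey.pem" || return 1
    # The key on disk is the one the certificate carries (needs the passphrase).
    [ "$(openssl pkey -in "$dir/private/cakey.pem" -passin "pass:$pass" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$dir/cacert.pem" -noout -pubkey)" ] || return 1
    # chmod 700 held: group and others have no access to the key directory.
    [ "$(ls -ld "$dir/private" | cut -c5-10)" = "------" ]
}

tmp=$(mktemp -d) && make_ca "$tmp" 'example-pass' && check_ca "$tmp" 'example-pass' && echo "CA OK in $tmp"
```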