Tuesday, 24 January 2012

It's a self signed world - Part 2. The joy of certificates - Part 7

Back in August I wrote a blog post describing how to use makecert to create a self signed CA, and I also said that I would repeat the process using OpenSSL. Well, your prayers have been answered. Since OpenSSL ships with most Linux distros and also works on Windows, it is the ideal tool for the job.

The key point of a self signed certificate is that, well, it is self signed, which means that it is only really good for development or testing: it won't be trusted by external users, particularly when they access a website with a modern web browser. I guess you could also use it for internal services too.

At any rate, I'm running this from CentOS 6.2 using OpenSSL 1.0.0-fips 29 Mar 2010. To check which OpenSSL version you have, just type:
openssl version
These are the steps needed to create a self signed certificate using OpenSSL:
  1. Create the server certificate's private key (you will be prompted for a passphrase to protect it):
    openssl genrsa -des3 -out phpmyadmin.key 1024
  2. Create a Certificate Signing Request. This is what you would normally pass to a CA (e.g. Verisign) for them to generate a signed certificate from. They normally check that you are who you say you are and, after money has changed hands, they issue a certificate containing your public key signed by their CA:
    openssl req -new -key phpmyadmin.key -out phpmyadmin.csr
  3. Remove the passphrase from the key. If you want to be prompted for the passphrase every time Apache starts, then skip to step 4:
    cp phpmyadmin.key phpmyadmin.key.pass
    openssl rsa -in phpmyadmin.key.pass -out phpmyadmin.key
  4. Create the public server certificate, signing the CSR with the private key from step 1 (hence "self signed"):
    openssl x509 -req -days 1000 -in phpmyadmin.csr -signkey phpmyadmin.key -out phpmyadmin.crt
That is it: you now have a private/public key pair that can be used with Apache, see this post for details on how to configure the certificates. Do note that you don't actually have a CA, so these two lines need to be commented out:
#   Server Certificate Chain:
SSLCertificateChainFile /etc/httpd/conf.d/certs/win2k8ca.cer

#   Certificate Authority (CA):
SSLCACertificateFile /etc/httpd/conf.d/certs/win2k8ca.cer
If you want to use this private/public key pair with IIS, then you need to convert it into a PKCS#12 format certificate, which you can do with the following command:
openssl pkcs12 -export -in phpmyadmin.crt -inkey phpmyadmin.key -out phpmyadmin.pfx
Please remember to import the certificate into the server's Trusted Root Certification Authorities store as well as into the Personal store to prevent any problems.
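As an added example (not from the original post), here is the whole procedure, steps 1 to 4 plus the PKCS#12 export for IIS, as a POSIX shell script that runs without any prompts and then checks its own output the way I would before handing the files to a server: that the issuer equals the subject, that the certificate verifies against itself, and that the private key's modulus matches the one in the certificate. The file names, the subject line, the throwaway passphrase changeit and the 2048-bit key size are this example's choices (the post uses 1024); the only thing assumed is that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the four OpenSSL
# steps above unattended and then checks the result. Assumes openssl is on
# the PATH; file names, subject and passphrase are constructed for the example.
set -eu

# Steps 1-4. The -subj argument replaces the interactive prompts of
# "openssl req", and -passout/-passin replace the DES3 passphrase prompt.
make_self_signed() {
    dir="$1"; name="$2"; cn="$3"
    mkdir -p "$dir"
    # 1. private key, passphrase protected (2048 bits is this example's choice)
    openssl genrsa -des3 -passout pass:changeit -out "$dir/$name.key.pass" 2048 2>/dev/null
    # 2. certificate signing request, the thing you would normally send to a CA
    openssl req -new -key "$dir/$name.key.pass" -passin pass:changeit \
        -subj "/C=GB/O=Example Ltd/CN=$cn" -out "$dir/$name.csr" 2>/dev/null
    # 3. strip the passphrase so Apache can start without asking for it,
    #    and keep the unencrypted key readable by its owner only
    openssl rsa -in "$dir/$name.key.pass" -passin pass:changeit -out "$dir/$name.key" 2>/dev/null
    chmod 600 "$dir/$name.key"
    # 4. sign the CSR with its own key: that is what makes it self signed
    openssl x509 -req -days 1000 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Checks: issuer == subject, the cert verifies against itself (there is no
# other CA to verify against), and the key really belongs to the cert.
check_self_signed() {
    dir="$1"; name="$2"
    subject=$(openssl x509 -noout -subject -in "$dir/$name.crt")
    issuer=$(openssl x509 -noout -issuer -in "$dir/$name.crt")
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    openssl verify -CAfile "$dir/$name.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    k=$(openssl rsa -noout -modulus -in "$dir/$name.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$dir/$name.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

# IIS wants PKCS#12: bundle key and cert, then confirm the bundle opens
# with the passphrase it was exported with.
export_pkcs12() {
    dir="$1"; name="$2"
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -passout pass:changeit -out "$dir/$name.pfx"
    openssl pkcs12 -in "$dir/$name.pfx" -passin pass:changeit \
        -passout pass:changeit -noout >/dev/null 2>&1
}

# Usage: sh selfsigned.sh ./certs phpmyadmin phpmyadmin.example.test
if [ $# -eq 3 ]; then
    make_self_signed "$1" "$2" "$3"
    check_self_signed "$1" "$2" && echo "$2.crt is self signed and matches $2.key"
    export_pkcs12 "$1" "$2" && echo "wrote $1/$2.pfx for IIS"
fi
```

The modulus comparison is the check that catches the classic mistake of pairing a freshly generated key with last year's certificate; Apache will refuse to start in that case, but IIS only tells you at import time. The pfx is protected with the same throwaway passphrase here; use a real one when exporting a key you intend to keep.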
