
Installing and Configuring SSL under UNIX

Setting Up Digital Certificates for SSL under UNIX

Perform the following tasks to set up and use SSL:


Step 1. Download and Build SSL

If you want to use OpenSSL as your trusted Certification Authority (CA), follow the instructions for downloading and building OpenSSL that are given at www.openssl.org/source. For complete documentation about the OpenSSL utility, visit www.openssl.org/docs/apps/openssl.html.

The following sites provide information about alternative CAs:


Step 2. Create a Digital Certificate Request

The tasks that you perform to request a digital certificate for the CA, the server, and the client are similar; however, the values that you specify are different.

In this example, Proton, Inc. is the organization that is applying to become a CA by using OpenSSL. After Proton, Inc. becomes a CA, it can serve as a CA for issuing digital certificates to clients (users) and servers on its network.

Perform the following tasks:

  1. Select the apps subdirectory of the directory where OpenSSL was built.

  2. Initialize OpenSSL.

    $ openssl

  3. Issue the appropriate command to request a digital certificate.

    OpenSSL Commands for Requesting a Digital Certificate

    Request Certificate for   OpenSSL Command
    CA                        req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes
    Server                    req -config ./openssl.cnf -new -out server.req -keyout serverkey.pem
    Client                    req -config ./openssl.cnf -new -out client.req -keyout clientkey.pem

    Arguments and Values Used in OpenSSL Commands

    OpenSSL Arguments and Values   Function
    req                            Requests a certificate
    -config ./openssl.cnf          Specifies the storage location for the configuration details for the OpenSSL program
    -new                           Identifies the request as new
    -out sas.req                   Specifies the storage location for the certificate request
    -keyout saskey.pem             Specifies the storage location for the private key
    -nodes                         Prevents the private key from being encrypted

  4. Informational messages are displayed and prompts for additional information appear according to the specific request.

    To accept a default value, press the ENTER key. To change a default value, type the appropriate information and press the ENTER key.

    Note:   Unless the -nodes option is used in the OpenSSL command when creating a digital certificate request, OpenSSL encrypts the private key and prompts you for a password before allowing access to it.

    The following is an example of a request for a digital certificate:

    OpenSSL> req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes
    Using configuration from ./openssl.cnf
    Generating a 1024 bit RSA private key
    ............................++++++
    ..........................................++++++
    writing new private key to 'saskey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [North Carolina]:
    Locality Name (city) [Cary]:
    Organization Name (company) [Proton Inc.]:
    Organizational Unit Name (department) [IDB]:
    Common Name (YOUR name) []: proton.com
    Email Address []:Joe.Bass@proton.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    OpenSSL>

The request for a digital certificate is complete.

Note:   For the server, the Common Name must be the name of the computer that the server runs on; for example, apex.serv.com.


Step 3. Generate a Digital Certificate from the Request

Perform the following tasks to generate a digital certificate for a CA, a server, and a client.

  1. Issue the appropriate command to generate a digital certificate from the digital certificate request.

    OpenSSL Commands for Generating Digital Certificates under UNIX

    Generate Certificate for   OpenSSL Command
    CA                         x509 -req -in sas.req -signkey saskey.pem -out sas.pem
    Server                     ca -config ./openssl.cnf -in server.req -out server.pem
    Client                     ca -config ./openssl.cnf -in client.req -out client.pem

    Arguments and Values Used in OpenSSL Commands under UNIX

    OpenSSL Arguments and Values   Function
    x509                           Identifies the certificate display and signing utility
    -req                           Specifies that the input is a certificate request and that a certificate be generated from it
    ca                             Identifies the Certification Authority utility
    -config ./openssl.cnf          Specifies the storage location for the configuration details for the OpenSSL utility
    -in filename.req               Specifies the storage location for the input for the certificate request
    -out filename.pem              Specifies the storage location for the certificate
    -signkey saskey.pem            Specifies the private key that will be used to sign the certificate that is generated from the certificate request

  2. Informational messages are displayed and prompts for additional information appear according to the specific request.

    To accept a default value, press the ENTER key. To change a default value, type the appropriate information, and press the ENTER key.

    Here is a sample of the messaging for creating a server digital certificate:

    Note:   The password is for the CA's private key.

    Using configuration from ./openssl.cnf
    Enter PEM pass phrase: password
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'NC'
    localityName          :PRINTABLE:'Cary'
    organizationName      :PRINTABLE:'Proton, Inc.'
    organizationalUnitName:PRINTABLE:'IDB'
    commonName            :PRINTABLE:'proton.com'
    Certificate is to be certified until Oct 16 17:48:27 2003 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    The subject's Distinguished Name is obtained from the digital certificate request.

    A root CA digital certificate is self-signed, which means that the digital certificate is signed with the private key that corresponds to the public key that is in the digital certificate. Except for root CAs, digital certificates are usually signed with a private key that corresponds to a public key that belongs to someone else, usually the CA.

    The generation of a digital certificate is complete.


Step 4. View Digital Certificates

To view a digital certificate, issue the following command:

OpenSSL> x509 -text -in filename.pem

A digital certificate contains the data that was collected to generate it, timestamps, a digital signature, and other information. However, because the generated digital certificate is encoded (usually in PEM format), it is not human-readable as stored; the -text option displays its contents in readable form.


Step 5. End OpenSSL

To end OpenSSL, type quit at the prompt.


Step 6. Create a CA Trust List for the SSL Client Application

After generating a digital certificate for the CA, the server, and the client (optional), you must identify for the OpenSSL client application one or more CAs that are to be trusted. This list is called a trust list.

If there is only one CA to trust, in the client application, specify the name of the file that contains the OpenSSL CA digital certificate.

If multiple CAs are to be trusted, create a new file and copy-and-paste into it the contents of all the digital certificates for CAs to be trusted by the client application.

Use the following template to create a CA trust list:

Certificate for OpenSSL CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----

Certificate for Keon CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----

Certificate for Microsoft CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----

Because a digital certificate is encoded, it is not human-readable; the content of each digital certificate in this example is therefore represented as <PEM encoded certificate>. The content of each digital certificate is delimited by a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- pair. All text outside the delimiters is ignored, so descriptive comments such as the "Certificate for ..." lines can be placed between certificates, but never on the delimiter lines themselves. In the preceding template, the file contains the digital certificates for three CAs: OpenSSL, Keon, and Microsoft.

Note:   If you are including a digital certificate that is stored in DER format, you must first convert it to PEM format. For more information, see Converting between PEM and DER File Formats for SSL.
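The following script is an added example, not code from this page or from SAS: it runs Step 2, Step 3 and Step 6 above non-interactively with the openssl CLI and then checks the result with openssl verify. The DN values, the second "Other CA", and the file names ca.ext, other.pem and trust.pem are assumptions; it uses x509 -req -CA in place of the ca utility so that no CA database from openssl.cnf is needed, and it adds basicConstraints CA:TRUE to the self-signed CA certificate, which current OpenSSL releases require before they accept it as a trust anchor.

```shell
#!/bin/sh
# Added example, not from the original page: Steps 2, 3 and 6 run non-interactively,
# then the result is checked. Assumes the openssl CLI is on PATH. The DN values,
# ca.ext, other.pem and trust.pem are constructed; "x509 -req -CA" stands in for
# the "ca" utility so no CA database (index.txt, serial) from openssl.cnf is needed.
set -eu

# make_demo_pki DIR: CA request and self-signed CA cert (sas.pem), a server request
# signed by that CA (server.pem), and an unrelated CA (other.pem) for the trust list.
make_demo_pki() (
  mkdir -p "$1"; cd "$1"
  # Current OpenSSL accepts a self-signed certificate as a trust anchor only if it
  # is marked as a CA, so the CA certificate gets basicConstraints via -extfile.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout saskey.pem -out sas.req \
    -subj "/C=US/ST=NC/L=Cary/O=Proton Inc./OU=IDB/CN=Proton CA" 2>/dev/null
  openssl x509 -req -in sas.req -signkey saskey.pem -days 365 -extfile ca.ext \
    -out sas.pem 2>/dev/null
  # Server: the Common Name must be the host the server runs on (Step 2 note)
  openssl req -new -newkey rsa:2048 -nodes -keyout serverkey.pem -out server.req \
    -subj "/C=US/ST=NC/L=Cary/O=Proton Inc./CN=apex.serv.com" 2>/dev/null
  openssl x509 -req -in server.req -CA sas.pem -CAkey saskey.pem -CAcreateserial \
    -days 365 -out server.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout otherkey.pem -out other.req \
    -subj "/O=Other Org/CN=Other CA" 2>/dev/null
  openssl x509 -req -in other.req -signkey otherkey.pem -days 365 -extfile ca.ext \
    -out other.pem 2>/dev/null
)

# build_trust_list OUT CA.pem...: the Step 6 template. Each input must hold exactly
# one BEGIN/END pair; the descriptive label is written outside the delimiters.
build_trust_list() {
  out=$1; shift; : > "$out"
  for ca in "$@"; do
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$ca")" -eq 1 ] || return 1
    [ "$(grep -c '^-----END CERTIFICATE-----$' "$ca")" -eq 1 ] || return 1
    printf 'Certificate for %s\n' "$(openssl x509 -noout -subject -in "$ca")" >> "$out"
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$ca" >> "$out"
  done
}

# count_certs FILE: number of certificates in a trust list
count_certs() { grep -c '^-----END CERTIFICATE-----$' "$1"; }

# verify_cert TRUSTLIST CERT: succeeds only if CERT chains to a CA in TRUSTLIST
verify_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Usage: make_demo_pki demo; build_trust_list demo/trust.pem demo/sas.pem demo/other.pem
#        verify_cert demo/trust.pem demo/server.pem && echo OK
```

A certificate request (BEGIN CERTIFICATE REQUEST) or a DER file is rejected by build_trust_list, which is the check the DER note above calls for.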
