Installing and Configuring SSL under UNIX
Perform the following tasks to set up and use SSL:
Step 1. Download and Build SSL
If you want to use OpenSSL as your trusted Certification Authority (CA), follow the instructions for downloading and building OpenSSL that are given at www.openssl.org/source. For complete documentation about the OpenSSL utility, visit www.openssl.org/docs/apps/openssl.html.
The following sites provide information about alternative CAs:
Step 2. Create a Digital Certificate Request
The tasks that you perform to request a digital certificate for the CA, the server, and the client are similar; however, the values that you specify are different.
In this example, Proton, Inc. is the organization that is applying to become a CA by using OpenSSL. After Proton, Inc. becomes a CA, it can serve as a CA for issuing digital certificates to clients (users) and servers on its network.
Change to the apps subdirectory of the directory where OpenSSL was built, and start the OpenSSL utility:
```
$ openssl
```
Issue the appropriate command to request a digital certificate.
| Request Certificate for | OpenSSL Command |
|---|---|
| CA | req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes |
| Server | req -config ./openssl.cnf -new -out server.req -keyout serverkey.pem |
| Client | req -config ./openssl.cnf -new -out client.req -keyout clientkey.pem |
| OpenSSL Arguments and Values | Functions |
|---|---|
| req | Requests a certificate |
| -config ./openssl.cnf | Specifies the storage location for the configuration details for the OpenSSL program |
| -new | Identifies the request as new |
| -out sas.req | Specifies the storage location for the certificate request |
| -keyout saskey.pem | Specifies the storage location for the private key |
| -nodes | Prevents the private key from being encrypted |
Informational messages are displayed and prompts for additional information appear according to the specific request.
To accept a default value, press the ENTER key. To change a default value, type the appropriate information and press the ENTER key.
Note: Unless the -nodes option is used in the OpenSSL command when creating a digital certificate request, OpenSSL encrypts the private key and prompts you for a password before allowing access to it.
The following is an example of a request for a digital certificate:
```
OpenSSL> req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes
Using configuration from ./openssl.cnf
Generating a 1024 bit RSA private key
............................++++++
..........................................++++++
writing new private key to 'saskey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [North Carolina]:
Locality Name (city) [Cary]:
Organization Name (company) [Proton Inc.]:
Organizational Unit Name (department) [IDB]:
Common Name (YOUR name) []: proton.com
Email Address []:Joe.Bass@proton.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL>
```
The request for a digital certificate is complete.
Note: For the server, the Common Name must be the name of the computer that the server runs on; for example, apex.serv.com.
Step 3. Generate a Digital Certificate from the Request
Perform the following tasks to generate a digital certificate for a CA, a server, and a client.
Issue the appropriate command to generate a digital certificate from the digital certificate request.
| Generate Certificate for | OpenSSL Command |
|---|---|
| CA | x509 -req -in sas.req -signkey saskey.pem -out sas.pem |
| Server | ca -config ./openssl.cnf -in server.req -out server.pem |
| Client | ca -config ./openssl.cnf -in client.req -out client.pem |
| OpenSSL Arguments and Values | Functions |
|---|---|
| x509 | Identifies the certificate display and signing utility |
| -req | Specifies that the input is a certificate request, from which a certificate is generated |
| ca | Identifies the Certification Authority utility |
| -config ./openssl.cnf | Specifies the storage location for the configuration details for the OpenSSL utility |
| -in filename.req | Specifies the storage location for the input for the certificate request |
| -out filename.pem | Specifies the storage location for the certificate |
| -signkey saskey.pem | Specifies the private key that will be used to sign the certificate that is generated from the certificate request |
Informational messages are displayed and prompts for additional information appear according to the specific request.
To accept a default value, press the ENTER key. To change a default value, type the appropriate information, and press the ENTER key.
Here is a sample of the messaging for creating a server digital certificate:
Note: The password is for the CA's private key.
```
Using configuration from ./openssl.cnf
Enter PEM pass phrase: password
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'NC'
localityName          :PRINTABLE:'Cary'
organizationName      :PRINTABLE:'Proton, Inc.'
organizationalUnitName:PRINTABLE:'IDB'
commonName            :PRINTABLE:'proton.com'
Certificate is to be certified until Oct 16 17:48:27 2003 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
The subject's Distinguished Name is obtained from the digital certificate request.
A root CA digital certificate is self-signed, which means that the digital certificate is signed with the private key that corresponds to the public key that is in the digital certificate. Except for root CAs, digital certificates are usually signed with a private key that corresponds to a public key that belongs to someone else, usually the CA.
The generation of a digital certificate is complete.
Step 4. View Digital Certificates
To view a digital certificate, issue the following command:
```
OpenSSL> x509 -text -in filename.pem
```
A digital certificate contains the data that was collected to generate it, timestamps, a digital signature, and other information. However, because the generated digital certificate is encoded (usually in PEM format), it is not readable without decoding it, which is what the -text option does.
Step 5. End OpenSSL
To end OpenSSL, type quit at the prompt.
Step 6. Create a CA Trust List for the SSL Client Application
After generating a digital certificate for the CA, the server, and the client (optional), you must identify for the OpenSSL client application one or more CAs that are to be trusted. This list is called a trust list.
If there is only one CA to trust, in the client application, specify the name of the file that contains the OpenSSL CA digital certificate.
If multiple CAs are to be trusted, create a new file and copy-and-paste into it the contents of all the digital certificates for CAs to be trusted by the client application.
Use the following template to create a CA trust list:
```
Certificate for OpenSSL CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
Certificate for Keon CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
Certificate for Microsoft CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
```
Because the digital certificate is encoded, it is unreadable. Therefore, the content of each digital certificate in this example is represented as <PEM encoded certificate>. The content of each digital certificate is delimited by a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- pair. All text outside the delimiters is ignored, so descriptive comments belong outside the delimiters, never inside them. In the preceding template, the file contains the digital certificates of three CAs: OpenSSL, Keon, and Microsoft.
Note: If you are including a digital certificate that is stored in DER format, you must first convert it to PEM format. For more information, see Converting between PEM and DER File Formats for SSL.
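The following script is an added example, not part of the SAS documentation, that runs Steps 2, 3, 4 and 6 above end to end without interactive prompts. It assumes a current openssl binary on PATH and a scratch directory (WORK, hypothetical). It keeps the page's file names (saskey.pem, sas.pem, server.req, serverkey.pem, server.pem) but departs from the page in three labelled ways: the CA request and self-signing are collapsed into one req -x509 call; the server certificate is signed with x509 -req -CA/-CAkey instead of the ca utility, which avoids setting up the ca database; and a subjectAltName is added to the server certificate, because modern TLS clients require it in addition to the Common Name. The "Keon CA" in the trust list is a constructed second root, generated in DER form and converted to PEM as the note above requires. The last function shows the check that matters for a trust list: a certificate that does not chain to a listed CA is rejected.

```shell
#!/bin/sh
# Added example (not the SAS page's own commands): non-interactive
# walk-through of Steps 2, 3, 4 and 6. Assumes `openssl` on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # hypothetical scratch directory
SUBJ_BASE="/C=US/ST=North Carolina/L=Cary/O=Proton Inc./OU=IDB"

# Steps 2 and 3 for the CA in one command: -x509 makes `req` emit a
# self-signed certificate directly instead of a request (same result as
# the page's `req` followed by `x509 -req -signkey`). -nodes leaves the
# CA key unencrypted, as the page's CA request does.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "$SUBJ_BASE/CN=Proton Root CA" \
    -keyout "$WORK/saskey.pem" -out "$WORK/sas.pem"
}

# Step 2 for the server: the Common Name must be the host the server
# runs on (the page's example host apex.serv.com). -nodes is used here
# only to avoid the pass-phrase prompt the page describes.
make_server_req() {
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "$SUBJ_BASE/CN=apex.serv.com" \
    -keyout "$WORK/serverkey.pem" -out "$WORK/server.req"
}

# Step 3 for the server. `x509 -req -CA ... -CAkey ...` signs the request
# with the CA key without the index/serial database `ca` needs.
# The extension file adds the subjectAltName modern clients check.
sign_server_cert() {
  printf 'subjectAltName=DNS:apex.serv.com\n' > "$WORK/server.ext"
  openssl x509 -req -days 365 -in "$WORK/server.req" \
    -CA "$WORK/sas.pem" -CAkey "$WORK/saskey.pem" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.pem"
}

# Step 4: decode a certificate to text (-noout drops the PEM block
# that would otherwise follow the text).
show_cert() {
  openssl x509 -text -noout -in "$1"
}

# Step 6: build the trust list. Labels sit outside the BEGIN/END
# delimiters, where readers ignore them. The second CA is constructed
# in DER form first and converted to PEM before it is added.
make_trust_list() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "$SUBJ_BASE/CN=Keon CA" \
    -keyout "$WORK/keonkey.pem" -outform DER -out "$WORK/keon.der"
  openssl x509 -inform DER -in "$WORK/keon.der" -out "$WORK/keon.pem"
  {
    echo "Certificate for OpenSSL CA"
    cat "$WORK/sas.pem"
    echo "Certificate for Keon CA"
    cat "$WORK/keon.pem"
  } > "$WORK/trustlist.pem"
}

# Success path: the server certificate chains to a CA in the list.
# Output is parsed because old OpenSSL releases exit 0 on failure.
verify_server() {
  openssl verify -CAfile "$WORK/trustlist.pem" "$WORK/server.pem" 2>&1 \
    | grep -q ': OK$'
}

# Failure path: a self-signed certificate from an unlisted issuer
# (constructed here) must not verify against the trust list.
verify_rejects_untrusted() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
    -subj "$SUBJ_BASE/CN=rogue.example" \
    -keyout "$WORK/roguekey.pem" -out "$WORK/rogue.pem"
  ! openssl verify -CAfile "$WORK/trustlist.pem" "$WORK/rogue.pem" 2>&1 \
    | grep -q ': OK$'
}

main() {
  make_ca && make_server_req && sign_server_cert
  show_cert "$WORK/server.pem" | grep -E 'Issuer:|Subject:|DNS:'
  make_trust_list && verify_server && verify_rejects_untrusted
  echo "all checks passed; files are in $WORK"
}

main
```

Run it as `sh walkthrough.sh`; set WORK to keep the output in a directory of your choice. The grep on the verify output rather than its exit status is deliberate: some older OpenSSL releases print the verification error but still exit 0, so a script that trusted the exit code would treat a failed chain as success.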
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.