Setting Up Digital Certificates for SSL under UNIX

Perform the following tasks to set up and use SSL:

Step 1. Download and Build SSL

If you want to use OpenSSL as your trusted Certification Authority (CA), follow the instructions for downloading and building OpenSSL that are given at https://www.openssl.org/source. For complete documentation about the OpenSSL utility, visit https://www.openssl.org/docs/apps/openssl.html.
The following sites provide information about alternative CAs:
  • For VeriSign, see http://www.verisign.com
  • For Thawte, see http://www.thawte.com

Step 2. Create a Digital Certificate Request

The tasks that you perform to request a digital certificate for the CA, the server, and the client are similar. However, the values that you specify are different.
In this example, Proton, Inc. is the organization that is applying to become a CA by using OpenSSL. After Proton, Inc. becomes a CA, it can serve as a CA for issuing digital certificates to clients (users) and servers on its network.
Perform the following tasks:
  1. Select the apps subdirectory of the directory where OpenSSL was built.
  2. Initialize OpenSSL.
    $ openssl
  3. Issue the appropriate command to request a digital certificate.
    OpenSSL Commands for Requesting a Digital Certificate
      Request Certificate for   OpenSSL Command
      CA                        req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes -sha1
      Server                    req -config ./openssl.cnf -new -out server.req -keyout serverkey.pem -sha1
      Client                    req -config ./openssl.cnf -new -out client.req -keyout clientkey.pem -sha1
    Note: The -sha1 option is specified only when using FIPS 140-2 compliant SSL.
    Arguments and Values Used in OpenSSL Commands
      OpenSSL Arguments and Values   Functions
      req                            Requests a certificate
      -config ./openssl.cnf          Specifies the storage location for the configuration details for the OpenSSL program
      -new                           Identifies the request as new
      -out sas.req                   Specifies the storage location for the certificate request
      -keyout saskey.pem             Specifies the storage location for the private key
      -nodes                         Prevents the private key from being encrypted
      -sha1                          Specifies that the FIPS 140-2 compliant hash algorithm, SHA-256, will be used
  4. Informational messages are displayed and prompts for additional information appear according to the specific request.
    To accept a default value, press the Enter key. To change a default value, type the appropriate information and press the Enter key.
    Note: Unless the -nodes option is used in the OpenSSL command when creating a digital certificate request, OpenSSL prompts you for a password before allowing access to the private key.
    The following is an example of a request for a digital certificate:
    OpenSSL> req -config ./openssl.cnf -new -out sas.req -keyout saskey.pem -nodes
    Using configuration from ./openssl.cnf
    Generating a 1024 bit RSA private key
    ............................++++++
    ..........................................++++++
    writing new private key to 'saskey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [North Carolina]:
    Locality Name (city) [Cary]:
    Organization Name (company) [Proton Inc.]:
    Organizational Unit Name (department) [IDB]:
    Common Name (YOUR name) []: proton.com
    Email Address []:Joe.Bass@proton.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    OpenSSL>
The request for a digital certificate is complete.
Note: For the server, the Common Name must be the name of the computer that the server runs on, for example, apex.serv.com.

Step 3. Generate a Digital Certificate from the Request

Perform the following tasks to generate a digital certificate for a CA, a server, and a client.
  1. Issue the appropriate command to generate a digital certificate from the digital certificate request.
    OpenSSL Commands for Generating Digital Certificates under UNIX
      Generate Certificate for   OpenSSL Command
      CA                         x509 -req -in sas.req -signkey saskey.pem -out sas.pem -sha1
      Server                     ca -config ./openssl.cnf -in server.req -out server.pem -sha1
      Client                     ca -config ./openssl.cnf -in client.req -out client.pem -sha1
    Note: The -sha1 option is specified only when using FIPS 140-2 compliant SSL.
    Arguments and Values Used in OpenSSL Commands under UNIX
      OpenSSL Arguments and Values   Functions
      x509                           Identifies the certificate display and signing utility
      -req                           Specifies that a certificate be generated from the request
      ca                             Identifies the Certification Authority utility
      -config ./openssl.cnf          Specifies the storage location for the configuration details for the OpenSSL utility
      -in filename.req               Specifies the storage location for the input for the certificate request
      -out filename.pem              Specifies the storage location for the certificate
      -signkey saskey.pem            Specifies the private key that will be used to sign the certificate that is generated by the certificate request
      -sha1                          Specifies that the FIPS 140-2 compliant hash algorithm, SHA-256, will be used
  2. Informational messages are displayed and prompts for additional information appear according to the specific request.
    To accept a default value, press the Enter key. To change a default value, type the appropriate information, and press the Enter key.
    Here is a sample of the messaging for creating a server digital certificate:
    Note: The password is for the CA's private key.
    Using configuration from ./openssl.cnf
    Enter PEM pass phrase: password
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'NC'
    localityName          :PRINTABLE:'Cary'
    organizationName      :PRINTABLE:'Proton, Inc.'
    organizationalUnitName:PRINTABLE:'IDB'
    commonName            :PRINTABLE:'proton.com'
    Certificate is to be certified until Oct 16 17:48:27 2003 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    The subject's Distinguished Name is obtained from the digital certificate request.
    A root CA digital certificate is self-signed, which means that the digital certificate is signed with the private key that corresponds to the public key that is in the digital certificate. Except for root CAs, digital certificates are usually signed with a private key that corresponds to a public key that belongs to someone else, usually the CA.
    The generation of a digital certificate is complete.

Step 4. View Digital Certificates

To view a digital certificate, issue the following command:
OpenSSL> x509 -text -in filename.pem
A digital certificate contains the data that was collected to generate it, timestamps, a digital signature, and other information. However, because the generated digital certificate is encoded (usually in PEM format), it cannot be read as plain text; the command above decodes it into readable form.

Step 5. End OpenSSL

To end OpenSSL, type quit at the prompt.

Step 6. Create a CA Trust List for the SSL Client Application

After generating a digital certificate for the CA, the server, and the client (optional), you must identify for the OpenSSL client application one or more CAs that are to be trusted. This list is called a trust list.
If only one CA is to be trusted, specify in the client application the name of the file that contains that CA's OpenSSL digital certificate.
If multiple CAs are to be trusted, create a new file and copy-and-paste into it the contents of all the digital certificates for CAs to be trusted by the client application.
Use the following template to create a CA trust list:
Certificate for OpenSSL CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----

Certificate for Keon CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----

Certificate for Microsoft CA
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
Because each digital certificate is encoded, it is not readable as plain text. Therefore, the content of each digital certificate in this example is represented as <PEM encoded certificate>. The content of each digital certificate is delimited by a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- pair. All text outside the delimiters is ignored, so descriptive comments (such as the "Certificate for ..." lines) belong outside the delimiters and must never be placed on the delimited lines themselves. In the preceding template, the file contains the content of the digital certificates for three CAs: OpenSSL, Keon, and Microsoft.
Note: If you are including a digital certificate that is stored in DER format, you must first convert it to PEM format. For more information, see Converting between PEM and DER File Formats for SSL.
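Steps 2, 3 and 6 as one non-interactive script, added here as an example; it is not part of the SAS documentation. It assumes the openssl command-line utility is on PATH, the minimal openssl.cnf (including the index.txt, serial and newcerts database that the ca utility requires), the file names and the DN values (with the placeholder host name apex.proton.example) are constructed for this example, and it signs with -sha256 instead of -sha1 because current TLS clients reject SHA-1 certificate signatures.

```shell
#!/bin/sh
# Added example, not part of the SAS documentation: Steps 2, 3 and 6 run
# non-interactively. Assumes the openssl CLI is on PATH; the file names, DN
# values and the minimal openssl.cnf below are constructed for this example.
set -eu

# make_trust_list_and_verify DIR: build a CA, issue a server certificate with
# the 'ca' utility, write a commented trust list and verify the server against it.
make_trust_list_and_verify() {
  cd "$1"; mkdir -p newcerts; : > index.txt; echo 01 > serial   # 'ca' database
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = proton_ca
[ proton_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/sas.pem
private_key = $dir/saskey.pem
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # CA: request and self-signed certificate in one step (-x509); -nodes leaves
  # the CA key unencrypted, as in the page's CA command
  openssl req -config ./openssl.cnf -new -x509 -nodes -sha256 -days 365 \
    -extensions v3_ca -subj "/C=US/ST=NC/O=Proton Inc./CN=Proton CA" \
    -keyout saskey.pem -out sas.pem 2>/dev/null
  # Server request: the Common Name is the host name the server runs on
  openssl req -config ./openssl.cnf -new -nodes -sha256 \
    -subj "/C=US/ST=NC/O=Proton Inc./CN=apex.proton.example" \
    -keyout serverkey.pem -out server.req 2>/dev/null
  # Sign the request with the CA; -batch answers the y/n prompts of Step 3
  openssl ca -config ./openssl.cnf -batch -in server.req -out server.pem 2>/dev/null
  # Trust list (Step 6): text outside the BEGIN/END delimiters is ignored
  { echo "Certificate for OpenSSL CA"; cat sas.pem; } > trust.pem
  openssl verify -CAfile trust.pem server.pem     # prints "server.pem: OK"
}
```

Run it as `make_trust_list_and_verify "$(mktemp -d)"`; the resulting trust.pem is the single-CA form of the Step 6 template, and further CA certificates can be appended to it in the same way.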