Scribd
Upload
193 views

OpenSSL HowTo

This document provides instructions for generating an OpenSSL server key and certificate signing request (CSR), supplying the CSR to a certificate authority, and installing the signed certificate. It explains how to generate the key and CSR, details the information included in the CSR, and notes that the signed certificate should be installed along with the key in applications like Apache.

Uploaded by

Bruce McIntyre
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
193 views

OpenSSL HowTo

This document provides instructions for generating an OpenSSL server key and certificate signing request (CSR), supplying the CSR to a certificate authority, and installing the signed certificate. It explains how to generate the key and CSR, details the information included in the CSR, and notes that the signed certificate should be installed along with the key in applications like Apache.

Uploaded by

Bruce McIntyre
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

OpenSSL

Bruce McIntyre <[email protected]>


31 August 2010

Table of Contents
1. Generate a Server Key ............................................................................................................... 1
1.1. Purpose ......................................................................................................................... 1
1.2. Command ...................................................................................................................... 1
2. Generate a CSR ........................................................................................................................ 1
2.1. Purpose ......................................................................................................................... 1
2.2. Command ...................................................................................................................... 1
3. Supplying the CSR to the Certificate Authority (CA) ....................................................................... 2
3.1. Purpose ......................................................................................................................... 2
4. Installing the Certificate ............................................................................................................. 3
4.1. Purpose ......................................................................................................................... 3
4.2. Things to remember ........................................................................................................ 3
4.3. Example Installations ....................................................................................................... 3

1. Generate a Server Key


1.1. Purpose
In order to generate Certificate Signing Requests (CSR), you need to generate a server key.

1.2. Command
Procedure 1. Generate a new server key
• openssl genrsa -des3 -out <name of key>.key 1024

Example 1. Generating an OpenSSL key


root@www:/etc/ssl/private# openssl genrsa -des3 -out <my server FQDN>.key 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for <my server FQDN>.key:
Verifying - Enter pass phrase for <my server FQDN>.key:

2. Generate a CSR
2.1. Purpose
This generates a CSR for use for a host. In the request, we describe all the details about the certificate.

2.2. Command
Procedure 2. Generate a new Certificate Signing Request (CSR)
• openssl req -new -key <name of key>.key -out <name of csr>.csr

1
OpenSSL

Example 2. Generate an OpenSSL csr


root@www:# openssl req -new -key <my server FQDN>.key -out <my server FQDN>.csr
Enter pass phrase for <my server FQDN>.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME CC
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:<my server FQDN>
Email Address []:[email protected]

Please enter the following 'extra' attributes


to be sent with your certificate request
A challenge password []:
An optional company name []:

Note
The most important item in this CSR is the Common Name. For web, it must correlate to the host name
you are wishing to secure.

3. Supplying the CSR to the Certificate Authority (CA)


3.1. Purpose
You now have to take the CSR to the CA and get the CA to sign the request. Generally, you email the CSR to
the CA, or just post it on their website.

Example 3. Example CSR


-----BEGIN CERTIFICATE REQUEST-----
MIIB2zCCAUQCAQAwgZoxCzAJBgNVBAYTAlpBMRAwDgYDVQQIEwdHYXV0ZW5nMRQw
EgYDVQQHEwtEb3VnbGFzZGFsZTEWMBQGA1UEChMNSXJpZGVzZW5zZSBDQzEhMB8G
A1UEAxMYd2VibWFpbC5pcmlkZXNlbnNlLmNvLnphMSgwJgYJKoZIhvcNAQkBFhlz
ZWN1cml0eUBpcmlkZXNlbnNlLmNvLnphMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDWnRfj5MjeZ4Bf+P57quhf5f9DetkYItcAG4EdLYFQl4SFm2sRiIu6ekkX
gRCpvfsEGTONTf9n0xbqmNX7LzPf6rHdbm6WMCf6MXX6ePNXxj/+vVovn6txnV04
aHRSpyC59C5BFSidteJs1nAFCIFvCTbc/XJMp+IeOJw3PJAIkwIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADgYEAAs4ltVLOHQsi2HB710774LDxG/iZRSHvdZ46xodGDdmv
8nUzTxFIavhBPQYYkUMn/prx5yoxIaY0aaI4YdUk0wgP4TEa1gnwuLdGd++Mtvt8
8GXmR9lu0qKJqLT11x4yD+DZcCEny5z3dMTKzSb3sR7ScN0lMzLf/kTtyA1CMXQ=
-----END CERTIFICATE REQUEST-----

2
OpenSSL

Example 4. Example Signed Certificate


-----BEGIN CERTIFICATE-----
MIIFbzCCA1egAwIBAgIBBDANBgkqhkiG9w0BAQUFADB2MQswCQYDVQQGEwJaQTEQ
MA4GA1UECBMHR2F1dGVuZzEWMBQGA1UEChMNSXJpZGVzZW5zZSBDQzETMBEGA1UE
AxMKSXJpZGVzZW5zZTEoMCYGCSqGSIb3DQEJARYZc2VjdXJpdHlAaXJpZGVzZW5z
ZS5jby56YTAeFw0wODEyMDIwMzI4MzBaFw0xODEwMTEwMzI4MzBaMIGaMQswCQYD
VQQGEwJaQTEQMA4GA1UECBMHR2F1dGVuZzEUMBIGA1UEBxMLRG91Z2xhc2RhbGUx
FjAUBgNVBAoTDUlyaWRlc2Vuc2UgQ0MxITAfBgNVBAMTGHdlYm1haWwuaXJpZGVz
ZW5zZS5jby56YTEoMCYGCSqGSIb3DQEJARYZc2VjdXJpdHlAaXJpZGVzZW5zZS5j
by56YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1p0X4+TI3meAX/j+e6ro
X+X/Q3rZGCLXABuBHS2BUJeEhZtrEYiLunpJF4EQqb37BBkzjU3/Z9MW6pjV+y8z
3+qx3W5uljAn+jF1+njzV8Y//r1aL5+rcZ1dOGh0UqcgufQuQRUonbXibNZwBQiB
bwk23P1yTKfiHjicNzyQCJMCAwEAAaOCAWUwggFhMAkGA1UdEwQCMAAwEQYJYIZI
AYb4QgEBBAQDAgZAMCsGCWCGSAGG+EIBDQQeFhxUaW55Q0EgR2VuZXJhdGVkIENl
cnRpZmljYXRlMB0GA1UdDgQWBBTs5AdEsQzK/VKEnFQQGEnleCiHXTCBqAYDVR0j
BIGgMIGdgBSBfrWhUH6k7cnokzC+DpqJD8fkJqF6pHgwdjELMAkGA1UEBhMCWkEx
EDAOBgNVBAgTB0dhdXRlbmcxFjAUBgNVBAoTDUlyaWRlc2Vuc2UgQ0MxEzARBgNV
BAMTCklyaWRlc2Vuc2UxKDAmBgkqhkiG9w0BCQEWGXNlY3VyaXR5QGlyaWRlc2Vu
c2UuY28uemGCCQCiOfAkVdxFETAkBgNVHRIEHTAbgRlzZWN1cml0eUBpcmlkZXNl
bnNlLmNvLnphMCQGA1UdEQQdMBuBGXNlY3VyaXR5QGlyaWRlc2Vuc2UuY28uemEw
DQYJKoZIhvcNAQEFBQADggIBALaNhRIp9YZM1BQR2E6hDrUUI913tHu1zn4vkDNN
FFtg04wt6zzry8EtFnxAvpIjJI7TExUuENY4kC9DizZrKmi9W9HWxrSqgBD1Z4R0
2BzelEdnV302RV9AHSnPr7nA35k4KrOzKvfJnPVzvjiMk/8WkugAx0bvCwosUbHP
/qc1D4Q/JlwMRDyRudDQueuKw/iP7xNEroPFtioO1hzxiUdJyBqwnF0UyTUXRRMj
nktrvLKxJpvkFNGA7bQxU4LEvajUK9ED5q26O/RA7ChCjJ7IcTHSqCHNjbRdr0t0
JCBtugu+1AiV0Q+iB0sjNV1fK++0RiCFFoPnH8wQXAKlc7CCbEX/tKdnxgaJQ44M
6uFSl+kYcs6L2niJuZ02RR9vJE/K/ioPccUdodFXqLrntAX+KVDjmQu1pgI+QDi0
gVwS+IFdvMQdfMOaO672chrmVeveGHxKARDtxio+vrI9LNBHUfiRsilBsXBF2vmb
1u7CRt2/MsJm9NSwTFkMx/coIQuGy4gRBd79FUiPrztTP/K8nTRc6XBAyR9/68bt
9xCfUz6Tn+1zpg8XD1Cs0Sc1t1AQN183/FNMZcCz/3lQ/SCNbgKcOv0KhVq0PWmd
GaMoHbxp5Cznh2TSAwP/Bg/WSGaiVszBgssgOodCTgb+GLhJxA0eoF+wZEzy/NH9
WIAG
-----END CERTIFICATE-----

4. Installing the Certificate


4.1. Purpose
Once you have a signed certificate back, you have to install it in what ever application you are using.

4.2. Things to remember


Here are a few things that you need to remember:

• The key that you used to generate the csr will have to have it's password removed, if you are going to use the
certificate in a service, such as apache2. Remove the password as follows:
openssl rsa -in <my server FQDN>.key -out <my server FQDN>.key.nopass

4.3. Example Installations


Example 5. Installation on Apache2
# SSL Stuff
SSLEngine on
SSLOptions +StrictRequire
SSLCertificateFile /etc/ssl/certs/<my server FQDN>.crt
SSLCertificateKeyFile /etc/ssl/private/<my server FQDN>.key.nopass

You might also like