TNick.github.io

Certificates and TLS

22 Dec 2014

Overview

Some general-purpose information about the creation and use of certificates with TLS.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key.

Software Resources

XCA is a graphical user interface program that can be used to manage the certificates. It is open source and hosted at SourceForge.

Internally, XCA relies on OpenSSL - a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library.

OpenSSH is a FREE version of the SSH connectivity tools developed by the OpenBSD Project.

Creating Certificates

Keys

First, a private key for the certificate needs to be created. Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately.

Private key with a password:

openssl genrsa -des3 -out privkey.pem 4096

Private key without a password:

openssl genrsa -out privkey.pem 4096

See the HowTo for how to create a DSA key (for signing only).

Common Name

The important part of the questions asked by openssl req is the Common Name (CN).

You’ll want to answer with the hostname or CNAME by which people will address the server. This is very important. If your web server’s real hostname is mybox.mydomain.com but people will be using www.mydomain.com to address the box, then use the latter name to answer the Common Name question.

Creating a Test Certificate

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 365

Testing the certificate is as easy as:

openssl s_server -cert cacert.pem -key privkey.pem -www

Then, if it does not fail, go to https://localhost:4433/.
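The key and test-certificate steps above, run without interactive prompts and then checked the way a connecting client checks them. This is an added example, not code from the original post; it assumes OpenSSL 1.1.1 or newer (for -addext and -ext), uses a 2048-bit key so it runs quickly where the post uses 4096, and the hostname and file names are constructed. It also adds a subjectAltName next to the CN, because current browsers match the hostname against the SAN and ignore the CN.

```shell
#!/bin/sh
# Added example (not from the original post): key + self-signed test certificate,
# generated without prompts, then checked the way a connecting client would check it.
# Assumes OpenSSL 1.1.1 or newer. The hostname and file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for the generated files
HOST="www.example.test"           # the name clients will type; this answers the CN question
KEY="$WORK/privkey.pem"
CERT="$WORK/cacert.pem"

# Private key without a password (2048 bits keeps the example fast; the post uses 4096).
make_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Self-signed certificate. -subj answers the interactive questions, and -addext adds a
# subjectAltName: browsers match the hostname against the SAN and ignore the CN.
make_cert() {
    openssl req -new -x509 -key "$KEY" -out "$CERT" -days 365 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST"
}

# Subject of the certificate, e.g. "CN=www.example.test".
cert_subject() {
    openssl x509 -in "$CERT" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# SAN entries of the certificate, e.g. "DNS:www.example.test".
cert_san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# The private key embeds the public key: the modulus in the key must equal the
# modulus in the certificate, which is how you confirm a key/cert pair belongs together.
key_matches_cert() {
    [ "$(openssl rsa -in "$KEY" -noout -modulus)" = "$(openssl x509 -in "$CERT" -noout -modulus)" ]
}

# What a client does for https://$1/: build a chain to a trusted root (here the
# self-signed certificate itself) and check the name. Returns non-zero on a mismatch.
verify_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_key
make_cert
echo "subject: $(cert_subject)"
echo "SAN:     $(cert_san)"
key_matches_cert && echo "key and certificate match"
verify_host "$HOST" && echo "hostname $HOST accepted"
verify_host "other.example.test" || echo "hostname other.example.test rejected (expected)"
```

The last two calls are the point of the Common Name advice: the same certificate is accepted for the name it was issued for and rejected for any other, so the name in the certificate must be the one people actually type.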

Creating a Certificate Request

openssl req -new -key privkey.pem -out cert.csr

File Types

Converting to a .pfx file can be done using one of the following commands:

openssl pkcs12 -export -out outputfile.pfx -inkey privkey.pem -in cacert.pem
openssl pkcs12 -export -out outputfile.pfx -inkey privkey.pem -in cacert.pem -certfile authority_ca.crt

Where:
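The request and conversion steps carried through end to end: a CSR for a separate server key, signed by the test CA built in the earlier sections, then bundled into a .pfx and read back. In the pkcs12 commands, -inkey is the private key, -in is the certificate that matches it, and -certfile adds further certificates (the issuing chain) to the bundle. This is an added example, not code from the original post; it assumes OpenSSL 1.1.1 or newer, and the hostname, file names, CA name and export password are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a CSR for a server key, signed by the
# test CA from the post, then bundled with its chain into a .pfx and read back.
# Assumes OpenSSL 1.1.1 or newer. All names, hosts and the password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="www.example.test"
CA_KEY="$WORK/privkey.pem"     # the CA's private key (the post's privkey.pem)
CA_CERT="$WORK/cacert.pem"     # the CA's self-signed certificate (the post's cacert.pem)
SRV_KEY="$WORK/server.key"     # a separate key for the server; the CA key never leaves the CA
SRV_CSR="$WORK/cert.csr"
SRV_CERT="$WORK/server.crt"
PFX="$WORK/outputfile.pfx"
PFX_PASS="constructed-export-password"   # a .pfx carries the private key; protect it with a real one

# Test CA: keyUsage keyCertSign marks the certificate as one that may issue others.
make_ca() {
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
    openssl req -new -x509 -key "$CA_KEY" -out "$CA_CERT" -days 365 \
        -subj "/CN=Example Test CA" -addext "keyUsage=critical,keyCertSign,cRLSign"
}

# Certificate request: the server's public key and requested names, signed with the
# server key so the CA can tell the requester holds it (that signature is what -verify checks).
make_csr() {
    openssl genrsa -out "$SRV_KEY" 2048 2>/dev/null
    openssl req -new -key "$SRV_KEY" -out "$SRV_CSR" \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST"
}

csr_verify() {
    openssl req -in "$SRV_CSR" -noout -verify >/dev/null 2>&1
}

# The CA signs the request. `x509 -req` does not copy extensions from the CSR, so the SAN
# and CA:FALSE are restated via -extfile; -CAcreateserial starts the CA's serial-number file.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/server.ext"
    openssl x509 -req -in "$SRV_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -out "$SRV_CERT" -days 365 -extfile "$WORK/server.ext" 2>/dev/null
}

cert_issuer() {
    openssl x509 -in "$SRV_CERT" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Chain and hostname check, as a client that trusts only cacert.pem would perform it.
verify_chain() {
    openssl verify -CAfile "$CA_CERT" -verify_hostname "$HOST" "$SRV_CERT" >/dev/null 2>&1
}

# PKCS#12 export: -inkey the private key, -in its certificate, -certfile the issuing chain.
make_pfx() {
    openssl pkcs12 -export -out "$PFX" -inkey "$SRV_KEY" -in "$SRV_CERT" \
        -certfile "$CA_CERT" -passout "pass:$PFX_PASS"
}

# Number of certificates in the bundle (server + CA = 2). With a wrong password the
# bundle's MAC check fails before anything is returned, so the count is 0.
pfx_cert_count() {
    openssl pkcs12 -in "$PFX" -nokeys -passin "pass:$1" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_ca
make_csr
csr_verify && echo "CSR signature OK"
sign_csr
echo "issuer: $(cert_issuer)"
verify_chain && echo "server certificate chains to the CA for $HOST"
make_pfx
echo "certificates in .pfx: $(pfx_cert_count "$PFX_PASS")"
pfx_cert_count "wrong-password" >/dev/null || echo "wrong password rejected (expected)"
```

Two points worth noticing when reusing this: the CA's private key is only ever read by the signing step, never copied into the .pfx, and the .pfx itself contains the server's private key, so its password is the only thing standing between the file and anyone who obtains it.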

Windows specifics

The directory where OpenSSL is installed may be added to the PATH environment variable. Alternatively, an environment variable - say OSL - may be defined to hold the path to the openssl.exe binary.

Resources