Using OpenSSL

From Gruff Goat Wiki

Create a temporary central directory for storage of your keys. The directory should be accessible only by root (a directory needs the execute bit as well as the read bit to be entered, so use mode 700 rather than 600).

mkdir -p /root/privatekeys
chown root:root /root/privatekeys
chmod 700 /root/privatekeys

Create a Private Key

A private key is the first step for many following actions.

Generate a default RSA private key.

# openssl genrsa -out /root/privatekeys/default.pem 2048 (SUPERSEDED)
openssl genpkey -algorithm RSA -out /root/privatekeys/default.pem -pkeyopt rsa_keygen_bits:2048
    OUTPUT
    Generating RSA private key, 2048 bit long modulus
    ...............................++++++
    .++++++

Generate domain specific RSA private keys.

# openssl genrsa -out /root/privatekeys/domain.pem 2048 (SUPERSEDED)
openssl genpkey -algorithm RSA -out /root/privatekeys/domain.pem -pkeyopt rsa_keygen_bits:2048
    OUTPUT
    Generating RSA private key, 2048 bit long modulus
    ...............................++++++
    .++++++

Set the private keys to read only

chmod 400 /root/privatekeys/*
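The key directory and key generation steps above, as an added example that is not part of the wiki page. It replaces the interactive commands with two small shell functions and a check that the key parses, is 2048 bits and ends up mode 0400. KEYDIR defaulting to a mktemp directory is an assumption for running the example outside /root/privatekeys; everything else uses the same openssl commands as the page.

```sh
#!/bin/sh
# Added example (not from the wiki). KEYDIR is an assumption so the
# example can run as an unprivileged user; the wiki uses /root/privatekeys.
set -eu

KEYDIR="${KEYDIR:-$(mktemp -d)}"

make_private_key() {
    # $1 = key file name, e.g. default.pem. Prints the key path.
    mkdir -p "$KEYDIR"
    chmod 700 "$KEYDIR"            # owner needs x to traverse a directory
    key="$KEYDIR/$1"
    # umask 077 so the file is never group/world readable, not even
    # for the instant between creation and the chmod below
    (umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null)
    chmod 400 "$key"
    printf '%s\n' "$key"
}

check_private_key() {
    # $1 = key path. Succeeds only if the key is internally consistent,
    # has a 2048-bit modulus and is read-only for its owner (mode 0400).
    key="$1"
    openssl rsa -in "$key" -noout -check >/dev/null 2>&1 || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = "400" ] || return 1
    bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "$bits" = "2048" ]
}

dir_mode() {
    stat -c '%a' "$KEYDIR" 2>/dev/null || stat -f '%Lp' "$KEYDIR"
}
```

Usage: `k=$(make_private_key default.pem); check_private_key "$k" && echo ok`. Running check_private_key after every key you create catches a truncated or corrupted key file and a forgotten chmod before the key is ever loaded into a server.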

Create a Security Certificate

Generate a Self-signed Certificate

You may use this certificate for your default server; however, it will require clients to explicitly accept the certificate. This is fine for a development or private server, but it is not acceptable for a public production server. A public production server requires a certificate signed by a known Certificate Authority (see the section Get a CA Signed Certificate).

Create a self-signed certificate from the private key

 openssl req -new -x509 -key /root/privatekeys/default.pem -out /root/privatekeys/default.crt -days 1095

Fill in the following information.

 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Wisconsin
 Locality Name (eg, city) []:Milwaukee
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Org Name
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:www.mydomain.tld
 Email Address []:email@mydomain.tld

Set everything to read only

chmod 400 /root/privatekeys/*
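The self-signed certificate step above, as an added example that is not from the wiki. It answers the prompts non-interactively with -subj, adds a subjectAltName (modern browsers ignore the Common Name and require a SAN, so a certificate without one is rejected even after the user accepts it), and then checks three things a practitioner wants to know: that the certificate's public key matches the private key, that it verifies against itself, and that it does not verify against the system trust store, which is exactly why clients prompt to accept it. The WORK directory and the -addext flag (OpenSSL 1.1.1 or later) are assumptions; the subject values are the ones from the page.

```sh
#!/bin/sh
# Added example (not from the wiki). WORK is an assumption standing in
# for /root/privatekeys; -addext needs OpenSSL 1.1.1 or newer.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_self_signed() {
    # $1 = hostname used for CN and SAN, $2 = validity in days.
    # Generates a fresh key, then the certificate. Prints the cert path.
    host="$1"; days="$2"
    key="$WORK/$host.pem"; crt="$WORK/$host.crt"
    (umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null)
    # -subj replaces the interactive prompts; -addext adds the SAN
    openssl req -new -x509 -key "$key" -out "$crt" -days "$days" \
        -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=My Org Name/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 400 "$key" "$crt"
    printf '%s\n' "$crt"
}

cert_matches_key() {
    # $1 = private key, $2 = certificate. The public key embedded in the
    # certificate must equal the public key derived from the private key.
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
      "$(openssl pkey -in "$1" -pubout)" ]
}

cert_self_signed_ok() {
    # Verifies only when the cert itself is supplied as the trust anchor.
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

cert_fails_default_trust() {
    # Against the system CA store a self-signed cert must NOT verify;
    # this is the "accept the certificate" prompt seen in clients.
    ! openssl verify "$1" >/dev/null 2>&1
}

cert_cn() {
    # Extract the CN from the subject line (works for old and new formats)
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Usage: `c=$(make_self_signed www.mydomain.tld 1095); openssl x509 -in "$c" -noout -text` shows the subject, SAN and validity dates. The key-match check is worth keeping around: a server configured with a certificate and a key that do not belong together fails at startup or handshake, and the mismatch is easy to introduce when several keys live in one directory.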

Get a CA signed Certificate

Generate a Certificate Signing Request (CSR)

Now create a CSR from the private key

 openssl req -new -key /root/privatekeys/domain.pem -out /root/privatekeys/domain.csr

Fill in the following information. The Common Name you enter here must be the exact domain address that will be used to access SSL services on your server.

 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Wisconsin
 Locality Name (eg, city) []:Milwaukee
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Org Name
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:www.mydomain.tld
 Email Address []:email@mydomain.tld
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

Set everything to read only

chmod 400 /root/privatekeys/*

Submit your CSR

Submit your CSR to your chosen Certificate Authority (CA). Follow their procedures to receive your newly minted certificate. You may also receive a chaining (intermediate) certificate; it links your server certificate to the CA's trusted root certificate, and clients need it to build a complete chain. Search Certificate Authorities.

UCC Certificate

Unified Communications Certificates (UCC) are SSL Certificates that allow securing multiple domain names with one certificate.

The CSR for a UCC is generated in the same manner as a standard certificate. The extra domain names are added by the Certificate Authority. This article does not cover creation of a self-signed UCC.
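The CSR steps above and the UCC section, as one added example that is not from the wiki. It builds a CSR non-interactively and goes one step beyond the page: the additional UCC domain names are listed in the request's subjectAltName extension, so that the CA has them on file (a CA may still rewrite the SAN list according to its own validation). The functions then verify the request's self-signature, confirm the Common Name is exactly the intended domain, count the SAN entries, and check that the request carries the public key matching the private key. The WORK directory and the -addext flag (OpenSSL 1.1.1 or later) are assumptions.

```sh
#!/bin/sh
# Added example (not from the wiki). WORK is an assumption standing in
# for /root/privatekeys; -addext needs OpenSSL 1.1.1 or newer.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_csr() {
    # $1 = primary domain (becomes the CN), remaining args = extra names
    # to cover with the same certificate (UCC / SAN). Prints the CSR path.
    primary="$1"; shift
    key="$WORK/$primary.key.pem"; csr="$WORK/$primary.csr"
    (umask 077; openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null)
    san="DNS:$primary"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=My Org Name/CN=$primary" \
        -addext "subjectAltName=$san" 2>/dev/null
    chmod 400 "$key" "$csr"
    printf '%s\n' "$csr"
}

csr_verify() {
    # A CSR is signed with the requester's private key; -verify checks
    # that signature, which catches a request mangled in transit.
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_cn() {
    # Extract the CN from the subject line (works for old and new formats)
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

csr_san_count() {
    # Number of DNS: entries in the request's subjectAltName extension
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

csr_matches_key() {
    # $1 = CSR, $2 = private key: the request must carry this key's public half
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}
```

Usage: `csr=$(make_csr www.mydomain.tld mail.mydomain.tld); openssl req -in "$csr" -noout -text` shows exactly what will be sent to the CA. Check csr_cn before submitting: a CSR whose CN is not the exact name clients will connect to yields a certificate that every client rejects, and CAs do not refund the mistake.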