OpenSSL and the Certificate Dance in FreeBSDKeep in mind this is just one way to do this, there are a million others with different variables, order, and even using a perl script. This is just one of many that works. Preparing to do SSL stuffFirst, edit /etc/ssl/openssl.cnf. Edit "dir = ./demoCA" to where you're going to store your certs and keys. I set it to /etc/ssl/CA (remember to create this dir after you're done). Other vars that I set: default_days = 3650 default_bits = 2048 countryName_default = US stateOrProvinceName_default = Washington localityName_default = Seattle 0.organizationName_default = My Company commonName_default = example.com emailAddress_default = root@example.com
Also make sure that certificate = $dir/cacert.pem or you'll get errors if you have another openssl installed you'll want to make sure you're on the same page no matter which one you're using: rm /usr/local/etc/openssl.cnf ln -s /etc/ssl/openssl.cnf /usr/local/etc/openssl.cnf Caveat: Not using -nodes will make your key secure if someone breaks into your box and steals your private keys, but you'll need to worry about typing a password all the time. Making your own CAThis is necessary if you're not going to use someone like Verisign to sign your key for you. mkdir /etc/ssl/CA cd /etc/ssl/CA mkdir certs mkdir crls mkdir newcerts mkdir private touch index.txt echo 01 > serial openssl req -nodes -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 This makes a certificate authority certificate in cacsr.pem and a certificatekey in private/cakey.pem. Create a Certificate Revocation Listopenssl ca -gencrl -out crls/crl.pem To View the CSR infoopenssl req -noout -text -in cert.csr Making a new CertificateHere's how to generate public and private certs, the optional company name is the server name ie private.example.com. cd certs openssl req -nodes -new -keyout www.example.com.key -out www.example.com.csr Then you'll want to sign this certificate (This is what verisign does too) openssl ca -out www.section6.net.crt -in www.section6.net.csr -policy policy_anything So now you have 3 files designated by their common name: www.example.com.crt # The Signed server certificate www.example.com.key # The private key for the server cert these files # are what a hacker would want so keep them secure. www.example.com.csr # Encrypted private key for the server cert, # and the cert request. Installing Certs in ApacheThis is here because this is a fairly common example everyone uses, but it can be used for other apps too. Copy www.example.com.key to /usr/local/etc/apache/ssl.key Revoking a cetificateFor the paths below you'll want to look up where openssl.cnf says where your crl (cerficate revocation list) is stored. It should be under the "crl" and "crl_dir" derivatives state. On mine it's $dir/crl for crl_dir and $dir/crl/pem<tt> where dir is <tt>/etc/ssl/CA You'll want to revoke a certificate if you find you no longer need it, it's been compromised, or in the case of openvpn you wish to deny a user access: openssl ca -revoke certifcate.crt openssl ca -gencrl -out /etc/ssl/CA/crl/crl.pem To verify the cert has been revoked: cat cacert.csr /etc/ssl/CA/crl/crl.pem > revoke.pem openssl verify -CAfile revoke.pem -crl_check cerficate.crt You can delete revoke.pem when you're done. Generating Diffie Hellman parametersThis isn't needed for Apache, but is needed for other apps such as openvpn. Here's how: You can use the script at: /usr/local/share/doc/openvpn/easy-rsa/build-dh or you can do it manually (recommended) with: openssl dhparam -out dh1024.pem 1024 You can replace 1024 with whatever your preferred keysize is which should be defined in default bits in you openssl.cnf (see 1st section). References |
Tutorial Home >