Apache Security - Ivan Ristic [57]
$CA="$OPENSSL ca $SSLEAY_CONFIG";
$VERIFY="$OPENSSL verify";
$X509="$OPENSSL x509";
$PKCS12="$OPENSSL pkcs12";
You are ready to create a CA:
# cd /opt/openssl
# ./ssl/misc/CA.pl -newca
In the first stage of CA.pl execution, you will be asked for a CA certificate filename (this refers to an existing CA certificate you might want to reuse, so leave it blank by pressing Return) and for a passphrase that will protect the CA private key (choose a long one). In the second stage, you will be asked for the same fields as for a standard web server certificate (e.g., country, state, city). After the script ends, the following files and directories appear in /opt/openssl/demoCA:
cacert.pem
CA root certificate (with the public key inside)
certs/
Storage area for old certificates
crl/
Storage area for certificate revocation lists
index.txt
List of all signed certificates
newcerts/
Storage area for newly generated certificates
private/cakey.pem
CA private key
serial
Contains the serial number to be used for the next certificate created
All CA-related data is stored in the specified files and directories.
Preparing the CA Certificate for Distribution
Certificates are normally stored as text-based PEM, which is not the format browsers traditionally expect when a CA certificate is imported. Convert the CA certificate you created into binary DER, the format they handle by default:
# cd /opt/openssl/demoCA
# openssl x509 -inform PEM -outform DER -in cacert.pem -out demoCA.der
Now you can distribute the file demoCA.der to your users. Importing a DER-encoded certificate (into a program, usually a browser) is easy: users can download it from a web page, or double-click the file if it is on the filesystem (in which case it will most likely be imported into Internet Explorer). Because whoever controls that file controls what your users trust, publish the certificate's fingerprint through a second channel so that users can compare it with the fingerprint their browser displays before accepting the import. For web server distribution, Apache must be configured to serve DER-encoded files using the application/x-x509-ca-cert MIME type. The default mod_ssl configuration already does this for the .crt extension. You can rename the DER file to use that extension, or associate the MIME type with the .der extension by adding the following line to httpd.conf:
AddType application/x-x509-ca-cert .der
Test the configuration by trying to import the certificate into your own browser. If the import process begins, the server is configured properly. If a standard download window appears, you need to investigate what has gone wrong. Perhaps you have forgotten to restart the web server after configuring the DER MIME type?
Issuing Server Certificates
To use SSL, each web server must be supplied with a server certificate. Before issuing your first certificate, you may need to adjust the default policy, specified in the openssl.cnf file. The policy controls which fields of a certificate request must match the corresponding fields of the CA certificate, which must merely be present, and which are optional. The default policy requires the fields countryName, stateOrProvinceName, and organizationName to match:
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Option values have the following meanings:
match
The field must be present in the request and must match the corresponding field in the CA certificate.
supplied
The field must be present in the request; it can contain any value.
optional
The field may be present with any value, or be omitted from the request.
To create a certificate, assuming you were given a CSR by some other web server administrator in your organization, rename the CSR file to newreq.pem and execute the following command to sign it:
# CA.pl -signreq
That is all there is to it. You will be asked to type in the CA passphrase, and you will be given an opportunity to verify the details are in order. The passphrase is not echoed while you type it; the asterisks in the listing below merely mark where it was entered.
# CA.pl -signreq
Using configuration from /opt/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:******
Check that the request matches
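The following script is an added example and is not code from the book or from the CA.pl script; it spells out, as plain openssl commands, what CA.pl -newca, the DER conversion above and CA.pl -signreq do, so that both the distribution check (the DER file carries the same certificate as the PEM original) and the policy_match check (a request from a different organizationName is refused) can be scripted. It assumes openssl 1.1.1 or later on the PATH; the DNs, hostnames, directory layout and the helper names (make_ca, ca_to_der, sign_csr, and so on) are made up for the example, and the CA key is left unencrypted so the demo runs unattended, which a real CA must not do.

```shell
#!/bin/sh
# Added example (not from the book or CA.pl). Assumes openssl >= 1.1.1;
# DNs, names and paths are invented; CA key is unencrypted only for the demo.
set -u

# Minimal openssl.cnf for a CA rooted at $1/demoCA, carrying the same
# policy_match section that the default configuration file ships.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1/demoCA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Create the demoCA tree that CA.pl -newca builds, plus a self-signed root.
make_ca() {
    mkdir -p "$1/demoCA/certs" "$1/demoCA/crl" "$1/demoCA/newcerts" "$1/demoCA/private"
    chmod 700 "$1/demoCA/private"
    : > "$1/demoCA/index.txt"
    echo 01 > "$1/demoCA/serial"
    write_ca_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/C=GB/ST=London/O=Example Corp/CN=Example Corp Root CA" \
        -keyout "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem" 2>/dev/null
}

# SHA-256 fingerprint of the PEM CA certificate (publish this out of band).
pem_fingerprint() {
    openssl x509 -in "$1/demoCA/cacert.pem" -noout -fingerprint -sha256
}
# Convert the CA certificate to DER for distribution and print the fingerprint
# of the DER copy; it must equal pem_fingerprint or the wrong file was shipped.
ca_to_der() {
    openssl x509 -inform PEM -outform DER -in "$1/demoCA/cacert.pem" -out "$1/demoCA.der"
    openssl x509 -inform DER -in "$1/demoCA.der" -noout -fingerprint -sha256
}
# Key and CSR for a server: make_csr <dir> <name> <subject>.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
# What CA.pl -signreq runs: openssl ca. Exit status 0 only if the policy accepted it.
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# Check that an issued certificate chains to the CA.
verify_cert() {
    openssl verify -CAfile "$1/demoCA/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    work=$(mktemp -d)
    make_ca "$work"
    echo "PEM $(pem_fingerprint "$work")"
    echo "DER $(ca_to_der "$work")"
    # C, ST and O match the CA certificate: policy_match accepts the request.
    make_csr "$work" www "/C=GB/ST=London/O=Example Corp/CN=www.example.com"
    sign_csr "$work" www && verify_cert "$work" www && echo "www.example.com: issued, verifies"
    # Same CN requested by another organisation: openssl ca refuses before signing.
    make_csr "$work" rogue "/C=GB/ST=London/O=Other Ltd/CN=www.example.com"
    if sign_csr "$work" rogue; then echo "rogue: issued (policy not enforced!)"
    else echo "rogue: rejected by policy_match"; fi
    rm -rf "$work"
}
demo
```

The two fingerprint lines printed by the demo must be identical: that is the check to run before handing demoCA.der to users, and the value to publish next to the download. The rejected request shows the policy doing its job; change organizationName in [ policy_match ] to supplied and the same request is signed, which is why the policy should be reviewed before the first real certificate is issued.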