Digital Certificate Generation and OpenSSL

Digital certificates are used to help secure communications across networks, including the Internet. Web servers that are accessed via the HTTPS protocol involve the use of digital certificates on the server side and, in some circumstances, on the client side as well. Signing and encrypting email with the use of S/MIME also involves the use of client and server-side digital certificates. Certain VPN software might also use digital certificates on both sides of the communication line.

The question one might ask is how to get these digital certificates and install them for use by applications on the client and server sides. Usually, organizations and individuals acquire their digital certificates from vendors that participate in an ecosystem of providers officially recognized by applications requiring digital certificates to enable secure communications. These providers are called certificate authorities (CAs).

Organizations can also become CAs within their own domain involving themselves and other parties that communicate with them. Software is readily available to give organizations the ability to become CAs. Platforms such as Linux, Microsoft Windows (Server), and Apple Mac OS have the necessary software to generate digital certificates. OpenSSL is one such software available on most platforms. Note that OpenSSL is not the only software available for this purpose.

Creating A Certificate Authority Digital Certificate

It is possible to become a certificate authority (CA) by generating your own CA digital certificate and private key. The CA digital certificate and private key are used to sign and generate digital certificates for servers and clients for the purpose of encrypting communications and digitally signing digital assets such as software, computer documents and email. The one caveat is that, unless you become one of globally-accepted certificate authorities, your CA is limited to your use within your own organization and with trusted third-parties.

The steps below assume you are using CentOS Linux 6 or 7.

In OpenSSL, one can generate what is called a self-signed CA certificate using this command:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 3650

The above command, however, is not the recommended way of generating a self-signed CA certificate.

Below is the sequence one must use in generating a CA self-signed certificate:

  1. Generate a private key.
  2. Create a certificate signing request (CSR).
  3. Sign the request and generate the certificate.

This can be illustrated by the OpenSSL commands below:

openssl genrsa -aes256 -out CA.key 2048
openssl req -new -key CA.key -text -out CA.csr
openssl ca -in CA.csr -out CA.crt -keyfile CA.key -selfsign -extensions v3_ca

The above commands assume that CA.key, CA.csr, and CA.crt are the private key, certificate signing request, and the CA certificate, respectively. The extension v3_ca refers to a section in the OpenSSL configuration file openssl.cnf that tags the generated certificate as a CA certificate. In CentOS, the configuration file is in /etc/pki/tls.  A sample openssl.cnf file is shown at the end of this article.

If an error is encountered about a couple of missing files in /etc/pki/CA, there may be a need to create these files in /etc/pki/CA before generating the certificate:

touch index.txt
echo 00 > serial

Note: Some would generate a subordinate CA using the above root CA certificate. The subordinate CA certificate and private key are then used to generate other certificates while the root CA certificate and private key are kept securely offline unless needed. It is of utmost importance to protect the root CA and private key.

Creating Other Certificates

Once the CA certificate and private key exist, creating other certificates should be reasonably easy:

  1. Generate a private key for the new certificate: openssl genrsa -aes256 -out somename.key 2048
  2. Generate a CSR: openssl req -new -key somename.key -text -out somename.csr
  3. As a CA, sign the CSR to generate certificate: openssl ca -in somename.csr -out somename.crt [-extensions server_cert|usr_cert]

server_cert tells OpenSSL to create a server certificate while usr_cert tells OpenSSL to generate a client certificate. These two are defined in /etc/pki/tls/openssl.cnf.

 Sample OpenSSL Configuration

Below is a sample configuration based on the default CentOS OpenSSL configuration file:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file        = $ENV::HOME/.oid
oid_section        = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        = 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca    = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir        = /etc/pki/CA        # Where everything is kept
certs        = $dir/certs        # Where the issued certs are kept
crl_dir        = $dir/crl        # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject    = no            # Set to 'no' to allow creation of
                    # several ctificates with same subject.
new_certs_dir    = $dir/newcerts        # default place for new certs.

certificate    = $certs/CA.crt     # The CA certificate
serial        = $dir/serial         # The current serial number
crlnumber    = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl        = $dir/crl.pem         # The current CRL
private_key    = $dir/private/CA.key  # The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions    = usr_cert        # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt     = ca_default        # Subject Name options
cert_opt     = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 3650            # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md    = default        # use public key default MD
preserve    = no            # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy        = policy_match

# For the CA policy
[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 2048
default_md        = sha1
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
x509_extensions    = v3_ca    # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix     : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = XX
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
#stateOrProvinceName_default    = Default Province

localityName            = Locality Name (eg, city)
localityName_default    = Default City

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = My Organization

# we can do this but it is not needed normally :-)
#1.organizationName        = Second Organization Name (eg, company)
#1.organizationName_default    = World Wide Web Pty Ltd

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = IT

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

emailAddress            = Email Address
emailAddress_max        = 64

# SET-ex3            = SET extension number 3

[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min        = 4
challengePassword_max        = 20

unstructuredName        = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# and for everything including object signing:
nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment            = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ server_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType            = server

# This will be displayed in Netscape's comment listbox.
nsComment            = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType            = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment            = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1    # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir        = ./demoCA        # TSA root directory
serial        = $dir/tsaserial    # The current serial number (mandatory)
crypto_device    = builtin        # OpenSSL engine to use for signing
signer_cert    = $dir/tsacert.pem     # The TSA signing certificate
                    # (optional)
certs        = $dir/cacert.pem    # Certificate chain to include in reply
                    # (optional)
signer_key    = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy    = tsa_policy1        # Policy if request did not specify it
                    # (optional)
other_policies    = tsa_policy2, tsa_policy3    # acceptable policies (optional)
digests        = md5, sha1        # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100    # (optional)
clock_precision_digits  = 0    # number of digits after dot. (optional)
ordering        = yes    # Is ordering defined for timestamps?
                # (optional, default: no)
tsa_name        = yes    # Must the TSA name be included in the reply?
                # (optional, default: no)
ess_cert_id_chain    = no    # Must the ESS cert id chain be included?
                # (optional, default: no)

Adding Custom Services With systemd

[vc_row][vc_column][vc_column_text]systemd is a system and service manager for Linux similar to SysV init. Several Linux distributions, notably Red Hat Enterprise Linux, SuSE, CentOS, Fedora, Debian and Ubuntu, are adopting it for their current or future releases. You can now experience systemd on Fedora and Red Hat Enterprise Linux 7 Beta.

We decided to install customized versions of Apache httpd and Percona Server, both of which must be started on boot.  systemd configurations had to be created for these.  We based our configuration files on existing ones for Apache httpd and MySQL. Furthermore, we made sure that necessary directories for these software are created at boot time.

The procedures described below were done on a VMware installation of Red Hat Enterprise Linux 7 Beta. These procedures should work on Fedora 20 as well (we’ll verify this in the future).

First, we compile and install Apache httpd version 2.4.9 (we’ll write an article about this in the future). Our installation of Apache httpd is in /opt/apache. The configuration files are in /etc/opt/apache while the logs are in /var/opt/apache.  Note that this layout of the installation is the opt layout for Apache httpd which is specified during configuration of the source.

Let us take a look at the systemd configuration file for the built-in Red Hat httpd daemon:

[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
[Install]
WantedBy=multi-user.target

The above file, named httpd.service, is found in /usr/lib/systemd/system.

We now create another file which we name as apache-httpd.service and place in /etc/systemd/system. Note that we must make sure that httpd.service is disabled. Let us disable it using the command:

sudo systemctl disable httpd.service

To check the status of a service, we can type the following command:

sudo systemctl status httpd.service

Now, our apache-httpd.service file for the custom Apache httpd installation contains the following:

[Unit]
Description=The Apache HTTP Server (akumubuild)
After=network.target remote-fs.target nss-lookup.target percona-server.service
[Service]
#Type=notify
Type=forking
#Type=dbus
#BusName=com.redhat.apache-httpd
EnvironmentFile=/etc/sysconfig/apache-httpd
#ExecStart=/opt/apache/sbin/httpd $OPTIONS -DFOREGROUND
ExecStart=/opt/apache/sbin/httpd $OPTIONS 
ExecReload=/opt/apache/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
PIDFile=/var/opt/apache/run/httpd.pid
[Install]
WantedBy=multi-user.target

The original httpd.service was used as a template. Note the differences. For apache-httpd.service, we allow httpd to fork. The Reload command does not use a kill command. Instead, '-k graceful' is passed to httpd.  Note that we also refer to the percona-server.service which we will discuss later.

We enable apache-httpd.service using ‘sudo systemctl enable apache-httpd.service‘.  Again, use the status command of systemctl to check on the service.  If it isn’t started, issue the command ‘sudo systemctl start apache-httpd.service‘.  The ‘enable‘ command makes sure that the service is started at boot time while ‘start‘ simply runs the service.

We should see the following by checking the status (‘sudo systemctl status apache-httpd’) of our custom installation of Apache httpd:

apache-httpd.service - The Apache HTTP Server (akumubuild)
   Loaded: loaded (/usr/lib/systemd/system/apache-httpd.service; enabled)
   Active: active (running) since Thu 2014-04-03 00:44:31 EDT; 1 day 17h ago
 Main PID: 1942 (httpd)
   CGroup: /system.slice/apache-httpd.service
           ├─1942 /opt/apache/sbin/httpd
           ├─1998 /opt/apache/sbin/httpd
           ├─1999 /opt/apache/sbin/httpd
           ├─2048 /opt/apache/sbin/httpd
           ├─2049 /opt/apache/sbin/httpd
           ├─2050 /opt/apache/sbin/httpd
           └─3237 /opt/apache/sbin/httpd
Apr 03 00:44:30 akumu.hq.linuxunbound.com systemd[1]: PID file /var/opt/apache/run/httpd.pid not re...rt.
Apr 03 00:44:31 akumu.hq.linuxunbound.com systemd[1]: Started The Apache HTTP Server (akumubuild).
Hint: Some lines were ellipsized, use -l to show in full.

Some things to consider:

  • Make sure the file /etc/sysconfig/apache-httpd exists.  This doesn’t have to contain anything though you can add some optional parameters to httpd by assigning them to the shell variable OPTIONS.
  • The directories /var/opt/apache/logs and /var/opt/apache/run must exist.

[GARD align=”center”]

Percona Server for MySQL

The MySQL-compatible Percona Server should have the following configuration file in /usr/lib/systemd/system named percona-server.service:

[Unit]
Description=The Percona Server (MySQL)
# See https://bugzilla.redhat.com/show_bug.cgi?id=714426
After=network.target remote-fs.target nss-lookup.target
Before=apache-httpd.service
[Service]
#Type=notify
#Type=forking
#Type=dbus
Type=simple
EnvironmentFile=/etc/sysconfig/percona-server
ExecStart=/usr/local/mysql/bin/mysqld --defaults-file=/etc/my.cnf --user=mysql $OPTIONS 
#ExecStop=/usr/local/mysql/bin/mysqladmin -u root -p shutdown
ExecStop=/bin/kill -TERM ${MAINPID}
ExecReload=/bin/kill -HUP ${MAINPID}
PrivateTmp=true
PIDFile=/var/run/mysqld/mysqld.pid
[Install]
WantedBy=multi-user.target

Again, we must make sure that certain files and directories exist:

  • the file /etc/sysconfig/percona-server
  • the directory /var/log/mysqld (or whatever is specified in /etc/my.cnf)
  • the directory /var/run/mysqld

Take note that /var/run/mysqld is a temporary directory that is created at boot time and deleted at shutdown.  We need to create a file called /etc/tmpfiles.d/percona.conf which contains the following:

d /run/mysqld 0755 mysql mysql -

This configuration file creates the directory /run/mysqld with mode 0755 and ownership by user ‘mysql‘ and group ‘mysql‘.

Enable the Percona Server service using systemctl as you did for Apache httpd.  Once it is running, you should see something like this status:

percona-server.service - The Percona Server (MySQL)
   Loaded: loaded (/usr/lib/systemd/system/percona-server.service; enabled)
   Active: active (running) since Thu 2014-04-03 00:44:28 EDT; 1 day 17h ago
 Main PID: 1842 (mysqld)
   CGroup: /system.slice/percona-server.service
           └─1842 /usr/local/mysql/bin/mysqld --defaults-file=/etc/my.cnf --user=mysql
Apr 03 00:44:28 akumu.hq.linuxunbound.com systemd[1]: Started The Percona Server (MySQL).

More information on systemd can be found on their wiki.[/vc_column_text][/vc_column][/vc_row]