Digital Certificate Generation and OpenSSL

Digital certificates are used to help secure communications across networks, including the Internet. Web servers accessed over HTTPS present a digital certificate on the server side and, in some deployments, require one from the client as well. Signing and encrypting email with S/MIME relies on certificates for the sender and the recipient, and certain VPN software uses digital certificates on both ends of the connection.

The question, then, is how to obtain these digital certificates and install them for the applications on the client and server sides. Usually, organizations and individuals acquire their certificates from vendors that participate in an ecosystem of providers recognized by the applications (browsers, mail clients, operating systems) that require certificates for secure communications. These providers are called certificate authorities (CAs).

Organizations can also act as a CA within their own domain, for themselves and for the other parties that communicate with them. The software needed to do this is readily available: Linux, Microsoft Windows Server and Apple Mac OS all ship tools that can generate digital certificates. OpenSSL is one such tool and is available on most platforms, though it is not the only software available for the purpose.

Creating A Certificate Authority Digital Certificate

It is possible to become a certificate authority (CA) by generating your own CA certificate and private key. The CA private key is then used to sign certificates for servers and clients, which in turn authenticate TLS connections and sign digital assets such as software, documents and email. The one caveat is that, unless you become one of the globally accepted certificate authorities, your CA is trusted only within your own organization and by third parties who explicitly install your CA certificate as a trust anchor.

The steps below assume you are using CentOS Linux 6 or 7.

In OpenSSL, a self-signed CA certificate can be produced in a single step from an existing private key:

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 3650

This works, but it bypasses the openssl ca tool: the certificate it produces is not entered in the CA's database (index.txt and serial) and takes whatever serial number req assigns. This article uses the sequence below instead, which signs the CA certificate through openssl ca in the same way as every other certificate.

Below is the sequence used here to generate a CA self-signed certificate:

  1. Generate a private key.
  2. Create a certificate signing request (CSR).
  3. Sign the request and generate the certificate.

This can be illustrated by the OpenSSL commands below:

openssl genrsa -aes256 -out CA.key 2048
openssl req -new -key CA.key -text -out CA.csr
openssl ca -in CA.csr -out CA.crt -keyfile CA.key -selfsign -extensions v3_ca

The above commands assume that CA.key, CA.csr and CA.crt are the private key, certificate signing request and CA certificate, respectively. The -extensions v3_ca argument names a section of the OpenSSL configuration file openssl.cnf that marks the generated certificate as a CA certificate (basicConstraints = CA:true). In CentOS, the configuration file is /etc/pki/tls/openssl.cnf, and its [CA_default] section expects the key and certificate at /etc/pki/CA/private/CA.key and /etc/pki/CA/certs/CA.crt; either place the files there or override the locations on the command line as the -keyfile option above does. Check the signature digest as well: CentOS 6 shipped default_md = sha1 in the [req] section, and SHA-1 certificate signatures are rejected by current browsers, so pass -sha256 to openssl req and -md sha256 to openssl ca, or set default_md = sha256 in the configuration. A sample openssl.cnf file is shown at the end of this article.

openssl ca keeps its records in /etc/pki/CA, the dir setting in [CA_default] of the sample configuration. If it fails with errors about missing files, create the database and serial files in /etc/pki/CA before signing (the certs, newcerts and private directories must exist there as well, since a copy of every issued certificate is written to newcerts):

touch index.txt
echo 01 > serial

The serial starts at 01 rather than 00 because RFC 5280 requires a certificate's serial number to be a positive integer, and some validators reject a certificate with serial 0.

Note: A common refinement is to generate a subordinate CA signed by the root CA certificate above. The subordinate CA certificate and private key are then used to issue the everyday certificates, while the root CA certificate and private key are kept securely offline and used only when needed, for instance to sign a new subordinate or to publish a CRL. Protecting the root CA private key is of utmost importance: anyone holding it can issue certificates that every system trusting your CA will accept.

Creating Other Certificates

Once the CA certificate and private key exist, creating other certificates is straightforward:

  1. Generate a private key for the new certificate: openssl genrsa -aes256 -out somename.key 2048
  2. Generate a CSR: openssl req -new -key somename.key -text -out somename.csr
  3. As a CA, sign the CSR to generate certificate: openssl ca -in somename.csr -out somename.crt [-extensions server_cert|usr_cert]

server_cert tells OpenSSL to add the extensions of a server certificate, while usr_cert adds those of a client (user) certificate; both sections are defined in /etc/pki/tls/openssl.cnf. Two things to check before signing. First, the policy_match policy in [CA_default] requires the request's country, state and organization to match the CA certificate exactly, otherwise openssl ca rejects the request, so use the same values you gave the CA. Second, a server certificate needs a subjectAltName listing its hostnames, because browsers match the hostname against the SAN rather than the Common Name; the sample server_cert section below leaves subjectAltName commented out, so add an entry such as subjectAltName = DNS:www.example.com to it, or supply the extensions from a separate file with -extfile.
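The two procedures above, the three-step root CA creation and the signing of a server certificate, put together as one runnable script. This is an added example rather than code from the original article: it works in a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf with the same [CA_default], policy_match and v3_ca sections, and invents the directory, the passphrase, the DN values and the hostname www.example.test for the demonstration. It uses SHA-256 signatures throughout and gives the server certificate a subjectAltName through a per-certificate -extfile.

```shell
#!/bin/sh
# Added example, not code from the original article: the three-step root CA
# procedure and a CA-signed server certificate, both driven through
# "openssl ca" in a throw-away directory so nothing under /etc/pki is touched.
# The directory, passphrase, DN values and hostname are assumptions.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-pass:ca-passphrase-change-me}"      # assumed demo passphrase
ORG_SUBJ="/C=XX/ST=Default Province/O=My Organization"  # policy_match needs these to agree

# The files "openssl ca" expects (index.txt, serial, the directories) and a
# minimal openssl.cnf.  Serial 01, not 00: RFC 5280 requires a positive serial.
ca_init() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$certs/CA.crt
private_key   = \$dir/private/CA.key
default_md    = sha256
default_days  = 398
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:true
keyUsage               = critical,cRLSign,keyCertSign
EOF
}

# Root CA: private key, CSR, self-signed certificate.  Going through
# "openssl ca -selfsign" records the root in index.txt with serial 01.
ca_create_root() {
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$CA_DIR/private/CA.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$CA_DIR/openssl.cnf" \
    -key "$CA_DIR/private/CA.key" -passin "$CA_PASS" \
    -subj "$ORG_SUBJ/CN=Example Private Root CA" -out "$CA_DIR/CA.csr"
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -selfsign -extensions v3_ca \
    -keyfile "$CA_DIR/private/CA.key" -passin "$CA_PASS" -days 3650 \
    -in "$CA_DIR/CA.csr" -out "$CA_DIR/certs/CA.crt"
}

# Server certificate: the same three steps, signed by the CA.  The extensions
# are written per certificate so subjectAltName can carry the hostname.
issue_server_cert() {
  host="$1"
  cat > "$CA_DIR/$host.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
EOF
  openssl genrsa -out "$CA_DIR/$host.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/$host.key" \
    -subj "$ORG_SUBJ/CN=$host" -out "$CA_DIR/$host.csr"
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -passin "$CA_PASS" \
    -extfile "$CA_DIR/$host.ext" -extensions server_cert \
    -in "$CA_DIR/$host.csr" -out "$CA_DIR/$host.crt"
}

# Check the result the way a client would: chains to the root, root is CA:TRUE,
# and the SAN carries the hostname.
verify_server_cert() {
  host="$1"
  openssl verify -CAfile "$CA_DIR/certs/CA.crt" "$CA_DIR/$host.crt" | grep -q ': OK$' &&
    openssl x509 -noout -text -in "$CA_DIR/certs/CA.crt" | grep -q 'CA:TRUE' &&
    openssl x509 -noout -text -in "$CA_DIR/$host.crt" | grep -q "DNS:$host"
}

if command -v openssl >/dev/null 2>&1; then
  ca_init
  ca_create_root
  issue_server_cert www.example.test
  verify_server_cert www.example.test
  echo "CA and server certificate created under $CA_DIR (see index.txt)"
fi
```

Run it with sh, setting CA_DIR if the output should persist. Afterwards index.txt lists both certificates (the root with serial 01, the server with 02) and newcerts/ holds a copy of each. The passphrase is passed with -passout and -passin only so the script runs unattended; for a real CA, type it interactively and keep the key offline as described above.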

Sample OpenSSL Configuration

Below is a sample configuration based on the default CentOS OpenSSL configuration file. Before using it as-is, check that default_md is sha256 in both the [CA_default] and [req] sections (older CentOS 6 files set sha1 in [req], and SHA-1 certificate signatures are rejected by current browsers). The usr_cert, server_cert and v3_ca sections are the ones referenced by the -extensions arguments above:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file        = $ENV::HOME/.oid
oid_section        = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        = 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca    = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir        = /etc/pki/CA        # Where everything is kept
certs        = $dir/certs        # Where the issued certs are kept
crl_dir        = $dir/crl        # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject    = no            # Set to 'no' to allow creation of
                    # several certificates with same subject.
new_certs_dir    = $dir/newcerts        # default place for new certs.

certificate    = $certs/CA.crt     # The CA certificate
serial        = $dir/serial         # The current serial number
crlnumber    = $dir/crlnumber    # the current crl number
                    # must be commented out to leave a V1 CRL
crl        = $dir/crl.pem         # The current CRL
private_key    = $dir/private/CA.key  # The private key
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions    = usr_cert        # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt     = ca_default        # Subject Name options
cert_opt     = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 3650            # how long to certify for
default_crl_days= 30            # how long before next CRL
default_md    = default        # use public key default MD
preserve    = no            # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy        = policy_match

# For the CA policy
[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

####################################################################
[ req ]
default_bits        = 2048
default_md        = sha256        # SHA-1 signatures are rejected by current clients
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
x509_extensions    = v3_ca    # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix     : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = XX
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
#stateOrProvinceName_default    = Default Province

localityName            = Locality Name (eg, city)
localityName_default    = Default City

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = My Organization

# we can do this but it is not needed normally :-)
#1.organizationName        = Second Organization Name (eg, company)
#1.organizationName_default    = World Wide Web Pty Ltd

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = IT

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

emailAddress            = Email Address
emailAddress_max        = 64

# SET-ex3            = SET extension number 3

[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min        = 4
challengePassword_max        = 20

unstructuredName        = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# and for everything including object signing:
nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment            = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ server_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
nsCertType            = server

# This will be displayed in Netscape's comment listbox.
nsComment            = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType            = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment            = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1    # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir        = ./demoCA        # TSA root directory
serial        = $dir/tsaserial    # The current serial number (mandatory)
crypto_device    = builtin        # OpenSSL engine to use for signing
signer_cert    = $dir/tsacert.pem     # The TSA signing certificate
                    # (optional)
certs        = $dir/cacert.pem    # Certificate chain to include in reply
                    # (optional)
signer_key    = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy    = tsa_policy1        # Policy if request did not specify it
                    # (optional)
other_policies    = tsa_policy2, tsa_policy3    # acceptable policies (optional)
digests        = md5, sha1        # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100    # (optional)
clock_precision_digits  = 0    # number of digits after dot. (optional)
ordering        = yes    # Is ordering defined for timestamps?
                # (optional, default: no)
tsa_name        = yes    # Must the TSA name be included in the reply?
                # (optional, default: no)
ess_cert_id_chain    = no    # Must the ESS cert id chain be included?
                # (optional, default: no)

Using GnuTLS With Apache httpd 2.2

An alternative to using OpenSSL with Apache httpd is GnuTLS. At the time of writing (2011), GnuTLS supported TLS 1.1 and TLS 1.2 in addition to the protocol versions OpenSSL supported; OpenSSL only gained TLS 1.1 and 1.2 with release 1.0.1. Note, however, that SSL 2.0 is not supported, which is no loss since that protocol is broken and has been prohibited by RFC 6176.

GnuTLS also supports secure renegotiation, which closes the TLS renegotiation flaw in which a man-in-the-middle could splice data of its own in front of a victim's connection. Secure renegotiation is specified in RFC 5746.

The following software is needed to get GnuTLS working in Apache httpd, and the packages are to be installed in this order: GMP, Nettle, libgpg-error, libgcrypt, GnuTLS and finally mod_gnutls, the httpd module that enables GnuTLS. One interesting feature of mod_gnutls is its support for Server Name Indication (SNI), which lets one IP address and port serve several TLS-enabled hostnames, just like regular name-based virtual hosts.

These packages might be available for your favorite Linux distribution. In our case, we simply compile and install from the original sources.


Here are the configuration statements used:

GMP (GNU MP):

./configure
make
make check
make install

Nettle:

./configure --enable-shared
make
make check
make install

libgpg-error:

./configure
make
make check
make install

libgcrypt:

./configure
make
make check
make install

GnuTLS:

./configure
make
make check
make install

mod_gnutls:

./configure --with-apxs=/opt/apache2/sbin/apxs
make
make install

One thing to add to the Apache httpd configuration is the module specification:

LoadModule gnutls_module modules_dirname/mod_gnutls.so

The documentation for mod_gnutls is straightforward. You can find examples of configurations in the documentation.

A good way to test whether your TLS-enabled site works properly is the testing tool of SSL Labs: http://www.ssllabs.com/. The test grades the soundness of your security configuration. Take note that, at the time of writing, the test connects to your site using the features of Firefox 3.6.x. Apparently, this version of Firefox does not seem to support SNI.

If you have trouble making the TLS cache work with db/gdbm files, check the filesystem permissions: the user the web server runs as must be able to create, read and write the cache file. Also make sure that Apache httpd, via the Apache Portable Runtime (APR), was built with support for the Berkeley DB and/or GNU dbm libraries. In our case, we had to compile APR with db and gdbm support explicitly.

Update: 25 Jul 2011

When installing the digital certificate for your site, make sure the certificate and the bundle of intermediate certificates from the issuer are in the proper order. For example, for linuxunbound.com, the browser's certificate viewer shows the hierarchy from the root CA at the top down to the linuxunbound.com certificate at the bottom:

(Figure: Linux Unbound Certificate Hierarchy)

In the actual certificate bundle the certificates appear in the reverse of that order:

(Figure: Sequence of Digital Certificates In A Bundle)

That is, the linuxunbound.com certificate comes first, followed by the intermediate that issued it, and so on up towards the root. Each certificate in the file must be the issuer of the one immediately before it: this is the order the TLS handshake requires, and many clients fail validation when the chain is sent in a different order. The root certificate itself may be left out of the bundle, since clients must already hold it in their trust store to validate the chain at all.
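A check for the bundle order described above, added here as an example and not part of the original article: it splits a PEM file into its certificates and confirms that each one was issued by the next, which is what the TLS handshake expects. The only input is the bundle path; the file name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original article): verify that a PEM bundle
# is ordered the way TLS requires, i.e. the server certificate first and
# every following certificate the issuer of the one before it.
set -eu

# Split a PEM bundle into 000.pem, 001.pem, ... under $2 and print the count.
# Anything outside BEGIN/END markers (such as the text dump "openssl ca"
# prepends) is ignored.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n - 1) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Return 0 when the order is correct; otherwise report the first problem on
# stderr and return 1.  Issuer and subject are compared by their DN hashes,
# which is the ordering check; signature validation is openssl verify's job.
check_bundle_order() {
  bundle="$1"
  tmp=$(mktemp -d)
  n=$(split_bundle "$bundle" "$tmp")
  rc=0
  if [ "$n" -eq 0 ]; then
    echo "$bundle: no certificates found" >&2
    rc=1
  elif openssl x509 -noout -text -in "$tmp/000.pem" | grep -q 'CA:TRUE'; then
    echo "$bundle: the first certificate is a CA certificate; the server certificate must come first" >&2
    rc=1
  else
    i=0
    while [ $((i + 1)) -lt "$n" ]; do
      cur=$(printf '%s/%03d.pem' "$tmp" "$i")
      nxt=$(printf '%s/%03d.pem' "$tmp" $((i + 1)))
      if [ "$(openssl x509 -noout -issuer_hash -in "$cur")" != \
           "$(openssl x509 -noout -subject_hash -in "$nxt")" ]; then
        echo "$bundle: certificate $((i + 1)) is not the issuer of certificate $i" >&2
        echo "  expected issuer: $(openssl x509 -noout -issuer -in "$cur")" >&2
        echo "  found subject:   $(openssl x509 -noout -subject -in "$nxt")" >&2
        rc=1
        break
      fi
      i=$((i + 1))
    done
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh check_bundle.sh /path_to_public/certificate_bundle.crt  (assumed path)
if [ -n "${1:-}" ]; then
  check_bundle_order "$1"
  echo "$1: certificate order is correct"
fi
```

The DN-hash comparison catches the two mistakes that actually occur in practice, a reversed bundle and a missing intermediate; it does not prove the signatures, so run openssl verify against the CA file as well once the order is right.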

In Apache httpd 2.x, the configuration looks like this:

<IfModule gnutls_module>
  GnuTLSEnable on
  GnuTLSSessionTickets on
  # NORMAL is the GnuTLS default priority set; on GnuTLS versions where
  # NORMAL still enables SSL 3.0, use "NORMAL:-VERS-SSL3.0" instead
  GnuTLSPriorities NORMAL
  GnuTLSKeyFile /path_to_private/key
  # the bundle: site certificate first, then the intermediates
  GnuTLSCertificateFile /path_to_public/certificate_bundle.crt
</IfModule>

For performance reasons, a session cache should be set up so that returning clients can resume a session instead of running a full handshake:

GnuTLSCache dbm "/path/to/tls-cache"
GnuTLSCacheTimeout 600

where tls-cache is the cache file and 600 is the lifetime of a cached session in seconds. Note that in the above example, we use the Berkeley DB format.