
SSL Certificates

by David Hostetler [modified 20120211:21:52 (Sat)] [posted 20120114:15:52 (Sat)]

Describes the process of generating/requesting/updating SSL certificates, with a bias towards using StartSSL as the CA.

Obtain your CA's root cert and chain file

Many of the tools and services that use SSL will need to be told about your CA. You typically need the CA root certificate and the class1 chain file. For startssl.com, they are:


Providing default cert values to OpenSSL

  • Edit /etc/ssl/openssl.cnf.
  • Put defaults in any field you want.
  • Now when you generate crt files, you'll have to provide a lot fewer values.
  • Note that if you're using startssl.com then it'll ignore everything in your CSR submissions except the private key used to generate them, and it'll use values from your account to fill in the other fields.


OpenSSL Tips:

  • Examine the contents of a crt file:
    • openssl x509 -noout -text -in file.crt
  • Examine the contents of a csr file:
    • openssl req -noout -text -in file.csr
  • Verify a crt file:
    • openssl verify -CAfile yourCAchainfile.crt yourcrt.crt


Creating private keys

openssl genrsa -out domain.net.key.pem 4096
chmod 400 domain.net.key.pem
  • You'll want to generate one private key for each domain or set of services you host. You can use one key for multiple CSRs, but keep in mind that if that key is ever compromised, every service relying on certificates generated from it is at risk.
  • Keys have no expiration date and remain valid indefinitely unless they are compromised (stolen).


Creating certificate signing requests (CSR)

openssl req -new -key domain.net.key.pem -out domain.net.csr
  • The critical field is 'Common Name', which must be set to the actual host name the certificate will be served for.
  • Thus, if you're making a CSR for a website mapped to your domain ('foobar.com'), use 'foobar.com' as the 'Common Name' value, not 'www.foobar.com' or '*.foobar.com'.


Here's a list of the CSRs I generate:

openssl req -new -key negativesum.net.key.pem -out negativesum.net.csr
openssl req -new -key negativesum.net.key.pem -out mail.negativesum.net.csr
openssl req -new -key negativesum.net.key.pem -out mysql.negativesum.net.csr
openssl req -new -key negativesum.net.key.pem -out svn.negativesum.net.csr
openssl req -new -key negativesum.net.key.pem -out tracker.negativesum.net.csr

openssl req -new -key ldap.negativesum.net.key.pem -out ldap.negativesum.net.csr

openssl req -new -key gridmotorsports.com.key.pem -out gridmotorsports.com.csr
openssl req -new -key gridmotorsports.com.key.pem -out mail.gridmotorsports.com.csr
openssl req -new -key gridmotorsports.com.key.pem -out svn.gridmotorsports.com.csr
openssl req -new -key gridmotorsports.com.key.pem -out tracker.gridmotorsports.com.csr

openssl req -new -key mumble.gridmotorsports.com.key.pem -out mumble.gridmotorsports.com.csr


Murmur (mumble server)

  • Murmur requires its own key and certificate.
  • The certificate must be bundled with the class1 cert from the CA.
  1. Create the csr.
  2. Use the csr to obtain a crt from your CA (mumble.gridmotorsports.com.crt).
  3. Combine the CA chainfile with your new crt:
     cat sub.class1.server.ca.pem > mumble.gridmotorsports.com.concat.crt
     cat mumble.gridmotorsports.com.crt >> mumble.gridmotorsports.com.concat.crt
  4. Restrict permissions on the certificate files and give the murmur group ownership of the key and certificates:
     chmod 444 mumble.*.crt
     chown root:murmur mumble.*
  5. Configure murmur via /etc/murmur/murmur.ini:
     sslCert=/etc/ssl/private/mumble.gridmotorsports.com.concat.crt
     sslKey=/etc/ssl/private/mumble.gridmotorsports.com.key.pem


Posted by john at 20120124:03:23 (Tue)
As a beginner this tutorial was very informative for me and quite useful.