====== OpenSSL ======

//WORK IN PROGRESS// do not believe anything here yet.

The [[http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html|SSL Certificates HOWTO]] helps a little.


===== Installation =====

Well just do

  #> apt-get install openssl

Of course to use the SSL Certificates for your application you may need some more stuff (eg. ''libapache-mod-ssl'').

===== The Certificate Authority =====

Okay first things first. We need a Certificate Authority (CA) which will sign all our certificates. If you are a professional you want to buy this service from the big players like [[http://verisign.com/products-services/security-services/ssl/index.html|Verisign]], [[http://www.thawte.com/ssl/index.html|Thawte]] or some [[google>SSL Reseller]]. If you want it for your private server keep reading.

For the CA we need two things: A private key and a selfsigned certificate (signed by the private key just mentioned), for issuing certifcaes you need some kind of infrastructure (a few directories), too.

==== Infrastructure ====

Your CA needs to keep a record on issued certificates. This is needed to make it possible to revoke certificates when needed. These records will be stored in ''/etc/ssl/CA'' for the following examples. Lets initialize this "Database":

  #> mkdir -p /etc/ssl/CA/private
  #> mkdir -p /etc/ssl/CA/newcerts
  #> echo "01" > /etc/ssl/CA/serial
  #> touch /etc/ssl/CA/index.txt

Openssl needs to be informed about these locations. This is done in the ''/etc/ssl/openssl.conf''. This ini-style file already contains a section called ''[ CA_default ]]''. The only thing you should need to change there is the ''dir'' value. The following shows the mentioned section and how it should look like.

<code ini>
[ CA_default ]

dir             = /etc/ssl/CA           # !!! change this
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be
                                        # commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
</code>

==== Private Key ====

The private key of our new CA is created with the following command. It says to create an RSA key encrypted by DES using a length of 1024 bits. You should enter a strong passphrase! You will only type this on signing certificates.

  #> openssl genrsa -des3 -out /etc/ssl/CA/private/cakey.pem 1024
  Generating RSA private key, 1024 bit long modulus
  .......................................++++++
  ..................................................++++++
  e is 65537 (0x10001)
  Enter pass phrase for CAkey.pem:
  Verifying - Enter pass phrase for CAkey.pem:


Protect the key from prying eyes:

  #> chmod 400 /etc/ssl/CA/private/cakey.pem

==== Selfsigned Certificate ====

We create a new selfsigned Certificate (''-new'') from our public key (''-key''). We want a x509 cert with a live of 10 years (''-days''). We have to supply the private key's passphrase and give some other informations.

  #> openssl req -new -key /etc/ssl/CA/private/cakey.pem -x509 -days 3650 -out /etc/ssl/CA/cacert.pem
  Enter pass phrase for CAkey.pem:
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:DE
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:Berlin
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org
  Organizational Unit Name (eg, section) []:.
  Common Name (eg, YOUR name) []:ca.splitbrain.org
  Email Address []:ca@splitbrain.org

Note the ''-x509'' option tells openssl to create a selfsigned certificate instead of just a request. This certificate will used by clients to check the signature of other certificates. So you should make this certificate publically available.

eg.

  #> cp /etc/ssl/cacert.pem /var/www/certificate.crt


===== Application Certificates =====

This is how to generate a key/cert for the [[postfix]] MTA but it's the same for other software like Apache or an IMAP Server.

==== Private Key ====

First generate a new private Key again, but this time without encryptingit with DSA (we don't want to give a password)

  #> openssl genrsa -out postfixKey.pem 1024

==== Certificate Request ====

Now generate a certifiate request for this key. The important part is the //Common Name// it has to match the name of your mailserver!

  #> openssl req -new -key postfixKey.pem -out postfixCert.req
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:DE
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:Berlin
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org
  Organizational Unit Name (eg, section) []:.
  Common Name (eg, YOUR name) []:hex.splitbrain.org
  Email Address []:postmaster@splitbrain.org

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

==== Signing the Request ====

Now we need to generate a signed certificate from the request.

<code>
#> openssl ca -policy policy_anything -in postfixCert.req -out postfixCert.pem -days 1825 
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  9 16:36:43 2004 GMT
            Not After : Dec  8 16:36:43 2009 GMT
        Subject:
            countryName               = DE
            localityName              = Berlin
            organizationName          = splitbrain.org
            commonName                = hex.splitbrain.org
            emailAddress              = postmaster@splitbrain.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2B:4B:2A:10:13:18:11:8F:23:ED:9B:52:57:04:D0:C7:9E:CD:61:02
            X509v3 Authority Key Identifier: 
                keyid:0A:9B:C1:79:B6:34:0E:EE:76:3B:B3:D2:43:38:6F:29:7B:8A:D4:15
                DirName:/C=DE/L=Berlin/O=splitbrain.org/CN=ca.splitbrain.org/emailAddress=ca@splitbrain.org
                serial:D8:1D:E7:27:AA:4A:F5:00

Certificate is to be certified until Dec  8 16:36:43 2009 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
</code>

Wow. Okay what did we do? We used the request (''-in'') to generate a certificate (''-out''). We specified a policy (''-policy'') about which attributes are mandatory (none besides the common name ((The policy is defined in the ''openssl.conf''))). Openssl took some more infos from the config file (eg. The CA's private Key and Certificate). The ''-days'' option told openssl for how long the issued certificate should be valid (5 years).

The request (''postfixCert.req'') is no longer needed and should be deleted. The private key and the issued certificate should now be installed to the appropiate place for the application (eg. ''/etc/postfix/''((See [[postfix]]))) make sure that the private key isn't readable by anyone but root.

For courier IMAP you'll need to place the key and the certificate together with some Diffie-Hellman code in a single file:

  #> cat postfixKey.pem postfixCert.pem > /etc/courier/imapd.pem
  #> openssl gendh >> /etc/courier/imapd.pem
  #> sh /etc/init.d/courier-imap-ssl restart