Linuxdoc Linux Questions
Click here to ask our community of linux experts!
Custom Search

2.1. Installation

Nowadays, you do not have to worry too much about installing OpenSSL: most distributions use package management applications. Refer to your distribution documentation, or read the README and INSTALL file inside the OpenSSL tarball. I want also to avoid to make this HOWTO, an installation HOWTO rather than an HOWTO use certificates.

I describe here some standard installation options which are necessary to know for the samples following. Your installation may differ.

The directory for all OpenSSL certificates is /var/ssl/. All commands and paths in this document are issued from this directory, it is not mandatory but it will help the examples.

OpenSSL by default looks for a configuration file in /usr/lib/ssl/openssl.cnf so always add -config /etc/openssl.cnf to the commands openssl ca or openssl req for instance. I use /etc/openssl.cnf so all my configuration files are all in /etc.

Utilities and other libraries are located in /usr/lib/ssl.

2.1.1. The CA.pl utility

Ensure that the utility CA.pl is in an accessible directory such as /usr/sbin. CA.pl can be found inside /usr/lib/ssl directories. CA.pl is a utility that hides the complexity of the openssl command. In all the examples, when I use CA.pl, I will also put the openssl equivalent in brakets.

/usr/sbin/CA.pl needs to be modified to include -config /etc/openssl.cnf in ca and req calls.

#$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"}; 
$SSLEAY_CONFIG="-config /etc/openssl.cnf"; 
#$CATOP="./demoCA"; 
$CATOP="/var/ssl";

2.1.2. The openssl.cnf file

/etc/openssl.cnf must be configured accordingly to minimize input entry.

#---Begin---
# 
# OpenSSL example configuration file. 
# This is mostly being used for generation of certificate requests. 
#
RANDFILE  = $ENV::HOME/.rnd 
oid_file  = $ENV::HOME/.oid 
oid_section  = new_oids
# To use this configuration file with the "-extfile" option of the 
# "openssl x509" utility, name here the section containing the 
# X.509v3 extensions to use: 
# extensions  = 
# (Alternatively, use a configuration file that has only 
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'. 
# Add a simple OID like this: 
# testoid1=1.2.3.4 
# Or use config file substitution like this: 
# testoid2=${testoid1}.5.6
#################################################################### 
[ ca ] 
default_ca = CA_default  # The default ca section
#################################################################### 
[ CA_default ]
dir             = /var/ssl                # Where everything is kept 
certs           = $dir/certs              # Where the issued certs are kept 
crl_dir         = $dir/crl                # Where the issued crl are kept 
database        = $dir/index.txt          # database index file. 
new_certs_dir   = $dir/newcerts           # default place for new certs.
certificate     = $dir/cacert.pem         # The CA certificate 
serial          = $dir/serial             # The current serial number 
crl             = $dir/crl.pem            # The current CRL 
private_key     = $dir/private/cakey.pem  # The private key 
RANDFILE        = $dir/private/.rand      # private random number file
x509_extensions = usr_cert                # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days    = 365                     # how long to certify for 
default_crl_days= 7                       # how long before next CRL 
default_md      = sha1                    # which md to use. 
preserve        = no                      # keep passed DN ordering
# A few difference way of specifying how similar the request should look 
# For type CA, the listed attributes must be the same, and the optional 
# and supplied fields are just that :-) 
policy  = policy_match
# For the CA policy 
[ policy_match ] 
countryName            = match 
stateOrProvinceName    = optional 
localityName           = match 
organizationName       = match 
organizationalUnitName = optional 
commonName             = supplied 
emailAddress           = optional
# For the 'anything' policy 
# At this point in time, you must list all acceptable 'object' 
# types. 
[ policy_anything ] 
countryName            = optional 
stateOrProvinceName    = optional 
localityName           = optional 
organizationName       = optional 
organizationalUnitName = optional 
commonName             = supplied 
emailAddress           = optional
#################################################################### 
[ req ] 
default_bits       = 1024 
default_keyfile    = privkey.pem 
distinguished_name = req_distinguished_name 
attributes         = req_attributes 
default_md         = sha1
x509_extensions    = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for 
# input_password = secret 
# output_password = secret
# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString. 
# pkix : PrintableString, BMPString. 
# utf8only: only UTF8Strings. 
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 
# MASK:XXXX a literal mask value. 
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings 
# so use this option with caution! 
string_mask = nombstr
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ] 
countryName         = Country Name (2 letter code) 
countryName_default = FJ 
countryName_min     = 2 
countryName_max     = 2
 
stateOrProvinceName         = State or Province Name (full name) 
stateOrProvinceName_default = Fiji
localityName          = Locality Name (eg, city) 
localityName_default  = Suva
0.organizationName         = Organization Name (eg, company) 
0.organizationName_default = SOPAC
# we can do this but it is not needed normally :-) 
#1.organizationName         = Second Organization Name (eg, company) 
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName         = Organizational Unit Name (eg, section) 
organizationalUnitName_default = ITU
commonName       = Common Name (eg, YOUR name) 
commonName_max   = 64
emailAddress     = Email Address 
emailAddress_max = 40
# SET-ex3   = SET extension number 3
[ req_attributes ] 
challengePassword     = A challenge password 
challengePassword_min = 4 
challengePassword_max = 20
unstructuredName      = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software 
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted 
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server. 
# nsCertType   = server
# For an object signing certificate this would be used. 
# nsCertType = objsign
# For normal client use this is typical 
# nsCertType = client, email
# and for everything including object signing: 
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate. 
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox. 
nsComment  = "Certificate issued by https://www.sopac.org/ssl/"
# PKIX recommendations harmless if included in all certificates. 
subjectKeyIdentifier=hash 
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname. 
# Import the email address. 
# subjectAltName=email:copy
# Copy subject details 
# issuerAltName=issuer:copy
# This is the base URL for all others URL addresses 
# if not supplied
nsBaseUrl  = https://www.sopac.org/ssl/
# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://www.sopac.org/ssl/sopac-ca.crl
# This is the link where to revoke the certificate
nsRevocationUrl  = https://www.sopac.org/ssl/revocation.html? 
# This is the location where the certificate can be renewed
nsRenewalUrl  = https://www.sopac.org/ssl/renewal.html? 
# This is the link where the CA policy can be found
nsCaPolicyUrl  = https://www.sopac.org/ssl/policy.html 
# This is the link where we can get the issuer certificate
issuerAltName = URI:https://www.sopac.org/ssl/sopac.crt
# This is the link where to get the latest CRL
crlDistributionPoints = URI:https://www.sopac.org/ssl/sopac-ca.crl
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
 
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical 
# extensions. 
# basicConstraints = critical,CA:true 
# So we do this instead. 
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will 
# prevent it being used as an test self-signed certificate it is best 
# left out by default. 
# keyUsage = cRLSign, keyCertSign
# Some might want this also 
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation 
# subjectAltName=email:copy 
# Copy issuer details 
# issuerAltName=issuer:copy
# RAW DER hex encoding of an extension: beware experts only! 
# 1.2.3.5=RAW:02:03 
# You can even override a supported extension: 
# basicConstraints= critical, RAW:30:03:01:01:FF
# This will be displayed in Netscape's comment listbox. 
nsComment  = "Certificate issued by https://www.sopac.org/ssl/"
# This is the base URL for all others URL addresses 
# if not supplied
nsBaseUrl  = https://www.sopac.org/ssl/
# This is the link where to download the latest Certificate
# Revocation List (CRL)
nsCaRevocationUrl = https://www.sopac.org/ssl/sopac-ca.crl
# This is the link where to revoke the certificate
nsRevocationUrl  = https://www.sopac.org/ssl/revocation.html? 
# This is the location where the certificate can be renewed
nsRenewalUrl  = https://www.sopac.org/ssl/renewal.html? 
# This is the link where the CA policy can be found
nsCaPolicyUrl  = https://www.sopac.org/ssl/policy.html 
# This is the link where we can get the issuer certificate
issuerAltName = URI:https://www.sopac.org/ssl/sopac.crt
# This is the link where to get the latest CRL
crlDistributionPoints = URI:https://www.sopac.org/ssl/sopac-ca.crl
[ crl_ext ]
# CRL extensions. 
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy 
authorityKeyIdentifier=keyid:always,issuer:always
#----End----

A few comments on openssl.cnf.

  • Variable names can use the suffixes _default for default value, _min for the minimum number of characters required and _max for the maximum number of characters required.

  • The file is composed of [Sections] of variables.

dir:

Specifies the base directory.

default_ca:

Specifies which section contains the variables for a default certificate.

basicConstraints:

Defines the usage of the certificate, for instance with CA:TRUE, the certificate is a root CA Certificate.