About
Certificate Setup
Openssl.cnf
Setup Certificate Authority
Troubleshooting

About

This how to lists the steps needed to create a certificate authority and sign a certificate for use with internal webservers, mail servers, and LDAP databases.

Prerequisites:

Certificate (SSL/TLS) Setup

With openssl installed, make a directory where you will keep your cert files. In this example, we will use /var/sitename-ssl.

# mkdir -p /var/sitename-ssl

openssl.cnf

SuSE places the system-wide openssl.cnf in /etc/ssl. This file should be edited to provide defaults for your system. In /etc/ssl/openssl.cnf, change dir = ./demoCA to the name of the directory you just created. For example, dir = /var/sitename-ssl.

[ CA_default ]
                                                                                                             
dir             = /var/sitename-ssl	# Where everything is kept
certs           = $dir/certs		# Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
unique_subject  = no   			# Set to 'no' to allow creation of
                                        # several ctificates with same subject.

Adjust the default values for your system in the [ req_distinguished_name ] section.

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2
                                                                                                             
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Washington
                                                                                                             
localityName                    = City or Town Name
localityName_default            = Seattle
                                                                                                             
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = erikberg.com
                                                                                                             
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
                                                                                                             
organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
                                                                                                             
commonName                      = Common Name (eg, YOUR name for CA; hostname for Certificates)
commonName_default		=
commonName_max                  = 64
                                                                                                             
emailAddress                    = Email Address (eg, user@domain.com)
emailAddress_default    	= ca@erikberg.com
emailAddress_max                = 64

Setup CA.pl Script

The SuSE OpenSSL package comes with a Perl script that we will use to create our Certificate Authority and Certificate Signing Requests. The script is located in /usr/share/ssl/misc/CA.pl. We need to make changes to this script so copy it to a personal location so it is not overwritten by openssl package updates.

# cd /var/sitename-ssl
# cp /usr/share/ssl/misc/CA.pl .

Edit CA.pl and find the $CATOP="./demoCA"; variable. Modify it like so:

$CATOP=".";
$CAKEY="cakey.pem";
$CACERT="cacert.pem";

Run the CA.pl script to create your new Certificate Authority.

# pwd
/var/sitename-ssl
# ./CA.pl -newca
CA certificate filename (or enter to create)
 
Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
.............................++++++
writing new private key to './private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Washington]:
City or Town Name [Seattle]:
Organization Name (eg, company) [erikberg.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name for CA; hostname for Certificates) []:Erik Berg CA
Email Address (eg, user@domain.com) [ca@erikberg.com]:

That creates your private key for your Certificate Authority. The next step is to create a certificate request for your CA to sign. Take care to enter the full hostname of the server where you wish to use the certificate. Wildcards are also valid here eg, *.erikberg.com would create a certificate request that would be valid on anyhost.erikberg.com.

# ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...........................++++++
........................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Washington]:
City or Town Name [Seattle]:
Organization Name (eg, company) [erikberg.com]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name for CA; hostname for Certificates) []:fore.erikberg.com
Email Address (eg, user@domain.com) [ca@erikberg.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem

Now, you are ready to sign the certificate. Use the following command:

# ./CA.pl -signreq
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /var/ssltest/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  4 20:05:15 2004 GMT
            Not After : Dec  4 20:05:15 2005 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Washington
            localityName              = Seattle
            organizationName          = erikberg.com
            commonName                = fore.erikberg.com
            emailAddress              = ca@erikberg.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E0:65:26:00:C4:75:11:BE:E6:B0:10:D7:7F:B2:2F:46:57:F3:49:2F
            X509v3 Authority Key Identifier:
                keyid:3B:4F:A8:7C:5F:06:D9:03:65:61:86:10:A3:1A:2D:3E:4E:21:DD:8F
                DirName:/C=US/ST=Washington/L=Seattle/O=erikberg.com/CN=Erik Berg
CA/emailAddress=ca@erikberg.com
                serial:00
 
Certificate is to be certified until Dec  4 20:05:15 2005 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

OK, you have a signed certificate and a key. The private key is in newreq.pem and the certificate is in newcert.pem. Take the private key and the certificate (the bold sections below) and create a new file named server.pem.

# cat newreq.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCzMzVUYcROM8I+jok/Z1tT7y5Rr7e/jilcqhjpMGjUIiN0LeRp
7z9bHAWsthpuzwCj/2aeRC91ylbzvxJLTxx4ssk/8dLKjk0G4GrN2RBd018zGNpK
l8JalnrDUJ8MA/ohUJV9cR2vMzT0XZpl3v8qvU9Of2FBGOQ1Qybv527xxwIDAQAB
AoGAUwct9WvbBZTLsipegwcDdK9EWcq9qz5WAb46DolEeM1cee7tfvu/8hnYsz4o
nyDAHjwusrPK/ZuDkCn+cvAzsx3S7jlmzLjEhEPftYWRZatUGdBpVoVP8J8qgftT
o0UmnNKrtJEwu/6XQvTJREzT4tr0Wng5tQ5O1nH3LNZb6QECQQDkv+adlpMLhC+8
WELQPJu+mDk+J/giFANQAa1qdu5CTtW1znLwkLA7hSd25kLTs9c2cvMqG9SliGRy
osmQgQ+BAkEAyIw19Y6+l5byZxa4r0jmyn7qxpiq+ih4Lf0tbBlxEjE6Adj2et/T
nSNhqVnksH5PS8A+uyfJgludjHmJf2YlRwJBAL6hjjbWPUTjrERx6XxQhhqYEVxT
Qt5jfz81pqeK5ZQszrzsh60jZzqzBOh5jEeRIFEoCq2U8+nfeJZwQzpB1AECQAQD
AgVSgK+Jnnm/c5xWCf/dABdO8ISmkJji6qix7Zgekfl9fJjCp3oKPibkHHYHYNC0
HM0jo51O9dzchYqd4XsCQQCHi5BkLppFVvFWTu9Amf+3CE0KQaTawBF7t06IOave
9RccFJRaVMH/xCTVUPRbP2mMYl9LqKv0o7Xl7PINL9zm
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIByDCCATECAQAwgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
MRAwDgYDVQQHEwdTZWF0dGxlMRUwEwYDVQQKEwxlcmlrYmVyZy5jb20xGjAYBgNV
BAMTEWZvcmUuZXJpa2JlcmcuY29tMR4wHAYJKoZIhvcNAQkBFg9jYUBlcmlrYmVy
Zy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALMzNVRhxE4zwj6OiT9n
W1PvLlGvt7+OKVyqGOkwaNQiI3Qt5GnvP1scBay2Gm7PAKP/Zp5EL3XKVvO/EktP
HHiyyT/x0sqOTQbgas3ZEF3TXzMY2kqXwlqWesNQnwwD+iFQlX1xHa8zNPRdmmXe
/yq9T05/YUEY5DVDJu/nbvHHAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQCUzmfb
8jl7YOynytUHssmC0SlwR1I+KtjveC8U0f/pv8jSsMzjziGXNtOylks8WDrqFOj9
zTxhWWXU6+vnAoukvm/tL3hrjPqqGur84FVW4jKmNv5oqA5+DHw0KpDHeAaiVSCR
ygHhjYu/JX8m6DqQBM0+0w1UTJzEXnQEB5ixnA==
-----END CERTIFICATE REQUEST-----
# cat newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=erikberg.com, CN=Erik Berg CA/
emailAddress=ca@erikberg.com
        Validity
            Not Before: Dec  3 06:48:01 2004 GMT
            Not After : Dec  3 06:48:01 2005 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=erikberg.com, CN=fore.erikberg
.com/emailAddress=ca@erikberg.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b3:33:35:54:61:c4:4e:33:c2:3e:8e:89:3f:67:
                    5b:53:ef:2e:51:af:b7:bf:8e:29:5c:aa:18:e9:30:
                    68:d4:22:23:74:2d:e4:69:ef:3f:5b:1c:05:ac:b6:
                    1a:6e:cf:00:a3:ff:66:9e:44:2f:75:ca:56:f3:bf:
                    12:4b:4f:1c:78:b2:c9:3f:f1:d2:ca:8e:4d:06:e0:
                    6a:cd:d9:10:5d:d3:5f:33:18:da:4a:97:c2:5a:96:
                    7a:c3:50:9f:0c:03:fa:21:50:95:7d:71:1d:af:33:
                    34:f4:5d:9a:65:de:ff:2a:bd:4f:4e:7f:61:41:18:
                    e4:35:43:26:ef:e7:6e:f1:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FA:18:D2:37:54:32:C0:FB:A3:D7:1A:32:E2:B1:4F:77:03:A4:9B:6F
            X509v3 Authority Key Identifier:
                keyid:B2:4C:6D:87:84:E1:73:84:0A:6B:FB:75:E5:21:F9:27:7F:CB:B7:47
                DirName:/C=US/ST=Washington/L=Seattle/O=erikberg.com/CN=Erik Berg
CA/emailAddress=ca@erikberg.com
                serial:00
 
    Signature Algorithm: md5WithRSAEncryption
        54:07:32:f6:2f:f7:e9:16:d5:38:9f:16:e8:42:ed:ac:19:d0:
        7d:ef:be:47:91:f2:27:6a:fa:24:00:f6:1f:23:bf:27:2c:88:
        df:4f:0a:05:07:a5:6f:ab:c5:b5:1b:6c:cb:2d:b5:7e:35:f1:
        f8:51:37:23:15:08:84:8d:e0:7d:cd:86:8b:20:5e:2d:34:88:
        85:bd:c4:fb:7a:1c:bd:2f:e9:88:4e:b4:e4:af:95:8f:c5:ca:
        77:bf:cf:a7:3e:40:10:ce:93:4f:b7:31:39:0a:e1:f1:01:a7:
        ad:82:b5:ed:07:6c:53:b8:d5:00:d4:7c:2e:c9:df:13:f2:7a:
        36:b8
-----BEGIN CERTIFICATE-----
MIIDkTCCAvqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoT
DGVyaWtiZXJnLmNvbTEVMBMGA1UEAxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcN
AQkBFg9jYUBlcmlrYmVyZy5jb20wHhcNMDQxMjAzMDY0ODAxWhcNMDUxMjAzMDY0
ODAxWjCBhzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
BAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEaMBgGA1UEAxMRZm9y
ZS5lcmlrYmVyZy5jb20xHjAcBgkqhkiG9w0BCQEWD2NhQGVyaWtiZXJnLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAszM1VGHETjPCPo6JP2dbU+8uUa+3
v44pXKoY6TBo1CIjdC3kae8/WxwFrLYabs8Ao/9mnkQvdcpW878SS08ceLLJP/HS
yo5NBuBqzdkQXdNfMxjaSpfCWpZ6w1CfDAP6IVCVfXEdrzM09F2aZd7/Kr1PTn9h
QRjkNUMm7+du8ccCAwEAAaOCAQ4wggEKMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT6GNI3
VDLA+6PXGjLisU93A6SbbzCBrwYDVR0jBIGnMIGkgBSyTG2HhOFzhApr+3XlIfkn
f8u3R6GBiKSBhTCBgjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEVMBMGA1UE
AxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBlcmlrYmVyZy5jb22C
AQAwDQYJKoZIhvcNAQEEBQADgYEAVAcy9i/36RbVOJ8W6ELtrBnQfe++R5HyJ2r6
JAD2HyO/JyyI308KBQelb6vFtRtsyy21fjXx+FE3IxUIhI3gfc2GiyBeLTSIhb3E
+3ocvS/piE605K+Vj8XKd7/Ppz5AEM6TT7cxOQrh8QGnrYK17QdsU7jVANR8Lsnf
E/J6Nrg=
-----END CERTIFICATE-----
# sed -ne '/BEGIN RSA/,/END RSA/w server.pem' newreq.pem
# sed -ne '/BEGIN/,/END/p' newcert.pem >> server.pem
# cat server.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCzMzVUYcROM8I+jok/Z1tT7y5Rr7e/jilcqhjpMGjUIiN0LeRp
7z9bHAWsthpuzwCj/2aeRC91ylbzvxJLTxx4ssk/8dLKjk0G4GrN2RBd018zGNpK
l8JalnrDUJ8MA/ohUJV9cR2vMzT0XZpl3v8qvU9Of2FBGOQ1Qybv527xxwIDAQAB
AoGAUwct9WvbBZTLsipegwcDdK9EWcq9qz5WAb46DolEeM1cee7tfvu/8hnYsz4o
nyDAHjwusrPK/ZuDkCn+cvAzsx3S7jlmzLjEhEPftYWRZatUGdBpVoVP8J8qgftT
o0UmnNKrtJEwu/6XQvTJREzT4tr0Wng5tQ5O1nH3LNZb6QECQQDkv+adlpMLhC+8
WELQPJu+mDk+J/giFANQAa1qdu5CTtW1znLwkLA7hSd25kLTs9c2cvMqG9SliGRy
osmQgQ+BAkEAyIw19Y6+l5byZxa4r0jmyn7qxpiq+ih4Lf0tbBlxEjE6Adj2et/T
nSNhqVnksH5PS8A+uyfJgludjHmJf2YlRwJBAL6hjjbWPUTjrERx6XxQhhqYEVxT
Qt5jfz81pqeK5ZQszrzsh60jZzqzBOh5jEeRIFEoCq2U8+nfeJZwQzpB1AECQAQD
AgVSgK+Jnnm/c5xWCf/dABdO8ISmkJji6qix7Zgekfl9fJjCp3oKPibkHHYHYNC0
HM0jo51O9dzchYqd4XsCQQCHi5BkLppFVvFWTu9Amf+3CE0KQaTawBF7t06IOave
9RccFJRaVMH/xCTVUPRbP2mMYl9LqKv0o7Xl7PINL9zm
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDkTCCAvqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoT
DGVyaWtiZXJnLmNvbTEVMBMGA1UEAxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcN
AQkBFg9jYUBlcmlrYmVyZy5jb20wHhcNMDQxMjAzMDY0ODAxWhcNMDUxMjAzMDY0
ODAxWjCBhzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
BAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEaMBgGA1UEAxMRZm9y
ZS5lcmlrYmVyZy5jb20xHjAcBgkqhkiG9w0BCQEWD2NhQGVyaWtiZXJnLmNvbTCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAszM1VGHETjPCPo6JP2dbU+8uUa+3
v44pXKoY6TBo1CIjdC3kae8/WxwFrLYabs8Ao/9mnkQvdcpW878SS08ceLLJP/HS
yo5NBuBqzdkQXdNfMxjaSpfCWpZ6w1CfDAP6IVCVfXEdrzM09F2aZd7/Kr1PTn9h
QRjkNUMm7+du8ccCAwEAAaOCAQ4wggEKMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT6GNI3
VDLA+6PXGjLisU93A6SbbzCBrwYDVR0jBIGnMIGkgBSyTG2HhOFzhApr+3XlIfkn
f8u3R6GBiKSBhTCBgjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
EDAOBgNVBAcTB1NlYXR0bGUxFTATBgNVBAoTDGVyaWtiZXJnLmNvbTEVMBMGA1UE
AxMMRXJpayBCZXJnIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBlcmlrYmVyZy5jb22C
AQAwDQYJKoZIhvcNAQEEBQADgYEAVAcy9i/36RbVOJ8W6ELtrBnQfe++R5HyJ2r6
JAD2HyO/JyyI308KBQelb6vFtRtsyy21fjXx+FE3IxUIhI3gfc2GiyBeLTSIhb3E
+3ocvS/piE605K+Vj8XKd7/Ppz5AEM6TT7cxOQrh8QGnrYK17QdsU7jVANR8Lsnf
E/J6Nrg=
-----END CERTIFICATE-----

Move server.pem to where your service can read it. . .

Troubleshooting

Creative Commons License
Copyright © 2005-2006 Erik Berg