1. Ssl Notes
1.1. Self-Signed Certificates
To create a self-signed cert, useful in a number of organization-private configurations (where the trust-model doesn't require a trusted 3rd party to verify who you are), do the following:
openssl req -new -x509 -days 10000 -nodes -out cert.pem -keyout cert.pem
This creates a private key, and self-signed certificate. The arguments mean:
-
-days 10000
-
-new
-
-x509
-
-nodes
-
-config openssl.cnf
-
-out cert.pem
-
-keyout cert.pem
-
Make this key valid for 10,000 days (essentially, forever).
-
Generate a new key.
-
Generate an X509 certificate (self sign) based on the key.
-
Don't put a password on this key.
-
The OpenSSL configuration file to use (create your own or modify the system-wide default to not answer so many questions).
-
File in which to store the SSL certificate.
-
Put the key in this file.
This command will ask you the following questions:
| Question | Example Answers |
| Country name | PL, UK, US, CA |
| State or Province name | Illinois, Ontario |
| Locality | Chicago, Toronto |
| Organization Name | Bill's Meats, Acme Anvils |
| Organizational Unit Name | Shared Hosting & Information Technology |
| Common Name (FQDN) | www.example.com |
Important Note: The Common Name (FQDN) should be the hostname of the machine running SSL and the name you will use to access this machine. If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.
I usually put the cert and the key in the same file for convenience. If I have several services which I expect to all have SSL and use the same hostname, I create an ssl group and put them all in it and make the file readable by the group (mode 0440). I save the key and cert in a file with the name of the hostname, such as www.example.com.pem.
This information adapted from the ![[WWW]](/wiki/nakedape/img/moin-www.png){kind=small}
Stunnel FAQ
1.1.1. Updating a Self-Signed Certificate
I've recently found a handful of my self-signed certificates have expired and just generating a new certificate causes and error in Mozilla, because the Common Name and Serial Number are the same. Newer versions of !OpenSSL allow one to explicitly set the serial number of generated certificates with the -set_serial option to the req sub-command. My Fedora Core 1 box, with OpenSSL 0.9.7a, supports this while my Red Hat 7.3 box, with OpenSSL 0.9.6b, does not.
1.1.2. Importing a Self-Signed Certificate Into a Java Keystore
Java maintains its own CA certificate list to which any self-signed certficates or certificates not issued by one of the default CAs (the default list in Java is much more limited than the usual browser). After collecting the certificate or copying it to a convenient location, you can import it.
Import it into the keystore using the keytool command. Depending on how your JRE is installed, you might need to search to find the cacerts file and the keytool command. Typically, the cacerts file is located under $JAVA_HOME/jre/lib/security/cacerts:# $JAVA_HOME/jre/bin/keytool \
-keystore $JAVA_HOME/jre/lib/security/cacerts \
-alias mycertalias
-import -file cert.txt
Enter keystore password: changeit
...
Trust this certificate? [no]: yes
Certificate was added to keystore
As you can see, the default password for these keystores is changeit (which no one seems to ever do).
(This information adapted from a help page for fetchExc.)
1.2. Certficate Information
This command merely prints out information about your certificate to the screen:openssl x509 -text -noout -in cert.pem
This information adapted from the Stunnel FAQ
1.3. Collecting a Certificate
Sometimes you know the host and port providing the certificate, but actually getting the certificate into a file can be a challenge. The OpenSSL command s_client can help.$ openssl s_client -connect hostname:port </dev/null > cert.txt
Edit the cert.txt file, removing everything but the section delimited by the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". This is now a PEM-encoded certificate.
1.4. Printing the Subject of an X.509 Certficate (or CSR)
Here's a little GNU sed script:/Subject: / {
s/^[[:space:]]*//
s/, /\n/g
s/Subject: //
p
}
Call it certsub.sed, for example. Now pipe the output of a openssl x509 through it:
$ openssl x509 -text -noout -in foo.crt | sed -n -f certsub.sed C=US ST=Oregon L=Portland O=Naked Ape Consulting OU=Network Goobers CN=nakedape.ccOr for certificate signing requests:
$ openssl req -text -noout -in foo.crt | sed -n -f certsub.sed
1.5. SSL Certs HOWTO
I've just discovered theSSL Certificates HOWTO, which looks to be very useful in understanding SSL certs and their manipulation. It's a document I've wished for for a long time. 1.6. Debugging SSL/TLS-Wrapped Services
If you're accustomed to using telnet or nc to connect to a port and issue protocol commands for protocols such as SMTP, you won't be able to do that on SSL/TLS-wrapped servcies. In that case, you can use the s_client built into OpenSSL to connect and interoperate just like telnet.openssl s_client -connect localhost:smtps
1.7. Common Problems
TLS certificate verification: Error, self signed certificateBy default, self-signed certificates are not trusted. To enable them to be trusted, add TLS_REQCERT allow to /etc/openldap/ldap.conf.
