Please read first paragraph:
Welcome to my first large blog entry, take note that you better know a bit about what you are doing, and I assume you know how to KEEP those private keys protected, private and encrypted. Other than that, you’ll have to have 10 minutes of spare time to read the whole blog entry. Please bear in mind that I’m just a normal average computer geek, so if you find any errors in my blog entry, don’t hesitate to comment and I’ll fix it ASAP. And please use a different name then geekrevolution, that’s mine! Now your ready to go on.
You can download my geekrevolution-openssl.cnf file here
(tip: cp /usr/lib/ssl/openssl.cnf /etc/ssl/rootca_name-openssl.cnf , and edit this file as your needs.)
First of all, we better have openssl installed on our box:
apt-get install openssl
Now we will be using an already premade script which will be helping us, so we can avoid using the openssl binary directly when we don’t have to.
Navigate to /usr/lib/ssl/misc , where you will find CA.pl .
tleilaxu:/usr/lib/ssl/misc# ./CA.pl -help
usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify
I recommend editing CA.pl and change a couple of settings,
first start by fixing where we want to store our certificates and lifetime on our root-ca and a normal certificate:
$CATOP=”/etc/ssl/geekrevolution”;
$DAYS=”-days 730″; # 2 year
$CADAYS=”-days 3650″; # 10 years
If you have your own openssl.cnf file, I recommend updating your sections as described below – just a short description of what I’m changing: dir is where everything is kept. default_days is life-time on a normal certificate. default_bits is how strong the encryption should be. [ req_distinguished_name ] section I assume you understand:
[ CA_default ]
dir = /etc/ssl/geekrevolution # Where everything is kept
default_days = 730
default_bits = 2048[ req ]
default_bits = 2048[ req_distinguished_name ]
Go thru all fields and set them as you would like it.
We also want to add support for revocation list, and why not just add some other “fancy” urls under section [ usr_cert ] and [ proxy_cert_ext ]:
nsCaRevocationUrl = http://ssl.geekrevolution.net/ca.crl
nsRenewalUrl = http://ssl.geekrevolution.net
nsCaPolicyUrl = http://ssl.geekrevolution.net/policy
That should be fine. Now we just have to make sure that CA.pl take notes of those configuration values by exporting the SSLEAY_CONFIG environment variable:
tleilaxu:/usr/lib/ssl/misc# export SSLEAY_CONFIG=”-config /etc/ssl/geekrevolution-openssl.cnf”
Lets confirm it is added:
tleilaxu:/usr/lib/ssl/misc# echo $SSLEAY_CONFIG
-config /etc/ssl/geekrevolution-openssl.cnf
Now we’re ready to start rolling!
First we’ll have to start by creating our root certificate:
/usr/lib/ssl/misc/CA.pl -newca
<enter>
<follow onscreen instructions for information to put in root certificate>
…
Here what my screen looks like:
tleilaxu:/etc/ssl# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)Making CA certificate …
Generating a 2048 bit RSA private key
……………………….+++
……………………………………………………………………………..+++
writing new private key to ‘/etc/ssl/geekrevolution/private/cakey.pem’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Soer-Troendelag]:
Locality Name (eg, city) [Trondheim]:
Organization Name (eg, company) [gEEkRevolution]:
Organizational Unit Name (eg, section) [UAC]:
Common Name (eg, YOUR name) []:gEEkRevolution Root Certificate Authority
Email Address []:ssl@geekrevolution.netPlease enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/ssl/geekrevolution-openssl.cnf
Enter pass phrase for /etc/ssl/geekrevolution/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number:
b2:3a:d0:89:62:1f:2e:dc
Validity
Not Before: Nov 21 01:18:51 2008 GMT
Not After : Nov 19 01:18:51 2018 GMT
Subject:
countryName = NO
stateOrProvinceName = Soer-Troendelag
organizationName = gEEkRevolution
organizationalUnitName = UAC
commonName = gEEkRevolution Root Certificate Authority
emailAddress = ssl@geekrevolution.net
X509v3 extensions:
X509v3 Subject Key Identifier:
B9:D0:A1:C1:2F:90:38:FA:FB:51:D2:B7:E5:38:C1:63:71:D2:39:50
X509v3 Authority Key Identifier:
keyid:B9:D0:A1:C1:2F:90:38:FA:FB:51:D2:B7:E5:38:C1:63:71:D2:39:50
DirName:/C=NO/ST=Soer-Troendelag/O=gEEkRevolution/OU=UAC/CN=gEEkRevolution Root Certificate Authority/ emailAddress=ssl@geekrevolution.net
serial:B2:3A:D0:89:62:1F:2E:DCX509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 19 01:18:51 2018 GMT (3650 days)Write out database with 1 new entries
Data Base Updated
tleilaxu:/etc/ssl#
Our root certificate is now valid for 10 years, which is good.
After this, we generate a new CSR(certificate signing request(s)) to be ready to get signed by root CA:
cd /etc/ssl/geekrevolution && mkdir tmptmp && cd tmptmp
/usr/lib/ssl/misc/CA.pl -newreq
<enter key for certificate>
<follow onscreen instructions>
Heres what mine look like:
tleilaxu:/etc/ssl/geekrevolution/tmptmp# /usr/lib/ssl/misc/CA.pl -newreq
Generating a 2048 bit RSA private key
…….+++
…………………+++
writing new private key to ‘newkey.pem’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Soer-Troendelag]:
Locality Name (eg, city) [Trondheim]:
Organization Name (eg, company) [gEEkRevolution]:
Organizational Unit Name (eg, section) [UAC]:
Common Name (eg, YOUR name) []:ssl.geekrevolution.net
Email Address []:ssl@geekrevolution.netPlease enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
tleilaxu:/etc/ssl/geekrevolution/tmptmp#
Our CSR is now ready to get signed, and it’s time to
sign the certificate under our root-certificate:
/usr/lib/ssl/misc/CA.pl -sign
<enter root CA private key>
<y>
<y>
Here what my screen looks like:
tleilaxu:/etc/ssl/geekrevolution/tmptmp# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/geekrevolution-openssl.cnf
Enter pass phrase for /etc/ssl/geekrevolution/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b2:3a:d0:89:62:1f:2e:dd
Validity
Not Before: Nov 21 01:24:49 2008 GMT
Not After : Nov 21 01:24:49 2010 GMT
Subject:
countryName = NO
stateOrProvinceName = Soer-Troendelag
localityName = Trondheim
organizationName = gEEkRevolution
organizationalUnitName = UAC
commonName = ssl.geekrevolution.net
emailAddress = ssl@geekrevolution.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
31:21:30:D0:3C:75:F6:FF:89:4F:3E:74:F8:41:C7:B5:88:F5:FC:57
X509v3 Authority Key Identifier:
keyid:B9:D0:A1:C1:2F:90:38:FA:FB:51:D2:B7:E5:38:C1:63:71:D2:39:50Netscape CA Revocation Url:
http://ssl.geekrevolution.net/ca.crl
Netscape Renewal Url:
http://ssl.geekrevolution.net
Netscape CA Policy Url:
http://ssl.geekrevolution.net/policy
Certificate is to be certified until Nov 21 01:24:49 2010 GMT (730 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
tleilaxu:/etc/ssl/geekrevolution/tmptmp#
We can now inspect our certificate to see it is signed:
tleilaxu:/etc/ssl/geekrevolution/tmptmp# openssl x509 -noout -text -in newcert.pem
Certificate:
Data:
Version: 3 (0×2)
Serial Number:
b2:3a:d0:89:62:1f:2e:ddenvironment
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=NO, ST=Soer-Troendelag, O=gEEkRevolution, OU=UAC, CN=gEEkRevolution Root Certificate Authority/emailAddress=ssl@geekrevolution.net
Validity
Not Before: Nov 21 01:24:49 2008 GMT
Not After : Nov 21 01:24:49 2010 GMT
Subject: C=NO, ST=Soer-Troendelag, L=Trondheim, O=gEEkRevolution, OU=UAC, CN=ssl.geekrevolution.net/emailAddress=ssl@geekrevolution.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c0:6a:35:57:67:e2:b1:91:aa:bc:64:83:fc:46:
21:a8:92:05:3a:c4:d4:99:7d:9c:58:67:79:53:66:
bb:5c:9f:61:95:4e:e4:d6:52:a0:e5:ba:1b:41:66:
c4:ad:b4:bb:f1:f5:84:f7:da:b8:64:8a:6a:aa:06:
a8:0e:d0:32:97:9d:a7:2d:45:46:ea:73:f5:17:32:
b8:6c:65:96:9b:c0:6d:22:b1:3e:f7:e2:9b:6a:9a:
08:b4:e9:8c:fc:cd:a7:6d:b7:a7:ec:9a:fd:0d:b7:environment
2d:50:2c:9c:0e:a8:e9:b0:c8:4b:f2:9a:c8:9a:53:
2b:f2:94:0e:94:7b:6c:69:db:09:0d:b9:5f:3e:58:
1c:a7:a8:75:b1:f1:31:41:d0:af:60:c7:66:38:d1:environment
56:e5:d4:98:f4:38:a0:22:d8:ed:ce:4f:e4:06:b7:
00:e5:a2:88:3a:71:5f:bb:98:83:a5:2c:00:71:78:
ad:d7:85:b3:9c:03:08:b7:5a:76:7f:40:37:37:fe:
0a:91:14:05:05:b3:97:c0:91:7b:78:ab:2d:35:be:
5b:8d:fd:3e:43:44:68:03:dd:bf:91:b6:eb:ba:a1:
0e:e9:b4:e7:a6:60:2f:5c:77:d8:da:dc:ab:1c:49:
de:21:41:65:fc:0f:c5:92:e5:0c:db:48:f2:7e:18:
df:b9
Exponent: 65537 (0×10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
31:21:30:D0:3C:75:F6:FF:89:4F:3E:74:F8:41:C7:B5:88:F5:FC:57
X509v3 Authority Key Identifier:
keyid:B9:D0:A1:C1:2F:90:38:FA:FB:51:D2:B7:E5:38:C1:63:71:D2:39:50Netscape CA Revocation Url:
http://ssl.geekrevolution.net/ca.crl
Netscape Renewal Url:
http://ssl.geekrevolution.net
Netscape CA Policy Url:
http://ssl.geekrevolution.net/policy
Signature Algorithm: sha1WithRSAEncryption
6a:6c:c6:24:3b:c3:71:47:64:d2:19:e8:67:1b:3c:42:c5:fc:
73:ba:ba:bd:8f:17:f4:3c:d9:c9:91:89:c3:b7:63:50:17:bb:
2e:c4:42:d6:41:a8:30:a3:3c:de:59:13:1f:b5:4e:ca:e1:9d:
be:06:c0:82:ef:e1:a0:db:9f:97:ef:9a:4c:3b:1f:b3:4a:52:
30:98:e2:98:0f:52:06:75:c2:32:35:ec:19:57:da:ab:54:c3:
89:97:77:b3:42:7e:75:a3:6c:4e:74:c1:32:ff:fe:32:e7:94:
e9:d7:8e:ff:d8:a2:d7:44:56:74:5b:0a:dc:f0:51:d5:ba:e0:
99:a2:28:77:be:67:99:a6:3a:20:7f:a5:44:ac:b0:8e:86:f7:
e1:5e:98:d5:eb:21:91:aa:92:49:49:3c:cb:20:68:ee:2a:d2:
82:5e:f9:c0:8e:d1:c2:37:de:ba:d2:92:f7:57:1e:ba:60:fb:
7c:82:0f:b9:e5:53:b7:eb:b8:fa:a9:5c:df:fa:60:82:62:5f:
41:6c:65:ad:53:22:d5:78:8b:56:26:78:96:f4:50:eb:d0:37:
37:0e:a8:c9:e0:b8:09:ed:50:12:c7:ca:a4:22:2a:3c:27:0e:
9c:71:15:2f:6e:86:82:dd:93:1d:cc:bf:c5:a4:6a:ed:14:9e:
67:b5:24:d9
tleilaxu:/etc/ssl/geekrevolution/tmptmp#
As you can see, it is issued by our gEEkRevolution Root Certificate Authority. Good work!
We’re then cleaning up and moving our certificates into our storage and cleaning up our tmptmp directory. I always stand in my tmptmp directory when using CA.pl script, since it saves files to current directory you execute script.
tleilaxu:/etc/ssl/geekrevolution/tmptmp# mv newcert.pem ../certs/ssl.geekrevolution.net-cert.pem
tleilaxu:/etc/ssl/geekrevolution/tmptmp# mv newkey.pem ../private/ssl.geekrevolution.net-key.pem
tleilaxu:/etc/ssl/geekrevolution/tmptmp# rm newreq.pem
You should take note of /etc/ssl/geekrevolution/index.txt contains an index of the signed certificates. We store all our signed certificates by it’s serial in /etc/ssl/geekrevolution/newcerts ,
so we can easily revoke the certificates later.
Now, what happens when you want to remove a certificate, if certificate is used for accessing your private VPN and you want to remove that client?
That’s where revocation list comes in. As you probably noticed in our openssl.cnf configuration file, we made sure to add Netscape CA Revocation Url into our configurations.
Too bad CA.pl doesn’t have any easy option for this, so we’ll have to stick to being hardcore and using openssl directly. (it’s not that openssl is that hard, it’s just quicker to use a script 
)
openssl ca $SSLEAY_CONFIG -gencrl -out crl/ca.pem.crl
<CA root passord>
This will generate this CA Revocation list in PEM format:
tleilaxu:/etc/ssl/geekrevolution# cat crl/ca.pem.crl
—–BEGIN X509 CRL—–
MIICAzCB7AIBATANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCTk8xGDAWBgNV
BAgTD1NvZXItVHJvZW5kZWxhZzEXMBUGA1UEChMOZ0VFa1Jldm9sdXRpb24xDDAK
BgNVBAsTA1VBQzEyMDAGA1UEAxMpZ0VFa1Jldm9sdXRpb24gUm9vdCBDZXJ0aWZp
Y2F0ZSBBdXRob3JpdHkxJTAjBgkqhkiG9w0BCQEWFnNzbEBnZWVrcmV2b2x1dGlv
bi5uZXQXDTA4MTEyMTAxMzMxN1oXDTA4MTIyMTAxMzMxN1qgDjAMMAoGA1UdFAQD
AgEBMA0GCSqGSIb3DQEBBQUAA4IBAQCTSrY9Aolo10k4coLjsQkJb2+T5nJZkVs+
UPlRkAFf6dIXkhmAUI2Lyz0qIfrgGXEO1JeCZBMk4/6cn9Sbih3Bs62ms39bUv46
Crp+9rM53ZEzlPz84Ywo0VRmyJPP8giesHmIV1a+xYvYDxHCmoMGp+LawroI+woT
u+sHMVGIWuba7g7dpIFGsMndQ0hzez/kNkV2XhnfvR5rQ7sxiwnJnl2sAKrzCVA2
MVT09bdRWGWmtKMF8tlg+cTqc5wEj+p9OhRn/DcfXzHRtan34+XL3GxLt9xdXSRr
0AudnPA+2PpdpquT22maCRdVBuCvrLS5BJ2nOcPXUMB28oqMWdn6
—–END X509 CRL—–
If we want our revocation list to be supported and being able to be used in www-browsers, we’ll have to convert the revocation list to DER-format. This is done by issuing this command:
tleilaxu:/etc/ssl/geekrevolution# openssl crl -in crl/ca.pem.crl -outform der -out crl/ca.der.crl
Now we will make sure this file is available under our web page as stated in our certificate, so I’ll do:
ln -s /etc/ssl/geekrevolution/crl/ca.der.crl /path/to/ssl.geekrevolution.net/public_html/ca.crl
Revocation list done. I’ll now show you how you can revoke a certificate and confirm afterwards that it is actually revoked.
So I’ll go ahead and revoke my ssl.geekrevolution.net certificate:
Normally after you have created a certificate for a friend and sent it over, you delete it. That’s why we have stored a copy of all signed certificates identified by serial number on certificate under /etc/ssl/geekrevolution/newcerts (gets added there automagically by CA.pl) . Because we have to have the certificate to be able to revoke it. First I’ll need to find my serial on ssl.geekrevolution.net certificate:
tleilaxu:/etc/ssl/geekrevolution# grep CN=ssl.geekrevolution.net index.txt
V 101121012449Z B23AD089621F2EDD unknown /C=NO/ST=Soer-Troendelag/L=Trondheim/O=gEEkRevolution/OU=UAC/CN=ssl.geekrevolution.net/emailAddress=ssl@geekrevolution.net
Third tab field is my serial id on the certificate. You could also find it by inspecting the certificate directly. Now let’s go ahead and revoke our certificate:
tleilaxu:/etc/ssl/geekrevolution# openssl ca $SSLEAY_CONFIG -revoke ./newcerts/B23AD089621F2EDD.pem
Using configuration from /etc/ssl/geekrevolution-openssl.cnf
Enter pass phrase for /etc/ssl/geekrevolution/private/cakey.pem: <your CA key>
Revoking Certificate B23AD089621F2EDD.
Data Base Updated
Then we’ll have to update our revocation list(s) again:
openssl ca $SSLEAY_CONFIG -gencrl -out crl/ca.pem.crl
<root ca password>
openssl crl -in crl/ca.pem.crl -outform der -out crl/ca.der.crl
Now, how would I verify that my ssl.geekrevolution.net certificate is actually revoked?
We can’t use CA.pl’s -verify option, as it only checks if the certificate is signed I guess. (atleast it says OK on the certificate when it is revoked, which is rather weird! It could be that you need to add the CAcert and CRL files back together into CACert. Anyway, I’ll leave that upto you guys to try!
So lets go back to being hardcore, and do this:
tleilaxu:/etc/ssl/geekrevolution# cat cacert.pem crl/ca.pem.crl > revoke.pem
tleilaxu:/etc/ssl/geekrevolution# openssl verify -CAfile revoke.pem -crl_check newcerts/B23AD089621F2EDD.pem
newcerts/B23AD089621F2EDD.pem: /C=NO/ST=Soer-Troendelag/L=Trondheim/O=gEEkRevolution/OU=UAC/CN=ssl.geekrevolution.net/ emailAddress=ssl@geekrevolution.net
error 23 at 0 depth lookup:certificate revoked
Wiii, it works. Now you should be able to use your own CA, lovley huh?
But we’re still not done, I still have some neat information to share. Your probably in the same situation as me, you have a real server(maybe virtual server) with one public IP address. You have probably been fighting over that you could only have one domain/subdomain/*.domain under SSL, and not multiple domains for your web hosting. Fear not, this is POSSIBLE!
There is a extension for SSL certificates, you can add Certificate Subject Alt Name’s, which identifies the same host under different DNS-names.
You can read more about one Common Name and multiple SA’s here: http://wiki.cacert.org/wiki/VhostTaskForce
, and check it’s interoperability here: http://wiki.cacert.org/wiki/VhostTaskForce#InteroperabilityTest
Please bear in mind, and read this nice paper by Nils: http://nils.toedtmann.net/pub/subjectAltName.txt , and run thru this demo: http://test.eonis.net
ALWAYS CHECK CERTIFICATES YOU ADD AS TRUSTED, AND BE CAREFULL BY WHO YOU ADD AS A TRUSTED CA! It is a very nice demo showing how dangerious it is to add untrusted parties as a trusted CA/CERT.
First of all, start by making a copy of your openssl.cnf file:
cp /etc/ssl/geekrevolution-openssl.cnf /etc/ssl/geekrevolution-multiple-openssl.cnf
Edit new configuration file as explained below:
Under [ req_distinguished_name ], fill in your primary SSL-domain as common name, and first subjectAltName,
then add your other required and wanted vhosts:commonName_default = ssl.geekrevolution.net
0.subjectAltName = ssl.geekrevolution.net
0.subjectAltName_default = ssl.geekrevolution.net
1.subjectAltName = Alternative dns for ssl.geekrevolution.net
1.subjectAltName_default = geekrevolution.net
2.subjectAltName = Alternative dns for ssl.geekrevolution.net
2.subjectAltName_default = www.geekrevolution.net
3.subjectAltName = Alternative dns for ssl.geekrevolution.net
3.subjectAltName_default = roysindre.no
4.subjectAltName = Alternative dns for ssl.geekrevolution.net
4.subjectAltName_default = *.roysindre.no
5.subjectAltName = Alternative dns for ssl.geekrevolution.net
5.subjectAltName_default = norrs.no
6.subjectAltName = Alternative dns for ssl.geekrevolution.net
6.subjectAltName_default = *.norrs.no
7.subjectAltName = Alternative dns for ssl.geekrevolution.net
7.subjectAltName_default = rockj.net
8.subjectAltName = Alternative dns for ssl.geekrevolution.net
8.subjectAltName_default = *.rockj.netUnder [ usr_cert ] you’ll need:
subjectAltName = @alt_namesUnder [ v3_req ] you’ll need:
subjectKeyIdentifier = hash
subjectAltName = @alt_namesthen we’ll have to add an section called [alt_names]
DNS.1 = ssl.geekrevolution.net
DNS.2 = geekrevolution.net
DNS.3 = www.geekrevolution.net
DNS.4 = roysindre.no
DNS.5 = *.roysindre.no
DNS.6 = norrs.no
DNS.7 = *.norrs.no
DNS.8 = rockj.net
DNS.9 = *.rockj.net
Save and exit, and export the config envoirement variable to our new config:
tleilaxu:/etc/ssl# export SSLEAY_CONFIG=”-config /etc/ssl/geekrevolution-multiple-openssl.cnf”
We’re ready to roll and generate a CSR (Certificate Signing Requests):
cd geekrevolution/tmptmp
tleilaxu:/etc/ssl/geekrevolution/tmptmp# /usr/lib/ssl/misc/CA.pl -newreq
Generating a 2048 bit RSA private key
………….+++
……..+++
writing new private key to ‘newkey.pem’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NO]:
State or Province Name (full name) [Soer-Troendelag]:
Locality Name (eg, city) [Trondheim]:
Organization Name (eg, company) [gEEkRevolution]:
Organizational Unit Name (eg, section) [UAC]:
Common Name (eg, YOUR name) [ssl.geekrevolution.net]:
ssl.geekrevolution.net [ssl.geekrevolution.net]:
Alternative dns for ssl.geekrevolution.net [geekrevolution.net]:
Alternative dns for ssl.geekrevolution.net [www.geekrevolution.net]:
Alternative dns for ssl.geekrevolution.net [roysindre.no]:
Alternative dns for ssl.geekrevolution.net [*.roysindre.no]:
Alternative dns for ssl.geekrevolution.net [norrs.no]:
Alternative dns for ssl.geekrevolution.net [*.norrs.no]:
Alternative dns for ssl.geekrevolution.net [rockj.net]:
Alternative dns for ssl.geekrevolution.net [*.rockj.net]:
Email Address []:ssl@geekrevolution.netPlease enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
tleilaxu:/etc/ssl/geekrevolution/tmptmp#
Time to inspect our certificate and show you what is so special with it:
openssl req -in newreq.pem -noout -text
Certificate Request:
Data:
Version: 0 (0×0)
Subject: C=NO, ST=Soer-Troendelag, L=Trondheim, O=gEEkRevolution, OU=UAC, CN=ssl.geekrevolution.net/subjectAltName=ssl.geekrevolution.net/subjectAltName=geekrevolution.net/subjectAltName=www.geekrevolution.net/subjectAltName=roysindre.no/subjectAltName=*.roysindre.no/subjectAltName=norrs.no/subjectAltName=*.norrs.no/subjectAltName=rockj.net/subjectAltName=*.rockj.net/emailAddress=ssl@geekrevolution.net
As you see, one common name and multiple subjectAltName with different dns-names gets added as valid alternatives for ssl.geekrevolution.net, quite handy! That’s how we “trick” the www-browsers. Lets go ahead and sign it!
tleilaxu:/etc/ssl/geekrevolution/tmptmp# /usr/lib/ssl/misc/CA.pl -sign
Using configuration from /etc/ssl/geekrevolution-multiple-openssl.cnf
Enter pass phrase for /etc/ssl/geekrevolution/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b2:3a:d0:89:62:1f:2e:de
Validity
Not Before: Nov 21 02:48:31 2008 GMT
Not After : Nov 21 02:48:31 2010 GMT
Subject:
countryName = NO
stateOrProvinceName = Soer-Troendelag
localityName = Trondheim
organizationName = gEEkRevolution
organizationalUnitName = UAC
commonName = ssl.geekrevolution.net
emailAddress = ssl@geekrevolution.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F8:B4:77:49:B6:55:0E:33:7A:09:BC:65:B0:3D:DE:6A:84:B6:3B:46
X509v3 Authority Key Identifier:
keyid:B9:D0:A1:C1:2F:90:38:FA:FB:51:D2:B7:E5:38:C1:63:71:D2:39:50Netscape CA Revocation Url:
http://ssl.geekrevolution.net/ca.crl
Netscape Renewal Url:
http://ssl.geekrevolution.net
Netscape CA Policy Url:
http://ssl.geekrevolution.net/policy
X509v3 Subject Alternative Name:
DNS:ssl.geekrevolution.net, DNS:geekrevolution.net, DNS:www.geekrevolution.net, DNS:roysindre.no, DNS:*.roysindre.no, DNS:norrs.no, DNS:*.norrs.no, DNS:rockj.net, DNS:*.rockj.net
Certificate is to be certified until Nov 21 02:48:31 2010 GMT (730 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
tleilaxu:/etc/ssl/geekrevolution/tmptmp#
We’re done! To make use of this in your apache2 web server, you’ll have to do the following tweak in your apache2 vhost (take note of the UseCanonicalName On):
UseCanonicalName On
SSLEngine on
SSLCertificateFile /etc/ssl/geekrevolution/certs/ssl.geekrevolution.net-cert.pem
SSLCertificateKeyFile /etc/ssl/geekrevolution/private/ssl.geekrevolution.net-key.pem
SSLCertificateChainFile /etc/ssl/geekrevolution/cacert.pem
ServerName ssl.geekrevolution.net
We’re done, and by browsing https://ssl.geekrevolution.net, https://roysindre.no and http://www.rockj.net – you’ll notice it’s the same certificate and it is working!
I would also do this:
ln -s /etc/ssl/geekrevolution/cacert.pem /path/to/ssl.geekrevolution.net/public_html/geekrevolution-cacert.crt , so you can easily import your root ca
If your using this certificate for a service running (like apache2), and you don’t want to enter in your password each time you have to restart apache2, you might want to remove the password protecting your private key file. If you do this, make sure you protect your key, so it is only readable by root!
I do this on my certificate with:
tleilaxu:/etc/ssl/geekrevolution/private# cp ssl.geekrevolution.net-key.pem ssl.geekrevolution.net-key-protected.pem
tleilaxu:/etc/ssl/geekrevolution/private# openssl rsa -in ssl.geekrevolution.net-key-protected.pem -out ssl.geekrevolution.net-key.pem
Enter pass phrase for ssl.geekrevolution.net-key-protected.pem:
writing RSA key
tleilaxu:/etc/ssl/geekrevolution/private#
That’s it, at the end, I’ll leave some private notes I took while fiddling with this blog entry:
Note 1:
As I’am a linux user, I’ll also give a short brief on my firefox 3.x experience.
I visit my website, ssl.geekrevolution.net and added an exception. This exception
overrides everything, even if CA later have added certificate to be revoked!
I took a quick trip into Edit -> Preferences, and went under Advanced tab,
then Encryption tab. Then select View Certificates and remove it.
If you now revisit your webpage, the known “The certificate is not trusted because the issuer certificate is not trusted”. arrives again. Even if you now try to add an exception, FF3 will automagically detect that the certificate is revoked by the authority who signed it. Last sentence is kinda a lie, I got random results and got quite confused by how Firefox handles the CRL. Why can’t it simply check the certificate for a CRL url each time and verify it automagically? Sometimes it does, sometimes not. I’ll probably have to fiddle more with that..
Note 2:
You might notice we use .crt as extention, this is because most webservers are setup as serving .crt files as correct MIME-types(which is x-x509-ca-cert), so browsers notice this is a certificate you can install in your browser. We could also fix this by fixing a MIME-type in your webserver. A default apache2 install in debian, you can edit /etc/apache2/modules-enabled/mime.conf and add
AddType application/x-x509-ca-cert pem .
Make sure you clear cache in firefox and restart webserver to test that .pem files actually get ossiscated with being a x509 certificate.
If you wonder why we store our files with .pem ending on our system, as far as I’ve learned – that’s because we save it in the format Privacy Enchanced Mail, which is openssl’s default format.
Note 3:
If you get this famious error code in firefox when trying to add your CRL to Firefox:
Error Code:ffffe009
Convert your CRL to DER format! If you don’t know how, then start reading from the top again
Some resources I found usefull while writing this entry:
- http://conshell.net/wiki/index.php/OpenSSL_Usage_tips
- http://www.section6.net/wiki/index.php/Basics_of_using_OpenSSL
One Response
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.
Continuing the Discussion