Re: OpenSSL Certificate Creation

From: D. Stussy (kd6lvw@bde-arc.ampr.org)
Date: 05/09/02


From: "D. Stussy" <kd6lvw@bde-arc.ampr.org>
Date: Thu, 09 May 2002 00:15:05 GMT

On Thu, 2 May 2002, Ray Lassiter wrote:
>Well, I have been reading and testing for about a week now and can't quite
>find anything that ties it all together. I have an apache webserver,
>openssl, mod_ssl. I was able to generate a selfsigned cert using openssl -
>genrsa commands. I put the cert and key in the httpd/conf/ssl dir and
>everything seemed to work.
>
>My problem is that I can't figure out how to generate a client cert from the
>previously created server certs. I would like to make it so that the cert is
>required to connect to the server. I used the CA.pl script to generate a CA
>but I end up with some .pem files. I am even able to create a .p12 file that
>I can import to MSIE. The problem is how do I link them to server
>certificates so that they are needed to connect to the webserver.
>
>I have searched every possibility, that I can come up with, on google but to
>no avail. Any pointers to solving this problem??

I wish the documentation and stuff, including the web pages of others, were a
bit more straightforward on how to do this. Although it is nice to know how
things work, sometimes people simply want the "quick and dirty" approach.
Therefore, here are my scripts:

A single parameter: an integer, the number of days until the certificate expires.

Generate Certificate Authority self-signed certificate:
-------------------------------------------------------------------------------
#!/bin/sh
set -e                                   # abort if any step fails
[ $# -eq 1 ] || { echo "usage: $0 DAYS" >&2; exit 1; }
umask 077                                # nothing created here is readable by others
cd /usr/local/ssl/private
CONFIG="-config ../openssl.cnf"
# Self-signed CA cert; the key is written passphrase-protected (openssl prompts for it)
openssl req -new -x509 -keyout CAKey.pem -out CACert.pem -days "$1" $CONFIG
openssl x509 -inform pem -outform der <CACert.pem >CACert.der   # DER copy for MSIE
chmod 644 CACert.pem CACert.der          # certificates are public; only CAKey.pem stays 0600
-------------------------------------------------------------------------------
The last step is needed only because ".der" is used by Micro$oft, but everyone
else uses ".pem". If you don't care about M$ programs, it may be skipped.

Generate THREE "user" certificates for web server, mail server, and mail client:
-------------------------------------------------------------------------------
#!/bin/sh
# Assumes the [ ca ] section of ../openssl.cnf points at CAKey.pem/CACert.pem
# and at the index.txt/serial files that "openssl ca" needs.
set -e                        # abort if any step fails (e.g. a CSR the CA refuses to sign)
umask 077                     # fresh keys start out readable by their owner only
cd /usr/local/ssl
mkdir newcerts ; cd newcerts

# issue LABEL NAME: prompt for a CSR and key, sign with the CA, strip the passphrase
issue() {
    echo "$1 Certificate:"
    openssl req -new -keyout newkey.pem -out newreq.pem -config ../openssl.cnf
    openssl ca -config ../openssl.cnf -policy policy_any -out "../certs/$2.pem" -infiles newreq.pem
    # unencrypted copy of the key so the daemon can start without a passphrase;
    # this is why the file permissions below matter
    openssl rsa -in newkey.pem -out "$2.key"
    rm -f newkey.pem newreq.pem
}

issue "Web Server"  webserver
issue "Mail Server" mailserver
issue "Mail Client" mailclient

mv -v *.key ../private ; cd ..
# each daemon's group may read its own key and cert, nobody else's
chgrp html */web*  ; chmod 640 */web*
chgrp mail */mail* ; chmod 640 */mail*
exec rm -r newcerts
-------------------------------------------------------------------------------
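To tie the pieces together for the original question (making the server demand a certificate issued by this CA), here is an added example that is not part of the post above or of Stussy's scripts. It signs with the CA key directly via `openssl x509 -req`, so it runs non-interactively in a scratch directory without the index.txt/serial database that `openssl ca` needs; the CA and user names, subjects, key sizes and the PKCS#12 password are all made up for the example. It builds a CA, issues one client certificate marked for TLS client authentication, exports it as the .p12 a browser imports, and then runs the same chain check mod_ssl performs, once for a certificate from this CA and once for one from an unrelated CA. On the Apache side the "link" is two directives: `SSLCACertificateFile` pointing at `CACert.pem` and `SSLVerifyClient require` (plus `SSLVerifyDepth` if there are intermediates); mod_ssl accepts a client certificate exactly when it chains to a certificate in that file.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, one client cert
# chained to it, a .p12 for the browser, and a check that only certificates
# from *this* CA verify. Runs non-interactively in a scratch directory.
# All names, subjects and the password are assumptions made for the example.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA; key written unencrypted (-nodes) because this is a demo.
make_ca() {   # make_ca NAME -> NAME.key NAME.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Client cert: CSR signed by the CA, marked as a non-CA leaf for TLS client auth.
issue_client() {   # issue_client CA USER -> USER.key USER.crt
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 365 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# PKCS#12 bundle (key + cert + CA cert) for import into a browser.
export_p12() {   # export_p12 CA USER PASSWORD -> USER.p12
    openssl pkcs12 -export -in "$2.crt" -inkey "$2.key" -certfile "$1.crt" \
        -name "$2" -passout "pass:$3" -out "$2.p12"
}

# The check mod_ssl makes under SSLVerifyClient require: does the cert chain to the CA?
verifies_with() {   # verifies_with CA USER -> exit 0 only if the chain is valid
    openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# Subject of the certificate inside a .p12, i.e. what the browser will present.
p12_subject() {   # p12_subject USER PASSWORD -> e.g. CN=alice,O=Example
    openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

make_ca example-ca
issue_client example-ca alice
export_p12 example-ca alice changeit

make_ca rogue-ca                 # an unrelated CA, to show what the server rejects
issue_client rogue-ca mallory

verifies_with example-ca alice   && echo "alice:   accepted (chains to example-ca)"
verifies_with example-ca mallory || echo "mallory: rejected (not issued by example-ca)"
echo "alice.p12 contains: $(p12_subject alice changeit)"
```

Needs the `openssl` command (1.1.1 or 3.x) on PATH. Two caveats: the `-nodes` keys here, like the `openssl rsa` output in the scripts above, are unencrypted, so the scratch directory should not outlive the demo; and OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which very old Windows releases cannot import, so add `-legacy` to `openssl pkcs12 -export` if that is the target.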