ssl-users Mail List Archives

Re: F2I?

  * To: trei@process.com
  * Subject: Re: F2I?
  * From: Tom Titchener
  * Date: Tue, 16 Jan 1996 09:49:26 -0500
  * Cc: ssl-users@mincom.oz.au, trei@cc.uq.oz.au, tomt@osf.org
  * In-Reply-To: Your message of "Mon, 15 Jan 1996 22:39:45." <"bunyip.cc.uq:116120:960116062713"@cc.uq.oz.au>
  * Sender: ssl-lists-owner@mincom.oz.au

------------------------------------------------------------------------

Peter -

I ran down exactly this rat hole when trying to generate a self-signed
certificate for my own CA for testing and debugging. Here's my "don't
forget" file. Sorry it's so long. The short of it is, the many and vast
improvements to the tools in apps have yet to be documented. I found all
this stuff out by poking around the sources...

Have fun,
TT.

This file describes how you create a self-signed certificate with the
SSLeay version 0.5.1. Find the tools in the apps directory.

To avoid interacting with Verisign, we create a self-signed certificate
for the SDG as though it were a certifying authority. Then we use the key
for the SDG CA certificate to sign certificates for the server and client.

In order for the server and client to work, you have to install the SDG CA
certificate into the SSLeay hashed certificate directory. The SSLeay
certificate verification code requires at least one lookup to verify a
certificate. That is, the client or server can't send a self-signed
certificate.

To create a certificate, you use the commands req and ca. You use req to
create a self-signed certificate and a certificate request. Then you use
ca to sign the request with the self-signed certificate's private key and
issuer distinguished name. Both req and ca are links to ssleay. To control
ssleay, you edit fields in a configuration file.

The following examples show how I created the sdg server and client
certificates.
To create the sdg config file, I just cloned and edited the example
ssleay.conf (apps/ssleay.conf). See the bottom of this file for a list of
the changes (don't start typing the commands until you create your version
of this file).

-----------------------------------------------------------------------

1) Use req to create the self-signed certificate and key.

A) Run req with the switches new, x509, config. Answer the questions:

    -> req -config sdg.conf -x509 -new > sdgca.pem
    Generating a 512 bit private key
    ..........+++++
    .....+++++
    writing new private key to 'sdgkey.pem'
    Enter PEM pass phrase:
    Verifying password
    Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorperated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few field but you can leave some blank
    For some field there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Queensland]:MA
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Mincom Pty Ltd]:OSF
    Organizational Unit Name (eg, section) [MTR]:RI
    Common Name (eg, YOUR name) []:SDG CA
    Email Address []:.

B) You can use x509 to view the contents of your certificate:

    -> x509 -text < sdgca.pem
    Certificate:
        Data:
            Version: 0 (0x0)
            Serial Number: 0 (0x0)
            Signature Algorithm: md5withRSAEncryption
            Issuer: C=US, SP=MA, L=Cambridge, O=OSF, OU=RI, CN=SDG CA
            Validity
                Not Before: Jan  5 20:12:03 1996
                Not After : Feb  4 20:12:03 1996
            Subject: C=US, SP=MA, L=Cambridge, O=OSF, OU=RI, CN=SDG CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                Public Key: (512 bit)
                    Modulus:
                        00:ec:bb:23:af:61:f5:a2:cf:9e:7b:7e:bb:fd:24:
                        4f:d0:07:57:9c:ba:8c:b4:1d:8a:c2:86:83:56:da:
                        82:59:5b:4b:e5:9e:9e:b2:d5:0a:67:9a:4a:ea:76:
                        5b:7e:4e:f7:22:8e:46:b9:66:47:8b:58:70:45:80:
                        6e:23:7a:b1:fd
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5withRSAEncryption
            99:74:c7:df:65:d1:81:e9:cc:35:dc:7a:73:60:6b:62:03:44:
            07:6b:56:4d:02:a3:9a:fc:a2:93:df:4e:31:48:00:00:0c:48:
            1b:29:ef:58:89:a5:40:5c:1e:40:e7:85:f6:1d:21:63:a3:89:
            da:dd:08:19:ff:c1:a5:f0:ab:7a
    -----BEGIN X509 CERTIFICATE-----
    MIIBnjCCAUgCAQAwDQYJKoZIhvcNAQEEBQAwWjELMAkGA1UEBhMCVVMxCzAJBgNV
    BAgTAk1BMRIwEAYDVQQHEwlDYW1icmlkZ2UxDDAKBgNVBAoTA09TRjELMAkGA1UE
    CxMCUkkxDzANBgNVBAMTBlNERyBDQTAeFw05NjAxMDUyMDEyMDNaFw05NjAyMDQy
    MDEyMDNaMFoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTESMBAGA1UEBxMJQ2Ft
    YnJpZGdlMQwwCgYDVQQKEwNPU0YxCzAJBgNVBAsTAlJJMQ8wDQYDVQQDEwZTREcg
    Q0EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA7Lsjr2H1os+ee367/SRP0AdXnLqM
    tB2KwoaDVtqCWVtL5Z6estUKZ5pK6nZbfk73Io5GuWZHi1hwRYBuI3qx/QIDAQAB
    MA0GCSqGSIb3DQEBBAUAA0EAmXTH32XRgenMNdx6c2BrYgNEB2tWTQKjmvyik99O
    MUgAAAxIGynvWImlQFweQOeF9h0hY6OJ2t0IGf/BpfCreg==
    -----END X509 CERTIFICATE-----

C) Save the key under a new file name, as it'll get overwritten the next
time you run req:

    -> mv sdgkey.pem sdgcakey.pem

-----------------------------------------------------------------------

2) Use req to create a certificate request.

A) Run req with the switches new and config.
Answer the questions:

    -> req -config sdg.conf -new > sdgsrvrreq.pem
    Generating a 512 bit private key
    ............+++++
    ...............+++++
    writing new private key to 'sdgkey.pem'
    Enter PEM pass phrase:
    Verifying password
    Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorperated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few field but you can leave some blank
    For some field there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Queensland]:MA
    Locality Name (eg, city) []:Cambridge
    Organization Name (eg, company) [Mincom Pty Ltd]:OSF
    Organizational Unit Name (eg, section) [MTR]:RI
    Common Name (eg, YOUR name) []:SDG Server
    Email Address []:.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:foobar
    An optional company name []:

B) Save the key file under a new name, as it'll get overwritten the next
time you run req. Note that the key you use to generate your request *is*
the key for the server.

    -> mv sdgkey.pem sdgsrvrkey.pem

-----------------------------------------------------------------------

3) Use ca to sign the request with the self-signed certificate.

A) Run ca with the config and in switches:

    -> ca -config sdg.conf -in sdgsrvrreq.pem > sdgsrvrcert.pem
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'MA'
    localityName          :PRINTABLE:'Cambridge'
    organizationName      :PRINTABLE:'OSF'
    organizationalUnitName:PRINTABLE:'RI'
    commonName            :PRINTABLE:'SDG Server'
    Certificate is to be certified until Jan  4 20:31:26 1997 (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

B) You can use x509 to view the contents of your certificate:

    -> x509 -text < sdgsrvrcert.pem
    Certificate:
        Data:
            Version: 0 (0x0)
            Serial Number: 270 (0x10e)
            Signature Algorithm: md5withRSAEncryption
            Issuer: C=US, SP=MA, L=Cambridge, O=OSF, OU=RI, CN=SDG CA
            Validity
                Not Before: Jan  5 20:31:26 1996
                Not After : Jan  4 20:31:26 1997
            Subject: C=US, SP=MA, L=Cambridge, O=OSF, OU=RI, CN=SDG Server
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                Public Key: (512 bit)
                    Modulus:
                        00:d0:70:b5:1f:e8:23:50:2c:7c:ca:03:f4:61:b1:
                        dd:aa:f1:c6:bf:cc:ae:ff:fb:fc:e4:af:20:e1:8c:
                        0f:f5:24:9f:ee:2f:7b:3f:4e:70:63:8c:6c:b3:ba:
                        aa:cd:f7:bf:54:c4:b0:ee:84:e9:a4:9e:f2:01:ab:
                        4f:3e:38:8a:97
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5withRSAEncryption
            af:9a:c3:9f:65:b1:36:f9:9d:76:3d:76:6e:3f:31:36:f6:e5:
            9d:c3:16:89:12:a3:22:6b:f5:9d:e1:5e:9c:eb:89:80:6a:3e:
            d6:2e:02:ca:c4:20:66:b0:2a:13:f8:5a:4d:b0:44:2d:86:08:
            66:54:e0:67:80:28:fd:42:f2:eb
    -----BEGIN X509 CERTIFICATE-----
    MIIBozCCAU0CAgEOMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJNQTESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNPU0YxCzAJBgNV
    BAsTAlJJMQ8wDQYDVQQDEwZTREcgQ0EwHhcNOTYwMTA1MjAzMTI2WhcNOTcwMTA0
    MjAzMTI2WjBeMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExEjAQBgNVBAcTCUNh
    bWJyaWRnZTEMMAoGA1UEChMDT1NGMQswCQYDVQQLEwJSSTETMBEGA1UEAxMKU0RH
    IFNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDQcLUf6CNQLHzKA/Rhsd2q
    8ca/zK7/+/zkryDhjA/1JJ/uL3s/TnBjjGyzuqrN979UxLDuhOmknvIBq08+OIqX
    AgMBAAEwDQYJKoZIhvcNAQEEBQADQQCvmsOfZbE2+Z12PXZuPzE29uWdwxaJEqMi
    a/Wd4V6c64mAaj7WLgLKxCBmsCoT+FpNsEQthghmVOBngCj9QvLr
    -----END X509 CERTIFICATE-----

-----------------------------------------------------------------------

Configuration file changes. Not all of these may be necessary,
particularly if you don't mind overwriting the files from the
installation.
A) capitalization not preserved

    dir = ./demoCA                  # Where everything is kept

becomes

    dir = ./democa                  # Where everything is kept

B) directory name change from new_certs to new_cert

    new_certs_dir = $dir/new_certs  # default place for new certs.

becomes

    new_certs_dir = $dir/new_cert   # default place for new certs.

C) make unique certificate name in local directory

    certificate = $dir/CAcert.pem   # The CA certificate

becomes

    certificate = sdgca.pem         # The CA certificate

D) make unique certificate key name in local directory

    private_key = $dir/private/CAkey.pem  # The private key

becomes

    private_key = sdgcakey.pem      # The private key

E) make unique key file name for the req program

    default_keyfile = privkey.pem

becomes

    default_keyfile = sdgkey.pem

------------------------------------------------------------------------
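The same three steps (self-signed CA, server request, CA-signed server certificate) written against a modern openssl(1) instead of the SSLeay 0.5.1 req/ca links, as an added example that is not part of the original post. It also reproduces the point about the hashed certificate directory: the CA certificate is installed under its subject hash so that verification can look the issuer up, the CA-signed server certificate then verifies, and a bare self-signed leaf that is not in the directory does not. The openssl binary on PATH, the file names, the directory layout and the "SDG CA" / "SDG Server" names are assumptions made for this example; `openssl x509 -req` stands in for the ca program so that no ca database directory or config file is needed, and -nodes skips the pass phrase prompts so the script runs unattended (a real CA key should of course stay encrypted).

```shell
#!/bin/sh
# Added example (not from the original post): SSLeay's req/ca procedure with
# a current openssl(1). All names and paths below are constructed for the demo.
set -e

# Build a throwaway CA, a server request and a CA-signed server cert in DIR.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir/hashed"

    # 1) self-signed CA certificate and key (req -x509 -new in SSLeay terms).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=US/ST=MA/L=Cambridge/O=OSF/OU=RI/CN=SDG CA" \
        -keyout "$dir/sdgcakey.pem" -out "$dir/sdgca.pem" 2>/dev/null

    # 2) certificate request plus the server's own key (req -new). The key
    #    written here *is* the server key, exactly as the post notes.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=MA/L=Cambridge/O=OSF/OU=RI/CN=SDG Server" \
        -keyout "$dir/sdgsrvrkey.pem" -out "$dir/sdgsrvrreq.pem" 2>/dev/null

    # 3) sign the request with the CA key and the CA's subject as issuer.
    openssl x509 -req -in "$dir/sdgsrvrreq.pem" -sha256 -days 365 \
        -CA "$dir/sdgca.pem" -CAkey "$dir/sdgcakey.pem" -CAcreateserial \
        -out "$dir/sdgsrvrcert.pem" 2>/dev/null

    # 4) install the CA cert in a hashed directory: verify finds issuers by
    #    <subject-hash>.0, the lookup the post's "hashed certificate
    #    directory" provides.
    h=$(openssl x509 -in "$dir/sdgca.pem" -noout -subject_hash)
    cp "$dir/sdgca.pem" "$dir/hashed/$h.0"
}

# A self-signed leaf that is NOT installed in the hashed directory: this is
# the "client or server can't send a self-signed certificate" case.
make_selfsigned_leaf() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=SDG Server (self-signed)" \
        -keyout "$1/selfkey.pem" -out "$1/selfsigned.pem" 2>/dev/null
}

# Exit 0 if CERT chains to a certificate in DIR/hashed, non-zero otherwise.
verify_against_capath() {
    openssl verify -CApath "$1/hashed" "$2" >/dev/null 2>&1
}

# Print the issuer DN of CERT (the equivalent of reading it off x509 -text).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Demo run: build everything in a fresh temporary directory and report.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    make_selfsigned_leaf "$d"
    printf 'server cert issuer: %s\n' "$(issuer_of "$d/sdgsrvrcert.pem")"
    if verify_against_capath "$d" "$d/sdgsrvrcert.pem"; then
        echo "CA-signed server cert: verifies against hashed dir"
    fi
    if verify_against_capath "$d" "$d/selfsigned.pem"; then
        echo "self-signed leaf: unexpectedly verified"
    else
        echo "self-signed leaf: rejected (no issuer found in hashed dir)"
    fi
    rm -rf "$d"
}

demo
```

The CA certificate itself also verifies against the hashed directory, because a self-signed certificate is accepted exactly when the lookup finds it as a trusted root; that is the distinction the post draws between installing the SDG CA certificate and trying to hand a self-signed certificate to the peer.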