One of the most common forms of cryptography today is public-key cryptography. Public-key cryptography utilizes a public key and a private key. The system works by encrypting information using the public key. The information can then only be decrypted using the private key.
A common use for public-key cryptography is encrypting application traffic using a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection. One example is configuring Apache to provide HTTPS, the HTTP protocol over SSL. This makes it possible to encrypt traffic for a protocol that does not itself provide encryption.
A certificate is a method used to distribute a public key and other information about a server and the organization that is responsible for it. Certificates can be digitally signed by a Certification Authority or CA. A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate.
The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
If the services on your network require more than a few self-signed certificates, it may be worth the additional effort to set up your own internal Certification Authority (CA). Using certificates signed by your own CA allows the various services using the certificates to easily trust other services using certificates issued from the same CA.
First, create the directories to hold the CA certificate and related files:
bash$ sudo mkdir /etc/ssl/CA
bash$ sudo mkdir /etc/ssl/newcerts
The CA needs a few additional files to operate: one to keep track of the last serial number used by the CA (each certificate must have a unique serial number), and another to record which certificates have been issued:
bash$ sudo sh -c "echo '01' > /etc/ssl/CA/serial"
bash$ sudo touch /etc/ssl/CA/index.txt
The third file is a CA configuration file. Though not strictly necessary, it is very convenient when issuing multiple certificates. Edit /etc/ssl/openssl.cnf, and in the [ CA_default ] section change:
dir = /etc/ssl/ # Where everything is kept
database = $dir/CA/index.txt # database index file.
certificate = $dir/certs/servercert.pem # The CA certificate
serial = $dir/CA/serial # The current serial number
private_key = $dir/private/serverkey.pem # The private key
Next, create the self-signed root certificate. You will then be asked to enter the details about the certificate.
bash$ openssl req -new -x509 -extensions v3_ca -keyout serverkey.pem -out servercert.pem -days 3650
Now install the root certificate and key:
bash$ sudo mv serverkey.pem /etc/ssl/private/
bash$ sudo mv servercert.pem /usr/share/ca-certificates/servercert.crt
bash$ echo -e "servercert.crt" | sudo tee -a /etc/ca-certificates.conf
bash$ sudo update-ca-certificates
You are now ready to start signing certificates. The first item needed is a Certificate Signing Request (CSR); see the section called Generating a Certificate Signing Request (CSR) for details. Once you have a CSR, enter the following to generate a certificate signed by the CA:
bash$ sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
After entering the password for the CA key, you will be prompted to sign the certificate, and again to commit the new certificate. You should then see a somewhat large amount of output related to the certificate creation.
There should now be a new file, /etc/ssl/newcerts/01.pem, containing the same output. Copy and paste everything between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines to a file named after the hostname of the server where the certificate will be installed. For example, mail.example.com.crt is a nice descriptive name. Subsequent certificates will be named 02.pem, 03.pem, etc.
Finally, copy the new certificate to the host that needs it, and configure the appropriate applications to use it. The default location to install certificates is /usr/share/ca-certificates/. This enables multiple services to use the same certificate without overly complicated file permissions. Then run this command to install the certificate on the system:
bash$ sudo update-ca-certificates
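The CA procedure above, run end to end as an added example (not part of the original guide): it builds a throwaway CA under a temporary directory instead of /etc/ssl, signs a CSR with openssl ca, and verifies the result against the root. The CA name, host names, the policy_cn, dn and v3_ca sections, the 2048-bit keys and the unencrypted demo keys are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: scratch CA in a temp directory, nothing under /etc/ssl is touched.
# All names and the config written below are constructed for this demo.
make_demo_ca() {
    d=$(mktemp -d) || return 1
    mkdir "$d/CA" "$d/newcerts" "$d/certs" "$d/private" && chmod 700 "$d/private"
    echo 01 > "$d/CA/serial"        # next serial number to hand out
    : > "$d/CA/index.txt"           # record of issued certificates
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/CA/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/cacert.pem
serial = \$dir/CA/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # -nodes keeps the demo non-interactive; a real CA key keeps its passphrase.
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$d/openssl.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/private/cakey.pem" -out "$d/certs/cacert.pem" 2>/dev/null || return 1
    echo "$d"
}

# issue_cert CA_DIR HOSTNAME: make a key and CSR, sign it, print the new cert path.
issue_cert() {
    sn=$(cat "$1/CA/serial")        # openssl ca names the copy <serial>.pem
    openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/private/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" \
        -out "$1/certs/$2.crt" >/dev/null 2>&1 || return 1
    echo "$1/newcerts/$sn.pem"
}

ca=$(make_demo_ca) && crt=$(issue_cert "$ca" mail.example.com) &&
    openssl verify -CAfile "$ca/certs/cacert.pem" "$crt"
```

Issuing a second certificate from the same directory produces newcerts/02.pem and a second "V" line in CA/index.txt, which is the bookkeeping the serial and index files exist for.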
Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. To generate the keys for the Certificate Signing Request (CSR) run the following command from a terminal prompt:
bash$ openssl genrsa -des3 -out SERVER_FQDN.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase for SERVER_FQDN.key:
Verifying - Enter pass phrase for SERVER_FQDN.key:
You can now enter your passphrase. For best security, it should contain at least eight characters. The minimum length when specifying -des3 is four characters. It should include numbers and/or punctuation and not be a word in a dictionary. Also remember that your passphrase is case-sensitive. Re-type the passphrase to verify. Once you have re-typed it correctly, the server key is generated and stored in the SERVER_FQDN.key file.
Note: You can also run your secure service without a passphrase. This is convenient because you will not need to enter the passphrase every time you start your secure service. But it is highly insecure and a compromise of the key means a compromise of the server as well. In any case, you can choose to run your secure service without a passphrase by leaving out the -des3 switch in the generation phase or by issuing the following command at a terminal prompt:
bash$ openssl rsa -in SERVER_FQDN.key -out SERVER_FQDN.key.insecure
Once you run the above command, the insecure key will be stored in the SERVER_FQDN.key.insecure file. You can use this file to generate the CSR without passphrase.
To create the CSR, run the following command at a terminal prompt:
bash$ openssl req -new -key SERVER_FQDN.key -out SERVER_FQDN.csr
It will prompt you to enter the passphrase. If you enter the correct passphrase, it will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the SERVER_FQDN.csr file.
You can now submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create a self-signed certificate using this CSR.
To create the self-signed certificate, run the following command at a terminal prompt:
bash$ openssl x509 -req -days 365 -in SERVER_FQDN.csr -signkey SERVER_FQDN.key -out SERVER_FQDN.crt
The above command will prompt you to enter the passphrase. Once you enter the correct passphrase, your certificate will be created and it will be stored in the SERVER_FQDN.crt file.
Note: If your secure server is to be used in a production environment, you probably need a CA-signed certificate. It is not recommended to use a self-signed certificate.
You can install the key file SERVER_FQDN.key and certificate file SERVER_FQDN.crt, or the certificate file issued by your CA, by running the following commands at a terminal prompt:
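A check worth running on the key, CSR and certificate produced above before they are installed, as an added example that is not part of the original guide: it confirms that all three files carry the same public key and flags a private key stored without a passphrase. The file names, subject, throwaway passphrase and helper function names are assumptions; the demo uses a 2048-bit key with -aes256 rather than the 1024-bit -des3 key shown in the text.

```shell
#!/bin/sh
# Added example: confirm a key, CSR and certificate belong together before install.
# File names, subject and the throwaway passphrase are constructed for the demo.

# pub_fp KIND FILE: SHA-256 of the PEM public key; KIND is key, csr or crt.
pub_fp() {
    case $1 in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1       # an unreadable file must not hash as "empty"
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# bundle_matches KEY CSR CRT: succeed only if all three carry one public key.
bundle_matches() {
    k=$(pub_fp key "$1") && r=$(pub_fp csr "$2") && c=$(pub_fp crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# key_is_encrypted FILE: true when the PEM private key is passphrase-protected.
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

# make_demo_files: key -> passphrase-less copy -> CSR -> self-signed certificate.
make_demo_files() {
    w=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$w/req.cnf"
    {
        openssl genrsa -aes256 -passout pass:demo-only -out "$w/srv.key" 2048 &&
        openssl rsa -in "$w/srv.key" -passin pass:demo-only -out "$w/srv.key.insecure" &&
        openssl req -new -config "$w/req.cnf" -subj "/CN=mail.example.com" \
            -key "$w/srv.key.insecure" -out "$w/srv.csr" &&
        openssl x509 -req -days 365 -in "$w/srv.csr" \
            -signkey "$w/srv.key.insecure" -out "$w/srv.crt" &&
        openssl genrsa -out "$w/other.key" 2048      # unrelated key for the mismatch case
    } >/dev/null 2>&1 || return 1
    echo "$w"
}

w=$(make_demo_files)
bundle_matches "$w/srv.key.insecure" "$w/srv.csr" "$w/srv.crt" && echo "bundle OK"
bundle_matches "$w/other.key" "$w/srv.csr" "$w/srv.crt" || echo "mismatch caught"
key_is_encrypted "$w/srv.key.insecure" || echo "warning: key has no passphrase"
```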
bash$ sudo mv SERVER_FQDN.crt /usr/share/ca-certificates/
bash$ sudo mv SERVER_FQDN.key /etc/ssl/private/
Edit the file /etc/ca-certificates.conf and add this line:
SERVER_FQDN.crt
Update the CA certificate of the system:
bash$ sudo update-ca-certificates