Copyright © Cloud Software Group, Inc. All Rights Reserved


Appendix B Configuration Tasks : Generate Private Keys And Public Certificates with OpenSSL

If you want to use SSL/TLS with the Apache HTTP server, you need an SSL certificate. The certificate is used for authentication between the Apache HTTP server and the client, so that each party can identify the other. For a client to trust the certificate, it must be signed by a party the client already trusts: a public Certificate Authority (CA), or, for internal and test deployments, a private CA whose certificate you distribute to the clients yourself.
This section describes the procedure for the following tasks:
Generating Self-Signed SSL Certificates
Generating SSL Keys and Certificates With Your Own Trusted CA
Create Private Key
To create a private RSA key with the OpenSSL package for use by the mod_ssl module of the Apache HTTP server, use the following command:
$ openssl genrsa -out asgserver01.key 2048
The above command generates a 2048-bit RSA private key and stores it in the file asgserver01.key. Do not use 1024 bits: 1024-bit RSA keys are considered weak and are rejected by current browsers and public CAs, so 2048 bits is the minimum. Restrict the key file so that only the user that runs Apache can read it (for example, chmod 600), because anyone who obtains the key can impersonate the server.
As SSL/TLS is a PKI-based system, the server needs a private key. The generated file asgserver01.key is used by the server to prove its identity during the TLS handshake (and, with RSA key exchange, to decrypt the session secret the client sends). The public component of this key is what gets distributed to clients, in the form of a digital certificate, so that they can verify the server and set up an encrypted session with it.
Generate Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a digital file that contains the server's public key and the server's identity. Normally this file is sent to a Certificate Authority (CA), which turns it into a real digital certificate. A digital certificate contains the server's RSA public key, its name (or identity), the name of the CA, and the CA's digital signature over those contents. Clients that trust the CA can verify the signature on the certificate and thereby obtain an authentic copy of the server's public key, which lets them establish a session that only the holder of the matching private key can complete.
To generate a certificate signing request (CSR) for a previously generated private key file, use the following command:
$ openssl req -new -key asgserver01.key -out asgserver01.csr
This command reads the public key from asgserver01.key and prompts you for the fields that make up the Distinguished Name (DN) of your server's identity; the DN is incorporated into the certificate request. Enter the host name that clients use to reach the server as the Common Name (CN). The last prompt asks for an optional challenge password; it is stored as an attribute inside the CSR and does not encrypt the CSR or the key, so it can be left blank. Note that modern browsers match the host name against a subjectAltName extension rather than the CN, and the interactive prompts never ask for one; the self-signed certificate below therefore produces a host-name warning in a browser unless you add a subjectAltName through a configuration file.
For testing purposes, you can sign your own public key. The result is a self-signed certificate that works for encryption, but clients will show a trust warning unless they are explicitly configured to trust that certificate.
To generate a self-signed certificate from the previously generated certificate signing request (CSR), signed with the generated private key file, use the following command:
$ openssl x509 -in asgserver01.csr -out tibasg.crt -req -signkey asgserver01.key -days 365
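The same procedure run end to end, as an added example that is not part of the original page: it generates a 2048-bit key, a CSR and a self-signed certificate without interactive prompts (a small OpenSSL configuration file supplies the DN and a subjectAltName), then performs the checks a practitioner runs before deploying: that the certificate's public key really came from the key file, that the SAN is present, and that the key size is adequate. The directory, host name asgserver01.example.com and DN values are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not part of the TIBCO page: the "Generating Self-Signed SSL
# Certificates" procedure run non-interactively with a 2048-bit key, plus the
# checks to run afterwards. Directory, host name and DN values are assumptions.
set -eu

# make_self_signed DIR NAME HOST
# Writes DIR/NAME.key, DIR/NAME.csr and DIR/NAME.crt (valid 365 days).
make_self_signed() {
  dir=$1; name=$2; host=$3
  mkdir -p "$dir"
  # A small OpenSSL config replaces the interactive DN prompts and adds a
  # subjectAltName: browsers match the host name against the SAN, not the CN,
  # and the interactive "openssl req" prompts never ask for one.
  cat >"$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C  = US
O  = ASG Demo
CN = $host
[v3_req]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # Private key: 2048 bits minimum; 1024-bit RSA is rejected by modern clients.
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/$name.key"
  # CSR: DN from the config, public key derived from the key file, no
  # challenge password.
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" \
    -out "$dir/$name.csr"
  # Self-sign: the same key that made the CSR signs the certificate.
  # "x509 -req" does not copy extensions from the CSR, so they are passed again.
  openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 365 \
    -extfile "$dir/$name.cnf" -extensions v3_req -out "$dir/$name.crt" \
    2>/dev/null
}

# key_matches_cert KEY CRT
# Succeeds only if the certificate's public key is the one derived from KEY;
# the check to run after any copy or rename of key and certificate files.
key_matches_cert() {
  key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ "$key_pub" = "$crt_pub" ]
}

# cert_san CRT
# Prints the subjectAltName entries of the certificate, e.g. "DNS:host".
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# cert_key_bits CRT
# Prints the RSA modulus size so that weak keys are caught before deployment.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Demo run in a scratch directory (assumed host name).
out=$(mktemp -d)
make_self_signed "$out" asgserver01 asgserver01.example.com
key_matches_cert "$out/asgserver01.key" "$out/asgserver01.crt"
echo "key/cert match; SAN=$(cert_san "$out/asgserver01.crt"); bits=$(cert_key_bits "$out/asgserver01.crt"); files in $out"
```

The key/certificate match test compares the SubjectPublicKeyInfo derived from the key with the one embedded in the certificate; a mismatch is the usual cause of mod_ssl refusing to start after files have been shuffled between hosts.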
Generating SSL Keys and Certificates With Your Own Trusted CA
This section explains a simplified approach to generating keys and certificates with the CA.pl (Perl) or CA.sh (shell) script that is shipped with the OpenSSL toolkit. The script lets you create your own private Certificate Authority and then use it to generate new private keys and certificates signed by that CA. Newer OpenSSL releases ship only CA.pl; substitute CA.pl wherever CA.sh appears below. Clients will trust certificates issued this way only after the CA certificate has been imported into their trust store.
Perform the following steps.
Create CA Hierarchy
This section explains the steps to create the CA hierarchy for your private CA. This is a one-time action. Once you have created your CA hierarchy, it is used for every key/certificate pair you want to generate and sign with this CA. Protect the CA's private key (by default demoCA/private/cakey.pem) at least as carefully as the server key: whoever holds it can issue certificates that every client trusting this CA will accept.
To create the CA hierarchy for your private CA, enter the following command (with the -newca parameter):
   CA.sh -newca
The script prompts for a passphrase for the CA's private key and for the CA's Distinguished Name, and creates the hierarchy under ./demoCA, with the CA certificate in demoCA/cacert.pem. That certificate file is the one to distribute to clients.
Create Private Key and Certificate Signing Request (CSR)
After you have created a hierarchy for your own Certificate Authority (CA), you can use the same CA.sh script to create the private key and certificate signing request.
To create the private key and certificate signing request, enter the following command (with the -newreq parameter):
   CA.sh -newreq
The script prompts for the Distinguished Name of the server, as described for openssl req above, and writes the request to newreq.pem.
Enter the following command (with the -sign parameter) to have the certificate signing request signed by the CA:
   CA.sh -sign
The script expects the certificate request to be in the file newreq.pem and asks for the CA key passphrase. The new certificate is written to the file newcert.pem.
Create PKCS#12 archive (Optional)
Optionally, you can also create a PKCS#12 archive. PKCS#12 is an archive file format that contains the user certificate, the private key and the CA certificate, protected by an export password. The PKCS#12 file can be imported directly into a browser. Because it contains the private key, treat the file and its password as secrets.
To create the PKCS#12 file, enter the following command (with the -pkcs12 parameter):
   CA.sh -pkcs12 "ASG Server Demo Certificate"
The argument is the friendly name that the browser displays in its certificate list. If you do not provide it, the name My Certificate is used by default.
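The private-CA workflow above (-newca, -newreq, -sign, -pkcs12), as an added example that is not part of the original page and does not use the OpenSSL CA.pl/CA.sh script: it performs the same four steps with plain openssl commands, which is what the script wraps, and then checks that the server certificate verifies against the CA and that the friendly name made it into the PKCS#12 archive. It also shows the one design point the script hides: the CA, not the requester, decides which extensions go into the issued certificate. The directory, host name, DN values and the export password changeit are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not part of the TIBCO page and not the OpenSSL CA.pl/CA.sh
# script: the private-CA workflow (-newca, -newreq, -sign, -pkcs12) done with
# plain openssl commands. Directory, host name, DN values and the export
# password are assumptions for the demo.
set -eu

# new_ca DIR
# One-time setup, like "CA.sh -newca": writes DIR/ca.key and DIR/ca.crt.
new_ca() {
  dir=$1
  mkdir -p "$dir"
  cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C  = US
O  = ASG Demo
CN = ASG Demo Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  chmod 600 "$dir/ca.key"   # the CA key is the most sensitive file here
  # Self-signed CA certificate, 10 years, explicitly marked CA:TRUE.
  openssl req -x509 -new -key "$dir/ca.key" -days 3650 -config "$dir/ca.cnf" \
    -out "$dir/ca.crt"
}

# issue_server_cert DIR NAME HOST
# "CA.sh -newreq" followed by "CA.sh -sign": server key and CSR, then a
# certificate signed by DIR/ca.key. Writes DIR/NAME.key, .csr and .crt.
issue_server_cert() {
  dir=$1; name=$2; host=$3
  cat >"$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C  = US
O  = ASG Demo
CN = $host
[srv]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" \
    -out "$dir/$name.csr"
  # The CA decides the extensions (-extfile/-extensions); nothing the requester
  # put in the CSR is copied, so a CSR cannot ask to become a CA itself.
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$name.cnf" -extensions srv \
    -out "$dir/$name.crt" 2>/dev/null
}

# chain_ok DIR NAME
# Succeeds if DIR/NAME.crt verifies against DIR/ca.crt, which is the check a
# client that has imported ca.crt performs.
chain_ok() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# export_pkcs12 DIR NAME FRIENDLY_NAME PASSWORD
# "CA.sh -pkcs12 FRIENDLY_NAME": bundles key, certificate and CA certificate
# into DIR/NAME.p12 for import into a browser.
export_pkcs12() {
  openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" -certfile "$1/ca.crt" \
    -name "$3" -passout "pass:$4" -out "$1/$2.p12"
}

# p12_friendly_name DIR NAME PASSWORD
# Prints the friendly name stored in the archive (what the browser lists).
p12_friendly_name() {
  openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Demo run in a scratch directory (assumed host name and password).
out=$(mktemp -d)
new_ca "$out"
issue_server_cert "$out" asgserver01 asgserver01.example.com
chain_ok "$out" asgserver01
export_pkcs12 "$out" asgserver01 "ASG Server Demo Certificate" changeit
echo "chain verifies; PKCS#12 friendly name: $(p12_friendly_name "$out" asgserver01 changeit); files in $out"
```

For Apache, point SSLCertificateFile and SSLCertificateKeyFile at the .crt and .key written by issue_server_cert; the .p12 is only for clients (browsers) that need to import the bundle, and the CA's ca.key never leaves the machine that issues certificates.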