
3.1 Configuring the file used for generating your own SSL certificates.

You have done the following:

and now you want to generate SSL certificates.

Here's what you have to do.

  1. Go to the directory where you told the OpenSSL INSTALL.COM script to put your OpenSSL files. The simplest way to do this is to go to the SSLROOT: directory which is the "root" directory of your installed OpenSSL kit.

    
        $ SET DEFAULT SSLROOT:[000000]

  2. Create the CRL and NEWCERTS directories.

    
        $ CREATE/DIRECTORY [.CRL]
        $ CREATE/DIRECTORY [.NEWCERTS]

  3. Create a file called RANDFILE.; in the [.PRIVATE] directory. It should contain a few hundred bytes of random data, which will be used to prime the random number generators in the encryption libraries. The easiest way is to write the output of SHOW SYSTEM/FULL into the file.

    
        $ SHOW SYSTEM/FULL/OUTPUT=SSLROOT:[PRIVATE]RANDFILE.;

  4. Define the logical RANDFILE to point to where the RANDFILE.; file is kept.

    
        $ DEFINE/SYSTEM/EXEC RANDFILE SSLROOT:[PRIVATE]RANDFILE.;

  5. Create the file INDEX.TXT with nothing in it and place it in the SSLROOT:[000000] directory.

  6. Create the file SERIAL.; containing just "01" and place it in the SSLROOT:[000000] directory.

  7. Edit the OPENSSL.CNF file and modify the line

    
        dir	= sys\$disk:[.demoCA	#Where everything is kept


    so that it points to the SSLROOT:[000000] directory tree, like this:

    
        dir	= SSLROOT:[000000	#Where everything is kept


    Also modify the line for the RANDFILE.; file,

    
        RANDFILE = $dir.private].rand	# private random number file


    to look like this:

    
        RANDFILE = $dir.private]RANDFILE.;	# private random number file


    and completely remove the line

    
        RANDFILE	= $ENV::HOME/.rnd


    at the top of the file.

    Now, depending on what you want, you have the following options. If you want a user certificate for just a server, find the following lines

    
        # This is OK for an SSL server.
        # nsCertType			= server


    and modify them to look like this:

    
        # This is OK for an SSL server.
        nsCertType			= server


    If you want a user certificate for "everything", don't do the above; instead find the lines

    
        # and for everything including object signing:
        # nsCertType = client, email, objsign


    and modify these lines to look like this:

    
        # and for everything including object signing:
        nsCertType = client, email, objsign, server


    Now, for a CA certificate, find the following lines

    
        # Some might want this also
        # nsCertType = sslCA, emailCA


    and modify them to look like this:

    
        # Some might want this also
        nsCertType = sslCA, emailCA, server

  8. You might also want to look through this file to customize other settings, such as default_bits for key generation.


3.2 Creating your own self-signed SSL certificate.

You have done the following:

and you want to generate your own self-signed SSL certificate.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.

    
        $ @SSLROOT:[VMS]OPENSSL_UTILS.COM

  2. Go to your SSLROOT:[000000] directory.

    
        $ SET DEFAULT SSLROOT:[000000]

  3. Now, generate a certificate request using the OPENSSL utility.

    
        $ OPENSSL
        OpenSSL> req -config openssl.cnf -nodes -new -days 365 -x509
                     -keyout test_key.pem -out test.pem


    Here's a description of what the parameters mean.

    
        -config     Which configuration file to use.
        -nodes      Don't DES-encrypt the output key (leave it unencrypted).
                    (This is only necessary if the certificate is going to be
                    used with the OpenVMS OSU HTTPD server or an application
                    that doesn't allow a key password to be specified.)
        -new        This is a new certificate request.
        -days       The number of days the X.509 certificate is good for.
        -x509       Output an X.509 certificate instead of a regular
                    certificate request.
        -keyout     File to output the key to.
        -out        File to output the certificate to.

  4. The program will ask you some questions; just answer them. You have to make sure that when the OPENSSL program asks you

    
        Common Name (eg, YOUR name) []:


    you enter the server's host name if you intend to use this on a web server. So if the server will be referenced in DNS tables as "www.buttnet.net", enter that here. This also applies to CNAME DNS entries referencing your WWW server: if the "official" DNS host name of your server is "beavis.buttnet.net", you have a CNAME DNS entry of "www.buttnet.net", and you are going to use "www.buttnet.net" for your server, you need to enter "www.buttnet.net" here.

  5. If that went well, exit the OPENSSL program. You should have two files, the key file and the certificate file. You now need to append the key file (the one you generated when you created the certificate) to the end of the certificate file.

    
        $ APPEND TEST_KEY.PEM TEST.PEM

  6. Now use OPENSSL to "verify" the certificate.

    
        $ OPENSSL
        OpenSSL> verify test.pem

  7. If that went well and the OPENSSL utility says that it's O.K., then you have a working self-signed certificate.
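The procedure of this section in POSIX shell against the openssl command line tool, as an added example that is not part of the original page. Names are assumptions: WORKDIR is a scratch directory and www.example.test the constructed server name; the file names follow the page's test_key.pem and test.pem, and the four-line request config stands in for the edited OPENSSL.CNF. It also shows why the bare verify of step 6 is not the check you want: without a trust anchor OpenSSL reports the certificate as self-signed and fails, so the example verifies the certificate against itself with -CAfile instead. The host name is repeated as a subjectAltName because current browsers match on that rather than on the Common Name.

```shell
#!/bin/sh
# Added example, not part of the original page: the self-signed certificate of
# section 3.2 produced with the openssl command line tool on a POSIX system.
# Assumed names: WORKDIR (scratch directory) and www.example.test (constructed
# server name); file names mirror the page's test_key.pem and test.pem.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# openssl req insists on a distinguished_name section even when the subject is
# given with -subj, so write a tiny config instead of editing OPENSSL.CNF.
write_req_config() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Common Name\n' \
        > "$WORKDIR/req.cnf"
}

# Step 3 ("req -config openssl.cnf -nodes -new -days 365 -x509 ...") made
# non-interactive. The CN is the DNS name clients will use, as the page advises,
# and the same name goes into a subjectAltName, which current browsers require.
make_self_signed() {
    write_req_config
    openssl req -config "$WORKDIR/req.cnf" -nodes -new -x509 -days 365 \
        -newkey rsa:2048 -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORKDIR/test_key.pem" -out "$WORKDIR/test.pem"
}

# The Common Name actually embedded in the certificate.
cert_cn() {
    openssl x509 -in "$WORKDIR/test.pem" -noout -subject | sed 's/.*CN *= *//'
}

# True when the certificate is still valid $1 days from now (checks -days 365).
valid_for_days() {
    openssl x509 -in "$WORKDIR/test.pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Step 6 as written, "verify test.pem": with no trust anchor OpenSSL answers
# "self signed certificate" and exits non-zero, so this function returns false.
verify_bare() {
    openssl verify "$WORKDIR/test.pem" >/dev/null 2>&1
}

# The check the page intends: the certificate verifies against itself as the
# trust anchor, which is what a client that has imported it will do.
verify_self() {
    openssl verify -CAfile "$WORKDIR/test.pem" "$WORKDIR/test.pem" >/dev/null 2>&1
}

# Step 5, "APPEND TEST_KEY.PEM TEST.PEM": one file holding the certificate and
# then the key, as the OSU HTTPD server expects. Prints "yes" when both are there.
append_key() {
    cat "$WORKDIR/test_key.pem" >> "$WORKDIR/test.pem"
    if grep -q 'BEGIN CERTIFICATE' "$WORKDIR/test.pem" &&
       grep -q 'PRIVATE KEY' "$WORKDIR/test.pem"; then
        echo yes
    else
        echo no
    fi
}

make_self_signed "${1:-www.example.test}"
echo "CN: $(cert_cn)"
verify_self && echo "verify against itself: OK"
```

Run it as `sh self_signed.sh www.example.test`. No RANDFILE is set up: OpenSSL 1.1.1 and later seed their generator from the operating system, and the output of a command such as SHOW SYSTEM is predictable text rather than entropy, so it should not be relied on where a current build is available.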


3.3 Creating an SSL certificate request to send to a CA.

You have done the following:

and you want to generate an SSL certificate request to send to a CA.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.

    
        $ @SSLROOT:[VMS]OPENSSL_UTILS.COM

  2. Go to your SSLROOT:[000000] directory.

    
        $ SET DEFAULT SSLROOT:[000000]

  3. Now, generate a certificate request using the OPENSSL utility.

    
        $ OPENSSL
        OpenSSL> req -config openssl.cnf -nodes -new -days 365
                     -keyout newreq_key.pem -out newreq.pem


    Here's a description of what the parameters mean.

    
        -config     Which configuration file to use.
        -nodes      Don't DES-encrypt the output key (leave it unencrypted).
                    (This is only necessary if the certificate is going to be
                    used with the OpenVMS OSU HTTPD server or an application
                    that doesn't allow a key password to be specified.)
        -new        This is a new certificate request.
        -days       The number of days the X.509 certificate is good for.
        -keyout     File to output the key to.
        -out        File to output the certificate request to.

  4. The program will ask you some questions; just answer them. You have to make sure that when the OPENSSL program asks you

    
        Common Name (eg, YOUR name) []:


    you enter the server's host name if you intend to use this on a web server. So if the server will be referenced in DNS tables as "www.buttnet.net", enter that here. This also applies to CNAME DNS entries referencing your WWW server: if the "official" DNS host name of your server is "beavis.buttnet.net", you have a CNAME DNS entry of "www.buttnet.net", and you are going to use "www.buttnet.net" for your server, you need to enter "www.buttnet.net" here.

    Having said that, some CAs may have you use your real DNS host name here. If in doubt, check with the CA as to what they expect you to enter.

    You will also be asked to enter "extra" attributes. Unless the CA you are sending the request to tells you otherwise, leave these blank and just press through them.

  5. If that went well, exit the OPENSSL program. You should have two files, the key file and the certificate request file.

  6. Send the certificate request file to the CA and keep the key file in a safe place.

  7. When you get your signed certificate back from the CA, you will have to append your key (the one you generated with the certificate request) to the end of the signed certificate.

    
        $ APPEND NEWREQ_KEY.PEM <certificate the CA signed>


3.4 Creating your own CA certificate.

You have done the following:

and you want to generate your very own CA certificate to sign certificate requests.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.

    
        $ @SSLROOT:[VMS]OPENSSL_UTILS.COM

  2. Go to your SSLROOT:[000000] directory.

    
        $ SET DEFAULT SSLROOT:[000000]

  3. Now, generate a certificate request using the OPENSSL utility.

    
        $ OPENSSL
        OpenSSL> req -config openssl.cnf -new -x509 -days 1825
                     -keyout [.private]cakey.pem -out cacert.pem


    Here's a description of what the parameters mean.

    
        -config     Which configuration file to use.
        -new        This is a new certificate request.
        -x509       Output an X.509 certificate instead of a regular
                    certificate request.
        -days       The number of days the generated X.509 certificate
                    is good for.
        -keyout     File to output the key to.
        -out        File to output the certificate to.


    You will notice that the number of days the CA certificate is good for, as set by the "-days" qualifier, is pretty large (five years in fact). This is because some browsers complain if the CA certificate is not valid for a period longer than the certificate request you are signing. So if you generate a CA certificate good for only a year and sign a certificate request that is also good for one year, some browsers will complain. It's therefore good to give the CA certificate a long lifetime to keep browsers happy.

  4. The OPENSSL program will ask you to enter a PEM password. This is to encrypt the CA key so that only YOU or someone that knows the password can sign certificates. SO KEEP YOUR PASSWORD SAFE!

  5. The program will ask you some questions; just answer them. You have to make sure that when the OPENSSL program asks you

    
        Common Name (eg, YOUR name) []:


    you use YOUR name or something like "CA Authority", and NOT your SERVER name such as "beavis.buttnet.net".

  6. If all went well, you should have the file CACERT.PEM in your SSLROOT:[000000] directory and the CAKEY.PEM file in the SSLROOT:[PRIVATE] or SSLPRIVATE: directory.

    You might want to protect the SSLROOT:[PRIVATE] directory to prevent others from accessing your CA key.

  7. Now use the OPENSSL utility to "verify" the certificate.

    
        $ OPENSSL
        OpenSSL> verify cacert.pem

  8. If that went well and the OPENSSL utility says that it's O.K., then you have a CA certificate.

  9. Now, if you plan to sign certificates with your new CA certificate, you need to make your CA certificate available to the public. First, convert your PEM formatted certificate into DER format as follows.

    
        $ OPENSSL
        OpenSSL> x509 -inform pem -in yourcacert.pem
                      -outform der -out yourcacert.der

  10. Check the suffixes table or "mime type" table for your WEB server and look for the following definition.

    
        application/x-x509-ca-cert pem BINARY 1.0


    If the definition is not there, put it there and restart your WEB server.

  11. Place your CA certificate in a directory where people can access it and make a link to it in a WEB page so people can find it.

  12. If all went well, when you click on the link for your CA certificate your browser should ask you whether you want to load and save it, and go through the process of installing it.

    Some browsers (e.g. Microsoft Internet Explorer) might want to save the certificate to the hard disk instead of installing it. When it asks you what you want to do, select "Open this file from its current location" and Internet Explorer will install it into the certificate database.


3.5 Signing SSL certificate requests with your CA certificate.

You have done the following:

and you want to sign certificate requests.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.

    
        $ @SSLROOT:[VMS]OPENSSL_UTILS.COM

  2. Take the certificate request file (we'll assume it is called NEWREQ.PEM for this example) and put it in your SSLROOT:[000000] directory.

  3. Go to your SSLROOT:[000000] directory.

    
        $ SET DEFAULT SSLROOT:[000000]

  4. Execute the OPENSSL program with the following options to sign the certificate request.

    
        $ OPENSSL
        OpenSSL> ca -config openssl.cnf -policy policy_anything
                    -out sslcerts:signed_newreq.pem -infiles newreq.pem


    Here's a description of what the parameters mean.

    
        -config     Which configuration file to use.
        -policy     Which "policy" in the configuration file to use.
        -out        File to output the signed certificate to.
        -infiles    The file containing the certificate request we are
                    going to sign.

  5. The OPENSSL program will ask you to enter the PEM password. This is the password you entered when you created the CA key, which encrypts the key so that only you can use it.

  6. You will then be shown the information in the certificate request. If it looks good to you (and you know the source, etc.), you will be asked whether you want to sign the certificate.

  7. The program will then tell you that the certificate request was certified and ask whether you want to commit it.

  8. If that went well, the signed certificate file SIGNED_NEWREQ.PEM should be placed in the SSLCERTS: or SSLROOT:[CERTS] directory.

  9. Now use the OPENSSL utility to "verify" the signed certificate.

    
        $ OPENSSL
        OpenSSL> verify "-CApath" sslroot:[000000]
                        "-CAfile" cacert.pem SSLCERTS:signed_newreq.pem

  10. If that went well and the OPENSSL utility says that it's O.K., then you have successfully signed the certificate request and you can send SSLCERTS:SIGNED_NEWREQ.PEM to the user.
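The configuration of section 3.1 together with the CA certificate (3.4), request (3.3) and signing and verification (3.5) steps, as one added POSIX shell example that is not from the original page. Assumed names: CADIR stands in for SSLROOT:[000000], CA_PASS is a constructed password for the CA key, and "Example Test CA" and www.example.test are constructed names. The openssl.cnf it writes contains only the sections these commands read, with the page's nsCertType lines in the usr_cert and v3_ca sections; basicConstraints is added to the CA certificate because openssl verify refuses a v3 certificate as a trust anchor without it.

```shell
#!/bin/sh
# Added example, not part of the original page: sections 3.1 (CA tree and config),
# 3.4 (CA certificate), 3.3 (server request) and 3.5 (signing, verifying) done
# with the openssl tool on a POSIX system. Assumed names: CADIR (stands in for
# SSLROOT:[000000]), CA_PASS (constructed CA key password), "Example Test CA"
# and www.example.test (constructed names).
set -eu

CADIR="${CADIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-example-only-change-me}"   # real use: -passin file:..., not pass:

# 3.1: private/certs/newcerts/crl, empty index.txt, serial "01", and a config whose
# dir points at the tree. policy_anything is the policy 3.5 selects; usr_cert carries
# the page's "nsCertType = server", v3_ca its "nsCertType = sslCA, emailCA".
setup_ca_tree() {
    mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts" "$CADIR/crl"
    chmod 700 "$CADIR/private"        # 3.4 step 6: keep the CA key out of reach
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CADIR
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
copy_extensions = copy
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType       = server
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nsCertType           = sslCA, emailCA
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}
# 3.4 step 3: five-year CA certificate. The key is encrypted with CA_PASS (the PEM
# password of step 4); -extensions v3_ca marks it as a CA, which verify requires.
make_ca_cert() {
    openssl req -config "$CADIR/openssl.cnf" -new -x509 -days 1825 -extensions v3_ca \
        -newkey rsa:2048 -passout "pass:$CA_PASS" -subj "/CN=$1" \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem"
}
# 3.3 step 3: unencrypted server key (-nodes) and a request whose CN is the DNS
# name; the same name goes into a subjectAltName, which current clients match on.
make_server_request() {
    openssl req -config "$CADIR/openssl.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$CADIR/newreq_key.pem" -out "$CADIR/newreq.pem"
}
# 3.5 step 4. -batch answers the "sign?" and "commit?" prompts of steps 6 and 7;
# -infiles must stay last. Afterwards serial reads 02 and index.txt has one V row.
sign_request() {
    openssl ca -batch -config "$CADIR/openssl.cnf" -policy policy_anything \
        -passin "pass:$CA_PASS" -out "$CADIR/certs/signed_newreq.pem" \
        -infiles "$CADIR/newreq.pem"
}
# 3.5 step 9: the signed certificate must chain to cacert.pem.
verify_signed() {
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/signed_newreq.pem" >/dev/null 2>&1
}
# 3.4 step 9: DER copy for publishing. Prints its first byte, 30 (ASN.1 SEQUENCE).
export_ca_der() {
    openssl x509 -inform pem -in "$CADIR/cacert.pem" -outform der -out "$CADIR/cacert.der"
    od -An -tx1 -N1 "$CADIR/cacert.der" | tr -d ' \n'
}

setup_ca_tree; make_ca_cert "Example Test CA"; make_server_request "${1:-www.example.test}"
sign_request && verify_signed && echo "signed_newreq.pem verifies against cacert.pem"
```

After a run, index.txt holds one V (valid) row for the issued certificate and serial has advanced to 02; cacert.der is what steps 10 and 11 of section 3.4 publish under application/x-x509-ca-cert. -batch replaces the interactive confirmation of steps 6 and 7, so keep it for scripted use only and review the request's subject before signing anything you did not generate yourself.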

