OpenSSL + RootCA Certificate HOWTO
==================================

Shanker Balan
http://shankerbalan.com/

Changelog:

Thu May 22 13:46:30 IST 2003
- Added "openssl x509 -in newcert.pem >> imapd.pem"

Mon Apr 28 17:29:59 IST 2003
- Masked email addresses, am getting enuf spam as it is!

Wed Apr 16 12:48:54 IST 2003
- Note on checking the certificate

Create local CA certificate
---------------------------

1. Locate "CA.pl" and change to that directory:

    root# locate CA.pl
    /usr/share/man/man1/CA.pl.1ssl.gz
    /usr/share/ssl/misc/CA.pl
    root# cd /usr/share/ssl/misc/

2. Create a new CA

    root# ./CA.pl -newca

Type a strong and long password when prompted. The CA's "CN" can be
anything. Call it "Foobar Private Trust Network" if you want to.

The above commands will create the following files under the
certs/demoCA directory:

    cacert.pem        - local issuer certificate (CA certificate) in PEM format
    private/cakey.pem - CA encrypted private key

Store both the files in a cool and dry place away from sunlight.

Make a copy of "cacert.pem" as "cacert.crt" so that it can be imported
into browsers and other applications which have the .crt MIME type
defined.

Create Server Certificate
-------------------------

1. cd to the certs/misc directory and run the following commands:

    root# ./CA.pl -newreq

The "CN" should be set to the FQDN of the server which is being issued
the certificate. For example, if the server's FQDN is "mail.domain.com",
then the CN will also be "mail.domain.com". It is very important that
the CN match the FQDN, otherwise SSL clients will refuse to accept the
certificate.

    shanu@godzilla:~/certs$ ./CA.pl -newreq
    Using configuration from /etc/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ....................................++++++
    ................++++++
    writing new private key to 'newreq.pem'
    Enter PEM pass phrase:
    Verifying password - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IN]:
    State or Province Name (full name) [Karnataka]:
    Locality Name (eg, city) [Bangalore]:
    Organization Name (eg, company) [FooBar Consulting (P) Ltd]:
    Organizational Unit Name (eg, section) [Internet Division]:
    Common Name (eg, YOUR name) [godzilla.foobar.com]:
    Email Address [shanu@foobar.com]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request (and private key) is in newreq.pem

Use a password different from the root CA password and do not provide a
"challenge password".

2. Sign the request using the root CA key:

    root# ./CA.pl -sign

Type in the root CA's password when prompted.

    shanu@godzilla:~/certs$ ./CA.pl -sign
    Using configuration from /etc/ssl/openssl.cnf
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'IN'
    stateOrProvinceName   :PRINTABLE:'Karnataka'
    localityName          :PRINTABLE:'Bangalore'
    organizationName      :PRINTABLE:'FooBar Consulting (P) Ltd'
    organizationalUnitName:PRINTABLE:'Internet Division'
    commonName            :PRINTABLE:'godzilla.foobar.com'
    emailAddress          :IA5STRING:'shanu@foobar.com'
    Certificate is to be certified until Apr 11 14:23:09 2003 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem

The above steps will create 2 new files in the certs/ directory:

    "newcert.pem" - an x509 encoded client certificate
    "newreq.pem"  - an RSA encrypted client private key

3. Decrypt the private key so that it can be used by applications

    root# openssl rsa -in newreq.pem -out server.key

    -----BEGIN RSA PRIVATE KEY-----
    [..]
    -----END RSA PRIVATE KEY-----

"server.key" is the decrypted version of the client's RSA private key.

You may want to rename "newcert.pem" to "server.crt" for better
legibility.

    root# mv newcert.pem server.crt

You now have the following:

    - an x509 server certificate: server.crt
    - a decrypted RSA server private key: server.key
    - and a local issuer (CA) certificate: cacert.crt

This can be used with servers like Apache, Sendmail and OpenLDAP which
require the certificate and keys to be in separate files.

Creating a self contained .pem file
-----------------------------------

Some servers, like imapd, pop3d and stunnel, require a single file which
contains both the RSA private key and the certificate in this format:

    -----BEGIN RSA PRIVATE KEY-----
    [..]
    -----END RSA PRIVATE KEY-----

    -----BEGIN CERTIFICATE-----
    [..]
    -----END CERTIFICATE-----

In order to build a self contained certificate, just copy the relevant
portions of "server.crt" and "server.key" to a new PEM file.
For example, to create "imapd.pem" to be used by the imap-uw IMAP
daemon, copy "server.key" to "imapd.pem":

    root# cp server.key imapd.pem

Add the x509 part of server.crt into imapd.pem. The text portion should
not be copied over.

    root# openssl x509 -in server.crt >> imapd.pem

The "imapd.pem" should now look like this:

    root# cat imapd.pem
    -----BEGIN RSA PRIVATE KEY-----
    [..]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [..]
    -----END CERTIFICATE-----

You should now have a self contained "imapd.pem" file which includes the
server's decrypted RSA private key at the top and the server's SSL
certificate at the bottom with a blank line separating the 2 portions.

NOTE: When you want to create a certificate for a new daemon do not
create a new .pem file, just create a symlink to the .pem file which you
have already created. For instance, if you want to enable POP3s, just
make a symlink to "imapd.pem" called "ipop3d.pem":

    root# ln -sf imapd.pem ipop3d.pem

NOTE: The certificates should be owned by root and should be readable
only by root.

    root# chown root:root imapd.pem
    root# chmod 600 imapd.pem

Checking the Certificate using OpenSSL client
=============================================

Use the OpenSSL s_client to retrieve the SSL certificate from any SSL
port like this:

    root# echo | openssl s_client -showcerts -connect monster:ldaps

Importing the root CA certificate to client applications:
==========================================================

All client applications which try to create a secure connection to the
server will either refuse the connection or warn the user that the
certificate being presented by the server is not a valid certificate and
cannot be trusted.
This is because the client applications (web browsers and mail clients)
have no way of verifying who the issuer of the server certificate is. In
other words, the client does not know the root CA which issued the
certificate to the server you are trying to connect to.

Importing the root CA certificate
=================================

The most common way of importing the root CA certificate is to browse to
the certificate and click on it. The browser will import the
certificate.

Make sure that the root CA certificate ends with a ".crt", which is the
MIME type for a certificate, otherwise the browser might display its
contents instead of importing it.

Place "cacert.crt" somewhere in the HTML directory where it can be
accessed using a URL and then point your browser to this URL.

    http://foo.domain.com/cacert.crt

The browser will prompt you for importing the CA certificate. Make sure
that all the trust options are enabled.

The other way to import the CA certificate is to import it using the
certificate import function of your application.

To verify whether the certificate has been imported, open the
certificate manager property page and click on the "authority" tab. You
should find the newly imported certificate somewhere in the trusted
list.

To confirm that the trust has been established, just make an SSL
connection to the server and you should not be presented with a warning
anymore.

This has been tested on Internet Explorer, Netscape, Mozilla (and
derived browsers) and Opera.
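
A check for the self contained .pem file built in the section above, as an added example that is not part of the original HOWTO: it confirms the decrypted key comes first, the certificate follows, no text portion was copied in, and the mode is 600. The function names are hypothetical and the sample data is constructed placeholder base64.

```shell
# Added example: checks for a combined key+certificate file such as imapd.pem.
# Function names are hypothetical; sample data below is constructed.

# Exit 0 only if FILE has one unencrypted private key block first, then at
# least one certificate block, and nothing outside the PEM blocks.
check_pem_bundle() {
    awk '
        /^-----BEGIN (RSA )?PRIVATE KEY-----$/ {
            if (inblk || certs) bad = 1       # key must come first
            keys++; inblk = 1; next
        }
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inblk || !keys) bad = 1       # certificate follows the key
            certs++; inblk = 1; next
        }
        /^-----END (RSA PRIVATE KEY|PRIVATE KEY|CERTIFICATE)-----$/ {
            if (!inblk) bad = 1
            inblk = 0; next
        }
        /^[ \t]*$/ { next }                   # blank separator lines are fine
        !inblk { bad = 1 }                    # stray text portion of the cert
        inblk && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }  # e.g. ENCRYPTED headers
        END { exit !(keys == 1 && certs >= 1 && !inblk && !bad) }
    ' "$1"
}

# Exit 0 only if FILE is a regular file with mode 600 (rw for owner only).
check_pem_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Exit 0 if key and certificate in FILE share a public key (needs openssl).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Write a constructed sample (placeholder base64, not real key material).
# $1 = output file, $2 = "clean" or "with-text"
write_sample() {
    {
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDREVGR0g=' '-----END RSA PRIVATE KEY-----'
        if [ "$2" = "with-text" ]; then printf '%s\n' 'Certificate:' '    Data:'; fi
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SUpLTE1OT1A=' '-----END CERTIFICATE-----'
    } > "$1"
    chmod 600 "$1"
}
```

On a real file, run check_pem_bundle, check_pem_mode and key_matches_cert against imapd.pem in turn; a non-zero exit status from any of them means the file should be rebuilt before a daemon is pointed at it.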