Creating X.509 Certificates With OpenSSL

Overview

This procedure describes one of the ways to use OpenSSL to create an X.509 certificate file and an associated RSA key file for use as SSL/TLS server credentials. The following assumptions are made in this discussion:

    The operating system is Fedora 10 with the Gnome desktop installed.
    OpenSSL will be used with mod_ssl for Apache Server 2.2.xx.

Install OpenSSL

1. Start the Package Manager from the Add/Remove Software entry on the System/Administration menu.

2. Enter openssl in the search box in the upper left column and click Find. When the search has completed, scroll down to the package named The OpenSSL toolkit. If the openssl package is not already installed, check the missing package and click the Apply button at the bottom right.
Configuration

1. Open a terminal window and sign in as root. Navigate to the /etc/pki/tls folder and open the openssl.cnf file with a text editor:

    [jay@fedora10 jay]$ su
    Password:
    [root@fedora10 jay]# cd /etc/pki/tls
    [root@fedora10 tls]# gedit openssl.cnf

2. Scroll down to the section titled [ req_distinguished_name ].
3. For each variable whose name ends in _default, enter the information appropriate to the certificate's location. Uncomment variables as required. Save and close the edited file.

4. Using a web browser, download the following script archive to a temporary folder: http://jaywheeler.users.sourceforge.net/scripts/makesslcert.tgz

5. Untar the archive (tar -xvf makesslcert.tgz), then move the script named makesslcert to the /usr/local/bin folder. Set the owner (root:root) and permissions (755) appropriately.
6. makesslcert is a shell script designed for use with Fedora (8 and newer). It has, however, been installed and used successfully on FreeBSD (7 and 8) and Ubuntu (9 and 10) after editing the file locations. Navigate to the installation folder and edit the script file. Locate the comment block shown below:

    # User defined settings
    openssl=/usr/bin/openssl
    apache_dir=/etc/httpd/conf
    ssl_subdir_cert=ssl.crt
    ssl_subdir_key=ssl.key
    ssl_pem_passphrase=ewdesigns          # -a = -pass   pem password phrase
    ssl_pem_name=server.pem               # -p = -key    pem file name
    ssl_cert_name=server.crt              # -c = -out    X509 certificate file name
    ssl_key_name=server.key               # -k = -out    rsa key file name
    ssl_cert_days=730                     # -t = -days   to expiration
    ssl_cert_cn=fedora13.ewdesigns.lan    # -h = -subj   (host name)
    ssl_cert_debug=0                      # -d = debug level (0 = off)
    # Make changes above this block ONLY

Modify the settings to match the site installation parameters and needs. The settings with a comment following them are passed as parameters to the OpenSSL certificate generator. Alternatively, the parameters can be entered as arguments on the command line when executing the makesslcert script (passing ? as a parameter lists the options).

7. To create a new X.509 certificate and RSA key file, simply execute the script. The files will be placed in the directories configured above.
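As an added check that is not part of the makesslcert script or of this procedure, the POSIX shell functions below perform the same generation step with the OpenSSL options the script passes through (-days, -subj, -out, -keyout) and then verify that the resulting key and certificate belong together, carry the expected CN and have not expired, before SSLCertificateFile and SSLCertificateKeyFile are pointed at them. The output directory, the CN and the file names are assumptions for the demonstration; unlike the script, the key is written unencrypted (-nodes).

```shell
#!/bin/sh
# Added example, not the makesslcert script: create a self-signed X.509
# certificate plus RSA key with the same OpenSSL options the script exposes
# (-days, -subj, -out, -keyout) and verify the pair before mod_ssl uses it.
# OUTDIR, the CN and the file names are constructed for this demonstration.
set -eu

OPENSSL=${OPENSSL:-/usr/bin/openssl}      # same default as the script
[ -x "$OPENSSL" ] || OPENSSL=openssl      # fall back to a PATH lookup

# make_selfsigned OUTDIR CN DAYS
#   Writes OUTDIR/server.key (unencrypted, -nodes, so no pass phrase dialog
#   is needed when httpd starts) and OUTDIR/server.crt, valid for DAYS days.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"   # private key: owner read/write only
}

# key_matches_cert KEYFILE CRTFILE
#   Succeeds only when the certificate's public key is the public half of
#   KEYFILE; a mismatched SSLCertificateFile/SSLCertificateKeyFile pair
#   fails here instead of at httpd start-up.
key_matches_cert() {
    k=$("$OPENSSL" pkey -in "$1" -pubout 2>/dev/null) || k=""
    c=$("$OPENSSL" x509 -in "$2" -noout -pubkey 2>/dev/null) || c=""
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRTFILE -> prints the subject CN, which should equal ServerName
cert_cn() {
    "$OPENSSL" x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for CRTFILE SECONDS -> succeeds if the certificate will still
#   be valid SECONDS from now (handy in a cron job that warns before the
#   configured 730 days run out)
cert_valid_for() {
    "$OPENSSL" x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```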
Configuring mod_ssl for use with Apache server

1. Start the Package Manager from the Add/Remove Software entry on the System/Administration menu (see above for help).

2. Enter mod_ssl in the search box in the upper left column and click Find. When the search has completed, scroll down to the package named SSL/TLS module for the Apache HTTP Server. If the mod_ssl package is not already installed, check the missing package and click Apply at the bottom right.

3. After the package has been downloaded and installed, exit the software updater. Start a terminal, su to root and navigate to /etc/httpd/conf. Edit the file named httpd.conf.

4. Locate Section 3: Virtual Hosts:

    # Section 3: Virtual Hosts
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerAdmin admin@earthwalkvillage.com
        DocumentRoot /Data10/Internet/www
        ServerName fedora10.ewdesigns.lan
        ErrorLog /var/log/httpd/ssl_error_log
        CustomLog /var/log/httpd/ssl_access_log common
        LogLevel debug
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    </VirtualHost>

5. If there is no default VirtualHost, add the definition shown above. If it is already there, modify it to look similar to the one displayed above. Remember to change the settings to match those used by the Apache server installation and the location of the generated certificate(s).
6. Save the file, navigate to /etc/httpd/conf.d, and edit the file named ssl.conf. Modify the file contents to, at a minimum, look similar to the file shown below:

    LoadModule ssl_module modules/mod_ssl.so
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex default
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin

    <VirtualHost _default_:443>
        ErrorLog /var/log/httpd/ssl_error_log
        TransferLog /var/log/httpd/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

Save the modified file.

7. Restart the Apache HTTPD server (/usr/sbin/apachectl restart).