Problem

One problem that I found when creating self-signed SSL certificates was trying to remember all the qualifiers that OpenSSL supports and requires. When generating a self-signed SSL certificate you usually have to refer to the OpenSSL man page(s) or usage help; however, it can be simpler.

Solution

The solution to this problem is very simple: the Apache daemon that is packaged with SUSE contains a shell script called “gensslcert”. This shell script generates SSL certificates and moves them into the appropriate directories. By default, the “gensslcert” command generates a certificate based on system details such as your hostname. Once the certificate has been generated, the files are copied to the appropriate directories for the Apache web server, as shown in Figure 1.

fmv-s8230-sk:~ # gensslcert
comment         mod_ssl server certificate
name
C               XY
ST              unknown
L               unknown
U               web server
O               SuSE Linux Web Server
CN              linux-m899.site
email           webmaster@linux-m899.site
srvdays         730
CAdays          2190

creating CA key ...
203370 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
....................................................................................................................+++
...................................................................................+++
e is 65537 (0x10001)

creating CA request/certificate ...
`/etc/apache2/ssl.crt/ca.crt' -> `/srv/www/htdocs/CA.crt'

creating server key ...
203370 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
....++++++
......++++++
e is 65537 (0x10001)

creating server request ...
creating server certificate ...
Signature ok
subject=/C=XY/ST=unknown/L=unknown/O=SuSE Linux Web Server/OU=web server/CN=linux-m899.site/emailAddress=webmaster@linux-m899.site
Getting CA Private Key

Verify: matching certificate & key modulus

Verify: matching certificate signature
/etc/apache2/ssl.crt/server.crt: OK

Figure 1: Generating a default SSL certificate.

As you can see from Figure 1, miscellaneous data was used to generate the SSL certificate. The “gensslcert” command has a qualifier for each field that is required to generate an SSL certificate; Table 1 lists the qualifiers that are available. Figure 1.2 shows the command used to generate an SSL certificate with our appropriate data.

Qualifier   Description
-C          Common name.
-N          Comment.
-c          Country (two letters, e.g. GB).
-s          State.
-l          City.
-o          Organisation.
-u          Organisational Unit.
-n          Fully Qualified Domain Name.
-e          Email Address of Webmaster.
-y          Days Server Cert is valid for.
-Y          Days CA Cert is valid for.

Table 1: “gensslcert” Qualifiers.

fmv-s8230-sk:~ # gensslcert -C "exaple.com" -N "This is an example certificate" -c GB -o "Example Inc" -u "Web Development" -n "www.example.com" -e "root@example.com"
comment         This is an example certificate
name            exaple.com-
C               GB
ST              unknown
L               unknown
U               Web Development
O               Example Inc
CN              www.example.com
email           root@example.com
srvdays         730
CAdays          2190

creating CA key ...
203370 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.......................................................+++
............................................................................+++
e is 65537 (0x10001)

creating CA request/certificate ...
`/etc/apache2/ssl.crt/exaple.com-ca.crt' -> `/srv/www/htdocs/EXAPLE.COM-CA.crt'

creating server key ...
203370 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................................++++++
..............++++++
e is 65537 (0x10001)

creating server request ...
creating server certificate ...
Signature ok
subject=/C=GB/ST=unknown/L=unknown/O=Example Inc/OU=Web Development/CN=www.example.com/emailAddress=root@example.com
Getting CA Private Key

Verify: matching certificate & key modulus

Verify: matching certificate signature
/etc/apache2/ssl.crt/exaple.com-server.crt: OK

Figure 1.2: Customized SSL certificate.

As you can see from Figure 1.2, the defaults have been replaced with the appropriate data. If you now start your Apache web server with SSL, you should be able to see your newly created certificate.
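Figures 1 and 1.2 both report a 1024-bit server key, so it is worth inspecting what was generated before serving it. The script below is an added example, not part of the original article or of gensslcert: it parses `openssl x509 -noout -text` output and flags a short RSA key or a weak signature hash. The 2048-bit threshold, the function names and the sample text are assumptions.

```shell
#!/bin/sh
# Minimum acceptable RSA modulus size in bits (assumption: 2048; the server
# key reported in Figure 1 is 1024 bits).
MIN_RSA_BITS=2048

# Print the RSA key size found in `openssl x509 -noout -text` output on stdin.
# Matches both "RSA Public Key: (1024 bit)" and "Public-Key: (2048 bit)".
cert_key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the signature algorithm from the same text output.
cert_sig_alg() {
    sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1
}

# Read the text output on stdin, print findings, return 1 if any problem.
audit_cert_text() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | cert_key_bits)
    alg=$(printf '%s\n' "$text" | cert_sig_alg)
    rc=0
    if [ -z "$bits" ]; then
        echo "UNKNOWN: no RSA key size found"; rc=1
    elif [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK: RSA key is $bits bits (< $MIN_RSA_BITS)"; rc=1
    fi
    case "$alg" in
        md5*|sha1*) echo "WEAK: signature algorithm $alg"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $bits-bit key, $alg"
    return "$rc"
}

# Audit a certificate file, e.g.: audit_cert /etc/apache2/ssl.crt/server.crt
audit_cert() {
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Constructed sample of the text output (illustrative values; only the
# 1024-bit key size is taken from Figure 1).
SAMPLE_TEXT='Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)'

printf '%s\n' "$SAMPLE_TEXT" | audit_cert_text || true
```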

This entry was posted Tuesday, 19 February, 2008 at 9:02 am