Generating Self Signed SSL Certificates
Problem
One problem I found when creating self-signed SSL certificates was trying to remember all the qualifiers that OpenSSL supports and requires. When generating a self-signed SSL certificate you usually have to refer to the OpenSSL man page(s) or usage help; however, it can be simpler.
Solution
The solution to this problem is very simple: the Apache daemon packaged with SUSE contains a shell script called “gensslcert”. This shell script generates SSL certificates and moves them into the appropriate directories. By default the “gensslcert” command generates a certificate based on some system details, such as your hostname. Once the certificate has been generated, the files are copied to the appropriate directories for the Apache web server, as shown in Figure 1.
fmv-s8230-sk:~ # gensslcert
comment   mod_ssl server certificate
name
C         XY
ST        unknown
L         unknown
U         web server
O         SuSE Linux Web Server
CN        linux-m899.site
email     webmaster@linux-m899.site
srvdays   730
CAdays    2190
creating CA key ...
203370 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
....................................................................................................................+++
...................................................................................+++
e is 65537 (0x10001)
creating CA request/certificate ...
`/etc/apache2/ssl.crt/ca.crt' -> `/srv/www/htdocs/CA.crt'
creating server key ...
203370 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
....++++++
......++++++
e is 65537 (0x10001)
creating server request ...
creating server certificate ...
Signature ok
subject=/C=XY/ST=unknown/L=unknown/O=SuSE Linux Web Server/OU=web server/CN=linux-m899.site/emailAddress=webmaster@linux-m899.site
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache2/ssl.crt/server.crt: OK
Figure 1: Generating a default SSL certificate.
As you can see from Figure 1, miscellaneous default data was used to generate the SSL certificate. The “gensslcert” command has a qualifier for each field that is required to generate an SSL certificate; Table 1 lists the qualifiers that are available. Figure 1.2 shows the command used to generate an SSL certificate with our own data.
Qualifier | Description |
--- | --- |
-C | Common name. |
-N | Comment. |
-c | Country (two letters, e.g. GB). |
-s | State. |
-l | City. |
-O | Organisation. |
-u | Organisational Unit. |
-n | Fully Qualified Domain Name. |
-e | Email Address of Webmaster. |
-y | Days Server Cert is valid for. |
-Y | Days CA Cert is valid for. |
Table 1: “gensslcert” Qualifiers.
fmv-s8230-sk:~ # gensslcert -C "exaple.com" -N "This is an example certificate" -c GB -o "Example Inc" -u "Web Development" -n "www.example.com" -e "root@example.com"
comment   This is an example certificate
name      exaple.com-
C         GB
ST        unknown
L         unknown
U         Web Development
O         Example Inc
CN        www.example.com
email     root@example.com
srvdays   730
CAdays    2190
creating CA key ...
203370 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.......................................................+++
............................................................................+++
e is 65537 (0x10001)
creating CA request/certificate ...
`/etc/apache2/ssl.crt/exaple.com-ca.crt' -> `/srv/www/htdocs/EXAPLE.COM-CA.crt'
creating server key ...
203370 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
................................++++++
..............++++++
e is 65537 (0x10001)
creating server request ...
creating server certificate ...
Signature ok
subject=/C=GB/ST=unknown/L=unknown/O=Example Inc/OU=Web Development/CN=www.example.com/emailAddress=root@example.com
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache2/ssl.crt/exaple.com-server.crt: OK
Figure 1.2: Customized SSL certificate.
As you can see from Figure 1.2, the defaults have been replaced with our own data. If you now start your Apache web server with SSL enabled, you should be able to see your newly created certificate.
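The steps that “gensslcert” performs in Figures 1 and 1.2 (a private CA, a server key and request, signing, then the two “Verify:” checks) reproduced with plain openssl, as an added example that is not the SUSE script itself. The output directory and the subject values are constructed; the server key is 2048 bits rather than the 1024 bits shown in the figures, because current browsers reject 1024-bit RSA.

```shell
#!/bin/sh
# Added example, not gensslcert: the same CA -> server key -> CSR -> signed
# certificate sequence with openssl, using the fields from Table 1.
set -eu

OUT="${1:-$(mktemp -d)}"   # constructed: gensslcert writes to /etc/apache2/ssl.*
SUBJ="/C=GB/ST=unknown/L=unknown/O=Example Inc/OU=Web Development/CN=www.example.com/emailAddress=root@example.com"
SRVDAYS=730    # -y, server certificate lifetime
CADAYS=2190    # -Y, CA certificate lifetime

# 1. "creating CA key / CA request/certificate": 2048-bit key, self-signed CA.
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CADAYS" \
    -subj "/C=GB/O=Example Inc/CN=Example Inc CA" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
}

# 2. "creating server key / request / certificate": key and CSR with the
#    Table 1 subject, then the CSR is signed by the CA from step 1.
gen_server() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" \
    -keyout "$OUT/server.key" -out "$OUT/server.csr" 2>/dev/null
  openssl x509 -req -in "$OUT/server.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days "$SRVDAYS" -sha256 -out "$OUT/server.crt" 2>/dev/null
}

# 3. The two checks gensslcert prints last: the certificate's public modulus
#    equals the private key's, and the certificate chains to the CA.
verify_pair() {
  cert_mod=$(openssl x509 -noout -modulus -in "$OUT/server.crt")
  key_mod=$(openssl rsa -noout -modulus -in "$OUT/server.key" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || { echo "certificate/key modulus mismatch" >&2; return 1; }
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/server.crt" >/dev/null || return 1
  echo "Verify: matching certificate & key modulus"
  echo "Verify: matching certificate signature"
}

gen_ca
gen_server
verify_pair
openssl x509 -noout -subject -dates -in "$OUT/server.crt"
```

Point Apache's SSLCertificateFile and SSLCertificateKeyFile at server.crt and server.key to use the result; the CA certificate is what you distribute to clients that should trust it.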