SUSE Conversations


Generating Self Signed SSL Certificates



By: DamianMyerscough

February 19, 2008 9:02 am


Problem

One problem that I found when creating self-signed SSL certificates was trying to remember all the qualifiers that OpenSSL supports and requires. When generating a self-signed SSL certificate you usually have to refer to the OpenSSL man page(s) or usage help; however, it can be simpler.

Solution

The solution to this problem is very simple: the Apache daemon that is packaged with SUSE contains a shell script called “gensslcert”. This shell script generates SSL certificates and moves them into the appropriate directories. By default, the “gensslcert” command generates a certificate based on some system details such as your hostname. Once the certificate has been generated, the files are copied to the appropriate directories for the Apache web server, as shown in Figure 1.

fmv-s8230-sk:~ # gensslcert 
comment         mod_ssl server certificate 
name 
C               XY 
ST              unknown 
L               unknown 
U               web server 
O               SuSE Linux Web Server 
CN              linux-m899.site 
email           webmaster@linux-m899.site 
srvdays         730 
CAdays          2190 

creating CA key ... 
203370 semi-random bytes loaded 
Generating RSA private key, 2048 bit long modulus 
....................................................................................................................+++ 
...................................................................................+++ 
e is 65537 (0x10001) 

creating CA request/certificate ... 
`/etc/apache2/ssl.crt/ca.crt' -> `/srv/www/htdocs/CA.crt' 

creating server key ... 
203370 semi-random bytes loaded 
Generating RSA private key, 1024 bit long modulus 
....++++++ 
......++++++ 
e is 65537 (0x10001) 

creating server request ... 
creating server certificate ... 
Signature ok 
subject=/C=XY/ST=unknown/L=unknown/O=SuSE Linux Web Server/OU=web server/CN=linux-m899.site/emailAddress=webmaster@linux-m899.site 
Getting CA Private Key 

Verify: matching certificate & key modulus 

Verify: matching certificate signature 
/etc/apache2/ssl.crt/server.crt: OK

Figure 1: Generating a default SSL certificate.

As you can see from Figure 1, miscellaneous data was used to generate the SSL certificate. The “gensslcert” command has a qualifier for each field that is required to generate an SSL certificate; Table 1 lists the qualifiers that are available. Figure 1.2 shows the command used to generate an SSL certificate with our appropriate data.

Qualifier   Description
-C          Common name.
-N          Comment.
-c          Country (two letters, e.g. GB).
-s          State.
-l          City.
-o          Organisation.
-u          Organisational Unit.
-n          Fully Qualified Domain Name.
-e          Email Address of Webmaster.
-y          Days Server Cert is valid for.
-Y          Days CA Cert is valid for.

Table 1: “gensslcert” Qualifiers.

fmv-s8230-sk:~ # gensslcert -C "exaple.com" -N "This is an example certificate" -c GB -o "Example Inc" -u "Web Development" -n "www.example.com" -e "root@example.com"
comment         This is an example certificate 
name            exaple.com- 
C               GB 
ST              unknown 
L               unknown 
U               Web Development 
O               Example Inc 
CN              www.example.com 
email           root@example.com 
srvdays         730 
CAdays          2190 

creating CA key ... 
203370 semi-random bytes loaded 
Generating RSA private key, 2048 bit long modulus 
.......................................................+++ 
............................................................................+++ 
e is 65537 (0x10001) 

creating CA request/certificate ... 
`/etc/apache2/ssl.crt/exaple.com-ca.crt' -> `/srv/www/htdocs/EXAPLE.COM-CA.crt' 

creating server key ... 
203370 semi-random bytes loaded 
Generating RSA private key, 1024 bit long modulus 
................................++++++ 
..............++++++ 
e is 65537 (0x10001) 

creating server request ... 
creating server certificate ... 
Signature ok 
subject=/C=GB/ST=unknown/L=unknown/O=Example Inc/OU=Web Development/CN=www.example.com/emailAddress=root@example.com 
Getting CA Private Key 

Verify: matching certificate & key modulus 

Verify: matching certificate signature 
/etc/apache2/ssl.crt/exaple.com-server.crt: OK

Figure 1.2: Customized SSL certificate.

As you can see from Figure 1.2, the defaults have been replaced with the appropriate data. If you now start your Apache web server with SSL, you should be able to see your newly created certificate.
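
The steps that Figure 1.2 reports (CA key and certificate, server key, request, CA-signed server certificate, then the two "Verify:" checks) can be reproduced directly with openssl to inspect what was generated. This is an added example, not the gensslcert source and not part of the original article. Note that both figures show a 1024-bit server key, which is below the 2048 bits expected of RSA keys today; the example uses 2048. The scratch directory, file names and CA subject are assumptions.

```sh
#!/bin/sh
# Added example: the stages listed in Figure 1.2, done by hand with openssl in
# a scratch directory (not /etc/apache2). File names, the CA subject and the
# 2048-bit server key are assumptions; validity periods match the figure.

make_ca() {      # $1 = work dir: CA key and self-signed CA certificate (2190 days)
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/ca.key" -days 2190 -out "$1/ca.crt" \
        -subj "/C=GB/O=Example Inc/OU=CA/CN=Example Inc CA" 2>/dev/null
}

make_server() {  # $1 = work dir, $2 = key bits: key, request, CA-signed cert (730 days)
    openssl genrsa -out "$1/server.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=GB/O=Example Inc/OU=Web Development/CN=www.example.com" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days 730 -out "$1/server.crt" 2>/dev/null
}

modulus_matches() {  # "Verify: matching certificate & key modulus"
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

chain_verifies() {   # "Verify: matching certificate signature"
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

key_bits() {         # $1 = certificate file: size of its public key in bits
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone run: build everything, run both checks, report the key size.
work=$(mktemp -d)
make_ca "$work" && make_server "$work" 2048 &&
    modulus_matches "$work" && chain_verifies "$work" &&
    echo "server.crt: OK ($(key_bits "$work/server.crt")-bit key)"
rm -rf "$work"
```

Pointing key_bits at an existing certificate, for example the server.crt path shown in Figure 1, reports the key size gensslcert actually produced.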

Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
