Monday, March 26, 2007

A Simple Step-By-Step Guide of SSL Key Management With OpenSSL

This is a simplified step-by-step guide to managing SSL keys with OpenSSL. For further information, run man openssl.

1. Become a root certificate authority (CA)

  • $openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650
  • This requests a new (-new) self-signed (-x509) root certificate, writing the private key (-keyout) to "ca.key" and the certificate (-out) to "ca.crt", valid for 10 years (-days 3650).

2. View the contents of the certificate
  • $openssl x509 -in ca.crt -noout -text
  • $openssl x509 -in ca.crt -noout -dates
  • $openssl x509 -in ca.crt -noout -purpose

3. Create the certificate signing request
  • This request is generated by those who want their certificate to be signed by the root CA.
  • $openssl req -new -nodes -keyout my.key -out my.csr -days 365
  • If paranoid, remove the -nodes option so that the private key is encrypted and password protected.

4. Signing a certificate
  • $openssl ca -out my.crt -in my.csr
  • Optionally, remove the human-readable portions of the certificate:
    • $openssl x509 -in my.crt -out my-nohuman-readable.crt

5. Deployment of certificates
  • The following files, my.key, my.crt and ca.crt, are needed by an application using SSL.
  • Some applications require both the key and the certificate in one file (here named server.key and server.crt), which can be achieved by running:
    • $cat server.key server.crt > key-cert.pem
  • For applications using SSL/TLS, Diffie-Hellman parameters may be required on the server side. Create the DH parameters (2048 bits) by issuing:
    • $openssl dhparam -out dh2048.pem 2048

6. Certificate Revocation List (CRL)
  • $openssl ca -gencrl -crldays 30 -out rootca.crl

7. Renewing and revoking certificates
  • Both the root certificate and the other signed certificates are subject to expiry.
  • If the root certificate expires, a new root CA certificate must be created and distributed. All other certificates that it signed must also be re-created and signed.
  • Other certificates can be renewed by first revoking the old certificate, then either re-signing the original request or doing another round of the request-and-sign procedure. To revoke a certificate, issue the following command:
    • $openssl ca -revoke expire.crt
  • Regenerate the CRL afterwards if necessary.
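As an added example (not code from the original post), the following POSIX shell script runs steps 1, 3, 4, 6 and 7 end to end and adds the verification the guide leaves out: checking the signed certificate against the CA and its CRL before and after revocation. It assumes openssl is on PATH; the scratch CA directory, the minimal openssl.cnf and the subject names are constructed for the demo.

```sh
# Added example (not from the original post): runs the guide's steps without
# prompts in a scratch dir and checks them. Assumes openssl on PATH; names are constructed.
set -eu
CADIR="${CADIR:-$(mktemp -d)}"
# Config that 'openssl ca' (steps 4, 6, 7) needs and the guide leaves implicit.
setup_ca_dir() {
    mkdir -p "$CADIR/newcerts"; touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# Steps 1, 3, 4, 6 without prompts (-subj, -batch). Validity is set when
# signing, not on the CSR; -notext drops the human-readable part (step 4).
build_pki() {
    setup_ca_dir && cd "$CADIR"
    openssl req -config openssl.cnf -new -x509 -nodes -newkey rsa:2048 \
        -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt -days 3650
    openssl req -config openssl.cnf -new -nodes -newkey rsa:2048 \
        -subj "/CN=demo.example" -keyout my.key -out my.csr
    openssl ca -config openssl.cnf -batch -notext -days 365 -in my.csr -out my.crt
    openssl ca -config openssl.cnf -gencrl -crldays 30 -out rootca.crl
}
# Step 7: revoke the leaf and regenerate the CRL so relying parties see it.
revoke_leaf() {
    openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/my.crt"
    openssl ca -config "$CADIR/openssl.cnf" -gencrl -crldays 30 -out "$CADIR/rootca.crl"
}
# The check the guide omits: chain validation plus CRL lookup; OK until revoked.
verify_leaf() {
    openssl verify -crl_check -CAfile "$CADIR/ca.crt" \
        -CRLfile "$CADIR/rootca.crl" "$CADIR/my.crt" 2>&1 | grep -q ': OK$'
}
```

Run build_pki, then verify_leaf (succeeds), revoke_leaf, and verify_leaf again (fails) to see the CRL take effect; clients that never consult the CRL would still accept the revoked certificate.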
