Introduction
============

This document will briefly explain how to set up your own CA and generate
server certificates using openssl.

First you need to have the following three files. There is a zip package
that includes a statically linked openssl.exe along with the other two files
on the Orenosp homepage.

  openssl.exe   openssl utility program. This is built statically from the
                OpenSSL 0.9.7d distribution.
  openssl.cnf   An openssl configuration file needed when generating
                certificates et al. This is from the OpenSSL 0.9.7d
                distribution. (OPENSSL_HOME/apps/openssl.cnf)
  CA.pl         A perl script to facilitate CA creation. Calls openssl.exe
                internally. This is from the OpenSSL 0.9.7d distribution.
                (OPENSSL_HOME/apps/CA.pl)

You will also need a Perl runtime to execute CA.pl. Install either:

  - ActivePerl (for full-fledged Perl development)
    http://www.activestate.com/Products/ActivePerl/
  - IndigoPerl
    http://www.indigostar.com/indigoperl.htm

The latter can be used with minimum impact on your Windows installation.
You can download the zip file from:
  ftp://ftp.indigostar.com/pub/indigoperl-5.6.zip

Extract the following 2 files from the zip file and place them in the same
directory as the openssl files:

  PERL56.DLL    The perl dynamic link library needed for PERL.EXE
  PERL.EXE      The executable file needed to run the perl script that
                creates the CA.

Preparation
===========

- Decide which directory to put these files in. Hereafter we assume it's
  c:\progs\openssl.

    unzip openssl.zip to c:\progs\openssl

- Set the location of the openssl.cnf file via an environment variable:

    >cd c:\progs\openssl
    >set OPENSSL_CONF=c:\progs\openssl\openssl.cnf

When you follow the procedures below, be sure to work in this environment
with OPENSSL_CONF correctly set.
Creating your own CA and server's certificate
==============================================

1) make a new CA

    > perl CA.pl -newca

   It will ask you:
   - CA certificate filename (or enter to create): just press Enter
   - PEM pass phrase (password) for the private key of the new CA
   - values for many attributes in the CA certificate. Some values are
     required for a test CA; to give you just an example:
       Country Name (C)              = JP, US, whatever
       Organization Name (O)         = home-servers-org
       Organizational Unit Name (OU) = me-here
       Common Name (CN)              = Test-CA
     Other fields are optional and you can leave them blank.

   Note: Write down the values entered! You will need to enter most of them
   again later!

   This will do:
   - create a CA database named 'demoCA' and set up a directory tree for it
     under the current directory.
   - make a new CA certificate and private key. Internally it runs:

       openssl req -new -x509 -days 3650 -newkey rsa:2048 \
           -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem

     and stores them in the demoCA database.

2) make a private key for the server

    > openssl genrsa -des3 -out newkey.pem 1024

   It will ask you:
   - pass phrase for the private key for the new server certificate

   This will do:
   - create a file named "newkey.pem" in the current directory

   Info: When running the above command it says:
       warning, not much extra random data, consider using the -rand option
   However, the openssl random number generator is correctly initialized,
   so you shouldn't have to worry about it.

3) make a CSR (certificate signing request) for our server

    > openssl req -new -days 3650 -key newkey.pem -out newreq.pem

   It will ask you:
   - pass phrase for the private key "newkey.pem" that you typed in step 2)
   - values for many attributes in the new certificate. Input the same
     values as in step 1, except that you put your server's DNS name in
     Common Name:
       Common Name (CN) = mybox.dydns.org
   - 'extra' attributes such as a challenge password and optional company
     name should be left blank.
   This will do:
   - create a file named "newreq.pem" in the current directory

4) have the CA sign the server's request

    > openssl ca -in newreq.pem -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out svcert.pem -days 3650

   It will ask you:
   - pass phrase for the private key "cakey.pem" (private key of the CA)
     which you just typed in step 1)

   If this step is successful, you will be asked:
   - Sign the certificate? [y/n]: y
   - 1 out of 1 certificate requests certified, commit? [y/n]

   You will then see:
   - Write out database with 1 new entries
   - Data Base Updated

   In the c:\progs\openssl directory, you'll find:
     svcert.pem : server certificate for your server
     newkey.pem : private key for the server certificate
     newreq.pem : CSR (no longer necessary, but you can keep it for easier
                  renewal)

   Rename svcert.pem to server.crt and newkey.pem to server.key and install
   them according to readme_en.txt. It is also important that you keep the
   CA database (demoCA) intact.

Obtaining a commercially signed certificate for your server
===========================================================

If you plan to buy a commercial server certificate, follow this section to
create a CSR. Basically you will follow the same steps 2) and 3) above. Your
vendor will do steps 1) and 4). So instead of step 4) you will send the CSR
to your vendor to sign it.

- make a private key for the server (step 2)
- make a CSR for the server (step 3)
- send it to your CA
- receive the CA-signed certificate for your server

Renewing your server certificate
================================

Note: make sure you have version 0.9.7b or later of openssl.exe (do
"openssl version" to find out).

To determine the validity duration of the current server certificate, do:

    > openssl x509 -in svcert.pem -text            (print everything in cert)
    > openssl x509 -in svcert.pem -dates -noout    (just start/end dates)

You first have to revoke the existing certificate.
This is necessary even if the certificate has already expired, because we
need to update the CA's internal database.

    > openssl ca -revoke svcert.pem

or you can specify the copy of the certificate stored in the CA database:

    > openssl ca -revoke demoCA/newcerts/01.pem

This will do: simply update the demoCA/index.txt state file.

Now there are three cases:
(a) you just want to renew the certificate, with no change in any
    information or the private key.
(b) you want the same information but use a new private key.
(c) you want to change some of the information in the certificate.

Steps for (a)

You or the CA (that's you also) must have the old CSR (request). Since CSRs
are not automatically stored in the CA's database, you had to save it
somewhere (you may want to save it along with your private key). If not, go
to the steps for (b).

In this case you just regenerate a new certificate with a new expiry date:

    > openssl ca -in newreq.pem -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out renewed_svcert.pem -days 3650

This will do:
- generate a renewed certificate and store it as renewed_svcert.pem, as well
  as storing it in the CA database.

Steps for (b)

You need:
- existing or new private key
- existing server certificate

You will create a new CSR (certificate signing request) based on the existing
server certificate and private key, and have it signed by the CA (i.e.,
generate a renewed certificate).
Assume that you still have your existing private key and server certificate
as:
  newkey.pem - private key
  svcert.pem - existing server certificate

Create a new CSR from your existing certificate and private key:

    > openssl x509 -in svcert.pem -x509toreq -signkey newkey.pem -out renewreq.pem

This will generate:
  renewreq.pem : a new CSR for the renewed certificate

Then, have it signed by the CA:

    > openssl ca -in renewreq.pem -keyfile ./demoCA/private/cakey.pem -cert ./demoCA/cacert.pem -out renewed_svcert.pem -days 3650

This will do:
- generate a renewed certificate and store it as renewed_svcert.pem, as well
  as storing it in the CA database.

Steps for (c)

In this case you have to follow the same instructions as for creating a new
server certificate, after revoking the existing one.

Generating client certificates from your own CA
===============================================

Basically you follow steps 2, 3 and 4, of course assuming that you have
already built your own CA (step 1). This time, the private key and
certificate are for one of your clients, not your server.

To improve end-user usability many browsers support the PKCS#12 format,
where you can put both the private key and the personal certificate in a
single file, often named '*.p12'. It often includes the issuer's certificate
also. This file is also encrypted with a password of your choice.

-- convert private key & certificate (PEM) -> PKCS#12 --

Assuming you have the client's certificate in "new_cli_cert.pem" and the
corresponding private key in "new_cli_key.pem":

    > openssl pkcs12 -export -in new_cli_cert.pem -inkey new_cli_key.pem -out new_cli.p12 -name "Client cert 001"

    -> creates a single PKCS#12 file from the client certificate and key.
       "Client cert 001" is just a "friendly" name for PKCS#12 apps to use
       for display.
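The CA creation in steps 1) to 4), the renewal procedure (revoke, then re-sign) and the client certificate issuance all reduce to the same few openssl invocations, so they can be scripted end to end. The following shell script is an added example; it is not part of the original document or the Orenosp package. It assumes an openssl binary on PATH (1.1.1 or 3.x), writes its own minimal ca.cnf instead of using the distribution's openssl.cnf, uses unencrypted 2048-bit keys and -batch so that nothing prompts, and the file names (ca.cnf, server.key, server.csr, server.crt, renew.csr, renewed.crt, ca.crl) and the subject values are its own choices. It goes one step past the text: after revoking, it issues a CRL and can check that verification rejects the old certificate while accepting the renewed one.

```shell
#!/bin/sh
# Added example, not from the original document: scripted CA creation,
# server certificate issuance, revocation and renewal with openssl.
# File names, subject values and the minimal config are demo assumptions.
set -eu

# Minimal config for "openssl req"/"openssl ca" using the demoCA layout.
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir              = $1/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_loose
x509_extensions  = v3_server
[ policy_loose ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:mybox.dydns.org
EOF
}

# Step 1: demoCA tree, CA key, self-signed CA certificate (10 years).
init_ca() {
  d=$1
  mkdir -p "$d/demoCA/private" "$d/demoCA/newcerts"
  : > "$d/demoCA/index.txt"
  echo 01 > "$d/demoCA/serial"
  write_ca_config "$d"
  openssl genrsa -out "$d/demoCA/private/cakey.pem" 2048 2>/dev/null
  openssl req -config "$d/ca.cnf" -new -x509 -days 3650 -extensions v3_ca \
    -key "$d/demoCA/private/cakey.pem" -out "$d/demoCA/cacert.pem" \
    -subj "/C=JP/O=home-servers-org/OU=me-here/CN=Test-CA"
}

# Step 4 (also used for renewal): the CA signs a CSR without prompting.
sign_csr() {
  openssl ca -config "$1/ca.cnf" -batch -notext -in "$2" -out "$3"
}

# 0 if $2 chains to the CA and is not listed in ca.crl, non-zero otherwise.
chain_ok() {
  openssl verify -crl_check -CAfile "$1/demoCA/cacert.pem" \
    -CRLfile "$1/ca.crl" "$2" >/dev/null 2>&1
}

pki_demo() {
  d=$1
  mkdir -p "$d"
  init_ca "$d"
  # Steps 2 and 3: server key and CSR with the server's DNS name as CN.
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -config "$d/ca.cnf" -new -key "$d/server.key" \
    -out "$d/server.csr" \
    -subj "/C=JP/O=home-servers-org/OU=me-here/CN=mybox.dydns.org"
  sign_csr "$d" "$d/server.csr" "$d/server.crt"
  # Renewal, case (b): revoke, rebuild a CSR from the old cert, re-sign.
  # The old entry becomes 'R' in index.txt, so the same subject may be
  # issued again; extensions come from ca.cnf, not from the old cert.
  openssl ca -config "$d/ca.cnf" -revoke "$d/server.crt"
  openssl x509 -in "$d/server.crt" -x509toreq -signkey "$d/server.key" \
    -out "$d/renew.csr" 2>/dev/null
  sign_csr "$d" "$d/renew.csr" "$d/renewed.crt"
  # Publish the revocation as a CRL so relying parties can check it.
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl"
  openssl x509 -in "$d/renewed.crt" -noout -dates
}

# Run as "sh pki-demo.sh DIR"; with no argument only the functions are defined.
[ $# -eq 0 ] || pki_demo "$1"
```

Running `sh pki-demo.sh ./pki-demo` leaves the same demoCA layout the text describes (index.txt with one R and one V entry, serial 02 pending, newcerts/01.pem and 02.pem) and prints the new validity window with the same `openssl x509 -dates` command used in the renewal section. `chain_ok ./pki-demo ./pki-demo/server.crt` fails with "certificate revoked", while the renewed certificate passes.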
    > openssl pkcs12 -export -in new_cli_cert.pem -inkey new_cli_key.pem -certfile ./demoCA/cacert.pem -out new_cli.p12 -name "Client cert 001" -caname "Demo CA"

    -> creates a single PKCS#12 file from the client certificate, its key and
       the issuer's (CA's) certificate. -name and -caname specify PKCS#12
       friendly names for the client's cert and the CA's cert respectively.

-- convert PKCS#12 -> private key & certificate (PEM) --

    > openssl pkcs12 -in client.p12 -out client.pem

    -> from a single PKCS#12 file, extract the CA cert, client cert and
       private key to a single PEM file

    > openssl pkcs12 -in client.p12 -out client.crt -clcerts -nokeys

    -> from a single PKCS#12 file, extract the client cert to client.crt
       (no private key or CA cert)

    > openssl pkcs12 -in client.p12 -out client.key -nocerts

    -> from a single PKCS#12 file, extract the client private key to
       client.key (no certs)

-- print PKCS#12 structures --

    > openssl pkcs12 -in pfx002.p12 -nodes

-- convert PEM certificate to DER certificate --

    > openssl x509 -in client.pem -inform PEM -out client.cer -outform DER

Windows Certificate Store for Service Programs
==============================================

Orenosp/Orenosv can utilize the Windows Certificate Store (OS-managed
certificate store) as well as its own certificate store. In this section I
will briefly explain how to run the Windows certificate manager to manage
the Windows Certificate Store.

Starting Certificate Manager on Windows 2000/XP/2003

- Run "mmc"
- Select "Add or remove snap-in"
- Select "add", "certificates"
- Select the type of certificate stores to open:
  a) user account : certificate stores that the current user can access
  b) service account : certificate stores a service program can access
  c) computer account : VPN use?
- Select the machine on which the service resides. Usually select the
  local machine.
- Select the service account on that machine whose certificate stores are
  to be managed. Select the "orenosv" or "orenosp" service.
- Open the certificate folder under orenosv\trusted root CA (or
  orenosp\trusted root CA).
  The certificates listed in this folder are trusted by orenosv (or orenosp).
- Right-click on the certificate folder and choose "import" from "All Tasks"
  to add trusted CA certificates.

Links
=====
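For the PKCS#12 conversion and PEM/DER commands in the client certificate section above, here is an added shell example that is not part of the original document or the Orenosp package. It performs the export and extraction round trip and then checks that what comes out of the .p12 and .cer files is the same certificate and key that went in, which is the check a practitioner wants before handing a bundle to a user. It assumes an openssl binary on PATH (1.1.1 or 3.x), generates a throwaway self-signed client certificate from a tiny req config instead of one issued by your own CA, and the file names, the password "demo-secret" and the friendly name are its own choices.

```shell
#!/bin/sh
# Added example, not from the original document: PKCS#12 export/extract
# round trip and PEM<->DER conversion, checking that nothing was altered.
# File names, password and friendly name are demo assumptions.
set -eu

# SHA-256 fingerprint of a certificate ($1 = file, $2 = PEM or DER).
cert_fp() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Public half of a private key in PEM; equal output means the same key.
key_pub() {
  openssl pkey -in "$1" -pubout 2>/dev/null
}

# Throwaway self-signed client cert + key in $1 (stands in for a certificate
# issued by your own CA; the tiny req config avoids depending on the system one).
make_client_cert() {
  printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = CN\n' > "$1/req.cnf"
  openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/new_cli_key.pem" -out "$1/new_cli_cert.pem" \
    -subj "/O=home-servers-org/CN=client001" 2>/dev/null
}

p12_roundtrip() {
  d=$1
  mkdir -p "$d"
  make_client_cert "$d"
  # PEM key + cert -> one password-protected PKCS#12 file with a friendly name.
  openssl pkcs12 -export -in "$d/new_cli_cert.pem" -inkey "$d/new_cli_key.pem" \
    -out "$d/new_cli.p12" -name "Client cert 001" -passout pass:demo-secret
  # PKCS#12 -> certificate only, then -> unencrypted private key only.
  openssl pkcs12 -in "$d/new_cli.p12" -passin pass:demo-secret \
    -out "$d/client.crt" -clcerts -nokeys
  openssl pkcs12 -in "$d/new_cli.p12" -passin pass:demo-secret \
    -out "$d/client.key" -nocerts -nodes
  # PEM -> DER (note -outform DER; -outform PEM would just copy the PEM).
  openssl x509 -in "$d/client.crt" -inform PEM -out "$d/client.cer" -outform DER
  # Every copy must carry the same certificate and the same key.
  orig=$(cert_fp "$d/new_cli_cert.pem" PEM)
  [ "$orig" = "$(cert_fp "$d/client.crt" PEM)" ] || return 1
  [ "$orig" = "$(cert_fp "$d/client.cer" DER)" ] || return 1
  [ "$(key_pub "$d/new_cli_key.pem")" = "$(key_pub "$d/client.key")" ] || return 1
  # The MAC on the .p12 must reject a wrong password rather than yield garbage.
  if openssl pkcs12 -in "$d/new_cli.p12" -passin pass:wrong -nokeys \
       -out /dev/null 2>/dev/null; then
    echo "PKCS#12 accepted a wrong password" >&2
    return 1
  fi
  echo "round trip OK: $orig"
}

# Run as "sh p12-demo.sh DIR"; with no argument only the functions are defined.
[ $# -eq 0 ] || p12_roundtrip "$1"
```

`sh p12-demo.sh ./p12-demo` prints the certificate's SHA-256 fingerprint once all three copies (PEM, the one extracted from the .p12, and the DER .cer) agree; the same `cert_fp` comparison is the quick way to confirm that a certificate imported into a browser or the Windows Certificate Store is the one you issued.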