
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working in Linux Fedora systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is the way that many depend on.

All the posts here are my working experiences during my working life, so you can count on it.

I have added the references where I got help in solving IT issues.


Tuesday, March 29, 2011

SSL Certificate Generation in Fedora

If you are using TLS for your web/mail server you need to generate a certificate for the server. SSL certificates can be generated using the openssl command.
Following is the sequence of commands that I have executed to generate a .key, a .csr and a self-signed certificate .crt.
  1. Generate the private key
     openssl genrsa -des3 -out server.key 4096
     When generating the private key it will prompt for a pass phrase; enter a pass phrase for security purposes. This pass phrase is required in many situations, including service restart. If you feel this is too much, you can disable the pass phrase later (as given below).
  2. Generate the certificate request (i.e. .csr)
     openssl req -new -key server.key -out server.csr
     This request can be forwarded to the CA to generate a certificate.
  3. Generate the self-signed certificate using the above generated .csr and .key
     openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  4. If you want to remove the pass phrase from the .key file use the following command
     openssl rsa -in server.key -out server.key.insecure
     This is done because if the .key file needs a pass phrase to use, whenever the service is started the pass phrase will be prompted. In some services, there is a configuration parameter to hard code the pass phrase. If it is set, it will be used by the service whenever required (I have noticed this scenario in dovecot

If you want to view the contents of a PEM format file use the following command
  openssl x509 -text -noout -in server.pem

Verifying the certificates and private keys

Certificate (.crt):
openssl x509 -noout -modulus -in server_certificate.crt | openssl md5

Certificate Request (.csr):
openssl req -noout -modulus -in server_certificate_request.csr | openssl md5

Private Key (.key)
openssl rsa -noout -modulus -in server.key | openssl md5
Compare the outputs (MD5 hashes) of the above commands: the modulus is the same RSA number in all three files, so if the three hashes match, the private key, the request and the certificate belong together; a mismatch means the certificate was not issued for that key.

PKCS12 file (.p12)
openssl pkcs12 -info -in keyStore.p12
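The four generation steps above and the modulus comparison from "Verifying the certificates and private keys", scripted end to end. This is an added example and not code from the blog: the pass phrase, subject and output directory are constructed placeholders, and the `-passin`/`-passout`/`-subj` options are used only so the commands run without interactive prompts (the post's interactive invocations behave the same way).

```shell
#!/bin/sh
# Added example (not from the blog): scripted version of the four openssl
# steps from the post, plus the modulus comparison used to confirm that the
# key, CSR and certificate belong together. The pass phrase, subject and
# directory below are constructed placeholders; in a real deployment the
# pass phrase comes from a prompt or a secrets store, never from a script.
set -eu

BITS="${BITS:-4096}"        # key size used in the post; override for quick tests
PASS="${PASS:-changeit}"    # placeholder pass phrase (constructed)
SUBJ="${SUBJ:-/C=US/ST=Example/L=Example/O=Example Org/CN=mail.example.com}"

# make_certs DIR : write server.key (encrypted), server.csr, server.crt and
# server.key.insecure (pass phrase removed) into DIR.
make_certs() {
    dir="$1"
    mkdir -p "$dir"
    # Step 1: private key, encrypted with a pass phrase (des3 as in the post)
    openssl genrsa -des3 -passout "pass:$PASS" -out "$dir/server.key" "$BITS"
    # Step 2: certificate signing request; -subj replaces the interactive prompts
    openssl req -new -key "$dir/server.key" -passin "pass:$PASS" \
        -subj "$SUBJ" -out "$dir/server.csr"
    # Step 3: self-signed certificate, valid one year, signed with our own key
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "pass:$PASS" -out "$dir/server.crt"
    # Step 4: unencrypted copy so the service can start without a prompt.
    # Only root and the service user should be able to read this file.
    openssl rsa -in "$dir/server.key" -passin "pass:$PASS" \
        -out "$dir/server.key.insecure"
    chmod 600 "$dir/server.key.insecure"
}

# modulus_md5 KIND FILE : MD5 of the RSA modulus, exactly as in the post's
# verification commands (KIND is crt, csr or key).
modulus_md5() {
    case "$1" in
        crt) openssl x509 -noout -modulus -in "$2" ;;
        csr) openssl req  -noout -modulus -in "$2" ;;
        key) openssl rsa  -noout -modulus -in "$2" ;;
    esac | openssl md5
}

# moduli_match DIR : succeed only if certificate, request and key share a modulus
moduli_match() {
    dir="$1"
    crt=$(modulus_md5 crt "$dir/server.crt")
    csr=$(modulus_md5 csr "$dir/server.csr")
    key=$(modulus_md5 key "$dir/server.key.insecure")
    [ "$crt" = "$csr" ] && [ "$csr" = "$key" ]
}

# Run the demo only when asked, e.g.  CERT_DEMO=1 BITS=2048 sh ssl-demo.sh
if [ "${CERT_DEMO:-}" = 1 ]; then
    make_certs ./ssl-demo
    moduli_match ./ssl-demo && echo "key, csr and crt match"
    # same inspection command as in the post, applied to the new certificate
    openssl x509 -text -noout -in ./ssl-demo/server.crt | head -n 12
fi
```

`moduli_match` reads the unencrypted copy so it needs no pass phrase; to check the encrypted `server.key` directly, add `-passin` to the `openssl rsa` call as in `make_certs`. The `chmod 600` matters more than it looks: the whole point of `server.key.insecure` is that anyone who can read it can impersonate the server, so its permissions are the only protection left once the pass phrase is gone.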

Worth read:
http://goodsarves.blogspot.com/2011/03/creating-certificate-authorities-and.html
http://www.sslshopper.com/article-most-common-openssl-commands.html

2 comments:

  1. Thanks for the guide. I think it's working now. I'm attempting to run an e-commerce website and I've been having problems with SSL certificates for quite a while now, keep up the blog =)