Getting a certificate to add SSL capability to a public web server
We need to serve pages on a public web server over https as well as http. To do that we need a certificate signed by a Certificate Authority (CA) that browsers and operating systems already trust.
This page documents the process we went through for one particular web server.
Generate a private key and Certificate Signing Request (CSR)
I'm using openssl at an OS X command line; Linux is the same. On Windows you need an OpenSSL build, such as the one bundled with Git for Windows or Cygwin.
Handy list of oft-used openssl commands
Generate new 2048 bit RSA private key and CSR in one step.
The -out and -keyout parameters name files that will be created: -keyout is the private key, -out is the CSR. Give them meaningful names (e.g. api.ockra.org.key.pem and api.ockra.org.csr.pem) and put them in a directory dedicated to the purpose. Set restrictive permissions on the key so that only the owner can read it and no one can write it (r--------, i.e. chmod 0400).
The -nodes parameter ("no DES") means the private key file is written unencrypted, so the server can start without a passphrase; that is exactly why the file permissions matter. I used the -subj parameter to specify the certificate subject (aka Distinguished Name or DN); if it is omitted, openssl prompts for each value. This is a host certificate for a single host name: the Common Name (CN) portion of the DN is the DNS hostname of the server and must match the name clients use to connect. Note that browsers no longer rely on the CN; they require the hostname in the Subject Alternative Name (SAN) extension. Public CAs generally copy the CN into the SAN of the certificate they issue, but it is safer to request it explicitly in the CSR (OpenSSL 1.1.1 and later accept -addext "subjectAltName=DNS:api.ockra.org").
Verify DN of CSR is what you intended (optional, see man req for more options)
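The two steps above (generate the key and CSR, then verify the CSR) as one added example; this is not the original post's command listing. It is a POSIX shell script that generates a 2048-bit RSA key and CSR for one hostname, locks down the key file, and checks the CSR's CN, SAN and public key before you submit it. The hostname api.example.org and the C/ST/L/O values are placeholders. The SAN is requested through a small config file and -reqexts rather than -addext, because -addext only exists on newer OpenSSL releases.

```shell
#!/bin/sh
# Added example (not the post's own commands): generate an RSA key and a CSR
# for one hostname, lock down the key file, and check the result before
# sending the CSR to a CA.  Hostname and DN values are placeholders.
set -eu

# gen_key_and_csr DIR HOST
# Writes DIR/HOST.key.pem (private key, mode 0400) and DIR/HOST.csr.pem.
# The CSR carries HOST both as the CN and in a subjectAltName extension,
# which is what browsers actually check.
gen_key_and_csr() {
    dir=$1
    host=$2
    key="$dir/$host.key.pem"
    csr="$dir/$host.csr.pem"

    # Minimal req config: an empty DN section (the subject comes from -subj)
    # plus an extensions section requesting the SAN.  Works on any OpenSSL
    # release, unlike the newer -addext shortcut.
    cat >"$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[san]
subjectAltName = DNS:$host
EOF

    # umask inside a subshell so the key file is never group/world readable,
    # not even for the instant between creation and chmod.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$key" -out "$csr" \
            -subj "/C=US/ST=California/L=Oakland/O=Example Org/CN=$host" \
            -config "$dir/csr.cnf" -reqexts san 2>/dev/null
    )
    chmod 0400 "$key"     # r-------- : owner can read, nobody can write
    rm -f "$dir/csr.cnf"
}

# csr_cn CSR -> prints the CN from the CSR subject
# (handles both "CN = x" and "/CN=x" subject formats printed by openssl)
csr_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_has_san CSR HOST -> succeeds if the CSR requests DNS:HOST in its SAN
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# file_mode FILE -> prints the ls-style mode string, e.g. -r--------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# key_matches_csr KEY CSR -> succeeds if the CSR was built from this private
# key (compares the public key extracted from each)
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: sh csr.sh api.example.org [DIR]
if [ "$#" -ge 1 ]; then
    host=$1
    dir=${2:-.}
    gen_key_and_csr "$dir" "$host"
    echo "CN:  $(csr_cn "$dir/$host.csr.pem")"
    csr_has_san "$dir/$host.csr.pem" "$host" && echo "SAN: DNS:$host present"
    echo "key: $(file_mode "$dir/$host.key.pem") $dir/$host.key.pem"
    key_matches_csr "$dir/$host.key.pem" "$dir/$host.csr.pem" && echo "key and CSR match"
fi
```

Run it as `sh csr.sh api.example.org /path/to/certs`. The same public-key comparison is worth repeating later against the certificate the CA returns (`openssl x509 -in api.example.org.crt.pem -noout -pubkey` in place of the `openssl req ... -pubkey` call), which catches a certificate issued from the wrong CSR before it is installed.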
Submit CSR to Certificate Authority and download new signed certificate
The Certificate Authority (CA) will generate and sign a new X.509 SSL certificate based on the values in your CSR.
Typically, from the CA web page, you select the type of certificate (server SSL in this case) and duration, then paste the content of the CSR file generated in step 1 into a text input control. PEM is base64-encoded DER between BEGIN and END lines, so it is plain text; paste the whole file, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
The CA checks that you control the domain named in the CSR (for a standard server certificate, typically via an email to a domain contact, a DNS record, or a file served over http), then generates the certificate and makes it available for download, usually within minutes to a day.
Download the new certificate to a file. I usually name it the same as the key file, replacing 'key' with 'crt', e.g. api.ockra.org.crt.pem. The certificate is public, so file permissions can allow world read access (r--r--r--, i.e. chmod 0444). The CA usually supplies one or more intermediate CA certificates as well; configure the server to send those along with your certificate, or clients that don't already have the intermediate will fail to build a chain to a trusted root.