Configuring OpenSSL
Create OpenSSL configuration file
This sample was created on Ubuntu and Debian servers; for Red Hat and CentOS the path to Apache files is not the same.
On Ubuntu and Debian the Apache path is /etc/apache2; on Red Hat and CentOS it is /etc/httpd.
Edit file /etc/ssl/openssl.cnf
$ vim /etc/ssl/openssl.cnf
RANDFILE = $ENV::SSLDIR/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /opt/ca
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-clr-list/crl.pem
[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"
[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"
Create Certification Authority (CA)
Create folder structure to hold certificates:
$ mkdir /opt/met-ca
$ mkdir /opt/met-ca/certs
$ mkdir /opt/met-ca/crl
$ mkdir /opt/met-ca/newcerts
$ mkdir /opt/met-ca/private
$ mkdir /opt/met-ca/requests
$ touch /opt/met-ca/index.txt
$ echo “01” > /opt/ca/serial
$ echo “01” > /opt/ca/crlnumber
$ chmod 700 /opt/ca
Create public and private self-signed keys for our own Certification Authority (in the example they are valid for 10 years). You will need to specify certificate data and a password to encrypt, and the process will generate two files:
$ openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt
Change key permissions:
$ chmod 600 /opt/met-ca/private/ca.key
Create Apache Certificate
Create a pair of keys. You will need to specify a password and certificate data. This will create the key file (server.key) and the certificate request (server.pem).
$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem
The CA should sign the certificate request. Copy server.pem to the requests directory and sign it.
$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions ssl_server -out requests/server-signed.pem -infiles requests/server.pem
Apache expects PEM format; it is mandatory to convert to this format:
$ openssl x509 -in requests/server-signed.pem -out requests/server.crt
Apache configuration
Copy server.crt and server.key into /etc/apache2/ssl (if the SSL folder does not exist, create it). Change file permissions (server.key should only be readable by the root user; server.crt should be readable by everybody):
$ chmod 400 server.key
$ chmod 444 server.crt
If Apache is not listening on the SSL port, enable it by configuring /etc/apache2/ports.conf:
Listen 80
Listen 443
Enable Apache SSL support:
$ apt-get install libapache-mod-ssl
Tell Apache to load SSL modules:
$ a2enmod ssl
Configure website:
Link the default-ssl file to enable SSL:
$ ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl
Edit /etc/apache2/sites-available/default-ssl (enable the SSL engine and set SSLCertificateFile and SSLCertificateKeyFile)
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
Create user certificate:
To create certificates and sign them with the CA, first create the pair of keys. You will need to specify a password and certificate data. This will create a key (user.key) and a certificate request (user.pem):
$ openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout user.key -out user.pem
With the CA, you need to sign the certificates:
$ cp /tmp/usuario.pem /opt/ca/requests
$ openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_client[/b] -out requests/user-signed.pem -infiles requests/user.pem
Convert the certificate to PKCS#12 to be recognized by the browser.
$ openssl pkcs12 -export -clcerts -in user-signed.pem -inkey usuario.key -out user.p12
The files user-signed.pem, user.pem, and user.key can be deleted.
$ wipe user-signed.pem user.key user.pem
The user.p12 should be installed to allow the user's browser to use it.
Certification revocation
If the server has been compromised, the CA should revoke certificates. To revoke a certificate, check the serial number in /opt/ca/index.txt.
$ openssl ca -config /etc/ssl/openssl.cnf -revoke newcerts/<serial-number>.pem
Create a list of revoked certificates (CRL).
$ openssl ca -config /etc/ssl/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl.pem
To send the list to the browser, it should be converted to DER format:
$ openssl crl -in crl.pem -out ca.crl -outform DER
Now it can be sent to the browser.
Add CRL to Apache
Copy the CRL file to the Apache SSL folder:
$ cp /tmp/crl.pem /etc/apache2/ssl/ca.crl
Modify /etc/apache2/sites-available/default-ssl and add SSLCARevocationFile:
SSLCARevocationFile /etc/apache2/ssl/ca.crl
Restart Apache service.