Tuesday, October 28, 2008

OpenSSL on WINDOWS

This post explains all the steps you need to create your own CA.

Let me summarize what we intend to do here.

First we will create a public cert and a private key for the CA.

Then we'll create a public/private key pair for the server [say WSAS].

The next step is to generate a CSR [Certificate Signing Request] for the server and submit it to the CA.

The CA signs the certificate.

Then we need to convert both the CA's public cert and the server's signed cert from PEM to DER.

After the conversion, the server will import the CA's public cert and the server's signed certificate into its key store.

That's it and we are done.

Let's get started.

First you need to download the Visual C++ 2008 Redistributables from here and install them locally.

Then download and install OpenSSL from here.

Also make sure you have added [JAVA_HOME]\bin to the PATH environment variable.

Let's create the folder structure for our example.

Make sure you have the following folder structure.

[SAMPLE]\ca
[SAMPLE]\ca\certs
[SAMPLE]\ca\crl
[SAMPLE]\ca\newcerts
[SAMPLE]\ca\private
[SAMPLE]\ca\index.txt
[SAMPLE]\wsas

Copy [OPENSSL_HOME]\bin\openssl.cfg to [SAMPLE]\.

Copy [OPENSSL_HOME]\bin\PEM\demoCA\serial to [SAMPLE]\ca.

Let's edit [SAMPLE]\openssl.cfg (the copy we just made): add the following section to the end of the file, making sure you do not break the existing file structure.

####################################################################
[ WSO2WSAS_CA ]

dir = ./ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts

certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber

crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand

x509_extensions = usr_cert
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no

policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Find the following section in [SAMPLE]\openssl.cfg and edit it as below, so that the new section becomes the default CA.

####################################################################
[ ca ]
#default_ca = CA_default
default_ca = WSO2WSAS_CA

####################################################################
Let's create the public/private key pair for the CA first. Answer the prompts (the key passphrase and the CA's subject details) appropriately.

[SAMPLE]\>openssl req -x509 -newkey rsa:1024 -keyout ca\private\cakey.pem -out ca\cacert.pem -config openssl.cfg

Now we can create the public/private key pair for the server and generate the CSR.

[SAMPLE]\>keytool -genkey -alias wso2wsas -keyalg RSA -keystore wsas\wso2wsas.jks

[SAMPLE]\>keytool -certreq -keystore wsas\wso2wsas.jks -alias wso2wsas -file wsas\wso2wsas.cert.req

Next, the CA can sign the server cert.

[SAMPLE]\>openssl ca -config openssl.cfg -out wsas\wso2wsas.pem -infiles wsas\wso2wsas.cert.req

Now we need to convert both the CA's public cert and the server's signed cert from PEM to DER.

[SAMPLE]\>openssl x509 -outform DER -in wsas\wso2wsas.pem -out wsas\wso2wsas.cert

[SAMPLE]\>openssl x509 -outform DER -in ca\cacert.pem -out wsas\wso2wsasca.cert

After the conversion, the server can import the CA's public cert and the server's signed certificate into its key store. The CA cert must be imported first, so that keytool can validate the chain when the server cert is imported under the existing alias.

[SAMPLE]\>keytool -import -file wsas\wso2wsasca.cert -alias wso2wsasca -keystore wsas\wso2wsas.jks

[SAMPLE]\>keytool -import -file wsas\wso2wsas.cert -alias wso2wsas -keystore wsas\wso2wsas.jks

That's it and we are done.
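The same procedure end to end, as an added example that is not part of the original post: it runs on a POSIX shell with only the openssl CLI (the server key pair and CSR come from "openssl req" instead of keytool), answers the prompts with -subj/-nodes/-batch, and finishes with the "openssl verify" chain check the post leaves out. It assumes openssl on PATH, a writable directory passed as the first argument, and uses rsa:2048/sha256 and the constructed CA name "Example Test CA" rather than the post's rsa:1024/sha1.

```shell
# Added example, not from the original post: the post's CA procedure run
# unattended with openssl alone. Assumes POSIX sh, openssl on PATH, $1 writable.
set -e
build_ca_and_sign() (
  work="$1"
  mkdir -p "$work/ca/certs" "$work/ca/crl" "$work/ca/newcerts" "$work/ca/private" "$work/wsas"
  : > "$work/ca/index.txt"      # empty CA database, as in the post
  echo 01 > "$work/ca/serial"   # plays the role of demoCA/serial
  cd "$work"
  # Minimal openssl.cfg: the post's WSO2WSAS_CA section plus the [req]
  # and extension sections that "openssl req" needs to run unattended.
  cat > openssl.cfg <<'EOF'
[ ca ]
default_ca = WSO2WSAS_CA
[ WSO2WSAS_CA ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert
default_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # CA key pair and self-signed cert; -nodes/-subj replace the interactive prompts
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout ca/private/cakey.pem -out ca/cacert.pem -config openssl.cfg
  # Server key pair and CSR (what keytool -genkey / -certreq do in the post)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=wso2wsas" \
    -keyout wsas/wso2wsas.key -out wsas/wso2wsas.cert.req -config openssl.cfg
  # CA signs the CSR; -batch answers the y/n questions
  openssl ca -batch -config openssl.cfg -out wsas/wso2wsas.pem -infiles wsas/wso2wsas.cert.req
  # PEM -> DER as in the post, then check the issued cert actually chains to the CA
  openssl x509 -outform DER -in wsas/wso2wsas.pem -out wsas/wso2wsas.cert
  openssl verify -CAfile ca/cacert.pem wsas/wso2wsas.pem
)
```

Run it as `build_ca_and_sign /path/to/SAMPLE`; a non-zero exit from any step (including the final verify) aborts the whole function because of set -e.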

10 comments:

Anonymous said...

Thanks for your valuable explanation - it's of great help if trying to set up that kind of 'security environment' !

Now I have another question: Imagine you want to create another public/private key pair for a possible client and therefore want to extend the certificate chain (that is, your client certificate now should be signed by the server certificate instead of the CA certificate).

Could you be so kind and give a short explanation on how to accomplish this task using OpenSSL?

Many thanks in advance!

Greetings

Marc

Prabath said...

Hi Marc,

In this case the server acts as an intermediate CA. The procedure is almost the same, except that your new client now produces a CSR for the intermediate CA.

Anyway, when the new client imports the signed cert into his keystore, he should import both the CA's and the intermediate CA's certs first.

Thanks.

- Prabath

Charitha said...

Excellent guide. Thanks Prabath

Anonymous said...

Hi,
I would like to implement this solution on Apache/Tomcat, but I am a little bit confused about the file names.

As you know, if we use the Tomcat native library, which is named tcnative-1.dll (APR), we must use different SSL setting parameters inside the Tomcat server.xml instead of the keystoreFile parameter.

So, could you please tell me, when I follow your implementation, which file corresponds to each of the following parameters (I mean wso2wsas.pem, wso2wsas.cert etc.)?

SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile


Thanks,
Oguz Celikdemir
