TLS/SSL Certificate creation

Goal

    This article is about SSL server certificates to be used for virtual hosts and back-ends in Airlock Gateway in production systems.

    • The following instructions describe how to
    • generate an OpenSSL config file,
    • create a pair of keys,
    • request a certificate with a Certificate Signing Request (CSR) OR create a self-signed certificate.

    You should have basic knowledge of the Public Key Infrastructure (PKI) and SSL certificates in specific.

You do not need an official server certificate to test your server with SSL enabled. Airlock Gateway contains a self-signed test-certificate which is available for virtual hosts and back-ends.

Note that browsers will display a warning when using our test certificates.

Instruction step 1 – Create own OpenSSL config file

  • 1.
    Create an openssl config file openssl.conf with the following command:
  • copy
    # ssh root@airlock 
    # cat > /opt/airlock/custom-settings/openssl.conf << EOF  
    [ req ] 
    default_bits                    = 2048 
    distinguished_name              = req_distinguished_name 
     
    [ req_distinguished_name ] 
    countryName                     = Country Name (eg, CH) 
    countryName_default             = Country 
    countryName_min                 = 2 
    countryName_max                 = 2 
    stateOrProvinceName             = State or Province Name 
    stateOrProvinceName_default     = State 
    localityName                    = Locality Name (eg, city) 
    0.organizationName              = Organization Name 
    0.organizationName_default      = Internet Widgits Pty Ltd 
    organizationalUnitName          = Organizational Unit Name 
    commonName                      = Common Name (eg, FQDN) 
    commonName_max                  = 64 
    emailAddress                    = Email Address 
    emailAddress_max                = 64 
    EOF
  • A new openssl.conf has been created.

To customize your openssl.conf, use the -config option e.g:

# openssl req -config /opt/airlock/custom-settings/openssl.conf -new -days 365 -key host.key -out host.csrk

Instruction step 2 – Create a pair of keys

A key pair consists of a private and a public key. The private key is security-sensitive and must be kept secret. It should always be encrypted with a strong passphrase or password.

  • 1.
    Choose a key-length of at least 2048 bit (better 4096 bit) and a strong passphrase or password. Encrypt the private key using the -des3 option for triple-DES encryption:
  • copy
    # ssh root@airlock 
    # cd /tmp 
    # openssl genrsa -des3 -out host.key 2048 
    Generating RSA private key, 2048 bit long modulus 
    .......+++ 
    ...................................................................+++ 
    e is 65537 (0x10001) 
    Enter passphrase: ******** 
    Verifying - Enter passphrase: ********
  • A passphrase-protected private key in the file host.key has been created. This key is PEM-encoded and can be copied as text from the command line to your PC.
  • 2.
    Make a security-backup of your host.key file.

Instruction step 3 – Request or self-sign a certificate

You can either request a certificate with a Certificate Signing Request (CSR) from a Certificate Authority (CA) or sign your own certificate.

  • Certificates that are signed by CAs that are widely trusted (e.g. Verisign, Entrust or Thawte) are recommended for most use cases.
  • Most browsers and operating systems can authenticate certificates of those CAs by their set of standard root certificates.
  • Browsers will display a warning when using self-signed certificates such as our test certificates, which cannot be verified by any of the installed root certificates.

When creating a CSR, you must follow some conventions. The following characters must not be used: < > ~ ! @ # $ % ^ * / \ ( ) ? . , & (the '@' and '.' characters are allowed for the email address).

  • Request a certificate
  • To request (and buy) a certificate from a CA, you have to create a CSR file first.

  • 1.
    Call the CSR command and provide the details for your certificate. Do not enter extra attributes at the prompt:
  • copy
    # openssl req -new -key host.key -out host.csr 
    Enter pass phrase for host.key: ******** 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [Country]:CH 
    State or Province Name (full name) [Some-State]:ZH 
    Locality Name (eg, city) []:Zuerich 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG 
    Organizational Unit Name (eg, section) []:Internet 
    Common Name (FQDN) []:www.mycompany.ch 
    Email Address []:admin@mycompany.ch
  • A valid CSR file has been created.
  • 2.
    Use your host.csr file to request a certificate from your chosen CA:
    • -
      Follow your CAs instructions on how to request a certificate in detail.
    • -
      If asked, inform the CA that the webserver type is Apache with mod_ssl.
  • Self-sign a certificate
  • 1.
    To create a self-signed certificate, use the following command:
  • copy
    # openssl req -new -key host.key -out host.cert -x509 -days 365 
    Enter pass phrase for host.key: ******** 
    You are about to be asked to enter information that will be incorporated 
    into your certificate request. 
    What you are about to enter is what is called a Distinguished Name or a DN. 
    There are quite a few fields but you can leave some blank 
    For some fields there will be a default value, 
    If you enter '.', the field will be left blank. 
    ----- 
    Country Name (2 letter code) [Country]:CH 
    State or Province Name (full name) [Some-State]:ZH 
    Locality Name (eg, city) []:Zuerich 
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG 
    Organizational Unit Name (eg, section) []:Internet 
    Common Name (FQDN) []:www.mycompany.ch 
    Email Address []:admin@mycompany.ch

Instruction step 4 – Install the server certificate and its CA chain

Import and configure your virtual host and your back-end host as required. See Submenu – Certificates on how to do this.

Additional information (optional)