TLS/SSL Certificate creation

This article is about SSL server certificates to be used for virtual hosts and back-ends in Airlock Gateway in production systems.

• The following instructions describe how to
• generate an OpenSSL config file,
• create a pair of keys,
• request a certificate with a Certificate Signing Request (CSR) OR create a self-signed certificate.

You should have basic knowledge of the Public Key Infrastructure (PKI) and SSL certificates in specific.

You do not need an official server certificate to test your server with SSL enabled. Airlock Gateway contains a self-signed test-certificate which is available for virtual hosts and back-ends.

Note that browsers will display a warning when using our test certificates.

1. Create an openssl config file openssl.conf with the following command:
copy



# ssh root@airlock 
# cat > /opt/airlock/custom-settings/openssl.conf << EOF  
[ req ] 
default_bits                    = 2048 
distinguished_name              = req_distinguished_name 
 
[ req_distinguished_name ] 
countryName                     = Country Name (eg, CH) 
countryName_default             = Country 
countryName_min                 = 2 
countryName_max                 = 2 
stateOrProvinceName             = State or Province Name 
stateOrProvinceName_default     = State 
localityName                    = Locality Name (eg, city) 
0.organizationName              = Organization Name 
0.organizationName_default      = Internet Widgits Pty Ltd 
organizationalUnitName          = Organizational Unit Name 
commonName                      = Common Name (eg, FQDN) 
commonName_max                  = 64 
emailAddress                    = Email Address 
emailAddress_max                = 64 
EOF

2. A new openssl.conf has been created.

To customize your openssl.conf, use the -config option e.g:

# openssl req -config /opt/airlock/custom-settings/openssl.conf -new -days 365 -key host.key -out host.csrk

A key pair consists of a private and a public key. The private key is security-sensitive and must be kept secret. It should always be encrypted with a strong passphrase or password.

1. Choose a key-length of at least 2048 bit (better 4096 bit) and a strong passphrase or password. Encrypt the private key using the -des3 option for triple-DES encryption:
copy



# ssh root@airlock 
# cd /tmp 
# openssl genrsa -des3 -out host.key 2048 
Generating RSA private key, 2048 bit long modulus 
.......+++ 
...................................................................+++ 
e is 65537 (0x10001) 
Enter passphrase: ******** 
Verifying - Enter passphrase: ********

2. A passphrase-protected private key in the file host.key has been created. This key is PEM-encoded and can be copied as text from the command line to your PC.
3. Make a security-backup of your host.key file.

You can either request a certificate with a Certificate Signing Request (CSR) from a Certificate Authority (CA) or sign your own certificate.

• Certificates that are signed by CAs that are widely trusted (e.g. Verisign, Entrust or Thawte) are recommended for most use cases.
• Most browsers and operating systems can authenticate certificates of those CAs by their set of standard root certificates.
• Browsers will display a warning when using self-signed certificates such as our test certificates, which cannot be verified by any of the installed root certificates.

When creating a CSR, you must follow some conventions. The following characters must not be used: < > ~ ! @ # $ % ^ * / \ ( ) ? . , & (the '@' and '.' characters are allowed for the email address).

0. Request a certificate

To request (and buy) a certificate from a CA, you have to create a CSR file first.

1. Call the CSR command and provide the details for your certificate. Do not enter extra attributes at the prompt:
copy



# openssl req -new -key host.key -out host.csr 
Enter pass phrase for host.key: ******** 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [Country]:CH 
State or Province Name (full name) [Some-State]:ZH 
Locality Name (eg, city) []:Zuerich 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG 
Organizational Unit Name (eg, section) []:Internet 
Common Name (FQDN) []:www.mycompany.ch 
Email Address []:admin@mycompany.ch

2. A valid CSR file has been created.
3. Use your host.csr file to request a certificate from your chosen CA:
• -Follow your CAs instructions on how to request a certificate in detail.
• -If asked, inform the CA that the webserver type is Apache with mod_ssl.

0. Self-sign a certificate
1. To create a self-signed certificate, use the following command:
copy



# openssl req -new -key host.key -out host.cert -x509 -days 365 
Enter pass phrase for host.key: ******** 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [Country]:CH 
State or Province Name (full name) [Some-State]:ZH 
Locality Name (eg, city) []:Zuerich 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG 
Organizational Unit Name (eg, section) []:Internet 
Common Name (FQDN) []:www.mycompany.ch 
Email Address []:admin@mycompany.ch

Import and configure your virtual host and your back-end host as required. See Submenu – Certificates on how to do this.

• Internal links:
• External knowledge source: Roots and Intermediates – Exploring the certificate chain...
• External comparison source: List of free trial SSL certificate providers