TLS/SSL certificate creation
Goal
This article is about SSL server certificates to be used for virtual hosts and back-ends in Airlock Gateway in production systems.
The following instructions describe how to
- generate an OpenSSL config file,
- create a pair of keys,
- request a certificate with a Certificate Signing Request (CSR) OR create a self-signed certificate.
You should have basic knowledge of Public Key Infrastructure (PKI) and of SSL server certificates in particular.
You do not need an official server certificate to test your server with SSL enabled. Airlock Gateway contains a self-signed test certificate which is available for virtual hosts and back-ends.
Note that browsers will display a warning when this test certificate is used, because it cannot be verified against any installed root certificate.
Instruction step 1 – Create own OpenSSL config file
- Create an OpenSSL config file openssl.conf with the following command:
# ssh root@airlock
# cat > /opt/airlock/custom-settings/openssl.conf << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (eg, CH)
countryName_default = Country
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name
commonName = Common Name (eg, FQDN)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
EOF
- A new openssl.conf has been created.
To use your customized openssl.conf, pass it to the openssl commands below with the -config option, e.g.:
# openssl req -config /opt/airlock/custom-settings/openssl.conf -new -key host.key -out host.csr
(The -days option only has an effect together with -x509, i.e. for self-signed certificates, and is not needed for a CSR.)
Instruction step 2 – Create a pair of keys
A key pair consists of a private and a public key. The private key is security-sensitive and must be kept secret. It should always be stored encrypted with a strong passphrase.
- Choose a key length of at least 2048 bit (better 4096 bit) and a strong passphrase. Encrypt the private key with the -des3 option (triple-DES); on current OpenSSL versions prefer -aes256, which encrypts the key with AES-256 instead:
# ssh root@airlock
# cd /tmp
# openssl genrsa -des3 -out host.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
...................................................................+++
e is 65537 (0x10001)
Enter passphrase: ********
Verifying - Enter passphrase: ********
- A passphrase-protected private key in the file host.key has been created. This key is PEM-encoded and can be copied as text from the command line to your PC.
- Make a security backup of your host.key file.
Instruction step 3 – Request or self-sign a certificate
You can either request a certificate from a Certificate Authority (CA) with a Certificate Signing Request (CSR) or sign your own certificate.
- Certificates signed by a widely trusted CA (e.g. Verisign, Entrust or Thawte) are recommended for most use cases.
- Most browsers and operating systems can authenticate certificates of those CAs by means of their pre-installed set of root certificates.
- Browsers will display a warning for self-signed certificates such as our test certificate, which cannot be verified by any of the installed root certificates.
When creating a CSR, observe the following conventions. The characters < > ~ ! @ # $ % ^ * / \ ( ) ? . , & must not be used in the DN fields (the '@' and '.' characters are allowed in the email address). Also note that browsers match the host name against the Subject Alternative Name (SAN) extension, not against the Common Name alone: ask your CA how additional host names are requested, and for a self-signed certificate add a req_extensions section with a subjectAltName entry to your openssl.conf, because the configuration from step 1 does not contain one.
Request a certificate
To request (and buy) a certificate from a CA, you have to create a CSR file first.
- Call the CSR command and provide the details for your certificate. Do not enter extra attributes at the prompt:
# openssl req -new -key host.key -out host.csr
Enter pass phrase for host.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [Country]:CH
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:Zuerich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG
Organizational Unit Name (eg, section) []:Internet
Common Name (FQDN) []:www.mycompany.ch
Email Address []:admin@mycompany.ch
- A valid CSR file has been created.
- Use your host.csr file to request a certificate from your chosen CA:
- Follow your CA's instructions on how to request a certificate in detail.
- If asked, tell the CA that the web server type is Apache with mod_ssl.
Self-sign a certificate
- To create a self-signed certificate, use the following command:
# openssl req -new -key host.key -out host.cert -x509 -days 365
Enter pass phrase for host.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [Country]:CH
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:Zuerich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCompany AG
Organizational Unit Name (eg, section) []:Internet
Common Name (FQDN) []:www.mycompany.ch
Email Address []:admin@mycompany.ch
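Steps 1 to 3 as one added example script (this is not part of the original article and not Airlock Gateway code): it writes an openssl.conf that additionally carries a Subject Alternative Name section, generates an AES-256-encrypted RSA key, creates a CSR and a self-signed certificate from that key, and then verifies the results with openssl itself. The host names www.mycompany.ch and mycompany.ch and the DN values are taken from the prompts shown above; the passphrase is read from the PASSPHRASE environment variable with a placeholder default so the script can run unattended, which is an assumption made for the example and not how a production passphrase should be handled. It assumes a local openssl CLI (1.1.1 or 3.x) and writes its files into a temporary directory rather than /opt/airlock/custom-settings.

```shell
#!/bin/sh
# Added example, not from the Airlock Gateway article: key, CSR and
# self-signed certificate with a SAN extension, plus verification.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Placeholder passphrase (constructed for the example); pass your own via
# the PASSPHRASE environment variable, or better, let openssl prompt for it.
PASSPHRASE="${PASSPHRASE:-example-passphrase-change-me}"

# Like the article's openssl.conf, but with prompt=no (values are fixed
# below) and a v3_req section that adds the Subject Alternative Names,
# which browsers use instead of the Common Name for host name matching.
write_config() {
cat > "$WORKDIR/openssl.conf" << 'EOF'
[ req ]
default_bits           = 4096
default_md             = sha256
prompt                 = no
distinguished_name     = req_distinguished_name
req_extensions         = v3_req

[ req_distinguished_name ]
countryName            = CH
stateOrProvinceName    = ZH
localityName           = Zuerich
organizationName       = myCompany AG
organizationalUnitName = Internet
commonName             = www.mycompany.ch

[ v3_req ]
subjectAltName         = @alt_names
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth

[ alt_names ]
DNS.1 = www.mycompany.ch
DNS.2 = mycompany.ch
EOF
}

# Step 2: 4096-bit RSA key, encrypted with AES-256 instead of triple-DES.
make_key() {
  openssl genrsa -aes256 -passout "pass:$PASSPHRASE" \
    -out "$WORKDIR/host.key" 4096
}

# Step 3a: CSR; the SAN comes from req_extensions in the config.
make_csr() {
  openssl req -config "$WORKDIR/openssl.conf" -new \
    -key "$WORKDIR/host.key" -passin "pass:$PASSPHRASE" \
    -out "$WORKDIR/host.csr"
}

# Step 3b: self-signed certificate; -extensions selects the same section,
# since -x509 otherwise looks for x509_extensions rather than req_extensions.
make_selfsigned() {
  openssl req -config "$WORKDIR/openssl.conf" -new -x509 -days 365 \
    -extensions v3_req \
    -key "$WORKDIR/host.key" -passin "pass:$PASSPHRASE" \
    -out "$WORKDIR/host.cert"
}

# The CSR's self-signature must verify and it must request the given SAN.
check_csr() {
  openssl req -in "$WORKDIR/host.csr" -noout -verify >/dev/null 2>&1 &&
  openssl req -in "$WORKDIR/host.csr" -noout -text | grep -q "DNS:$1"
}

# The certificate must be self-signed (issuer equals subject), carry the
# given SAN, and its public key must belong to host.key (same RSA modulus).
check_cert() {
  cert="$WORKDIR/host.cert"
  subj=$(openssl x509 -in "$cert" -noout -subject)
  iss=$(openssl x509 -in "$cert" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] &&
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$1" &&
  key_mod=$(openssl rsa -in "$WORKDIR/host.key" -passin "pass:$PASSPHRASE" -noout -modulus) &&
  cert_mod=$(openssl x509 -in "$cert" -noout -modulus) &&
  [ "$key_mod" = "$cert_mod" ]
}

run_all() {
  write_config && make_key && make_csr && make_selfsigned &&
  check_csr www.mycompany.ch && check_cert www.mycompany.ch
}

# Set EXAMPLE_RUN=1 to execute the whole procedure when running the file.
if [ "${EXAMPLE_RUN:-0}" = "1" ]; then
  run_all && echo "key, CSR and certificate written to $WORKDIR"
fi
```

The two check functions are the part worth keeping in your own workflow: before sending a CSR to a CA or importing a certificate into the gateway, confirm that the SAN list contains every host name the virtual host will serve and that the certificate's modulus matches the private key you are about to upload with it.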
Instruction step 4 – Install the server certificate and its CA chain
Import the server certificate, its private key and the CA chain, then assign them to your virtual host and your back-end host as required. See Submenu – Certificates on how to do this.
Further information and links
Internal links:
- External knowledge source: Roots and Intermediates – Exploring the certificate chain...
- External comparison source: List of free trial SSL certificate providers