How to generate certificates
In this section we look at how to generate a private/public key pair and how the digital signature for the public key is created. EMu supports three kinds of public digital certificate: self signed, root signed and chain signed. Each is examined below, with the appropriate commands for OpenSSL (via the openssl command).

A self signed certificate is one where the certificate Issuer is the same as the certificate Subject. In other words the certificate is used to verify itself. In order for the certificate to be trusted the certificate must be included with the client CA certificates. Self signed certificates are used when you only need one certificate (for example if you only have one EMu server and all clients connect to that server). As the certificate is self signed it has not been verified by an external agency and so should be used for internal use only. The steps required to generate the required files are:

Create your private key. The key is a 2048 bit RSA key stored in PEM (Privacy Enhanced Mail, a Base64 encoding of the key) format. It is readable as ASCII text:
openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..++++++
...++++++
e is 65537 (0x10001)
The file server.key now contains your private key. Remember to keep it safe!

Using the private key generated in the first step the public digital certificate is generated. A number of questions will be asked as part of the creation process. It is important that the Common Name (CN) is set to the full host name of your EMu server machine (e.g. emu.institution.org). Support for wild card host names is provided by replacing any leading component of the name with an asterisk (e.g. *.institution.org, or *.org):
openssl req -new -x509 -key server.key -out server.crt -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KE Software Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.mel.kesoftware.com
Email Address []:info@mel.kesoftware.com
The resulting public digital certificate will be stored in PEM format in server.crt.
You can view the contents of the public certificate using:
openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f5:02:b4:7d:c3:5b:ad:a7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Victoria, L=Melbourne, O=KE Software Pty Ltd, CN=*.mel.kesoftware.com/emailAddress=info@mel.kesoftware.com
Validity
Not Before: Nov 19 11:47:46 2010 GMT
Not After : Nov 18 11:47:46 2013 GMT
Subject: C=AU, ST=Victoria, L=Melbourne, O=KE Software Pty Ltd, CN=*.mel.kesoftware.com/emailAddress=info@mel.kesoftware.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:c9:0f:04:8f:cd:98:5f:d9:c6:3b:00:54:b2:
88:07:9b:06:4c:ea:f2:41:74:a3:68:7d:16:2a:de:
cf:bb:cf:73:d5:97:f2:d8:4e:38:b1:7d:a8:94:48:
5b:4a:fd:92:3b:45:8c:1b:ce:85:e5:18:2e:c1:60:
db:4d:09:32:46:72:b4:a3:f1:f8:ab:96:4a:db:a5:
4c:32:6d:83:ee:f9:02:4e:8f:f1:8b:ba:b4:62:b6:
29:00:97:fb:3b:06:73:a2:56:5f:04:2c:79:3e:2e:
f8:1b:eb:f5:8b:a6:cf:6b:56:bd:74:16:cb:53:a6:
91:dd:ec:af:7a:77:40:b0:e5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F6:72:9C:A4:91:C2:E2:51:70:26:05:FE:06:C3:E4:E9:4F:AF:A0:D5
X509v3 Authority Key Identifier:
keyid:F6:72:9C:A4:91:C2:E2:51:70:26:05:FE:06:C3:E4:E9:4F:AF:A0:D5
DirName:/C=AU/ST=Victoria/L=Melbourne/O=KE Software Pty Ltd/CN=*.mel.kesoftware.com/emailAddress=info@mel.kesoftware.com
serial:F5:02:B4:7D:C3:5B:AD:A7
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
4c:89:a2:57:d2:3b:3a:11:70:63:41:56:4e:b6:36:8e:28:c5:
29:d7:7d:22:86:c4:43:90:4f:74:d1:31:32:7f:39:d8:f3:20:
80:05:53:99:cd:17:28:b8:16:3b:a3:9a:84:ae:2c:08:f5:b0:
11:6a:d5:ba:42:81:9d:e7:36:8f:39:9d:b4:15:13:52:23:fc:
37:f6:5c:88:39:f9:9b:d1:e0:06:82:3f:e2:56:a3:f3:83:55:
4d:8b:7c:69:a3:bc:fb:3a:66:18:f2:07:67:bc:39:54:28:c3:
eb:3e:5c:d9:89:d8:ea:c7:d2:c4:fe:87:ee:24:e0:ce:c0:4f:
d1:e7
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

We now have the two files we require:
server.key - private key (must be kept safe)
server.crt - self signed public digital certificate
On the EMu server these two files should be placed in the directory $TEXHOME/etc/certs, where $TEXHOME contains the location where Texpress is installed. Suitable permissions should be set on the private key file:
mv server.key server.crt $TEXHOME/etc/certs
chmod 644 $TEXHOME/etc/certs/server.crt
su root
Password:
chown root $TEXHOME/etc/certs/server.key
chmod 400 $TEXHOME/etc/certs/server.key
exit
Next, the public certificate should be stored on the EMu server for use by API based programs (TexAPI and texql.pm):
cp $TEXHOME/etc/certs/server.crt $EMUPATH/etc/certs
chmod 644 $EMUPATH/etc/certs/server.crt
Finally, on EMu Windows client machines the server.crt file must be placed in a directory called certs in the same location as the EMu executable (EMu.exe).
Now that all the required files are in the right place it is possible to connect using encrypted connections. As mentioned earlier, the -s option for texserver may be used to enforce secure connections.
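As an added, non-interactive version of the self signed procedure above (an example script, not part of EMu or KE Software's tooling): it generates the key and the self signed certificate with -subj in place of the prompts, then runs the checks worth doing before the files go into $TEXHOME/etc/certs: the public key in server.crt really belongs to server.key, Issuer equals Subject, the certificate verifies when it is its own trust anchor (the situation on a client that has it in its certs directory), and its CN covers the host name clients will use. WORKDIR, HOST and the DN fields are constructed values. It signs with -sha256 because SHA-1 certificate signatures, as in the sha1WithRSAEncryption shown in the output above, are rejected by current TLS stacks; current OpenSSL releases default to SHA-256 anyway.

```shell
#!/bin/sh
# Added example (not KE Software's own tooling): self signed certificate,
# generated without prompts, followed by the checks worth running before
# the files are installed. WORKDIR, HOST and the DN fields are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-emu.example.org}"   # constructed; use the full host name of your EMu server

# Step 1: 2048 bit RSA private key in PEM. umask 077 in a subshell means the
# file is never readable by other users, not even briefly.
gen_key() {
    (umask 077; openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null)
}

# Step 2: self signed certificate. -subj replaces the interactive DN prompts;
# the CN carries the host name. -sha256 instead of the SHA-1 seen on the page.
gen_selfsigned() {
    openssl req -new -x509 -sha256 -key "$WORKDIR/server.key" \
        -subj "/C=AU/ST=Victoria/L=Melbourne/O=Example Org/CN=$HOST" \
        -days 1095 -out "$WORKDIR/server.crt"
}

# Check 1: the public key inside server.crt is the one derived from server.key.
key_matches_cert() {
    k=$(openssl pkey -in "$WORKDIR/server.key" -pubout | openssl md5)
    c=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey | openssl md5)
    [ "$k" = "$c" ]
}

# Check 2: Issuer equals Subject, which is what "self signed" means.
is_self_signed() {
    i=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
    s=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# Check 3: the certificate verifies when it is itself the only trusted CA,
# which is the situation on a client that has server.crt in its certs directory.
verifies_against_itself() {
    openssl verify -CAfile "$WORKDIR/server.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Check 4: the CN (or a SAN) matches the name clients will connect to.
cert_covers_host() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkhost "$1" | grep -q "does match"
}

# Permissions as prescribed on the page: 0400 on the key, 0644 on the certificate
# (chown root belongs to the installation step and needs root).
set_perms() {
    chmod 400 "$WORKDIR/server.key"
    chmod 644 "$WORKDIR/server.crt"
}

# Mode string of the key file as ls shows it, e.g. "-r--------".
key_mode_string() { ls -l "$WORKDIR/server.key" | cut -c1-10; }

main() {
    gen_key && gen_selfsigned
    key_matches_cert && is_self_signed && verifies_against_itself \
        && cert_covers_host "$HOST" || { echo "certificate checks failed" >&2; exit 1; }
    set_perms
    echo "server.key and server.crt ready in $WORKDIR (key mode $(key_mode_string))"
}
main
```

Run it as `HOST=emu.institution.org sh selfsigned.sh`; the files land in a fresh temporary directory and can then be moved into $TEXHOME/etc/certs as described above. The negative case of check 4 (a name the certificate does not cover) is the one to try when a client reports a name mismatch.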

A root signed certificate is a public digital certificate created and verified by an external entity. You forward a certificate request to the external entity and they return the signed public digital certificate. Root entities distribute their CA certificates (really just a special form of self signed certificate) for all to use, allowing any certificate signed by them to be verified. Root signed certificates are used when you need a verifiable certificate for external use.
The steps required to generate the required files are:

Create your private key. The key is a 2048 bit RSA key stored in PEM (Privacy Enhanced Mail, a Base64 encoding of the key) format. It is readable as ASCII text:
openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..++++++
...++++++
e is 65537 (0x10001)
The file server.key now contains your private key.

We use the private key generated in the first step to create a certificate signing request (CSR). The file generated will contain the Subject information without an Issuer being assigned, that is a certificate that has not yet been signed. The resulting file, server.csr, is then sent to an external entity for signing (e.g. Verisign):
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KE Software Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.mel.kesoftware.com
Email Address []:info@mel.kesoftware.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Once the external entity has verified the Subject information in the request they will generate a public digital certificate and return it to you. You should save the certificate in a file called server.crt.
You can view the contents of the certificate signing request using:
openssl req -in server.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=AU, ST=Victoria, L=Melbourne, O=KE Software Pty Ltd, CN=*.mel.kesoftware.com/emailAddress=info@mel.kesoftware.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c4:c9:0f:04:8f:cd:98:5f:d9:c6:3b:00:54:b2:
88:07:9b:06:4c:ea:f2:41:74:a3:68:7d:16:2a:de:
cf:bb:cf:73:d5:97:f2:d8:4e:38:b1:7d:a8:94:48:
5b:4a:fd:92:3b:45:8c:1b:ce:85:e5:18:2e:c1:60:
db:4d:09:32:46:72:b4:a3:f1:f8:ab:96:4a:db:a5:
4c:32:6d:83:ee:f9:02:4e:8f:f1:8b:ba:b4:62:b6:
29:00:97:fb:3b:06:73:a2:56:5f:04:2c:79:3e:2e:
f8:1b:eb:f5:8b:a6:cf:6b:56:bd:74:16:cb:53:a6:
91:dd:ec:af:7a:77:40:b0:e5
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
ae:e0:68:b8:fe:56:53:5e:f4:f4:e0:8d:19:2c:62:ee:ee:83:
01:d2:8d:55:d0:2d:18:b8:18:0a:f2:5b:c4:a5:da:75:fd:ca:
87:69:cd:3f:2e:7c:9e:a2:c2:b7:b1:4a:bd:85:2e:24:84:8d:
cc:81:64:9d:0c:a4:ad:c4:c5:54:4d:cf:22:dc:08:51:3f:ed:
6d:45:d6:91:e3:a6:c0:7e:2e:f0:0f:9e:be:70:ef:6a:f8:2c:
93:59:8d:90:ca:23:c4:07:f9:ae:2c:09:03:fd:cf:43:d6:b7:
8c:2e:48:96:28:98:5c:c3:e8:66:55:b3:4a:8d:bb:c8:d0:bb:
c8:41

The process for installing the two files server.key (private key) and server.crt (public certificate) is exactly the same as for a self signed certificate.

A chain signed certificate is a certificate that is not self signed and is not root signed. In order for the certificate to be verified, the Issuer of the certificate is verified, then the Issuer of the Issuer certificate is verified and so on until either a self signed or root signed certificate is encountered. If the top certificate is root signed, then the chain signed certificate has the same level of verification as if the certificate had been root signed directly. If the top certificate is self signed, then the level of verification is the same as for any other self signed certificate. Chain signed certificates are used where you will be generating multiple certificates and you only want to distribute one CA certificate to verify them all. The only CA required is the top level self signed or root signed certificate.
The steps below outline how to produce a self signed CA certificate that can then be used to sign all other certificates generated. If you require a root signed CA certificate, you need to generate a certificate signing request (as per the previous section) and have the external entity generate the CA certificate.

The first step creates a self signed CA certificate. The CA certificate is the "root" certificate used to sign (and hence verify) all other certificates we generate. The public digital certificate of the CA certificate needs to be installed on client machines. We only need to generate the CA certificate once.
echo "01" > ca.srl
openssl req -new -x509 -nodes -extensions v3_ca -keyout ca.key -out ca.crt -days 365
Generating a 2048 bit RSA private key
................................++++++
.........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KE Software Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:KE Software CA certificate
Email Address []:info@mel.kesoftware.com

Once we have the CA certificate we can generate a new certificate. The first step is to generate the private key:
openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.++++++
..++++++
e is 65537 (0x10001)

We use the private key generated in the previous step to create a certificate signing request (CSR). The file generated will contain the Subject information without an Issuer being assigned, that is a certificate that has not been signed. Make sure Common Name is set to the host name of your EMu server.
openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KE Software Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.mel.kesoftware.com
Email Address []:info@mel.kesoftware.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Using our CA certificate we sign the CSR to produce our public digital certificate:
openssl x509 -CA ca.crt -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
Signature ok
subject=/C=AU/ST=Victoria/L=Melbourne/O=KE Software Pty Ltd/CN=*.mel.kesoftware.com/emailAddress=info@mel.kesoftware.com
Getting CA Private Key

A certificate chain is simply the concatenation of all the signing public certificates from the certificate just generated to the root certificate (there may be any number of intermediate certificates). As we only have one CA in the chain in this example we do not need to concatenate the certificates, however if more than one CA has been used all certificates in the chain must be placed in one file. While not required for this example we will concatenate the certificates anyway (it does not hurt):
cat server.crt ca.crt > chain.crt

First we install the private key and chain certificates on the EMu server:
mv server.key $TEXHOME/etc/certs/server.key
mv chain.crt $TEXHOME/etc/certs/server.crt
chmod 644 $TEXHOME/etc/certs/server.crt
su root
Password:
chown root $TEXHOME/etc/certs/server.key
chmod 400 $TEXHOME/etc/certs/server.key
exit
Next, the public CA certificate should be stored on the EMu server for use by API based programs (TexAPI and texql.pm):
cp ca.crt $EMUPATH/etc/certs
chmod 644 $EMUPATH/etc/certs/ca.crt
Finally, on EMu Windows client machines the ca.crt file must be placed in a directory called certs in the same location as the EMu executable (EMu.exe).
Now that the CA certificate is installed on the EMu clients there is no need to add any further files when generating new certificates signed by the same CA certificate.
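As an added example covering both the CSR step of the root signed case and the complete chain signed procedure above (an example script, not part of EMu or KE Software's tooling): it creates the CA once, issues certificates for two constructed server names from CSRs, builds the chain file, and then demonstrates the property this section relies on: a client trusting only ca.crt verifies every certificate the CA signed, while a client holding only server.crt cannot, because a certificate that is not self signed is not its own trust anchor. Each CSR is checked before it is signed (its self-signature verifies and its CN names the EMu host), which is the same check to make before sending a CSR to an external entity. Host names and DNs are constructed. Note that -nodes, as used on the page, stores ca.key unencrypted, so the script creates it with mode 0400 and it deserves the same care as server.key.

```shell
#!/bin/sh
# Added example (not KE Software's own tooling): a private CA, CSRs for EMu
# servers signed by it, the concatenated chain, and the checks a client's
# trust decision actually depends on. Host names and DNs are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJ="/C=AU/O=Example Org/CN=Example Org CA certificate"   # constructed

# Step 1 (once): CA key + self signed CA certificate. -nodes, as on the page,
# leaves ca.key unencrypted on disk, so it is created mode 0400 from the start.
make_ca() {
    echo "01" > "$WORKDIR/ca.srl"
    (umask 077; openssl req -new -x509 -nodes -sha256 -extensions v3_ca \
        -subj "$CA_SUBJ" -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -days 365 2>/dev/null)
}

# Step 2: private key + CSR for one server. The CSR holds Subject and public
# key only; the Issuer is assigned when the CA signs. $1 = file prefix, $2 = host.
make_csr() {
    (umask 077; openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$WORKDIR/$1.key" \
        -subj "/C=AU/O=Example Org/CN=$2" -out "$WORKDIR/$1.csr"
}

# Before a CSR leaves your hands (to an external entity or to your own CA):
# its self-signature must verify and its CN must be the EMu host name.
csr_is_sound() {
    openssl req -in "$WORKDIR/$1.csr" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$WORKDIR/$1.csr" -noout -subject | grep -q "CN *= *$2"
}

# Step 3: the CA signs the CSR (what the external entity does in the root signed case).
sign_csr() {
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$1.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAserial "$WORKDIR/ca.srl" \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Step 4: chain file = leaf first, then each signer up to the root.
make_chain() { cat "$WORKDIR/$1.crt" "$WORKDIR/ca.crt" > "$WORKDIR/$1-chain.crt"; }

issue_cert() { make_csr "$1" "$2" && csr_is_sound "$1" "$2" && sign_csr "$1" && make_chain "$1"; }

# The Issuer of the leaf must be the Subject of the CA: that is the link a
# client follows when it walks the chain.
issuer_is_ca() {
    i=$(openssl x509 -in "$WORKDIR/$1.crt" -noout -issuer)
    s=$(openssl x509 -in "$WORKDIR/ca.crt" -noout -subject)
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# A client that trusts only ca.crt verifies every certificate the CA issued...
verifies_with_ca() { openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1; }

# ...whereas a client holding only the server certificate (no ca.crt) cannot:
# a certificate that is not self signed is not its own trust anchor.
verifies_without_ca() { openssl verify -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1; }

# The name check clients perform against the CN (or SAN) of the leaf.
cert_covers_host() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -checkhost "$2" | grep -q "does match"
}

main() {
    make_ca
    issue_cert server emu.example.org      # constructed host name
    issue_cert server2 emu2.example.org    # second server, same CA: no new client files needed
    for n in server server2; do
        issuer_is_ca "$n" && verifies_with_ca "$n" || { echo "$n failed" >&2; exit 1; }
    done
    echo "CA and server certificates ready in $WORKDIR"
}
main
```

The files produced for each server are name.key, name.csr, name.crt and name-chain.crt; the chain file is what goes into $TEXHOME/etc/certs/server.crt, and ca.crt is the only file the clients and $EMUPATH/etc/certs need. Running verifies_without_ca on a leaf is a quick way to confirm that a client which is failing to connect is missing ca.crt rather than holding a bad server certificate.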