
How to use OpenSSL

Posted: 04 Jan, 2008
Updated: 04 Jan, 2008

OpenSSL is an open source library that can be used to implement Transport Layer Security.

First check that the openssl binary is present:

$ which openssl
/usr/bin/openssl

The openssl command can be used to generate a private key, a certificate signing request (CSR) and a self-signed certificate.

1. Generating an RSA key for a domain.

An RSA private key for a domain can be generated with the following command.

# openssl genrsa -out domainname.key 1024

The "-des3" option can be added to this command to password-protect the key. Password-protecting a server key is always treated as a bad idea, because the passphrase then has to be typed in every time the web server starts.

2. Generating a CSR from the key.

To do this, issue the following command.

# openssl req -new -key domainname.key -out domainname.csr

Here we need to provide information such as country name, state, etc.

When prompted for the Common Name, be sure to give the fully qualified domain name for which the certificate will be installed.

The email address given is commonly used by the CA to contact you.

The fields "A challenge password []:" and "An optional company name []:" should be left blank.

The generated CSR can be checked with the command:

# openssl req -noout -text -in domainname.csr

If no problems are found, it can be forwarded to a CA for certificate generation.

3. Creating a self-signed certificate.

A temporary self-signed certificate can be generated from the key and CSR created above.

# openssl x509 -req -days 30 -in domainname.csr -signkey domainname.key -out domainname.cert

The -days argument specifies how long the certificate will be valid for.

OR

Alternatively, we can create a certificate directly from the key itself:

# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert

Here all the information such as country name, state, etc. will be prompted for.

4. Verifying that an RSA key and certificate match.

The RSA key and certificate can be checked to see whether they belong together. Save the key as key.txt and the certificate as crt.txt, then execute the following commands.

# openssl rsa -modulus -noout -in key.txt | openssl md5 > key.out
# openssl x509 -modulus -noout -in crt.txt | openssl md5 > crt.out

The first command hashes the modulus of the key and the second hashes the modulus of the certificate, storing the results in key.out and crt.out. If the contents of key.out and crt.out match, the RSA key and certificate match each other.

# diff key.out crt.out
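Sections 1 to 4 can be run unattended from one script. The following is an added example, not part of the original article: it uses -subj to avoid the interactive prompts, generates a 2048-bit key (an assumption, larger than the 1024 bits shown above), and performs the modulus comparison without temporary files. The file prefix and domain name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive version of
# sections 1-4. Key size, domain and file prefix are assumptions.
set -eu

# Generate $1.key, $1.csr and a 30-day self-signed $1.cert for domain $2.
# -subj supplies the Common Name so openssl req does not prompt.
make_self_signed() {
    prefix=$1
    domain=$2
    openssl genrsa -out "$prefix.key" 2048 2>/dev/null
    openssl req -new -key "$prefix.key" -subj "/CN=$domain" \
        -out "$prefix.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$prefix.csr" -signkey "$prefix.key" \
        -out "$prefix.cert" 2>/dev/null
}

# Return 0 if the RSA modulus in key $1 equals the modulus in certificate $2.
# Same check as the article's key.out / crt.out comparison, done in memory.
key_matches_cert() {
    key_sum=$(openssl rsa -modulus -noout -in "$1" | openssl md5)
    crt_sum=$(openssl x509 -modulus -noout -in "$2" | openssl md5)
    [ "$key_sum" = "$crt_sum" ]
}

# Demonstration run when invoked as: sh script.sh <prefix> <domain>
if [ $# -eq 2 ]; then
    make_self_signed "$1" "$2"
    if key_matches_cert "$1.key" "$1.cert"; then
        echo "key and certificate match"
    else
        echo "key and certificate do NOT match" >&2
        exit 1
    fi
fi
```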

5. Viewing details of an RSA key, CSR and certificate.

The following commands can be used to view the details of a key, CSR and certificate.

Key

# openssl rsa -noout -text -in domainname.key

CSR

# openssl req -noout -text -in domainname.csr

Cert

# openssl x509 -noout -text -in domainname.crt

6. Installing the certificate on machines without a control panel.

If no control panel is available on the server, SSL can be installed for a domain with the following steps.

a) Copy the RSA key to /usr/share/ssl/private and the certificate to /usr/share/ssl/certs.

b) Add the following lines to httpd.conf:

<IfDefine SSL>
<VirtualHost IPaddress:443>
ServerAdmin webmaster@domainname.net
DocumentRoot /home/<username>/public_html
ServerName domainname.net
ServerAlias www.domainname.net
UseCanonicalName off
UserDir public_html
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/www.domainname.net.crt
SSLCertificateKeyFile /usr/share/ssl/private/www.domainname.net.key
SSLCACertificateFile /usr/share/ssl/certs/www.domainname.cabundle
SSLLogFile /usr/local/apache/domlogs/domainname.net-ssl_data_log
CustomLog /usr/local/apache/domlogs/domainname.net-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

Comments

04 Jan, 2008   |  prasad
It is a nice article. Thank you Uwaiz :-)