mail this page
products | company | support | training | contact us
This is a survival guide to the eye-glazing topic of SSL/TLS and X.509 (SSL) certificates - including self-signed certificates. These are elements in what is loosely called a Public Key Infrastructure (PKI).
What are colloquially known as SSL certificates should be referred to as X.509 certificates. The term SSL certificate became common due to the adoption of the X.509 (one of the ITU X.500 Directory standards) certificate format by Netscape when it designed the original versions of the SSL protocol, eons ago, when the world was still young and the Internet was a friendly place. The term 'SSL certificate' has persisted simply because given the choice of saying SSL certificate or 'X.509 certificate' which would you choose?
The current guide includes SSL, TLS, some detail about X.509 and its usage as well as some explanation about EV certificates and the trust process. Creating self-signed certificates is presented as a worked example of the use of the OpenSSL package.
You can either buy an SSL (X.509) certificate or generate your own (a self-signed certificate) for testing or, depending on the application, even in a production environment. Good news: If you self-sign your certificates you may save a ton of money. Bad news: If you self-sign your certificates nobody but you and your close family (perhaps) may trust them. But before you shell out all that filthy lucre for a bright, shiny new X.509 (SSL) certificate or the even more expensive EV SSL (X.509) certificate you might want to know what they do and how they do it. And if your eyes glaze over when people start talking about SSL, security and certificates - start glazing now. This stuff ain't fun.
The major use of SSL (X.509) certificates is in conjunction with the SSL/TLS protocol. Secure Sockets Layer (SSL) is a Netscape protocol originally created in 1992 to exchange information securely between a web server and a browser where the underlying network was insecure. It has gone through various iterations and is now at version 3 (dating from 1995) and used in a variety of client<->server applications. The IETF standardized Transport Layer Security (TLS) Version 1, a minor variation of SSL, in RFC 2246, Version 1.1 in RFC 4346 and Version 1.2 in RFC 5246. In addition a number of extensions are defined in RFC 3546 when TLS is used in bandwidth constrained systems such as wireless networks. When a secure connection is initially established it will, depending on the implementation, negotiate support of the particular protocol from the set SSLv2, SSLv3, TLSv1, TLSv1.1 or TLSv1.2. Such is the pervasive power of the name SSL that in most cases what is called SSL is most likely using TLS - for instance OpenSSL supports both SSL (v2 and v3) and TLS (TLSv1, TLSv1.1 and TLSv1.2) protocols. While there are detail differences between SSL and TLS the following descriptions apply to both protocols.
SSL/TLS runs on top of TCP but below the end user protocol that it secures such as HTTP or IMAP as shown in Figure 1.
Figure 1 - SSL Layering.
SSL/TLS does not have a well-known port number - instead when used with a higher layer protocol, such as HTTP, that protocol designates a secure variant, HTTPS in the case of HTTP, which does have a well-known (or default) port number. The designation HTTPS simply indicates that normal HTTP is being run on top of an SSL/TLS connection, which runs over TCP. In the case of HTTPS the well-known port number is 443, in the case of IMAPS - port 993, POP3S - port 995 etc..
The next level of description requires some familiarity with the terms MAC (Message Authentication Code), Secure hashes, symmetric and asymmetric cryptographic algorithms. For those not comfortable with these terms they are covered in in this survival guide. You may want to lie down for a while in a darkened room after reading this stuff.
A related protocol, Datagram Transport Layer Security (DTLS), defines a secure service when used with UDP (RFC 6347). While the priciples are similar to TLS this guide does not discuss DTLS further.
The term TLS 1.2 Suite B (defined by RFC 6460) defines a cipher suite (see below) compatible with NSA Suite B Cryptography and is only relevant when TLS is used for US national security applications.
When a secure connection is established using SSL/TLS, for example using HTTPS (default port 443), an exchange of messages occur between the client - which always initiates the connection - and a server. The first set of messages are called the Handshake Protocol after which both client and server enter the Record (or Data) Protocol. The exchange of messages during the Handshake Protocol achieves the following objectives:
Establishes the protocol variant to be used from the supported set (depending on the implementation) of SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 - the latest possible variant will always be used, thus TLSv1 would always be used in preference to SSLv3 assuming both client and server support both. The client offers a list - the server makes the choice from the offered list.
Sending of authentication data. The server sends authentication information most normally in the form of (wrapped in) an X.509 (SSL) certificate but other methods are supported by the protocol.
Establishes a session ID so that the session can be restarted if required.
Negotiation of a Cipher Suite consisting of a key-exchange algorithm, a bulk-data encryption algorithm type and a MAC type for the subsequent data session (Record Protocol). The key-exchange algorithm is normally an asymmetric (public-private key) algorithm such as RSA or DSA. Asymmetric algorithms are very expensive in resources (CPU) and therefore symmetric ciphers are used for subsequent bulk-data encryption (using the Record Protocol). The key-exchange algorithm is used to transfer information from which session key(s) can be independently computed for the symmetric (bulk-data) cipher. The MAC protects the integrity of the transmitted/received data.
This a simplified overview and additional data may be exchanged, for instance, the client can be requested to send an authenticating X.509 (SSL) certificate but the above describes the most common case and is illustrated in Figure 2 below:
Figure 2 - SSL/TLS Protocol Sequences
The Handshake Protocol negotiates and establishes the connection and the Record Protocol transfers (encapsulates) the encrypted data stream such as HTTP, SMTP or IMAP.
In Figure 2 messages in black are sent in clear, messages in blue are sent using the public key supplied by the server (using the key-exchange cipher), messages in green are sent using the negotiated bulk-data cipher and are protected by the negotiated MAC.
SSL/TLS allows for a data compression algorithm to be negotiated. Given the speed of modern networks data compression is rarely, if ever, used and is typically set to the value NULL (not used).
This section provides more detail about the SSL/TLS protocol message exchanges (Figure 2 above) for those who revel in the grisly details. If you prefer the 'stuff happens' level skip this section to retain your sanity.
ClientHello: The ClientHello offers a list of protocol versions/variants supported, the supported cipher suites in preferred order and a list of compression algorithms (typically NULL). The client also sends a 32 octet random value (a nonce), which is used later to compute the symmetric keys, and a session ID which will be 0 if no previous session exists or non-zero if the client thinks a previous session exists.
Each cipher suite is comprised of a key-exchange algorithm, a bulk cipher algorithm and a MAC (Hash) algorithm.
The cipher suite used by both client and server on initial connection is:
TLS_NULL_WITH_NULL_NULL (0x00, 0x00) # the first NULL is the key exchange algorithm # the following WITH_NULL defines the bulk cipher # the final NULL defines the MAC
This value indicates no encryption will occur and thus all messages are sent in clear until the Client Key Exchange (ClientKeyMessage).
A typical cipher suite is:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00, 0x0A) # RSA is the key exchange algorithm # the WITH_3DES_EDE_CBC defines the bulk cipher # (Triple DES with Cyclic Block Chaining) # SHA is the MAC (Hash)
Note: The word EXPORT appears in some valid cipher suite descriptions and refers to export strength ciphers, that is, some ciphers are only permitted in certain countries (see US Dept. of Commerce, Bureau of Industry and Security(BIS) and the Wassenaar Arrangement) and should be borne in mind when configuring systems that may be used internationally.
Extensions, defined in RFC 3546 and primarily used in wireless networks, may be invoked in a backward compatible manner at ClientHello. The server is free to silently ignore any extensions it does not understand.
ServerHello: The ServerHello returns the selected protocol variant/version number, cipher suite and compression algorithm. The server sends a 32 octet random value (a nonce) which is used later to compute the symmetric keys. If the session ID in the ClientHello was 0 the server will create and return a session ID. If the ClientHello offered a previous session ID known to the server then a reduced Handshake is negotiated. If the client offered a session ID that was not recognized by the server, the server returns a new session ID and a full Handshake results.
Certificate: The server sends its X.509 certificate which contains the public key of the server and whose algorithm must be the same as the key exchange algorithm of the selected cipher suite suite. There are other methods offered by the protocol to transfer the public key - it could for example be a DNS KEY RR - but an X.509 certificate is the normal method and universally supported. The objective of this message is that the client will obtain from a trusted source the public key of the server which it can use to send an encrypted message.
While it is normal to only send a single certificate in this message what is called a certificate bundle (more than one certificate in a single file PEM file) can be sent. For example, certificate bundles can be defined using the Apache directive SSLCertificateChainFile whereas a single certificate would be defined using the SSLCertificateFile directive. Bundles are typically used when cross-certificates are present during some form of certificate re-structuring, for example, a corporate takeover of one company by another or a change of key/keysize from the CA.
The DNSSEC DANE protocol (RFC6698) allows a client to obtain a copy of the server X.509 certificate from the DNS. However, a certificate obtained from the DNS using DANE is in additional to that obtained in the normal certificate exchange of SSL/TLS and allows additional verification for the perennially paranoid.
ServerDone: Indicates the end of the server part of this dialogue sequence and invites the Client to continue the protocol sequence. Note: The server may request a client certificate at this point to complete mutual authentication. This client certificate exchange sequence has been omitted from the protocol sequence description since it is not commonly used and unnecessarily complicates the description.
Client Key Exchange: The client computes what is called a pre-master key using the server and client random numbers (or nonces). It encrypts this key using the public key of the server obtained from the supplied X.509 certificate. Only the server can decrypt this message using its private key. Both sides independently compute a master key from the pre-master key using an algorithm defined in the standard. Any required session key is derived from this master key.
ChangeCipherSpec - Client: This message indicates that all subsequent traffic from the client will be encrypted using the selected (negotiated) bulk encryption protocol and will contain the negotiated MAC. Nominally this message is always encrypted with the current cipher which, in the connection's initial state, is NULL and hence the message is shown in the diagram as being sent in clear. While this message is shown in the protocol diagram as a being sent separately it is frequently concatenated with the Client Key Exchange message.
Finished - Client: This message contains all the messages sent and received during the Handshake protocol, but excluding the Finished message, and is encrypted using the negotiated bulk encryption protocol and hashed using the negotiated MAC. If the server can decrypt and verify this message (containing all previous messages), using its independently computed session key, the dialog was successful. If not the session is terminated at this point by the server sending an Alert message with some (perhaps vague) error message.
ChangeCipherSpec - Server: This message indicates that all subsequent traffic from the server will be encrypted using the negotiated bulk encryption protocol and contain the negotiated MAC. Nominally this message is encrypted with the current cipher, which in the connection's initial state is NULL and hence the message is shown in the diagram as being sent in clear. Implicity receipt of this message also tells the client that the server received and was able to process the client's Finished message.
Finished - Server: This message contains all the messages sent and received during the Handshake protocol, but excluding the Finished message, and is encrypted using the negotiated bulk encryption protocol and includes the negotiated MAC. If the client can decrypt this message using its independently computed key the dialog was successful. If not he client would terminate the connection with and Alert message and a suitable (perhaps vague) error code.
Record Protocol: Subsequent messages between the server and client are encrypted using the negotiated bulk encryption protocol and include the negotiated MAC.
The random values sent by the client and server and the subsequent pre-master secret all include a two octet time value (to avoid replay attacks) and consequentially, as in all cryptographic systems, both client and server should be using a synchronized time source such as NTP.
When either the client or the server terminates a connection with an Alert message the error code supplied may not be precise to avoid providing information to the other party which could be used to refine an attack.
The original ITU-T standard, from which the certificate gets its infamous name, is X.509 - one of the X.500 directory standard suite of standards. The use of X.509 certificates on the Internet is standardized by the IETF with RFC 5280 defining the X.509 certificate format (obsoletes RFC 3280, RFC 4325 and RFC 4630) and RFC 4210 which defines the Certificate Management Protocol (CMP) protocol used to access and process X.509 certificate requests. Finally, RFC 3739 defines what it calls a Qualified Certificate which is related to the European Directive on Electronic Signature (Directive 1999/93/EC).
X.509 uses a whole new and wonderful world of terminology. Specifically it uses the term Distinguished Name (DN) to refer to fields within a certificate. DNs are defined by the IETF within the LDAP series of RFCs - particularly RFC 4514. The terms Abstract Syntax Notation 1 (ASN.1) and Object Identifiers (OIDs) are also used which are both described in ITU X.680 series and finally encoding uses Distinguished Encoding Rules (DER) described in ITU X.690.
There are also a significant number of standards relating to certificate handling marked PKCS#X (where X is a number), for instance PKCS#10 defines the format of a Certificate Signing Request (CSR). These refer to standards defined by RSA Laboratories. A number of these standards have been reproduced, essentially unchanged, as RFCs, for example, PKCS#10 referred to above has been published as RFC 2986. In addition to the IETF, RSA and ITU-T, X.509 has been further standardized by a number of countries as well as industry organizations. Observers and implementors have noted that the multiplicity of standards can lead to serious problems in implementation and interpretation. This set of implementation notes from Peter Gutmann is pretty detailed, big and really quite scary.
An X.509 certificate provides two distinct capabilities:
An X.509 certificate (currently X.509v3) acts as a container for the public key that may be used to verify or validate an end entity (EE) such as a web site or an LDAP server. The entity is defined in the subject field of the certificate. The subject is described in the form of a Distinguished Name (DN) - backgrounder about DNs in LDAP - which is comprised of a number Relative Distinguished Names (RDNs) each of which is a data-containing element called an Attribute. Specifically, the CN (commonName) attribute of the Distinguished Name typically contains the end-entity covered by the certificate. An example of a CN may be a web site address such as CN=www.example.com.
The X.509 certificate is digitally signed by a trusted Authority (typically called a Certificate Authority or CA) - identified by a Distinguished Name (DN) in the issuer field of the certificate - both to ensure that the certificate has not been tampered with and to attest (or certify) that the public key for this subject field really, really is the public key for this subject. This trust process is described further. The signing Authority may be a Certification Authority (CA), Registration Authority (RA) or some other intermediate authority (such as a subordinate CA) or it may be a self-signed. Note: The private key associated with the public key of the user's X.509 certificate is always maintained by the user and is never divulged to the signing Authority.
A separate X.509 structure called a Certificate Revocation List (CRL - currently CRLv2) provides information about certificates that have been revoked or invalidated for a variety of reasons.
Most of the information in this section focuses on the use of X.509 for validating server communication, X.509 may also be used for other purposes such as personal identification (including digital signatures) and S/MIME which we may get round to when (if) our heads stop hurting.
X.509 (SSL) certificates use a bewildering range of terminology - sometimes it is even consistently applied, mostly it is not, which further adds to the confusion. Even the RFCs do not rigorously define their terminology though RFC 4210 comes closest. CAs typically offer a number of certificate types. With the exception of EV certficates and Qualified certificates which have precise meanings and defintions, these certificate types are mostly marketing concepts - designed to offer differing price/functionality points - and therefore typically their descriptions offer only a nodding aquaintance - at best - with the technical terminology. Finally, not all CAs are equal. Readers are cautioned that while most CAs are thoroughly professional and undertake periodic audits or are certified by national organizations not all are. Buyer beware (caveat emptor) is the watchword.
The following list attempts to define the most commonly used terms covering both certificate authorities and certificate types given the caveat of the previous paragraph. The explanations offered are culled from technical documents (mostly the source RFCs and especially RFC 4210) and CA web sites.
Certificate Authority (aka root CA): The term Certificate Authority is defined as being an entity which signs certificates in which the following are true: the issuer and subject fields are the same, the KeyUsage field has keyCertSign set and/or the basicConstraints field has the cA attribute set TRUE. Typically, in chained certificates the root CA certificate is the topmost in the chain but RFC 4210 defines a 'root CA' to be any issuer for which the end-entity, for example, the browser has a certificate which was obtained by a trusted out-of-band process. Since final authority for issuing any certificate rest with this CA the terms and conditions of any intermediate certificate may be modified by this entity.
Registration Authority (aka Registration CA): A Registration Authority (RA) may be required in certain environments to handle specific certificate characteristics, for example, an RA may be delegated by a National Certificate Authority (CA) to specialize in personal certificates, while another may specialize in Server certificates. An RA, if present, is essentially an administrative convenience. RAs can sign certificates (as subordinate CAs) but, having carried out appropriate end-entity validation, may also pass the request to a root CA for signature.
Subordinate Authority (aka Subordinate CA): Generic term. Any entity that signs a cerificate but is not a root CA. Some subordinate CAs - especially those that are entirely operated under the control of the root CA owner - may be marked as CAs (the extension BasicContraints will be present and cA will be set True). Thus, an RA, assuming it signs certificates, would do so as a subordinate CA and if operated under the control of a root CA may also be marked as a CA.
Intermediate Authority (aka Intermediate CA): Imprecise term occasionally used to define an entity which creates an intermediate certificate and could thus encompass an RA or a subordinate CA.
Cross certificates (aka Chain or Bridge certificate): A cross-certificate is one in which the subject and the issuer are not the same but in both cases they are CAs (BasicConstraints extension is present and has cA set True). They are typically used where a CA has changed some element of its issuing policy (a new expiry date or new key) or where one CA has been taken over by another CA and certificates issued by the merged CA are chained back to the new owner to allow previously issued root certificates to be retired. The term Chain certificate, when applied in this context, indicates that a new chain has been created and can, occasionally, be referred to as a bridge certificate (it chains or bridges to a new CA). Cross certificates can be installed at the server (as part of a certificate bundle - see note under TLS protocol - Certificate) but when used for backward compatibility, for example, when an EV certificate is processed by a non-EV compliant client the cross certificate is installed at the client. Other than setting the cA field to True (which, frankly, makes little difference) the Cross certificate is a normal Intermediate certificate.
Intermediate certificates (aka Chain certificates): Imprecise term applied to any certificate which is not signed by a root CA. Intermediate certificates form a chain and there may be any number of intermediate certificates from the end-entity certificate to the root certificate. Intermediate certificates may be issued by subordinate CAs, RAs and even CAs directly (though technically these should be called cross-certificates) to assist in transitions, take-overs or even just to differentiate brands. The term chain in this context is meaningless (but sounds complicated and expensive) and simply indicates that the certificate forms part of a chain.
Certificate Bundle: Generic term which indicates that more than one X.509 certificate is concatenated into a single file (normally a PEM format file). Certificate bundles can be sent during a TLS/SSL handshake. Typically, certificate bundles are used for administrative purposes during some CA transition, for example, a take-over, a change of policy, key change, expiry date change etc..
Qualified certificates: Defined in RFC 3739 the term Qualified certificates relates to personal certificates (rather than server certificates) and references the European Directive on Electronic Signature (1999/93/EC) which is focussed on uniformly defining an individual for the purposes of digital signature, authorization or authentication. Specifically, the RFC allows the subject field to contain in priority order commonName (CN=), givenName (GN=) or pseudonym= and the subjectDirectoryAttributes may be present and contain any of dateOfBirth, placeOfBirth, gender, countryOfCitizenship and countryOfResidence. Finally, two new optional extensions biometricInfo and Qualified Certificate statements (qcStatements) are defined in the RFC. The Qualified certificate is recognized by the presence of a qcStatements extension with the value qcStatement-2. Most national governments have included a number of additional fields for inclusion in these certificates. In some cases for genuine reasons in other cases simply to flex national muscles and make implementor lives thoroughly miserable.
non-Qualified certificates: Normally a personal certificate which does not conform to the standard defined for Qualified certificates. Can also be used as a term of abuse by the issuers of Qualified certificates to imply an inferior quality certificate.
Multi-host certificates: A server certificate typically contains a CN=hostname attribute, for example CN=www.example.com, in the subject. The hostname is resolved by the DNS and can yield multiple IP addresses (A or AAAA RRs). In this case any SSL server certificate for the same hostname may be replicated onto all such hosts (clearly the users private key also needs to be replicated to each host which may present problems if hardware crypto devices are used). Where multiple hostnames exist, such as www.example.com and example.com or www1.example.com then these require special treatment and special certificate types and are defined under multi-domain certificates and wildcard certificates below.
Multi-domain certificates: Some CAs sell multi-domain certificates for covering situations such as www.example.com and example.com or even www.example.net. This is achieved by using multiple entries in the subjectAltName field and is described further. Technically there are few limits to this process, for example, www.example.com and www.example.net could be supported by a single SSL certificate but most CAs have some commercial restrictions - which can usually be overcome if you part with more filthy lucre. Wildcard certificates, described below, can sometimes be used for this purpose but are limited to a single domain name.
Wildcard certificates: A number of CAs sell wildcard certificates where the subject field contains CN=*.example.com (the * is the wild card). Such certificates will support any hostname in the domain, thus *.example.com will support www.example.com and mail.example.com but not example.com or (obviously) example.net(see multi-domain certificates above).
EV Certificates (aka Extended Certificates): Extended Validation (EV) certificates are distinguished by the presence of the CertificatePolicies extension containg a registred OID in the policyIdentifier field. EV certificates are described in detail.
DV certificates: What are sometimes called Domain Validation (DV) certificates are issued by some CAs. The term is not universally used but implies that only the ownership of the domain name by the certificate requestor has been verified by the CA. Thus the CN= value, for instance www.example.com, in either the subject or subjectAltName can be treated as valid but organizational information (C=, ST=, L=, OU= or O=) should not be treated as valid and should be either blank or contain appropriate text such as "not valid".
OV certificates: What are sometimes called Organizational Validation (OV) certificates are issued by some CAs. The term is not universally used but implies that ownership of the domain name of the certificate requestor and its organizational details have been verified by the CA. Thus the CN=, C=, ST=, L=, OU= or O= values in either the subject or subjectAltName can be treated as valid. While this looks, on its face, pretty thorough such certificates are not EV certificates which require further qualification.
Domain-Only Certificates: A generic term, generally of abuse, applied to certificates whose end user verification process varies, in the view of the user of the term, from cursory to non-existent.
X.509 Certificates may be chained, that is, they may be signed by one or more intermediate Authorities in a hierarchical manner - or a certificate may simply be signed directly by a CA. The concept of a Registration Authority (RA) as an intermediate signing authority is introduced in the RFCs mentioned above. A Registration Authority (RA), sometimes also referred to as a subordinate CA in the EV standards, appears to describe an organization from which the X.509 certificate is actually purchased, for example, a licensed agent, who signs the certificate with the CA (the final signing authority) providing the ultimate or root authority. Somewhat similar in structure to DNS Registry Operators and Registrars for those familiar with the DNS organization. RFC 4158 contains a useful but indigestible and brain numbing discussion about how certificate chains can be reliably constructed using subject and issuer pairs augmented by, among others, SubjectKeyIdentifier and AuthorityKeyIdentifier.
The topmost certificate of the signing hierarchy is known as a root certificate, or sometimes a CA certificate or even a root CA certificate. Root certificates are obtained by a trusted out-of-band process (in the case of browsers they are distributed with the browser software and updated periodically) and when used to validate a certificate chain are called trust anchors. When a end-entity certificate (or certificate bundle) is obtained from a server during an SSL/TLS handshake it must be verified by the receiving software all the way to the root or CA certificate including, if appropriate, any intermediate certificates (again these are typically distributed with browser software). A root or CA certificate is recognized if the issuer and subject fields are the same, if the KeyUsage field has keyCertSign set and/or the BasicConstraints field has the cA attribute set TRUE. The process of building the certificate chain is described by RFC 4158 and chain validation by RFC 5280. The chaining process is shown in Figure 3 below:
Figure 3 - X.509 Chaining
The issuer of a certificate is identified using a Distinguished Name (DN) format which was originally designed to represent a location within a DAP or LDAP DIT (Data Information Tree). The DN should not be confused with a network address or URL/URI. It will typically have a form such as CN=Type of Certificate, OU=Certificate Division, O=Certificate Company name,C=Country or an OU=, O=, C= form or even a CN=,O=, C= form. An X.509 certificate does not contain a URI to obtain any chained certificates via a network interface - but it may contain (in other fields) a URI to obtain CRLs. Applications that use certificates - such as a browser or client email software - must have previously obtained the root certificate, and if the certificate is chained - all intermediate certificates, by some out of band or off-line process. Most common CA root certificates are distributed with browsers (and made available to their associated client email software). Browsers and email clients also have interfaces to enable addition of new certificates or replacement of existing certificates. In the case of Firefox: Tools->Options->Advanced->Encryption->View Certificates, MSIE: Tools->Internet Options->Content Tab->Certificates button->Trusted Root Certification Authorities.
Note: The root certificates distributed with common browser (and email client) software are added according to criteria defined by the browser supplier and vary from "pay us lots of cash" through to full proof of a CA audit and other requirements.
When an application accesses an SSL/TLS based service the server certificate (or a certificate bundle) is obtained during the initial SSL/TLS Handshake dialog. The application, such as a browser, will extract the CN of the subject DN field (and/or the subjectAltName - see RFC 6125) to verify the entity (say a web server address, for instance, www.example.com). It then uses the issuer field DN of the server's X.509 certificate to find the appropriate root certificate from its local store (and generate an exception - normally involving a highly confusing, and potentially dangerous, user dialog - if one is not found). If a valid root certificate is found this authenticates the server supplied certificate. The net result, assuming all goes well, is that the public key contained in the X.509 certificate is safe (is trusted) and can be used to communicate with the defined entity (the Subject).
Servers typically only require their own certificate(s) and do not require root certificates - they simply send their certificates to the client and do not have to validate certificates. However SSL/TLS does allow mutual validation - both server and client send certificates. If client certificates are required in the application then the server is required to validate the client certificate and must be provisioned with all the required root and intermediate certificates by some out of band process - such as email or obtaining them from CA web sites.
Figure 4 - X.509 Usage
An X.509 certificate is a data structure. Various protocols allow the certificates to be manipulated via a communications network. These X.509 Certificate Operations, such as sending a signing request, returning a signed certificate etc. are defined in, among others, the Certificate Management Protocol (CMP) - RFC 4210 - and further described in this guide.
A number of protocols are defined to manipulate certificates and CRLs (Certificate Revocation Lists). The Certificate Management Protocol (CMP RFC 4210) provides protocol methods to manipulate certificates (the format of the certificate messages is defined in RFC 4211). Online Certificate Status Protocol (OCSP RFC 2560) is a protocol for the on-line verification of certificates (and RFC 5019 defines a simplified version). Server-Based Certificate Validation Protocol (SCVP RFC 5055) allows multiple client functions to be delegated to an untrusted server, specifically certificate path validation and certificate path discovery. In the case where the SCVP server is trusted addition functionality may be provided such as certificate status (also provided by OCSP) and obtain intermediate certificates (also provided by CMP). RFC 4387 defines some limited manipulation of X.509 certificates, keys or CRLs over HTTP using a GET method. RFC 4386 defines use of the DNS SRV RR to discover Certificate repositories, and OCSP services.
To be supplied.
To be supplied.
The Online Certificate Status Protocol (OCSP) is defined in RFC 2560 (minor update in RFC 6277) and a streamlined, high-throughput, message format is defined in RFC 5019 which in essence sensibly reduces OCSP requests to a single certificate and removes most of the OPTIONAL fields in requests and responses as noted below.
OCSP is an on-line alternative to a Certificate Revokation List (CRL). The URI of the service is typically identified in the AuthorityInfoAccess (AIA) field of a certificate if the CA supports an OCSP service. A client will send an optionally signed request identifying the certificate to be verified and receive a signed reply from the OCSP server indicating the status as being good, revoked or unknown. The RFC allows for a number of different transport protocols (and specifically mentions LDAP, SMTP and HTTP as examples) to transmit the request and responses with the specific transport scheme identified in the URI of the AIA field of the certificate being validated. The RFC also defines the format of HTTP messages (using GET and POST) when used for OCSP. The request and response messages are outlined below:
# request format OCSPRequest TBSRequest version 0 = v1 requestorName OPTIONAL requestList (one or more) reqCert hashAlgorithm AlgorithmIdentifier issuerNameHash Hash of Issuer's DN issuerKeyHash Hash of Issuers public key serialNumber CertificateSerialNumber singleRequestExtensions OPTIONAL requestExtensions OPTIONAL optionalSignature OPTIONAL
Signature of the OCSP request is optional and if present the requestorName will indicate the signer. Clearly for the receiver to verify the signature it must have the public key of the signer.
# response format OCSPResponse responseStatus successful 0 --Response has valid confirmations malformedRequest 1 --Illegal confirmation request internalError 2 --Internal error in issuer tryLater 3 --Try again later --(4) is not used sigRequired 5 --Must sign the request unauthorized 6 --Request unauthorized responseBytes OPTIONAL responseType OID (126.96.36.199.188.8.131.52.1.1 =BasicOCSPResponse) BasicOCSPResponse response ResponseData version 0 - Version DEFAULT v1 responderID EITHER OF byName 1 - Name byKey 2 - Hash of Issuers Public Key producedAt GeneralizedTime responses certID hashAlgorithm AlgorithmIdentifier issuerNameHash -- Hash of Issuer's DN issuerKeyHash -- Hash of Issuers public key serialNumber CertificateSerialNumber certStatus CertStatus good 0 revoked 1 unknown 2 thisUpdate GeneralizedTime nextUpdate GeneralizedTime OPTIONAL singleExtensions OPTIONAL responseExtensions OPTIONAL signatureAlgorithm AlgorithmIdentifier, signature Hash of Response data certs OPTIONAL
A certStatus of good is defined in the RFC to mean not revoked but additional information may be available in Extension fields.
The responseStatus of unauthorized indicates that the client is not authorized to make an inquiry about this certificate (RFC 5019 extends this meaning to indicate the responder has no authoritative information about this certificate).
The response is normally signed by the CA that issued the certificate identified in serialNumber but the protocol allows for a delegated authority to sign the response in which case the response must include a certificate (carrying the delegated signers public key) in certs and which must be signed by the issuer of the certificate defined in serialNumber.
RFC 5019 defines a streamlined message format - which is entirely compatible with the full OCSP format - by removing most of the OPTIONAL fields to assist message throughput. PROTOCOL: Supports OCSP over HTTP only using GET and POST methods. REQUESTS: Limits the request to a single certificate (requestList will be 1), dispenses with the OPTIONAL field singleRequestExtensions, and the OPTIONAL structures requestExtensions and optionalSignature (if the request is signed, responders are free to ignore the signature). RESPONSES: By insisting on a single certificate per request RFC 5019 has already reduced complexity (and size) in the response, in addition the OPTIONAL responseExtensions is removed (but singleResponseExtensions may be included). Again if the response is signed by a delegated authority the response must include a certificate (carrying the delegated signers public key) in certs and which must be signed by the issuer of the certificate defined in serialNumber.
This section describes, in gruesome - but incomplete - detail, the format and meaning of the major fields (technically called attributes) within an X.509 certificate. The format is defined in RFC 5280.
Note: Much use is made in X.509 (amd LDAP) of that gruesome pseudo-Hungarian notation nonsense. In general, poor X.509 implementations are case sensitive, good ones are not.
An X.509 certificate printed by Openssl looks like this (the major fields are described below):
Certificate: Data: Version: 3 (0x2) Serial Number: bb:7c:54:9b:75:7b:28:9d Signature Algorithm: sha1WithRSAEncryption Issuer: C=MY, ST=STATE, O=CA COMPANY NAME, L=CITY, OU=X.509, CN=CA ROOT Validity Not Before: Apr 15 22:21:10 2008 GMT Not After : Mar 10 22:21:10 2011 GMT Subject: C=MY, ST=STATE, L=CITY, O=ONE INC, OU=IT, CN=www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ae:19:86:44:3c:dd:38:df:e2:41:5f:d8:86:19: 69:7e:85:d7:1d:ae:1e:eb:87:b0:5f:fc:f3:db:e3: aa:82:76:d6:42:05:f1:0e:5c:5a:a2:8d:f6:d3:00: 37:04:96:13:06:16:e6:d1:67:14:69:cd:85:df:a7: b3:ac:a2:6c:33:cd:d6:00:3d:24:99:fa:4b:81:07: 0c:b2:5a:fe:06:16:da:34:66:63:78:31:7d:11:5e: 63:de:9e:ee:76:8b:0c:12:af:fb:f2:28:0a:76:5b: 99:20:b8:f7:c0:9c:e8:89:c5:d0:1e:e5:07:c8:bd: 38:c8:52:97:cc:76:c9:c8:2b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: EE:D9:4A:74:03:AC:FB:2C:FD:43:C7:58:6E:2E:6A:88:BA:65:61:CC X509v3 Authority Key Identifier: keyid:54:0D:DE:E3:37:23:FF:2E:E8:03:0A:2C:52:FE:FC:C0:C8:13:72:80 Signature Algorithm: sha1WithRSAEncryption 52:3d:bc:bd:3f:50:92:67:a3:d3:6f:37:a9:3f:89:b5:16:5b: 9c:0d:32:25:32:91:c7:bf:f6:0d:f8:6d:1c:09:45:2f:3f:b9: 18:b7:1c:8d:7c:06:33:ef:ca:e0:92:a3:90:3f:7c:4e:16:87: 67:ae:7c:2c:1a:43:e5:3a:24:d9:c3:7d:cf:bf:eb:01:9d:c1: f0:bb:0f:15:de:d5:9e:42:9d:f8:7f:0d:5b:af:59:80:d1:aa: cc:db:31:1b:d4:7f:f3:f1:71:25:85:c9:8b:78:3e:13:ac:11: 51:35:49:8d:c3:9a:bb:9a:89:2c:ef:7f:90:f9:05:b3:65:98: b8:74
The X.509 certificate consists of the following fields (Attributes):
|Version||In general this should indicate version 3 (X.509v3). Since the numbering starts from zero this will have a value of 2. If omitted version 1 (value 0) is assumed.|
|Serial Number||Positive number up to a maximum of 20 octets. Defines a unique serial number for each certificate issued by a particular Certification Authority (thus is not, of itself, a unique number) and used, among other purposes, in Certificate Revocation Lists (CRLs).|
|Signature||Must be the same OID as that defined in SignatureAlgorithm below.|
|Issuer||The DN (Distinguished Name) of the Authority that signed and therefore issued the certificate. This may or may not be the Certification Authority (CA). The issuer may comprise a subset of domainComponent (DC=), countryName (C=), commonName (CN=), surname (SN=), givenName (GN=), pseudonym=, serialNumber=, title=, initials=, organizationName (O=), organizationalUnitName (OU=), stateOrProvinceName (ST=) and localityName (L=) attributes. Only CN=, C=, ST=, O=, OU= and serialNumber= must be supported the rest are optional (serialNumber= is rarely present - but mandated for EV certificates - and L= is frequently present though widely misunderstood but its use is clarified for EV certificates) RFC 5280 appears to allow either of the globally unique methods (X.500 format O=, C= or the IETF format DC=, DC=) but the X.500 format seems universally preferred. An example issuer DN would look something like:
# shown split across two lines for presentation reasons only C=MY,ST=some state,L=some city,O=Expensive Certs inc, OU=X.509 certs,CN=very expensive certs # various interpretations of the RDN fields exist # the following are presented as generally accepted # values. # C = ISO3166 two character country code # ST = state or province # L = Locality; generally - city # O = Organization - Company Name # OU = Organization Unit - typically certificate type or brand # CN = CommonName - typically product name/brand
|Validity||Provides two sub-fields (Attributes) notBefore and notAfter which define the time period for which the certificate is valid - or if one is of a cynical persuasion the NotAfter value defines the point at which the user has shell out more filthy lucre to the CA or issuer. Dates up to 2049 are encoded as UTCTime (format is YYMMDDHHMMSSZ - yes a 2 digit year) after 2050 as GeneralizedTime (format is YYYYMMDDHHMMSSZ - finally a 4 digit year). Where Z is a literal constant indicating Zulu Time (UCT aka Greenwich Mean Time) - its absence would imply local time.|
|Subject||A DN defining the entity associated with this certificate. If this is a root certificate then issuer and subject will be the same DN (and BasicConstraints CA TRUE will be set). In an end user/server certificate the subject DN identifies in some way the end entity. Typically the CN attribute (RDN) of the DN will identify some unique name of the end entity being certified or authenticated. The subject may comprise a subset of domainComponent (DC=), countryName (C=), commonName (CN=), surname (SN=), givenName (GN=), pseudonym, serialNumber, title, organizationName (O=), organizationalUnitName (OU=), stateOrProvinceName (ST=) and localityName (L=) atributes. An example subject DN that will authenticate access to a web site could look something like:
# shown split across two lines for presentation reasons only C=MY,ST=another state,L=another city,O=my company,OU=certs, CN=www.example.com # various interpretations of the RDN fields exist # the following are presented as generally accepted # values. In the case of personal certificates GN=, SN= or pseudonym= # can appear in the fields # C = ISO3166 two character country code # ST = state or province # L = Locality; generally means city # O = Organization - Company Name # OU = Organization Unit - division or unit # CN = CommonName - end entity name e.g. www.example.com
However some certs use the issuer's DN and replace the CN attribute (RDN) with the name of the entity being authenticated thus the above could, based on the issuer example above, become:
# shown split across line for presentation reasons only C=MY,ST=some state,L=some city,O=Expensive Certs inc, OU=X.509 certs,CN=www.example.com
In the above example CN=www.example.com will work when the web site access URL is http://www.example.com, if the web site access also uses http://example.com the certificate checking process will fail and in this case the subjectAltName can be used to extend the certificate scope to include example.com (or any other domain name that is covered by this certificate).
While the majority of certificates currently (2011) use the CN= RDN of the subject field to describe the entity, RFC 6125 now recommends that the subjectAltName be used (containing the end entity name) and that the subjectAltName field be used in preference to CN= in the subject for validating the entity name. It may be some time before all applications and certificate issuers follow these principles and therefore to handle all possibilities the entity should appear in both a CN= (in the subject field) and in a subjectAltName field.
The subject field can be empty in which case the entity being authenticated is defined in the subjectAltName.
The form CN=www.example.com/emailAddressemail@example.com is frequently seen and generally created by default by OpenSSL tools when generating a Certificate Signing Request (CSR) and defines a second attribute (emailAddress) and which may, or may not, be present. Most CAs request that the email address prompt is left blank during the creation of the CSR when using OpenSSL - perhaps because they can sell you a second SSL certificate to protect your email addresses. Or is that excessively cynical?
|SubjectPublicKeyInfo||Contains two sub-fields (attributes), algorithm (the OID of the public key algorithm from the list defined in RFC 3279) and subjectPublicKey (the entity's public key as a bit string). An example of a the algorithm attribute when using an RSA algorithm (rsaEncryption) OID is shown below:
|IssuerUniqueIdentifier||Optional. Defines a unique value for the issuer. The RFC recommends that this fields is NOT present.|
|SubjectUniqueIdentifier||Optional. Defines a unique value for the entity being authenticated. The RFC recommends that this fields is NOT present.|
|Extensions||Tons of extensions are defined in the various RFCs - the following are only the most, IOHO, significant. Extensions may be marked as CRITICAL. Note: CRITICAL has an interesting and nuanced interpretation. If the software handling the certificate sees the CRITICAL value (which it can always interpret) but does not understand the extension it MUST abandon processing and NOT accept the certificate.|
|SignatureAlgorithm||The algorithm used to sign the certificate identified by its OID and any associated parameters. The following illustrates the RSA with SHA1 digital signature OID (sha1WithRSAEncryption):
1.2.840.1135184.108.40.206This value must be the same as that identified in the signature field of the certificate. The currently valid OIDs for use with X.509 certificates are defined in RFC 3279.
|SignatureValue||Bit string containing the digital signature.|
All fields with the exception of SignatureAlgorithm and SignatureValue are encoded using ASN.1 DER (Distinguished Encoding Rules) defined by ITU-T X.690. The signature covers all DER encoded fields thus, obviously, excluding itself.
Multiple standards bodies (countries, industry organizations or governmental agencies) define specific profiles that refine the meaning of certain fields or attributes or mandate specific fields. All very confusing.
Certificate Revocation Lists (CRLs) are a method by which certificates may be invalidated before their NotAfter date has expired. CRLs are normally issued by the CA that issued the certificate and can be obtained by a variety of methods, for instance, LDAP, HTTP or FTP. CRLs (specifically CRLv2 the current version) are defined in RFC 5280 and updated by RFC 6818.
Theoretically, when a certificate has been received from a server the receiving software should verify that the certificate obtained does not appear in a CRL (has not been revoked). To minimise delay in catching revoked certificates the CRL check should be done by fetching the latest CRL whenever a certificate is received from a server. Since a CRL contains a list of all revoked certificates from any given CA it can be of considerable size thus creating, perhaps, an unacceptable overhead to an SSL/TLS initial connection. Further, depending on the CA's policy, the CRL may be updated every hour or 12 hours or daily etc.. The bottom line being that fetching a CRL file(s), even if it is done for every received certificate, may still yield an out-of-date result.
In practice a per certificate CRL fetch is rarely, if ever, performed and many systems rely on CRL caches that are periodically updated. RFC 5280 uses the weasely term suitably-recent to describe the CRL update frequency. An on-line version of the revocation list, known as Online Certificate Status Protocol (OCSP) is defined in RFC 2560, streamlined by RFC 5019 and updated by RFC 6277. A CRL has the following format:
|Version||Optional. In general this should indicate version 2 (CRLv2). Since the numbering starts from zero this will have a value of 1. If omitted version 2 (value 1) is assumed.|
|Signature||Must be the same OID as that defined in SignatureAlgorithm below.|
|Issuer||A DN of the Authority that signed and therefore issued the CRL. This may or may not be the Certification Authority. See also notes on issuer DN|
|ThisUpdate||The time and date at which the CRL was created. Date format may be UTCTime UTCTime (format is YYMMDDHHMMSSZ) or GeneralizedTime (format is YYYYMMDDHHMMSSZ). Where Z is a literal constant indicating Zulu Time (Greenwich Mean Time) - its absence would imply local time.|
|NextUpdate||The time and date at which the next CRL will be created. Date format may be UTCTime UTCTime (format is YYMMDDHHMMSSZ) or GeneralizedTime (format is YYYYMMDDHHMMSSZ). Where Z is a literal constant indicating Zulu Time (Greenwich Mean Time) - its absence would imply local time.|
|RevokedCerticates||The CRL identifies the revoked certificate by its serial number. Serial numbers are not globally unique but are defined to unique within CA therefore any client must use the a combination of the issuer to obtain a unique match.
userCertificate CertificateSerialNumber revocationDate Time crlEntryExtensions Extensions OPTIONAL
|Extensions||Multiple CRL extensions are defined in RFC 3280 none of which are marked as being CRITICAL and many are only relevant if the CRL is indirect, that is the CRL was issued by a party (an issuer) which was not the issuer of the certificates being revoked.|
|SignatureAlgorithm||The algorithm used to sign the CRL identified by its OID and any associated parameters. The following illustrates the RSA with SHA1 digital signature OID (sha1WithRSAEncryption):
1.2.840.1135220.127.116.11This value must be the same as that identified in the signature field of the certificate. The currently valid OIDs for use with X.509 certificates are defined in RFC 3279.
|SignatureValue||Bit string containing the digital signature for the CRL.|
As described previously an X.509 certificate is trusted to contain the public key of the entity defined (normally specifically the CN of the subject or subjectAltName). Trust is created during the certificate creation process. The process of obtaining an X.509 certificate will vary in detail from CA to CA but generally consists of the following steps:
The first, or topmost, link in the chain of trust is the Certification Authority (CA). CAs are deemed to be trusted organizations either because they say so or because they have passed some standard. In North America WebTrust is the most widely recognized CA standards organization and most CAs carry their seal indicating they have undergone an audit by a WebTrust accredited auditor (increasingly the major International auditing firms are also performing such audits). The very existence of the CA marks the first step in the establishment of the line of trust. The CA has, at some point in time, generated one or more asymmetric keys and, using the private key, has self-signed a certificate (the issuer and subject attributes of the X.509 certificate are the same and BasicConstraints cA is TRUE). This certificate is the root or CA certificate and the private key, whose public key is contained in the root certificate, is used to sign user certificates. Root (or CA) certificates are distributed to end user clients by a trusted out-of-band process, most frequently with browser installations.
A user who desires a certificate will review the products from the various Certificate Authorities (CAs) and select a preferred CA. An application is made to the selected CA - or one of its agents or Registration Authorities (RA) - for a particular type of SSL (X.509) certificate. Depending on the certificate type various information is required and (usually) verified such as name of business, business registration number or other identifying information. Again depending on the type of certificate further proof of identity may be required. This is essentially a clerical process (which may be automated to a greater or lesser extent) that establishes the next trust link.
The CA, which is trusted, is trusted to have established that the user is who they say they are. More or less.
Having selected the SSL product, supplied the required identification information and had it verified by the CA the user is then requested to generate a set of asymmetric keys and use the private key to sign a Certificate Signing Request (CSR) which will contain the public key of the generated public-private pair among other information. The CSR format is defined by RFC 2986 (a re-publication of the RSA standard PKCS#10 - updated by 5967) and consists of the following data:
|Subject||A DN defining the entity to be associated with this certificate. In general, depending on the CA policies, this will be the subject that will appear in the returned X.509 certificate.|
|SubjectPublicKeyInfo||Contains two sub-fields (attributes), algorithm (the OID of the public key algorithm from the list defined in RFC 3279) and subjectPublicKey (the entity's public key as a bit string). An example of a RSA algorithm (rsaEncryption) OID is shown below:
|Attributes||Optional. Attributes may contain a number of sub-fields (attributes) of which the following are noted, challengePassword (a password to further secure the CSR - most CAs insist this attribute is NOT present) and unstrcuturedName (any suitable text - again normally not required by CAs or ignored if present).|
|SignatureAlgorithm||The algorithm used to sign the CSR identified by its OID and any associated parameters. The following illustrates the RSA with SHA1 digital signature OID (sha1WithRSAEncryption):
1.2.840.113518.104.22.168Note: The CSR is signed using the private key of the private-public key pair whose public key appears in the SubjectPublicKeyInfo of this CSR.
|SignatureValue||Bit string containing the digital signature.|
A CSR is created using this procedure.
The CSR is uploaded to the CA (typically using FTP or HTTP) which uses the data in the CSR and perhaps other information obtained during the SSL certificate application to create the user's X.509 certificate which typically has a validity period ranging from 1 to 3 years. The CA finally signs the user's certificate (the SignatureAlgorithm and SignatureValue) using the private key of the public-private key pair whose public key is contained in the CA's root certificate. The X.509 certificate is sent to the user using a variety of processes (FTP/HTTP/EMAIL).
The trust loop is therefore completed by the CA's digital signature. The digital signature of the user's certificate can only be verified by using the public key of the issuer which is contained in the CA's root certificate obtained by a (trusted) off-line process (normally via a browser installation).
When a certificate is received by a browser from a web site (during the Handshake Protocol of TLS/SSL) it must be verified all the way to the root or CA certificate (there may be one or more levels of certificates depending on the certifcate vendor). The root/CA (and any required intermediate) certificates are typically distributed with major browser software. Root/CA certificates distributed in this way are generically called trust anchors - a widely used term used to describe any base structure or information obtained by a trusted distribution route that may be used to validate/authenticate received information. RFC 5914 (with some support from RFC 5937) defines how such trust anchors may be organized, used and processed in the specific case of X.509/SSL certificates.
Extended Validation (EV) Certificates are defined by the CA/Browser Forum and include a mixture of improved clerical validation as well as technical processes. The objective behind EV certificates is to provide increased confidence to end users though the standard explicitly states that it does not guarantee the business practices of the certificate owner - merely that the owner does exist.
When using a supporting browser the user sees a normal padlock icon but the status bar shows up in GREEN when an EV certificate is encountered. Currently EV supporting browsers are: MSIE 7 only and the latest versions of Konqueror, Firefox (v3+) and Opera(9.5+). In general EV certificates are significantly more expensive than other types of certificates. The EV issuing standard has the following characteristics:
The CA has to be audited for EV compliance and undergo a yearly audit renewal.
CAs follow the practices defined in RFC 3647 which has INFORMATIONAL status for the rest of us.
Standardizes the use and meaning of certain fields in the subject DN and adds some new ones. Specifically it defines the following to be REQUIRED (the EV standard's version of the RFC MUST)
Mandates that EV certificates may only be issued for server authentication at this time.
EV certificates are recognised definitively by the use of a registered OID (unique for each CA) in the CertificatePolicies field.
This section illustrates the use of OpenSSL commands to perform tasks associated with X.509 certificates. To illustrate the certificate process in its entirety it covers generation of what are loosely called self-signed certificates. Self-signing is one of those terms that needs a little explanation since it has two potential meanings.
At a strict level it means that the issuer and subject fields in the certificate are the same. In this sense every root certificate is a self-signed certificate. In the second sense it means that the user becomes their own Certification Authority (CA) and is an alternative to purchasing an X.509 certificate from a recognized CA such as Verisign or Thawte (and others) which are already trusted (their root/CA certificates are pre-installed on the user's computer) by most tools, for example, browsers. A user (end-entity) certificate obtained by a browser from a web site during the SSL/TLS Handshake Protocol phase and issued by one of the recognized CAs can be tracked back (and therefore authenticated) by the browser to the signing authority (the CA) by use of the issuer field in the certificate. The browser must have the trusted CA's root certificate installed (as well as any intermediate certificates) to avoid any browser error messages. The term trust anchor is used to defined such installed certificates. Trusted CA root certificates for most of the commercial CAs and many National CAs are distributed and installed with browsers such as MSIE, Firefox, Opera etc.
The rest of this section deals with the second definition of self-signing - the user becomes their own CA. This form of self-signing can be used either during testing or operationally where, for instance, a user wishes to control access within a private network, a closed user group or some other community of interest. Here the trust relationship, normally associated with an external CA, may be regarded as being implicit due to the nature of the organization signing the certificates.
The first time a self-signed certificate is presented to a user's SSL/TLS enabled software, such as a browser, and assuming the browser does not have a copy of the relevant root certificate, it will generate a message asking if the user wishes to accept the certificate. Alternatively, the self-signed root certificate can be pre-installed or imported to a user's computer in which case no browser error message will be generated.
Note about Certificate Validity Periods and Key Sizes: Many of the certificates in the following sections are valid for 1 to 3 years. However most of the commercial root certificates installed in browsers have validity periods of 10 to 20 years! Don't be afraid to use quite lengthy time periods to avoid the pain of renewing certificates. The current RSA key length recommendation (2011) is 2048 bits for lifetimes until 2030 (consequentially many of the current root certificates have expiry dates around 2028 giving them a couple of years to phase in extended bit sizes in time for the 2030 expiry of 2048 bits). RSA Key Strength Note and recommendations over required lifetime. The same keysize (2048 bits) and lifetime recommendation (until 2030) is also contained in US NIST (National Institute or Standards and Technology) Special Publication 800-57 Part 1 Rev2 Table 4.
The following sequences use OpenSSL commands (tested with OpenSSL 0.9.8n and 1.0.0e) to generate a self-signed X.509 certificate that may be installed and used by SSL/TLS server systems such as Web, FTP, LDAP or mail (SMTP Agent). OpenSSL commands use a bucket load of parameters - including reply defaults, certificate duration and certificate fields - from the openssl.cnf file (/etc/ssl/openssl.cnf - FreeBSD) and if you are going to do serious work with certificates it is well worth looking though this file and editing as appropriate to save some typing.
Note: There are dire text/comment warnings that editing either openssl.cnf or messing around with CA.pl (a useful scripy file) may cause the sun to fall out of the sky. Make a copy of both files before you do anything so you can always restore your system to a pristine state in the event anything goes wrong. The bottom line: mess with stuff at your own peril.
The files created when working with certificates will be a mixture of those containing public keys which are generally innocuous and those containing private keys which need to be rigorously protected. Whether both these types of files can be maintained in a single directory structure or not will be a matter of local security policy. The actual process depends significantly on the requirement. As with all sophisticated software there are usually about 6,000 ways of doing anything - we think there are just three Really Useful Methods (RUM)™.
FreeBSD Operational Note: When running tests on a new FreeBSD 8.1 install during which openssl is installed by default (0.9.8n) CA.pl was not installed. If you have requested installation of source then it may be found in /usr/src/crypto/openssl/apps/CA.pl. Alternatively, use the ports system (/usr/ports/security/openssl) and then make patch (just downloads and untars the latest version of openssl but does not install it) and then use find ./ -name "CA.pl". Since PERL is no longer installed by default with FreeBSD you may also need to install it.
Create a CA, a root certificate that can be imported into a browser for testing purposes and a single server certificate that can be used by a server such as Apache. The standard OpenSSL CA.pl script (which has been moved to /etc/ssl for convenience in the examples - choose an appropriate location) is used to simplify the process:
Note: If a certificate suitable for multiple server name use, for instance, example.com and www.example.com or www.example.net is required follow this procedure.
# by default the RSA algorithm is used with 1024 bit keys (2011) # to change defaults see Method 3: Bullet 1 # create directories and self-signed CA root certificate cd /etc/ssl ./CA.pl -newca # the DN sequence requested here will be for the CA # by default this creates a root certificate in # demoCA/cacert.pem # and the CA's private key in # demoCA/private/cakey.pem # cacert.pem is valid for 3 years ./CA.pl -newreq # creates a Certificate Signing Request (CSR) # the requested DN sequence will be for the # server name the only important value is # CN (CommonName) which should be the web or other server name # such as www.example.com, ldap.example.com or mail.example.com ./CA.pl -sign # signs the CSR # and leaves the certificate in # /usr/local/openssl/newcert.pem # newcert.pem is valid for 1 year # private key in # /usr/local/openssl/newkey.pem # remove the pass phrase from newkey.pem # to stop server requesting password on load openssl rsa -in newkey.pem -out keyout.pem # CAUTION: this file contains a private key and should be # given read only permissions for the user # move and rename as required for the server # both files newcert.pem and keyout.pem are required # for example for apache SSLCertificateFile /path/to/newcert.pem SSLCertificateKeyFile /path/to/keyout.pem # examples for OpenLDAP TLSCACertificateFile /path/to/cacert.pem TLSCertificateFile /path/to/newcert.pem TLSCertificateKeyFile /path/to/keyout.pem
This is the simplest (one command) way to create a single X.509 certificate that may be used as both as a server and a root (CA) certificate. This certificate, because it is self-signed (and the CA:True field is present), can be imported into browsers and other client software as a root (CA) certificate. The DN requested in this sequence references the server that this certificate is being generated for. In particular the CN should define the host service, such as, www.example.com and not the host name of the computer. Thus, if a web service is addressed externally as https://www.example.com but runs on a host called webserver.example.com, www.example.com should be used for the CN. The following shows the standard OpenSSL dialog, values in #description# should be replaced with the required value, for example, #server-name# should be replaced with the valid server name being authenticated, say, www.exmple.com or ldap.example.com.
Note: If a certificate suitable for multiple server name use, for example example.com and www.example.com or www.example.net is required follow this procedure.
cd /etc/ssl openssl req -x509 -nodes -days 1059 -newkey rsa:2048 \ -keyout testkey.pem -out testcert.pem Generating a 2048 bit RSA private key .....++++++ ..................++++++ writing new private key to 'testkey.pem' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:#your-country-code# State or Province Name (full name) [Some-State]:#your-state-county-province# Locality Name (eg, city) :#your-city# Organization Name (eg, company) [Internet Widgets Pty Ltd]:#your-organization-name# Organizational Unit Name (eg, section) :#optional# Common Name (eg, YOUR name) :#server-name# Email Address :. # creates testcert.pem as certificate # and testkey.pem as unencrypted private key # which should immediately be given # read only access to user # chown user:group testkey.pem # chmod 0400 testkey.pem # move and rename as required for the server # both files testcert.pem and testkey.pem are required # e.g. for apache SSLCertificateFile /path/to/testcert.pem SSLCertificateKeyFile /path/to/testkey.pem # for OpenLDAP TLS Server (slapd.conf) TLSCertificateFile /path/to/testcert.pem TLSCertificateKeyFile /path/to/testkey.pem # for OpenLDAP TLS Client (ldap.conf) TLS_CACERT /path/to/testcert.pem
Notes: -x509 causes it to self sign as a root CA. -nodes suppresses the pass phrase dialog. -days 1059 provides a 2 year 329 day certificate.
<ouch> Readers may wonder why any sane person would want to create a certificate valid for 2 years and 329 days. There are two reasons. First, it's possible, so why not. Second, observant readers will have noted that 3 years is 1095 days not the 1059 used in the tests. In short, when running the intial tests we incorrectly transposed the 5 and 9 (put it down to age, eyesight or stupidity as you choose) and rather than rerun the tests with 1095 we let the 1059 stand and have come up with this crummy justification instead. Finally, since the current recommendation for 2048 bit keys suggest they will remain valid until 2030 you could sensibly push the value to (currently, in 2013) -days 6205 (17 years, minus leap year adjustments).</ouch>
If you are going to generate multiple certificates for use, say, with an internal system then it is worth investing some time and effort. Having tried this using multiple methods this is, IOHO, the simplest. It uses the standard CA.pl script to establish the CA which initialises a bunch of directories and files that are otherwise a serious pain to set up but then uses openssl commands to generate CSRs and sign certificates since this provides greater control over variables and is, relatively, painless.
Location and Preparation Optional to save some typing. Decide where you are going to build your certificate repository. For the sake of illustration we will create it in /etc/ssl and that location will be used throughout. Change as required to suit your circumstances. Move the CA.pl script (use locate CA.pl if you can't find it) to /etc/ssl/CA.pl or wherever you are going to create the certificate repository since we will edit this file. We also rename the script to ca.pl due to a perverse loathing of the shift key but assuming you don't share our pathological characteristics you can substitute CA.pl in the examples.
The files ca.pl (or CA.pl) and /etc/ssl/openssl.cnf have significant impact on the running of both the script and the openssl commands. We made the following edits for convenience to CA.pl (ca.pl) only the changed lines are shown:
# WARNING: You should make and keep a clean copy of both # CA.pl and openssl.cnf before messing with either # root certificate valid for 10 years - matter of choice # but most public CAs provide a root certificate valid until 2028 $CADAYS="-days 3650"; # 10 years # default is $CADAYS="-days 1059"; # 3 years # changes ca directory name $CATOP="./ca"; # default is $CATOP="./demoCA"; # if changed needs corresponding change in openssl.cnf
We also made the following changes in /etc/ssl/openssl.cnf to make life easier. Again, only the changed lines are shown:
# WARNING: You should make and keep a clean copy of both # CA.pl and openssl.cnf before messing with either [ CA_default ] # mirrors directory change in ca.pl dir = ./ca # Where everything is kept # dir = ./demoCA # Where everything is kept (default) # Extension copying option: use with caution copy_extensions = copy # uncomment above directive if multiple DNS name certificates # are required, else leave commented (default) # default certificate validity changed to 3 years # means you can omit the -days option default_days = 1059 # 3 years # default is default_days = 365 # 1 year [ policy_match ] # add this line in the above section # adds L= to issuer and subject DN # otherwise it is omitted - matter of taste localityName = optional [req] default_bits = 2048 # current 2011 - 2030 recommendation # default_bits = 1024 # original file value [ req_distinguished_name ] # change _default values to save typing # edit or add in appropriate place countryName_default = MY stateOrProvinceName_default = STATE localityName_default = CITY 0.organizationName_default = ONE INC organizationalUnitName_default = IT
It is worthwhile checking this file for any other values that you might want to change.
Create Certificate Authority The first command creates a Certification Authority (CA) root certificate and some other files used for maintenance. A public-private key pair is created. The public key is written into the root certificate - /etc/ssl/ca/cacert.pem - the private key into /etc/ssl/ca/private/cakey.pem. The default file format is PEM. The DN details requested will be used to populate the issuer and subject fields of the root certificate and into the issuer field of all subsequent signed certificates and should be customized to suit user requirements. The pass phrase is required and used to protect access to the private key - it will be used on all subsequent certificate signings so it might be useful to remember it:
cd /etc/ssl ./ca.pl -newca CA certificate filename (or enter to create) #ENTER Making CA certificate ... Generating a 2048 bit RSA private key .....++++++ ..................++++++ writing new private key to './ca/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [MY]: State or Province Name (full name) [STATE]: Locality Name (eg, city) [CITY]: Organization Name (eg, company) [ONE INC]:CA COMPANY NAME Organizational Unit Name (eg, section) [IT]:X.509 Common Name (eg, YOUR name) :CA ROOT Email Address :. Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for ./ca/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: bb:7c:54:9b:75:7b:28:9c Validity Not Before: Apr 15 21:07:36 2008 GMT Not After : Apr 13 21:07:36 2018 GMT Subject: countryName = MY stateOrProvinceName = STATE organizationName = CA COMPANY NAME localityName = CITY organizationalUnitName = X.509 commonName = CA ROOT X509v3 extensions: X509v3 Subject Key Identifier: 54:0D:DE:E3:37:23:FF:2E:E8:03:0A:2C:52:FE:FC:C0:C8:13:72:80 X509v3 Authority Key Identifier: keyid:54:0D:DE:E3:37:23:FF:2E:E8:03:0A:2C:52:FE:FC:C0:C8:13:72:80 DirName:/C=MY/ST=STATE/O=CA COMPANY NAME/L=CITY/OU=X.509/CN=CA ROOT serial:BB:7C:54:9B:75:7B:28:9C X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Apr 13 21:07:36 2018 GMT (3650 days) Write out database with 1 new entries Data Base Updated
A standard directory structure has been created:
ca # cacert.pem (root certificate) # serial (tracks serial numbers) # crlnumber (serial number for CRLs) # index.txt ca/private/cakey.pem # private ca key ca/newcerts # copy of all certs created ca/crl # optional location for CRLs created ca/certs # optional location for certs created
The root certificate created (ca/cacert.pem) is valid for 10 years (3650 days) based on the ca.pl file edit. The root private key (ca/private/cakey.pem is protected by its PEM pass phrase but should still be protected by the lowest permissions possible (defaulted to 0644 which is unnecessarily high). The Challenge Password is a simple password that may be used to guard access to Certificates, CSRs and the subsequent X.509 certificate. Most, if not all public CAs do not want one or the accompanying Optional Company Name and indeed all the examples leave the field blank. If you want to permanently disable the prompts edit /etc/ssl/openssl.cnf:
[ req_attributes ] # comment out all following lines #challengePassword = A challenge password #challengePassword_min = 4 #challengePassword_max = 20 #unstructuredName = An optional company name
Create a certificate signing request (CSR). The requested DN in this sequence will appear in the subject field of the final certificate.
This command may also be used to generate a CSR (Certificate Signing Request) for a public CA and since most CAs do not want a password just hit ENTER at the A challenge password prompt (see notes above about permanently removing the prompts). The optional emailAddress value is also left blank. Mostly because it achieves no purpose in a server certificate and indeed most public CAs request it is left blank.
openssl req -nodes -new -newkey rsa:2048 \ -keyout ca/private/cert1key.pem -out ca/certs/cert1csr.pem Generating a 2048 bit RSA private key ...................++++++ ............++++++ writing new private key to 'ca/private/cert1key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [MY]: State or Province Name (full name) [STATE]: Locality Name (eg, city) [CITY]: Organization Name (eg, company) [ONE INC]: Organizational Unit Name (eg, section) [IT]: Common Name (eg, YOUR name) :www.example.com Email Address :. Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
This creates a new CSR (in /etc/ssl/ca/certs/cert1csr.pem) which must then be signed using the CA's private key and a private key (not secured by a pass phrase - -nodes option - suitable for use in a server application) in /etc/ssl/ca/private/cert1key.pem. The CN value (www.example.com in the example above) is the service name used by the application. It could have been ldap.example.com or any other similar name. Note also that if the normal server access is https://www.example.com this certificate will work - however if the access will also use https://example.com then you need to add a subjectAltName field by using this procedure before creating the CSR (and use ServerAlias directive in the VirtualHost section for Apache). The service name should not be confused with the server's host name. Thus, if a web service is addressed externally as https://www.example.com but runs on a host called webserver.example.com, www.example.com should be used for the CN.
To view the certificate request:
openssl req -in ca/certs/cert1csr.pem - noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=MY, ST=STATE, L=CITY, O=ONE INC, OU=IT, CN=www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ae:19:86:44:3c:dd:38:df:e2:41:5f:d8:86:19: 69:7e:85:d7:1d:ae:1e:eb:87:b0:5f:fc:f3:db:e3: aa:82:76:d6:42:05:f1:0e:5c:5a:a2:8d:f6:d3:00: 37:04:96:13:06:16:e6:d1:67:14:69:cd:85:df:a7: b3:ac:a2:6c:33:cd:d6:00:3d:24:99:fa:4b:81:07: 0c:b2:5a:fe:06:16:da:34:66:63:78:31:7d:11:5e: 63:de:9e:ee:76:8b:0c:12:af:fb:f2:28:0a:76:5b: 99:20:b8:f7:c0:9c:e8:89:c5:d0:1e:e5:07:c8:bd: 38:c8:52:97:cc:76:c9:c8:2b Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption 79:f5:20:45:6c:ec:8e:ae:3a:75:70:67:6d:cb:a9:a6:df:80: f1:8f:43:1b:c5:ce:dd:41:19:e9:8e:72:06:d3:05:b8:23:e6: 98:88:3d:a4:96:62:27:e6:6f:af:fd:7a:b9:20:ec:c6:8d:de: 2b:26:5c:a3:b5:0f:20:09:d3:e8:90:71:0f:dd:81:82:83:94: bb:ac:fa:09:42:5c:7a:91:19:9a:4a:98:7c:92:7d:3d:42:d0: 66:2a:87:ff:b5:58:bd:41:08:1f:4f:02:04:4d:ca:75:6c:5b: bd:61:cd:c5:89:7c:e0:0d:dd:50:1f:90:42:5f:d6:a6:31:71: 40:7d
Create and Sign the end-user certificate This takes the input CSR (ca/certs/cert1csr.pem) and creates the end user certificate (ca/certs/cert1.pem):
openssl ca -policy policy_anything \ -in ca/certs/cert1csr.pem -out ca/certs/cert1.pem Using configuration from /usr/local/openssl/openssl.cnf Enter pass phrase for ./ca/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: bb:7c:54:9b:75:7b:28:9d Validity Not Before: Apr 15 22:21:10 2008 GMT Not After : Mar 10 22:21:10 2011 GMT Subject: countryName = MY stateOrProvinceName = STATE localityName = CITY organizationName = ONE INC organizationalUnitName = IT commonName = www.example.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: EE:D9:4A:74:03:AC:FB:2C:FD:43:C7:58:6E:2E:6A:88:BA:65:61:CC X509v3 Authority Key Identifier: keyid:54:0D:DE:E3:37:23:FF:2E:E8:03:0A:2C:52:FE:FC:C0:C8:13:72:80 Certificate is to be certified until Mar 10 22:21:10 2011 GMT (1059 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
The resulting certificate issuer field is from the root certificate (ca/cacert.pem) and the subject field from the CSR. The command line defaults many values from openssl.cnf: the validity period (default_days =), the signing key (private_key =) and the issuer from the root certificate (certificate =). The -policy policy_anything option may be necessary depending on your requirements. It references the policy_anything section defined in the openssl.cnf file which allows any fields in the subject DN certificate to have different values from those in the issuer DN field. If not present it defaults to -policy policy_match which places restrictions on C=, ST= and O= RDN values.
To view the resulting certificate:
openssl x509 -in ca/certs/cert1.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: bb:7c:54:9b:75:7b:28:9d Signature Algorithm: sha1WithRSAEncryption Issuer: C=MY, ST=STATE, O=CA COMPANY NAME, L=CITY, OU=X.509, CN=CA ROOT Validity Not Before: Apr 15 22:21:10 2008 GMT Not After : Mar 10 22:21:10 2011 GMT Subject: C=MY, ST=STATE, L=CITY, O=ONE INC, OU=IT, CN=www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ae:19:86:44:3c:dd:38:df:e2:41:5f:d8:86:19: 69:7e:85:d7:1d:ae:1e:eb:87:b0:5f:fc:f3:db:e3: aa:82:76:d6:42:05:f1:0e:5c:5a:a2:8d:f6:d3:00: 37:04:96:13:06:16:e6:d1:67:14:69:cd:85:df:a7: b3:ac:a2:6c:33:cd:d6:00:3d:24:99:fa:4b:81:07: 0c:b2:5a:fe:06:16:da:34:66:63:78:31:7d:11:5e: 63:de:9e:ee:76:8b:0c:12:af:fb:f2:28:0a:76:5b: 99:20:b8:f7:c0:9c:e8:89:c5:d0:1e:e5:07:c8:bd: 38:c8:52:97:cc:76:c9:c8:2b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: EE:D9:4A:74:03:AC:FB:2C:FD:43:C7:58:6E:2E:6A:88:BA:65:61:CC X509v3 Authority Key Identifier: keyid:54:0D:DE:E3:37:23:FF:2E:E8:03:0A:2C:52:FE:FC:C0:C8:13:72:80 Signature Algorithm: sha1WithRSAEncryption 52:3d:bc:bd:3f:50:92:67:a3:d3:6f:37:a9:3f:89:b5:16:5b: 9c:0d:32:25:32:91:c7:bf:f6:0d:f8:6d:1c:09:45:2f:3f:b9: 18:b7:1c:8d:7c:06:33:ef:ca:e0:92:a3:90:3f:7c:4e:16:87: 67:ae:7c:2c:1a:43:e5:3a:24:d9:c3:7d:cf:bf:eb:01:9d:c1: f0:bb:0f:15:de:d5:9e:42:9d:f8:7f:0d:5b:af:59:80:d1:aa: cc:db:31:1b:d4:7f:f3:f1:71:25:85:c9:8b:78:3e:13:ac:11: 51:35:49:8d:c3:9a:bb:9a:89:2c:ef:7f:90:f9:05:b3:65:98: b8:74
Checking or viewing Certificates Corruption can occur so the certificate can be verified using the following commands:
openssl x509 -in certificate-name.pem -noout -text # display whole certificate openssl x509 -in certificate-name.pem -noout -dates # validity dates only openssl x509 -in certificate-name.pem -noout -purpose # list of all purposes certificate may be used for openssl x509 -in certificate-name.pem -noout -purpose - dates # list validity period and purpose
Importing a self-signed root certificate The PEM format file created in step 2 above (ca/cacert.pem) may be directly imported into MSIE and Firefox to inhibit them from prompting for untrusted certificates.
MSIE: MSIE prefers its certificates to have a suffix of .cer but happily accepts PEM format so a simple rename will solve the problem ca/cacert.pem -> ca/cacert.cer. Copy to some portable media and use MSIE->Tools->Internet Options->Content Tab->click view certificates button->click Import and follow wizard prompts.
In an AD environment the certificate can also be propagated to all users via Group Policy Object (GPO). Load Administrative Tools->Group Policy Manager->Expand domains->Right click on Default Domain Policy and select Edit->Expand Computer configuration-> Expand Windows Settings->Expand Security Settings->Expand Public Key Settings->Right click Trusted Root Certificate Authorities->select Import and follow wizard Prompts.
Firefox Firefox will accept either a .pem or .cer suffix. Tools->Options->Advanced->Encryption Tab->View Certificates->Authorities tab->click import button and select file.
Method 3 creates a simple two certificate chain comprising an end-entity (server) certificate and a root CA certificate. Method 3A explores how we can add to this structure, for reasons best known to ourselves, to create a subordinate CA, perhaps a second root CA and create a whole variety of Cross and Intermediate certificates based on this structure:
Base Setup: Run steps 1 and 2 of Method 3. This simply creates a directory structure and our first root CA. If you have already run the whole of Method 3, none of the file names created in the next steps will clash - so nothing will be lost and your system will not self-destruct. At the end of this process the following directories will have been created:
ca # cacert.pem (root certificate) # serial (tracks serial numbers) # crlnumber (serial number for CRLs) # index.txt ca/private/cakey.pem # private ca key ca/newcerts # copy of all certs created ca/crl # optional location for CRLs created ca/certs # optional location for certs created
Strategy Note: Openssl commands take many of their advanced parameters from the configuration file (openssl.cnf). Up to this point we have suggested that changes should be made to this standard file since they are typically used consistently accross all commands. From this point on this is not the case. Instead, we recommend that you copy and rename the standard configuration file (openssl.cnf) to a new configuration file with an appropriate name (that you can remember) and use the -config filename argument to pick up the appropriate config file based on usage. It's quicker (eventually), less confusing (eventually) and re-useable (always).
Create a subordinate CA:
Create a new directory called, say, subca and subca/private (giving this directory the same permissions as ca/private). This step simply keeps things organized (kinda):
cd /etc/ssl mkdir ca/subca mkdir ca/subca/private # create necessary empty database file for subca signer touch ca/subca/index.txt
Edit openssl.cnf and create a section called [ sub_ca] - it can be anywhere in the file but for convenience we have shown it located above the [ user_certs ] section. The various entries in this section will be used to override the normal options used when a certificate is signed.
# new section [ sub_ca ] basicConstraints=CA:TRUE # alternatively # basicConstraints=CA:TRUE,pathlen:0 # pathlen:0 constrains the subCA to # only sign end-entity certificates # optional entry and string could be # nsComment="Most Trusted Certificate in the World" nsComment="OpenSSL Generated Certificate" # next two are normal for all non-root certificates subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # next line just shows where sub_ca section is positioned in file [ user_cert ]
Create the subordinate CA certificate:
Create a CSR for the subordinate CA and sign it with the root CA certificate:
# NOTE: These steps will use the root CA created in Method 3 step 1 and 2 # create the CSR for the subordinate CA openssl req -new -keyout ca/subca/private/subca1key.pem \ -out ca/subca/subca1csr.pem Generating a 2048 bit RSA private key ...................++++++ ............++++++ writing new private key to 'ca/subca/private/subca1key.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [MY]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) [Some City]: Organization Name (eg, company) [My Company Name]: Organizational Unit Name (eg, section) :Certs Common Name (eg, YOUR name) :subCA1 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : # Notes: # 1. Organizational Unit Name is not important simply descriptive # 2. Common Name is the name to be given to the subordinate CA # now sign this request using the root CA and force the defined extensions # using -extensions sub_ca openssl ca -policy policy_anything -in ca/subca/subca1csr.pem \ -out ca/subca/subca1cert.pem -extensions sub_ca # display the resulting certificate openssl x509 -in ca/subca/subca1cert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: c6:bd:b2:ce:22:bc:4d:57 Signature Algorithm: sha1WithRSAEncryption Issuer: C=MY, ST=Some-State, O=My company name, OU=Certs, CN=Root CA1 Validity Not Before: Dec 9 20:40:18 2011 GMT Not After : Dec 6 20:40:18 2021 GMT Subject: C=MY, ST=Some-State, L=Some City, O=My company name, OU=Certs, CN=subCA1 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a9:f3:02:01:c9:e3:76:e6:dd:cc:ad:d0:2d:6d: 01:b6:27:c8:a0:9c:f3:a0:85:b8:c7:30:56:18:cb: 34:7d:db:b5:e1:9c:8a:72:6a:91:26:52:f9:71:b7: a1:47:ab:68:a0:ae:96:db:f5:e5:5a:fd:a8:4f:2b: 94:57:ab:a3:ea:c7:b9:ab:fd:16:86:36:3e:43:27: ae:9a:c8:3f:92:ad:ec:a4:3b:9d:6d:3b:87:9d:62: b5:bf:75:40:46:5b:69:80:02:db:fe:0d:f7:49:c0: 40:b9:cf:b4:3e:7e:0f:52:c5:12:58:9d:4b:77:41: a0:f8:9d:36:74:e4:f9:47:c1:04:b1:5e:aa:6b:f6: cd:32:ec:91:a3:e6:51:36:9e:b8:9b:fc:00:80:41: c7:2d:4d:8a:e4:b9:46:a9:1c:d4:5c:97:14:57:21: e2:ff:e8:ff:28:53:5e:bb:13:93:43:86:4d:2a:a6: a0:93:8d:2a:61:c0:b6:e8:4e:87:64:de:09:97:66: c8:f7:ae:66:00:e8:47:76:00:80:12:51:f5:da:f0: 82:f0:6c:b3:b1:00:2d:1a:20:5c:32:ea:d3:72:bc: 0c:a6:82:b8:44:f5:96:0b:68:65:a8:d4:31:81:5e: f0:37:71:5d:e3:c7:3d:59:ff:32:32:49:6b:b6:e5: 55:87 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:TRUE X509v3 Key Usage: Certificate Sign, CRL Sign Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 58:47:30:77:3F:EF:AC:3D:5A:A3:BB:F6:7F:D2:CE:95:08:77:23:A0 X509v3 Authority Key Identifier: keyid:FB:7B:FB:7B:23:87:8B:FC:3D:97:33:11:6B:0D:37:A0:21:8D:E6:CD Signature Algorithm: sha1WithRSAEncryption 43:b5:e2:8d:4d:07:56:45:20:b3:0b:ac:fd:cc:36:c0:3b:df: 86:19:eb:96:9b:4a:e0:b5:e7:41:73:54:84:8f:ea:15:48:35: 69:15:2f:29:0f:90:79:e3:68:e6:08:4d:98:7b:1c:f3:34:14: 1d:4d:21:dc:0a:2c:1b:90:7b:b8:23:1b:9c:48:1a:b5:ba:91: 44:8e:18:05:1c:ee:48:d8:ef:ab:b7:e5:f6:86:98:bf:17:cd: 4b:40:d3:51:d2:cf:c2:43:14:a3:38:9a:72:30:c7:94:64:e3: 93:80:5c:42:31:79:ba:10:34:d0:96:45:7c:59:67:f5:f0:dd: a9:aa:3d:22:97:d2:d2:05:4d:7b:aa:06:27:8a:69:9d:3c:94: 85:95:b6:7d:49:a5:bd:42:90:57:87:af:44:0f:b2:db:98:d0: d6:fd:9f:65:90:70:a2:af:9d:14:34:5d:2a:7b:28:12:37:e7: 76:0c:b0:58:a1:b7:45:6f:d7:26:dc:cb:f2:39:76:7d:08:5c: 22:f9:99:fc:84:89:b5:7c:e0:75:eb:db:2d:18:8d:d9:da:c8: 4d:f5:cd:47:ad:f3:49:7e:fc:96:4c:2e:e3:92:bd:a3:d8:83: 12:2c:a2:7c:eb:dc:45:e0:61:a0:e1:31:b1:03:4b:55:e8:cf: e0:f3:2b:72
The 4 X509v3 extensions are the direct consequence of the -extensions sub_ca argument and override the normal certificate features. If the root CA is required to sign a normal end-entity certificate just omit this argument. Technically, the resulting certificate (ca/subca/subca1cert.pem) is a cross-certificate because both the signer and the certificate being signed have basicConstraints with cA True.
Sign an end-entity certificate with the subordinate CA:
To sign an end-entity certificate using the subordinate CA we first need to copy and save openssl.cnf to another name, say, subca1.cnf. Now make the following edits to subca1.cnf (these changes simply tell openssl where to obtain various files relating to the subCA whereas the standard openssl.cnf will continue to refer to the root CA information):
[ CA_default ] # only values to be changed are shown database = $dir/subca/index.txt # database index file. certificate = $dir/subca/subca1cert.pem # The subCA certificate # the parameter below will cause all certicates from both the root # and the sub CA to use the same numbering sequence # to change copy ca/serial to ca/subca/serial and modify parameter serial = $dir/serial # The current serial number # if you need to keep CRLs separate or leave unchanged crl_dir = $dir/subca/crl # Where the issued crl are kept crlnumber = $dir/subca/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/subca/crl.pem # The current CRL private_key = $dir/subca/private/subca1key.pem # The subCA private key RANDFILE = $dir/subca/private/.rand # private random number file
Now create an end-entity CSR and sign it with the subCA keys:
# create CSR openssl req -new -nodes -keyout ca/private/user1key.pem \ -out ca/certs/user1csr.pem # sign it with the subCA key by using -config subca1.cnf openssl ca -policy policy_anything -in ca/certs/user1csr.pem \ -out ca/certs/user1cert.pem -config subca1.cnf # print the resulting certificate openssl x509 -in ca/certs/user1cert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: c6:bd:b2:ce:22:bc:4d:58 Signature Algorithm: sha1WithRSAEncryption Issuer: C=MY, ST=Some-State, L=Some City, O=My company name, OU=Certs, CN=subCA1 Validity Not Before: Dec 9 21:06:43 2011 GMT Not After : Dec 6 21:06:43 2021 GMT Subject: C=MY, ST=Some-State, L=Some City, O=My company name, OU=Server, CN=www.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:c3:f4:dc:07:08:30:3a:3d:72:3e:71:e2:8f:c8: 42:a4:00:6c:9a:e4:5d:fd:3e:28:e0:90:84:1f:10: 3d:c1:f5:22:88:82:52:2b:c3:b5:68:a7:cc:6a:04: 60:77:cc:ac:e1:03:36:53:25:1e:d2:5b:c1:74:1f: ec:87:6a:a3:d7:9b:a7:11:6b:c0:ac:0d:9d:5c:a0: 4d:17:a1:98:c5:c6:1e:3f:b6:17:ab:a3:9c:10:df: bf:cb:82:31:ab:c0:30:5f:58:95:c3:43:72:3a:51: 3d:e0:f4:a1:df:df:64:98:f4:ef:d7:a6:ac:21:20: 0d:2b:21:6e:54:98:c5:2b:d3:46:94:48:03:85:61: a1:bf:27:2d:3c:be:fc:5f:21:d6:82:47:4d:59:48: 3f:f2:7c:c8:6f:04:d5:4f:64:1a:f0:e7:e7:dc:77: 10:7f:1d:82:68:3a:ba:c9:29:79:a9:44:5b:c7:02: c1:59:79:4a:25:c0:e8:f1:89:89:6a:fb:81:6c:2c: 23:b1:2c:cf:ba:e4:ac:ec:dc:f7:92:bd:aa:b1:03: 8a:20:26:06:87:5a:d8:91:7e:4e:88:11:a8:93:b0: d8:e0:81:9e:86:06:94:2e:f6:fd:14:b0:91:28:59: a8:45:fd:c5:d7:a4:04:82:b5:80:a9:28:2b:1e:f2: af:dd Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B1:5A:23:4E:C8:2B:FD:98:AD:01:7A:CA:73:D3:26:84:75:13:6C:78 X509v3 Authority Key Identifier: keyid:58:47:30:77:3F:EF:AC:3D:5A:A3:BB:F6:7F:D2:CE:95:08:77:23:A0 Signature Algorithm: sha1WithRSAEncryption 50:4b:8e:50:8f:fa:f4:98:ee:37:9e:90:f0:18:af:f4:a4:21: 57:a7:ee:d3:5e:8d:f5:f6:25:d3:84:58:33:cd:b7:ce:88:e4: 9d:5c:f3:6f:3e:b9:b5:eb:8b:4a:48:25:e6:56:5f:da:83:63: d8:a8:8e:9a:dc:6e:d1:ca:d2:69:dc:31:85:3b:93:8e:41:6a: 38:f9:e3:87:47:81:2a:eb:24:c4:03:57:43:1c:5e:2b:07:e2: a4:cb:f1:1d:c0:de:52:8b:f8:a2:59:d7:59:6c:8b:6e:a6:f6: 85:6a:e4:43:05:1c:ad:07:81:db:d7:c7:fe:02:c5:42:b5:89: 76:47:b5:6c:6e:09:d1:82:20:5d:40:93:5b:85:fb:92:c5:92: b6:09:57:0e:b9:36:fa:86:3a:23:89:a6:af:16:b5:0a:15:a7: b1:73:27:38:10:49:f3:ae:83:7f:26:65:51:1f:9f:32:7a:49: 26:cf:d4:ef:9b:18:6f:e1:35:04:30:02:b5:ef:a6:29:0f:1e: b9:d4:82:d1:25:d3:ce:c2:f5:cb:80:5e:bb:7c:95:fc:fc:88: 84:da:0e:36:3a:2b:e7:9e:65:41:f2:7e:b9:fa:a7:4e:04:4d: 3d:97:52:28:1f:a6:9d:2e:54:e5:b8:45:98:33:46:0f:2c:93: ac:58:be:eb
The certificate issuer in this case is subCA1 not root CA1 as when signing the subordinate CA certificate request. To allow chain validation of the end-entity certificate BOTH the root CA certificate (ca/cacert.pem) and the subordinate CA certificate (ca/subca/subca1cert.pem) must be imported into the browser.
Using variations of this technique, a second root CA (root CA2) could be created (another copy of openssl.cnf would be needed clearly), or a second subordinate CA (subCA2 - again with a unique .cnf file). In short, all sorts of ghastly permutations are possible.
If a certificate may be used by a host which has more than one DNS name, say, https://www.example.com and https://example.com or even www.example.net then you need to force the Certificate Signing Request (CSR) to use the subjectAltName field. To do this edit the openssl.cnf file as shown below (only changed lines shown):
# first find the [CA_Default] section [CA_Default] .... # uncomment or add copy_extensions = copy # this causes the ca function to copy the extension fields # from the CSR and should be done on the host which handles # the CSRs to create the certificates # now find [v3_req] section [v3_req] ... # add the following line with host names modified as required subjectAltName = "DNS:www.example.com,DNS:example.com,DNS:example.net" # this should be done on the host that generates the CSR
When you run any CSR request add -reqexts "v3_req" to the arguments only when you need to include the additional subjectAltName fields. While the example above shows 3 names being added in practice it can be any number. Each entry has the format DNS:hostname.domain.name, multiple entries are comma separated and the whole lot are enclosed in quotes. The line following shows the CSR request in Step 3 of Method 3 with the additional argument:
openssl req -nodes -new -newkey rsa:2048 \ -keyout ca/private/cert1key.pem -out ca/certs/cert1csr.pem -reqexts "v3_req"
If the -reqexts argument is not added to the CSR a normal single server name certificate is created. This process only works with method 3 above and provides the most flexible approach.
Note: If you are going to produce a number of certificates each of which has different multiple server names then a better strategy may be to simply copy and rename the standard configuration file (openssl.cnf) to something sensible and then use the -config filename argument to pick up each file when required. You can have any number of such config files - as long as you remember their names and functionality.
If you want to create multi-server certificates with Method 1 or 2 then in addition to the above edits, make a further edit to openssl.cnf:
# find the [req] section [req] .... # add or uncomment req_extensions = v3_req
This modification has the effect of adding the subjectAltName fields unconditionally to every CSR.
OpenSSL supports Privacy Enhanced Mail (PEM) as the default format. An X.509 certificate's native format is ASN.1 DER (a binary format). PEM encodes the binary DER in base 64 (RFC 3548) creating a text (ASCII/IA5) version that may be sent by, among other things, mail systems. The format also includes header lines and trailer lines each starting and finishing with precisely 5 dashes to encapsulate the base64 material and provide a human readable indication of its content. PEM files look something like that shown below:
-----BEGIN CERTIFICATE----- MIIDHDCCAoWgAwIBAgIJALt8VJt1eyicMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV BAYTAk1ZMQ4wDAYDVQQIEwVTVEFURTEYMBYGA1UEChMPQ0EgQ09NUEFOWSBOQU1F MQ0wCwYDVQQHEwRDSVRZMQ4wDAYDVQQLEwVYLjUwOTEQMA4GA1UEAxMHQ0EgUk9P VDAeFw0wODA0MTUyMTA3MzZaFw0xODA0MTMyMTA3MzZaMGgxCzAJBgNVBAYTAk1Z MQ4wDAYDVQQIEwVTVEFURTEYMBYGA1UEChMPQ0EgQ09NUEFOWSBOQU1FMQ0wCwYD VQQHEwRDSVRZMQ4wDAYDVQQLEwVYLjUwOTEQMA4GA1UEAxMHQ0EgUk9PVDCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0YMzbKpykO+O2R9OE0BAMwGSl8M5QAum e8zdgmXklF/AazWqyY9YZSMYV3CF6l3HLoSpvLkjLz4E+78Y15btg0P/54gdSNWz T6YkDd4Te22bt5HZSA4UH4GTBn1M7TCXQBMB+XNtj7PM1ehuazyiHWFYoEbN5ywJ 7M2STtAdOWUCAwEAAaOBzTCByjAdBgNVHQ4EFgQUVA3e4zcj/y7oAwosUv78wMgT coAwgZoGA1UdIwSBkjCBj4AUVA3e4zcj/y7oAwosUv78wMgTcoChbKRqMGgxCzAJ BgNVBAYTAk1ZMQ4wDAYDVQQIEwVTVEFURTEYMBYGA1UEChMPQ0EgQ09NUEFOWSBO QU1FMQ0wCwYDVQQHEwRDSVRZMQ4wDAYDVQQLEwVYLjUwOTEQMA4GA1UEAxMHQ0Eg Uk9PVIIJALt8VJt1eyicMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA S41UTHVbVdu7Vv1Cg4OoeU+bRghsSTJuZRG+M4T+sG8CEV0uDzxYYGkwDgC9a7Yb Cfh/ea7F1El1Ym1Zj2v3wLhRl1CIRrJSdLFxPNKKoLG5FmVjY4xSGr63PFHqOrtZ NH5lEmZybl+m2frlkjUv9KAvxclZnIFgovdU8YPMDds= -----END CERTIFICATE----- BLAH BLAH BLAH -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,6EF6203EF1A9533A r7LMq15wr1OOmMsD84KyNo+5yY2SfY5DFXhQU+lqVzjLBhHsP3Fa9xpsSgcfPxVz El3/msvQ98BkaMihajEn5f2UxOZcjLCk5lnBHbmXTvOSQhwIBF0/8fUyb1CAyr7c njh4XpwzGBjuIBKhj8uW98tVO2kk/LrFf2rhL97UYNvOj9neFFVt3ODTJw1RiulN nAZCrTmhlfkVEVZDqEEKCVGPnAiWTU8ACMUXj4eJog3eelotFuyZ1JagBpTlzFEX f6uoSk8HBZLItWTxqRuBRVb8jqE2Bhdp9hvvdja9XIrAPGQJ0u2QVw== -----END RSA PRIVATE KEY-----
The text BEGIN CERTIFICATE and END CERTIFICATE in the above may take different values that describe the functionality and format of the material contained within. There may be more than one item in any PEM file (each de-limited by the -----BEGIN -----END sequence) and the file may have other information before, after and between but not within the de-limiters. PEM is defined in RFC 1421 for use by S/MIME (RFC 3850).
# keys key.pem # RSA or DSA key in PEM format key.der # RSA or DSA key in DER format # certificates: # may contain text + private key + cert # in single file or keys may be in separate files # typically if key unencrypted it must be in a separate file cert.pem # PEM format cert.der # DER format cert.p12 # PKCS12 format
PKCS12 (RSA Labs Standard) format are typically used by browsers:
# conversion PKCS12 > PEM openssl pkcs12 -clcerts -nokeys -in cert.p12 -out usercert.pem # extracts certificate only openssl pkcs12 -nocerts -in cert.p12 -out userkey.pem # extracts key only # conversion PEM > PKCS12 openssl pkcs12 -export -out cert.p12 -inkey ./userkey.pem -in ./usercert.pem
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
Dec > Hex > Bin
data rate stuff
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Mozilla