Reputation: 2160
"an introduction to openssl programming." article. expired certificates
I am newbie in openSSL library and PKI . I have simple question for openSSL experts.
Does anybody know how to create certificates for code samples in this article "An Introduction to OpenSSL programming (Part I/II)" by Eric Rescorla
www.rtfm.com/openssl-examples/part1.pdf
www.rtfm.com/openssl-examples/part2.pdf
I have downloaded source code from http://www.rtfm.com/openssl-examples The problem is that certificates are expired and I don't know how to create new root certificate.
How to create root certificate? How to create certificates for client and server app? Wich ciphering algorithm should I use? As far as i understand i shuld do the following:
- Create key pair. Secret and public keys.
- Create certificate request (p10 format).
- Create selfsigned root sertificate (x509 format).
Details is not clear from the article.
This is how I am trying to create certificates:
1) Creating CA private key and certificate request: openssl req -newkey rsa -keyout ./ca_key.pem out.pem -out ./ca_req.pem -days 1095 -passin pass:"password" -subj "some information about CA" -extensions v3_ca
2) Create self signed CA certificate openssl ca -create_serial -in ca_req.pem -out root.pem -days 1095 -passin pass:"password" -selfsign -extension v3_ca
3)generate server private key and request for certificate openssl req -newkey rsa -keyout server_key.pem out server_req.pem -days 1095 -passin pass:"password" -subj "some information about server"
4)create server certifiate (this certificate is not self signed. This certificate signed by CA private key) openssl ca -in server_req.pem -out server.pem -passin pass:"password"
5)generate user private key and request for certificate openssl req -newkey rsa -keyout user_key.pem out user_req.pem -days 1095 -passin pass:"password" -subj "some information about client"
6)create user certifiate (this certificate is not self signed. This certificate signed by CA private key) openssl ca -in user_req.pem -out client.pem -passin pass:"password"
I am not sure about "rsa" algorithm here. May be I shuold use other algorthm.
So i have root.pem, server.pem, client.pem I put client key and certificate to client.pem And the same thing for server.pem. ( The same way as in the articles sample certificates.)
But when i try to start server with these new generated certificates i have an error: "Couldn't open DH file."
When I put old DH file to current folder and server starts. (dh1024.pem What is it?)
The next step. I start client and I got another error message: "Cetrificate doesn't verify."
The error code is 20. Desciption for code 20 in x509_vfy.h is "unable to get issuer certificate locally"
All of this means that I have created certificates incorrectly. I don't know how to do it correctly.
Does anybody have an idea?
Upvotes: 4
Views: 1922
Answers (2)
Reputation: 2160
This is the solution. May be it is not optimal but it works. The only difference with question solution is option: "-des3 1024"
#!/bin/sh
alg="rsa"
ossl="openssl"
passwd="password"
#certificate autority folder
caFolder="./demoCA"
#delete old certificates, CA folder and keys
rm -rf *.pem
rm -rf $caFolder
#create folder structure
mkdir $caFolder
mkdir "$caFolder/private"
mkdir "$caFolder/newcerts"
#generate RSA private key for CA
$ossl genrsa -out ca_key.pem 1024
#Creating certificate request:
$ossl req -new -key ca_key.pem -out ./ca_req.pem -days 1095 -passin pass:$passwd -passout pass:$passwd \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=TestCAs/CN=TestCA/[email protected] -extensions v3_ca
cp ca_key.pem "$caFolder/private/cakey.pem"
touch "$caFolder/index.txt"
#Create self signed CA certificate
$ossl ca -create_serial -in ca_req.pem -out ca_cert.pem -days 1095 -passin pass:$passwd -selfsign -extensions v3_ca -notext
cp ca_cert.pem "$caFolder/cacert.pem"
#generate SERVER private key and request for certificate
$ossl genrsa -out server_key.pem -passout pass:$passwd -des3 1024
$ossl req -new -key server_key.pem -passin pass:$passwd \
-passout pass:$passwd -out server_req.pem -days 1095 \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=SSLServers/CN=localhost/[email protected]
#create SERVER certifiate (this certificate is not self signed. This certificate signed by CA private key)
$ossl ca -in server_req.pem -out server_cert.pem -passin pass:$passwd -notext
#generate RSA private key for client
$ossl genrsa -out user_key.pem -passout pass:$passwd -des3 1024
#generate request certificate for client
$ossl req -new -key user_key.pem -out user_req.pem -days 1095 \
-passin pass:$passwd -passout pass:$passwd \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=Clients/CN=Client/[email protected]
#create user certifiate (this certificate is not self signed. This certificate signed by CA private key)
$ossl ca -in user_req.pem -out user_cert.pem -passin pass:$passwd -notext
#generate DH param
$ossl dhparam -out dh1024.pem 1024
cat ./user_key.pem ./user_cert.pem > client.pem
cat ./server_key.pem ./server_cert.pem > server.pem
cp ./ca_cert.pem root.pem
Upvotes: 3
Reputation: 2359
The error code is 20 "unable to get issuer certificate locally" is caused because there is no CA certificate Present . Both client and server certificate need to be signed by a common CA .
Upvotes: 1
Related Questions
- Make OpenSSL accept expired certificates
- SSL certificate problem: certificate has expire in macOS
- OpenSSL extensions to CA certificate
- Openssl telling certificate has expired when it has not
- Expired SSL Certificate and Encryption
- Is an expired X509 certificate on a website a security issue?
- SSL CRL Expired Issue
- OpenSSL version 0.96d or later
- x509 certificate Information
- Bad OpenSSL certificate