$Date: 2009/11/10 16:33:58 $

Introduction

These are my notes in trying to figure out OpenSSL Public Key Infrastructure (PKI).

Unsorted notes

On the examples in Network Security with OpenSSL:

Common procedures

Generating a private key

No matter if you are setting up a Certificate Authority (CA), or just setting up SSL for a web server, a private key is needed. This is the fundamental cryptographic requirement.

To generate a 4096-bit RSA key, encrypted under a passphrase (the -des3 option; you will be prompted for it):

openssl genrsa -des3 -out my_private_key.pem 4096

This private key file is then stored in the appropriate directory for the application you need. N.B. this key must never be exposed, so it should have permissions which allow only root to read it, with all write permissions removed, i.e. mode 0400.

Generating a Certificate Request

openssl req -new -key /etc/pki/tls/private/my_private_key.pem \
-out my_request.pem -outform PEM

Using a Request to generate a certificate

openssl ca -in somebodys_request.pem
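A worked run of the key, request and signing steps above, as an added example (not from these notes): it builds a disposable CA with the same layout as /etc/pki/CA, issues a server certificate from a request with openssl ca, and checks the result. It assumes a POSIX shell with the openssl CLI; every path under $WORK, the CA name and the server CN are constructed for the demo.

```shell
# Added example (not from the notes): a throw-away CA laid out like Fedora's
# /etc/pki/CA; $WORK and every path under it are constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/CA"
build_ca_and_issue() {
    # Layout plus the certificate database and serial file that openssl ca expects.
    mkdir -p "$CA/private" "$CA/certs" "$CA/newcerts"
    : > "$CA/index.txt"; echo 01 > "$CA/serial"
    # Minimal config mirroring the [ CA_default ] section of the system openssl.cnf.
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
certificate = $CA/cacert.pem
private_key = $CA/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # CA key has no passphrase so the demo runs unattended, hence mode 0400.
    openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null
    chmod 0400 "$CA/private/cakey.pem"
    openssl req -new -x509 -days 365 -key "$CA/private/cakey.pem" -subj "/CN=Demo CA" \
        -out "$CA/cacert.pem" -config "$CA/openssl.cnf"
    # Separate key for the TLS service, as the notes recommend; then CSR, then sign.
    openssl genrsa -out "$WORK/server_key.pem" 2048 2>/dev/null
    chmod 0400 "$WORK/server_key.pem"
    openssl req -new -key "$WORK/server_key.pem" -subj "/CN=www.example.test" \
        -out "$WORK/server_req.pem" -config "$CA/openssl.cnf"
    openssl ca -batch -notext -config "$CA/openssl.cnf" -in "$WORK/server_req.pem" \
        -out "$WORK/server_cert.pem" 2>/dev/null
}
# Succeeds only if the server key is mode 0400 and its certificate chains to the CA.
check_issued() {
    [ "$(ls -l "$WORK/server_key.pem" | cut -c1-10)" = "-r--------" ] || return 1
    openssl verify -CAfile "$CA/cacert.pem" "$WORK/server_cert.pem" >/dev/null
}
```

Run build_ca_and_issue followed by check_issued; the issued certificate lands in $WORK/server_cert.pem and a copy, named by serial, in $CA/newcerts.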

Location for the private key in Fedora

The locations below are the defaults. These may be changed by modifying the configuration files for the individual services.

Certificate Authority (CA)

In Fedora, all CA-related files are located in

/etc/pki/CA/

The private key file should be in

/etc/pki/CA/private/

Transport Layer Security (TLS/SSL)

Similarly, the TLS files are located in

/etc/pki/tls/

and the private key should be in

/etc/pki/tls/private/

The private key for the CA and for TLS should be different, as they are conceptually different entities in the PKI.

Services which use OpenSSL

The configuration files for httpd and slapd both have lines which define where the certificate for SSL is kept. Both httpd and slapd may use the same certificate, although this is not the default configuration.

LDAP

The config file

/etc/openldap/slapd.conf

contains lines which determine where the certificate file, the private key, and the CA bundle are located.

To start the LDAP server (slapd) with TLS enabled, edit the /etc/init.d/ldap script to include the line:

SLAPD_LDAPS="yes"

HTTPD

So that you do not have to enter the private key passphrase every time the httpd server starts up, you have to remove the passphrase from the private key. The unencrypted key is then protected only by its file permissions (mode 0400, as above). To do so:

cd /etc/pki/tls/private
openssl rsa -in my_private_key.pem -out my_private_key_nopass.pem
mv my_private_key_nopass.pem my_private_key.pem

The config file

/etc/httpd/conf.d/ssl.conf

contains lines which determine where the certificate file, the private key, and the CA bundle are located. You may also do this on a per-virtual-host basis.
