Intro
This page gives a simple overview of how to create X.509 certificates that can be used for authentication and encryption with IPsec systems such as FreeS/WAN, Openswan, strongSwan, Windows 2000, Windows XP and various VPN hardware. There is a lot of info here, but just follow it step by step; it is not that bad really!
There are a number of steps to follow to generate a complete system, and these are :-
- * Creation of a certificate Authority (CA)
- * Generate a Certificate Revocation List (CRL)
- * Generate a client certificate
- * Sign the client certificate with CA
- * (optional) Packing up the files so Windows understands them
Creation of a Certificate Authority (CA)
Before you create the CA you may wish to adjust some of the default creation parameters. Find your OpenSSL config file, called openssl.cnf :-
Debian /etc/ssl/openssl.cnf
Mandrake 10.1 /usr/lib/ssl/openssl.cnf
You may wish to change how long the certificates signed by the CA are valid for. The default is 365 days, so if you wish to change this then look for the line
default_days = 365
and change it to however many days you desire. Note that in most versions CA.sh passes its own -days option (the CADAYS setting near the top of the script, typically 1095 days) when it creates the CA certificate itself, so default_days governs the client certificates you sign later rather than the CA; edit CADAYS if you want a longer-lived CA. While you are in this file, check default_bits in the [ req ] section: if it still says 1024, raise it to 2048 or more, as 1024-bit RSA keys are no longer considered adequate. You may also wish to adjust some other defaults. If you are going to generate more than a couple of certificates then set some of the defaults in this file so that you don't have to remember every line, and it saves a bit of typing. Look for the following lines to change:
countryName_default = AU
stateOrProvinceName_default = Some-State
0.organizationName_default = Internet Widgits Pty Ltd
I changed these to suit myself and added in one extra default :-
countryName_default = UK
stateOrProvinceName_default = Cornwall
0.organizationName_default = mycompany
localityName_default = Falmouth
Create a secure directory to house the CA, as the process will generate private keys that MUST be kept secure, or anybody with access to the keys can sign client certificates with YOUR CA (and those certificates will be accepted by every VPN gateway that trusts it). In this example I am creating a CA for "mycompany", which is just a name I have picked for the example. So first create the directory :-
[root@localhost /]# mkdir /root/mycompanyCA
[root@localhost /]# chmod 700 /root/mycompanyCA
[root@localhost /]# cd /root/mycompanyCA
Now you are ready to create the Certificate Authority. Note the CA will be generated as a subdirectory called demoCA in the current folder; if you don't like demoCA, change it in openssl.cnf. Next run the following command (adjusted for your exact distribution) to create a CA, and answer each question. On the first prompt just press enter. The pass phrase you are then asked for protects the CA's private key; it is REQUIRED to SIGN every client certificate later, so don't forget it, and don't use a weak one. If you have added the defaults to openssl.cnf then you can press enter for most fields and just type in a name and an email address. Use a sensible name/email that relates to a computer network admin (e.g. you) so that it is clear whose CA this is.
[root@localhost mycompanyCA]# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: mypassword
Verifying - Enter PEM pass phrase: mypassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Cornwall]:
Locality Name (eg, city) [Falmouth]:
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mycompany Certificat Authority
Email Address []:CA@cornelius.demon.co.uk
This has now created a CA in /root/mycompanyCA/demoCA, with the CA certificate in demoCA/cacert.pem and the (pass-phrase protected) CA private key in demoCA/private/cakey.pem.
Generating a CRL
This is very simple, just run the command
[root@localhost mycompanyCA]# openssl ca -gencrl -out crl.pem
This will ask you for your CA password and then generate a crl.pem file in the current directory. Note that a CRL carries its own expiry date (default_crl_days in openssl.cnf, 30 days in the stock file), so it must be regenerated before it lapses and again after every revocation (openssl ca -revoke <certificate>), otherwise gateways that insist on a fresh CRL (strictcrlpolicy in the swans) will start refusing connections.
Generating a client certificate
Once the CA has been created you can generate client certificates as and when you require. The process is to enter the CA directory /root/mycompanyCA and run the CA.sh script with the -newreq option. This example assumes you have been following the examples and have adjusted the defaults in openssl.cnf.
[root@localhost mycompanyCA]# /usr/lib/ssl/misc/CA.sh -newreq
Generating a 1024 bit RSA private key
...............++++++
...............................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: mypassword
Verifying - Enter PEM pass phrase: mypassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Cornwall]:
Locality Name (eg, city) [Falmouth]:
Organization Name (eg, company) [mycompany]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Robin Cornelius
Email Address []:robin@cornelius.demon.co.uk
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
Here I have created a certificate for myself, Robin Cornelius. The Common Name and Email are not checked by anything at this stage, but the full Distinguished Name becomes the identity the swans match on (leftid/rightid) once the certificate is in use, so it makes a lot of sense to use real people's names, or perhaps to refer to individual laptop computers, for example if they are shared.
Signing the client certificate
Now to complete the procedure the client certificate needs to be signed by the CA.
[root@localhost mycompanyCA]# /usr/lib/ssl/misc/CA.sh -sign
You will be asked for the CA password. After this you will get a load of information about the certificate, then you will be asked
Sign the certificate? [y/n]:y
and
1 out of 1 certificate requests certified, commit? [y/n]y
followed by a load more information. Look back at that information and make a careful note of the Issuer line, e.g.
Issuer: C=UK, ST=Cornwall, L=Falmouth, O=mycompany, CN=Certificate Authority/emailAddress=ca@cornelius.demon.co.uk
This will be needed for Windows clients (it relates to the CA, not the client certificate, so you only need to note it once, not each time).
Before we are finished we should rename the files just generated to something sensible. newcert.pem is the signed certificate (containing the public key), and newreq.pem holds the pass-phrase protected private key (together with the original request, which does no harm). So a good idea for this example might be :-
[root@localhost mycompanyCA]# mv newcert.pem robin.cornelius.demon.co.uk.pem
[root@localhost mycompanyCA]# mv newreq.pem robin.cornelius.demon.co.uk.key
The .key and .pem can be directly used by "the swans" as demonstrated here
Packing up the files so Windows understands them
Windows expects the certificates in a particular format, and a PKCS#12 (.p12) file is the most convenient. To generate a p12 file containing the private key, the client certificate and the CA certificate, run the following command
[root@localhost mycompanyCA]# openssl pkcs12 -export -in robin.cornelius.demon.co.uk.pem -inkey robin.cornelius.demon.co.uk.key \
    -certfile demoCA/cacert.pem -out robin.cornelius.demon.co.uk.p12
You will be asked for the pass phrase on the client private key (the one given at -newreq), and then for an export password. You can leave the export password blank if you like, but remember that the .p12 contains the private key, so if the file is going to travel by email or on a USB stick, set one and pass it on separately.
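The whole procedure above, as an added example that is not part of the original howto: the same CA, client certificate, CRL and .p12 steps done non-interactively with bare openssl commands (not CA.sh) in a scratch directory, with two checks the howto does not show, namely verifying the client certificate against the CA with CRL checking switched on, and confirming that the certificate is rejected once it has been revoked. The subjects, file names, pass phrases and the minimal openssl.cnf are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original howto: CA -> client cert -> CRL ->
# PKCS#12 with bare openssl commands instead of CA.sh, plus a verify check
# before and after revocation.  Names, subjects and passwords are assumptions.
set -eu

# Minimal openssl.cnf for "openssl req"/"openssl ca", so the example does
# not depend on where the distribution keeps its own copy.
write_ca_config() {
    ca_root=$1
    cat > "$ca_root/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $ca_root/demoCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_anything
x509_extensions  = usr_cert
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Run one command quietly; report which step failed.
step() {
    "$@" >/dev/null 2>&1 && return 0
    echo "failed: $1 $2" >&2
    return 1
}

# Returns 0 only if the fresh certificate verifies, the revoked one is
# rejected, and the .p12 bundle reads back.  On failure the scratch
# directory is left behind for inspection.
run_demo() {
    work=$(mktemp -d) || return 1
    ca=$work/demoCA
    cfg=$work/openssl.cnf
    capass=mypassword   # CA key pass phrase as in the howto; "pass:" on a
                        # command line is visible to other users, demo only
    write_ca_config "$work"
    mkdir -p "$ca/private" "$ca/newcerts" && chmod 700 "$ca/private"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"

    # Step 1: the CA (self-signed, 3 years, key encrypted with $capass).
    step openssl req -config "$cfg" -x509 -newkey rsa:2048 -days 1095 \
        -keyout "$ca/private/cakey.pem" -passout "pass:$capass" -out "$ca/cacert.pem" \
        -subj "/C=UK/ST=Cornwall/L=Falmouth/O=mycompany/CN=mycompany Certificate Authority" || return 1

    # Step 2: client key + request (key left unencrypted so nothing prompts).
    step openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -keyout "$work/client.key" -out "$work/client.req" \
        -subj "/C=UK/ST=Cornwall/L=Falmouth/O=mycompany/CN=Robin Cornelius" || return 1

    # Step 3: sign it; this is the step that needs the CA pass phrase.
    step openssl ca -config "$cfg" -batch -passin "pass:$capass" \
        -in "$work/client.req" -out "$work/client.pem" || return 1

    # Step 4: an (empty) CRL, then verify with CRL checking on.  "openssl
    # verify" reads CRLs from -CAfile, so CA certificate and CRL are concatenated.
    step openssl ca -config "$cfg" -gencrl -passin "pass:$capass" -out "$work/crl.pem" || return 1
    cat "$ca/cacert.pem" "$work/crl.pem" > "$work/trust.pem"
    step openssl verify -crl_check -CAfile "$work/trust.pem" "$work/client.pem" || return 1

    # Step 5: revoke, regenerate the CRL, and confirm the same check now fails.
    step openssl ca -config "$cfg" -revoke "$work/client.pem" -passin "pass:$capass" || return 1
    step openssl ca -config "$cfg" -gencrl -passin "pass:$capass" -out "$work/crl.pem" || return 1
    cat "$ca/cacert.pem" "$work/crl.pem" > "$work/trust.pem"
    if openssl verify -crl_check -CAfile "$work/trust.pem" "$work/client.pem" >/dev/null 2>&1; then
        echo "revoked certificate still verifies" >&2
        return 1
    fi

    # Step 6: the .p12 bundle for Windows, with an export password, read back once.
    step openssl pkcs12 -export -in "$work/client.pem" -inkey "$work/client.key" \
        -certfile "$ca/cacert.pem" -out "$work/client.p12" -passout pass:exportpw || return 1
    step openssl pkcs12 -in "$work/client.p12" -passin pass:exportpw -noout || return 1

    rm -rf "$work"
    return 0
}
```

Run it with `run_demo && echo ok`. The verify step is the one worth copying into your own process: without a current CRL in the trust file, -crl_check fails even for a good certificate, which is exactly the behaviour a strict gateway shows when the CRL has lapsed.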