OpenSSL is a set of libraries and utilities written in C for Linux, *BSD, Solaris, AIX, Windows and other operating systems. It implements the SSL and TLS protocols and provides cryptographic functions and utilities for PKI administration. The day-to-day job of any Linux VPS administrator involves working with OpenSSL to generate certificates, verify certificates and troubleshoot SSL/TLS issues and HTTPS websites.
SSL certificates – the concept
As the name suggests, OpenSSL certificates are digital certificates that allow two parties, usually an HTTPS web server and a client (browser) or two IPsec endpoints, to authenticate to each other and to encrypt and sign the data that they exchange. HTTPS is the mechanism of encrypting the clear-text HTTP protocol using SSL or TLS; it is secure (in theory), hence the S. HTTPS is intended to be secure because it uses a private and public key pair, each encoded in a separate certificate: the private certificate (usually referred to as the key) and the public certificate (usually referred to as the CRT or PEM certificate). PEM is actually an encoding mechanism for SSL certificates.
SSL public certificates can be self-signed (they are their own issuer) or they can be signed by a recognized Certificate Authority (CA), either free or commercial. The vast majority of HTTPS websites obtain the public/private key pair (an SSL private certificate/key actually holds a public [modulus] key and a private [exponent] key) via internally generated mechanisms such as OpenSSL or via 3rd-party security devices. From the private part, OpenSSL will extract the public key (modulus) and create a Certificate Signing Request (CSR). The CSR is sent to a public or private Certificate Authority, which signs it, resulting in a public certificate. After it has been signed, the Subject and Issuer sections of the public certificate will look like:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
    Not Before: Feb 5 02:45:55 2015 GMT
    Not After : Feb 5 15:43:21 2016 GMT
Subject: C=NL, CN=www.domain.com/emailAddress=firstname.lastname@example.org
This tells the browser that the certificate it receives from the HTTPS website is valid for www.domain.com, that it is valid between Feb 5 2015 and Feb 5 2016, and that it is signed by an Issuer which the browser already trusts. Thus, the browser will not display a warning when it accesses the website at https://www.domain.com in the time interval when the certificate is valid.
The security of HTTPS websites is founded on the basic principle (and more complex SSL handshake) that the public certificate provided by an HTTPS server to its clients is signed by a 3rd party – the Certificate Authority – that is trusted by these clients, as in the example above.
Using OpenSSL to generate certificates for your HTTPS webserver in a Linux VPS
As a VPSie customer, once a Linux VPS server has been deployed, customized and secured to match your requirements, it is time to deploy the Linux packages that will turn your VPS into a server that provides services.
If the VPS is meant to host an HTTPS website, you will need the private/public key pair (private key) and a CSR.
OpenSSL SSL certificates generation
All our Linux VPS packages are shipped with OpenSSL by default so there are no direct prerequisites to generating the SSL private key and the certificate signing request (CSR).
About OpenSSL genrsa
You can use the /etc/ssl/ folder to keep your certificates. The OpenSSL module that is responsible for RSA private key generation is genrsa.
A private key may or may not be encrypted using the DES/3DES/AES/Camellia algorithms. If you choose to encrypt it, it will require a passphrase.
root@vpsie:~# cd /etc/ssl/private/
root@vpsie:/etc/ssl/private# openssl genrsa -h
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed           encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator
Generate encrypted private key / certificate
root@vpsie:/etc/ssl/private# openssl genrsa -aes128 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
Now that we have the private key, the next step is to generate a certificate signing request which will need to be sent to a Certificate Authority for signing:
root@vpsie:/etc/ssl/private# openssl req -new -key private.key -out certificate.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Linux VPS
Organizational Unit Name (eg, section) []:VPS
Common Name (e.g. server FQDN or YOUR name) []:www.mydomain.com
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
root@vpsie:/etc/ssl/private# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC3jCCAcYCAQAwgZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazER
MA8GA1UEBwwITmV3IFlvcmsxFjAUBgNVBAoMDVZNeSBMaW51eCBWUFMxDDAKBgNV
BAsMA1ZQUzEZMBcGA1UEAwwQd3d3Lm15ZG9tYWluLmNvbTEiMCAGCSqGSIb3DQEJ
ARYTYW5kcmVpQG15ZG9tYWluLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALOjKtbuRemm88No93EfoGeVZU+7IGr6AIaqX0esKDxq5Vtlm+71gc2z
msRL6G7xJU4DvbBdOKBkSKaSdEhPt4uCtgHJpNSA1ez0s2FFXASbN3LPR9oxmyxl
W8oCmAkZNP9B+H0i9kpRs3FtVQzb3fWVMw9slB7bh2p1ZZg/PJm7fE2uAg7vcMAg
9FL+MNKKq7WDSafGqvCV+kVYmguAmgGbsfq2wB0X6I9v0i7sx0Fxmc+B8ZwDj1us
heq5Lt9kF4c63DEjfGhIG8wT8aCIgir7PdCHttppfJz4uXK092EI37ImwDl2lKsX
+Rg2ojqhXzKbxtX4mZoZS0dUlOhladcCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IB
AQA/zOGxiGx8JW4SCnY99bsaiA4zr/a0g33A7E/tSx4gNP9C5CKUk3TUNrZL0h4h
dEwr5yNcp90UWo0zZ6TXid+XaaAcGaF63uX+GrE5lIBSmCX3BohHAaKlYIZG9Pr/
I0pSMfqU6dQQy4CbMiFy0hrBBgcdQIs1xeFVHtU8uG1nFAAsHM+7kaGIjD8yYiOo
4Hf+bEzN+PUEmOwRNsxs4tT4MpeR1U7BBRevtzh3sZ3pRNlJ2lPX/z2+P3rQUARc
9Fq92ORt5TrJHUnTO4tsYxBf8W5P9qckXbmMM9jkMfIDx5RQ0QaTxyaI1uO70Srg
gMZSPb8FRdqtgc1Xha/FIAhK
-----END CERTIFICATE REQUEST-----
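The genrsa and req steps above can also be run without prompts and followed by two checks worth doing before the CSR goes to a CA: that its self-signature verifies and that it carries the public half of the intended private key. This is an added example, not part of the original article; the KEY_PASS variable, the function names, the explicit -sha256 digest and the temporary directory are assumptions.

```bash
#!/usr/bin/env bash
# Added example: non-interactive genrsa / req, then CSR checks.
# Assumption: the passphrase is supplied in the exported variable KEY_PASS,
# so it never appears on the command line or in the process list.

# Create an AES-128 encrypted 2048-bit RSA key and a SHA-256 signed CSR in $1.
make_key_and_csr() {
    local dir=$1 cn=$2
    (
        umask 077    # key and CSR are created readable by the owner only
        openssl genrsa -aes128 -passout env:KEY_PASS \
            -out "$dir/private.key" 2048 2>/dev/null &&
        openssl req -new -sha256 -key "$dir/private.key" -passin env:KEY_PASS \
            -subj "/C=US/ST=New York/L=New York/O=My Linux VPS/OU=VPS/CN=$cn" \
            -out "$dir/certificate.csr"
    )
}

# Succeed only if the CSR's self-signature verifies (it was not altered).
# The message is matched because older releases exit 0 even on failure.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed only if the CSR carries the public half of the given private key.
csr_matches_key() {
    local key=$1 csr=$2 from_key from_csr
    from_key=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout) || return 1
    from_csr=$(openssl req -in "$csr" -noout -pubkey) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Demo run in a throwaway directory (constructed passphrase and hostname).
demo() {
    local work
    work=$(mktemp -d) || return 1
    export KEY_PASS='constructed-demo-passphrase'
    make_key_and_csr "$work" www.mydomain.com &&
        csr_signature_ok "$work/certificate.csr" &&
        csr_matches_key "$work/private.key" "$work/certificate.csr" &&
        echo "CSR verified and bound to private.key"
    local rc=$?
    rm -rf "$work"
    return $rc
}
demo
```

Comparing the extracted public keys rather than the RSA modulus means the same check works unchanged for non-RSA keys.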
In the next article, we will discuss how to enroll for a free SSL certificate with a trusted Certificate Authority.
You can try these SSL settings on our platform in a few minutes using our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network with NAT, port forwarding, inbound and outbound traffic control, and multiple gateway IPs that you can use for load balancing and failover.