Feb 19, 2015

OpenSSL - Generate SSL certificates in Linux VPS

Openssl introduction

OpenSSL is a set of libraries and command-line utilities, written in C, for Linux, *BSD, Solaris, AIX, Windows and other operating systems. It implements the SSL and TLS protocols, provides cryptographic primitives and offers utilities for PKI administration. A Linux VPS administrator's day-to-day job involves using OpenSSL to generate and verify certificates and to troubleshoot SSL/TLS issues on HTTPS websites.

SSL certificates – the concept

As the name suggests, SSL certificates are digital certificates that allow two parties, usually an HTTPS web server and a client (browser) or two IPsec endpoints, to authenticate each other and to encrypt and sign the data they exchange. HTTPS is clear-text HTTP carried over SSL or TLS; the S stands for secure. It relies on a key pair: a private key (usually the .key file, which must never leave the server) and a public certificate (usually a .crt or .pem file) that binds the public key to a name. PEM is only an encoding (Base64 between BEGIN/END markers) that can hold keys, certificates and requests alike; the same objects can also be stored in binary DER form. A public certificate can be self-signed (it is its own issuer) or signed by a recognized Certificate Authority (CA), free or commercial. The vast majority of HTTPS websites generate the key pair themselves, with OpenSSL or with a hardware security device. An RSA private key file holds the whole key: the modulus, the public exponent and the private exponent (plus the primes that speed up private-key operations), so the public half can always be derived from it. From the private key, OpenSSL derives the public key and builds a Certificate Signing Request (CSR): the public key plus the requested Subject, signed with the private key. The CSR is sent to a public or private CA, which signs it and returns the public certificate. After signing, the certificate's Subject and Issuer sections look like this:

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: Feb  5 02:45:55 2015 GMT
            Not After : Feb  5 15:43:21 2016 GMT
        Subject: C=NL, CN=www.domain.com/[email protected]
This tells the browser that the certificate it receives from the HTTPS website is valid for www.domain.com, that it is valid between Feb 5 2015 and Feb 5 2016, and that it was signed by an Issuer the browser already trusts. Note that the Issuer here is an intermediate CA, not a root: the browser trusts it only because it chains up to a StartCom root in the browser's trust store, so the server must send that intermediate certificate along with its own. Thus, the browser will not display a warning when it accesses https://www.domain.com within the validity interval. The security of HTTPS is founded on the basic principle (implemented by the more complex SSL/TLS handshake) that the public certificate an HTTPS server presents to its clients is signed by a third party, the Certificate Authority, that those clients trust, as in the example above.

Using Openssl to generate certificates for your HTTPS webserver in a Linux VPS

As a VPSie customer, once your Linux VPS has been deployed, customized and secured to match your requirements, it is time to install the packages that turn it into a server for your services. If the VPS is to host an HTTPS website, you will need a private key (from which the public key is derived) and a CSR.

OpenSSL SSL certificates generation

All our Linux VPS packages ship with OpenSSL by default, so there are no prerequisites for generating the SSL private key and the certificate signing request (CSR). You can use the /etc/ssl/ folder to keep your certificates; the private key belongs in /etc/ssl/private, which is not world-readable on Debian-based systems. The openssl subcommand responsible for RSA private key generation is genrsa. The private key can be stored encrypted with DES, 3DES, AES or Camellia, or left unencrypted. An encrypted key requires its passphrase every time the web server starts, which is why unattended servers often keep the key unencrypted and rely on restrictive file permissions (mode 0600, owned by root) instead. If you do encrypt it, choose AES; single DES is obsolete and offers no real protection.
[email protected]:~# cd /etc/ssl/private/
[email protected]:/etc/ssl/private# openssl genrsa -h
usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator
Generate an encrypted private key (here 2048-bit RSA, protected with AES-128; the passphrase is asked for twice):
[email protected]:/etc/ssl/private# openssl genrsa -aes128 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
Now that we have the private key, the next step is to generate a certificate signing request which will need to be sent to a Certificate Authority for signing:

[email protected]:/etc/ssl/private# openssl req -new -key private.key -out certificate.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Linux VPS
Organizational Unit Name (eg, section) []:VPS
Common Name (e.g. server FQDN or YOUR name) []:www.mydomain.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
[email protected]:/etc/ssl/private# cat certificate.csr
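The same key-and-CSR procedure, run non-interactively and followed by the checks worth doing before a CSR leaves the server, and ending with a read-back of the Subject/Issuer/Validity fields explained in the certificate section above. This is an added example, not code from the original article or from VPSie. It assumes a scratch work directory (a temp directory by default, not /etc/ssl/private) and the hostname www.mydomain.com from the prompts above; the DN values are the ones typed interactively above, and the subjectAltName and second DNS name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): key + CSR generation without
# prompts, plus the checks to run before sending the CSR to a CA.
# Assumed: WORKDIR (temp dir by default) and the article's hostname.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="www.mydomain.com"
KEY="$WORKDIR/private.key"
CSR="$WORKDIR/certificate.csr"
CRT="$WORKDIR/selfsigned.crt"

# 1. Private key. The article uses -aes128 (passphrase-protected); an unattended
#    service cannot type a passphrase, so this version keeps the key unencrypted
#    and relies on umask 077 so the file is created mode 0600.
gen_key() {
    ( umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null )
}

# 2. CSR driven by a config file instead of the interactive prompts. prompt = no
#    takes the DN from [dn]; req_extensions adds a subjectAltName, which browsers
#    require today (the CN alone is no longer honoured for hostname matching).
gen_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
C  = US
ST = New York
L  = New York
O  = My Linux VPS
OU = VPS
CN = $CN

[v3_req]
subjectAltName = DNS:$CN, DNS:mydomain.com
EOF
    openssl req -new -key "$KEY" -out "$CSR" -config "$WORKDIR/csr.cnf"
}

# 3a. A CSR is self-signed with the private key; -verify checks that signature,
#     i.e. that whoever built the request actually holds the key.
csr_verify() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# 3b. Key and CSR must share the same RSA modulus. Hashing the modulus keeps the
#     comparison short; a mismatch means the CSR was built from another key.
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$CSR" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# 3c. Confirm the SAN made it into the request; a CA signs what it is asked for.
csr_has_san() {
    openssl req -in "$CSR" -noout -text | grep -q "DNS:$CN"
}

# 4. Self-sign the CSR to read back the fields the article explains. A
#    self-signed certificate is its own issuer, so Subject == Issuer; a
#    CA-signed one carries the CA's name in Issuer instead.
self_sign() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CRT" 2>/dev/null
}

cert_subject_equals_issuer() {
    s=$(openssl x509 -in "$CRT" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$CRT" -noout -issuer  | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

if command -v openssl >/dev/null 2>&1; then
    gen_key
    gen_csr
    csr_verify
    key_matches_csr
    csr_has_san
    self_sign
    cert_subject_equals_issuer
    # Subject, Issuer and the validity window, as a browser would read them.
    openssl x509 -in "$CRT" -noout -subject -issuer -dates
fi
```

Because the script runs under set -e, any failing check aborts it before the final read-back, so a silent exit code other than 0 means one of the checks (signature, modulus match, SAN) did not hold. The self-signed certificate is for inspection only; the CSR is what goes to the CA.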
In the next article, we will discuss how to enroll for a free SSL certificate with a trusted Certificate Authority.

You can try these SSL settings on our platform in a few minutes using our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network with NAT, port forwarding, inbound and outbound traffic control and multiple gateway IPs that you can use for load balancing and failover.