Openssl introduction
Openssl is a set of C libraries and utilities written in C for the Linux, *BSD, Solaris, AIX, Windows (and others) operating systems that implements the SSL and TLS protocols, provides cryptographic functions and utilities for PKI administration. Any Linux VPS administrator day-to-day job implies working with OpenSSL to generate certificates, verify certificates and troubleshoot SSL/TLS issues and HTTPS websites.SSL certificates – the concept
As the name suggests, Openssl certificates are digital certificates that allow two parties, usually an HTTPS webserver and client (browser) or two IPSEC endpoints, to authenticate to each other and encrypt and sign data that they exchange. HTTPS is the mechanism of encrypting clear text HTTP protocol using SSL or TLS, it is secure (in theory), hence the S. HTTPS is intended to be secure because it uses a pair of private and public key each encoded in separate certificates: Private certificate (usually referred to as the key) and public certificate (usually referred to as the CRT or PEM certificate). PEM is actually an encoding mechanism of SSL certificates. SSL public certificates can be self signed (they are their own issuer) or they can be signed by a recognized Certificate Authority (CA) – free or commercially. In the case of the vast majority of HTTPS website, they obtain the public / private key pair (an SSL private certificate/key actually holds a public public [modulus] key and a private [exponent] key) via internally generated mechanisms such as Openssl or via 3rd party security devices. From the private part, OpenSSL will extract the public key (modulus) and create a Certificate Signing Request (CSR). The CSR is sent to a public or private Certificate Authority to sign the CSR that results in a public certificate. The public certificate Subject and Issure sections, after it has been signed, will look like:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
Not Before: Feb 5 02:45:55 2015 GMT
Not After : Feb 5 15:43:21 2016 GMT
Subject: C=NL, CN=www.domain.com/[email protected]Using Openssl to generate certificates for your HTTPS webserver in a Linux VPS
As a VPSie customer, when a Linux VPS server is deployed, after the VPS has been customized and secured to match your requirements, it is time to deploy Linux packages that will allow to transform your VPS server into services server. If the VPS scope is to become an HTTPS website, you will need the private/public key pair (private key) and a CSR.OpenSSL SSL certificates generation
All our Linux VPS packages are shipped with OpenSSL by default so there are no direct prerequisites to generating the SSL private key and the certificate signing request (CSR). About Openssl genrsa You can use the /etc/ssl/ folder to keep your certificates. The openssl module the is responsible with private rsa key generation is genrsa. A private key can be encrypted using DES/3DES/AES/Camelia algorithms or not. If you choose to encrypt it it will require a passphrase.root@vpsie:~# cd /etc/ssl/private/
root@vpsie:/etc/ssl/private# openssl genrsa -h
usage: genrsa [args] [numbits]
-des encrypt the generated key with DES in cbc mode
-des3 encrypt the generated key with DES in ede cbc mode (168 bit key)
-seed
encrypt PEM output with cbc seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-out file output the key to 'file
-passout arg output file pass phrase source
-f4 use F4 (0x10001) for the E value
-3 use 3 for the E value
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
root@vpsie:/etc/ssl/private# openssl genrsa -aes128 -out private.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
root@vpsie:/etc/ssl/private# openssl req -new -key private.key -out certificate.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]My Linux VPS
Organizational Unit Name (eg, section) []:VPS
Common Name (e.g. server FQDN or YOUR name) []:www.mydomain.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
root@vpsie:/etc/ssl/private# cat certificate.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC3jCCAcYCAQAwgZgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazER
MA8GA1UEBwwITmV3IFlvcmsxFjAUBgNVBAoMDVZNeSBMaW51eCBWUFMxDDAKBgNV
BAsMA1ZQUzEZMBcGA1UEAwwQd3d3Lm15ZG9tYWluLmNvbTEiMCAGCSqGSIb3DQEJ
ARYTYW5kcmVpQG15ZG9tYWluLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBALOjKtbuRemm88No93EfoGeVZU+7IGr6AIaqX0esKDxq5Vtlm+71gc2z
msRL6G7xJU4DvbBdOKBkSKaSdEhPt4uCtgHJpNSA1ez0s2FFXASbN3LPR9oxmyxl
W8oCmAkZNP9B+H0i9kpRs3FtVQzb3fWVMw9slB7bh2p1ZZg/PJm7fE2uAg7vcMAg
9FL+MNKKq7WDSafGqvCV+kVYmguAmgGbsfq2wB0X6I9v0i7sx0Fxmc+B8ZwDj1us
heq5Lt9kF4c63DEjfGhIG8wT8aCIgir7PdCHttppfJz4uXK092EI37ImwDl2lKsX
+Rg2ojqhXzKbxtX4mZoZS0dUlOhladcCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IB
AQA/zOGxiGx8JW4SCnY99bsaiA4zr/a0g33A7E/tSx4gNP9C5CKUk3TUNrZL0h4h
dEwr5yNcp90UWo0zZ6TXid+XaaAcGaF63uX+GrE5lIBSmCX3BohHAaKlYIZG9Pr/
I0pSMfqU6dQQy4CbMiFy0hrBBgcdQIs1xeFVHtU8uG1nFAAsHM+7kaGIjD8yYiOo
4Hf+bEzN+PUEmOwRNsxs4tT4MpeR1U7BBRevtzh3sZ3pRNlJ2lPX/z2+P3rQUARc
9Fq92ORt5TrJHUnTO4tsYxBf8W5P9qckXbmMM9jkMfIDx5RQ0QaTxyaI1uO70Srg
gMZSPb8FRdqtgc1Xha/FIAhK
-----END CERTIFICATE REQUEST-----
You can actually try these SSL settings on our platform in few minutes utilizing our PCS (Private Cloud Solution) which allows you to have VPSie(s) on a private network – NAT – Port forward – traffic control for inbound and outbound – multiple gateway IPs which you could use for the load-balancing and failover.
