Creating an SSL certificate

At the Eisenstädter Linuxwochen I learned about a really nice organisation called CaCert. CaCert issues free certificates of all kinds.

So I thought, let's get started and make one of these for the server .... well, easier said than done, but nothing a bit of googling couldn't figure out :)

Simple SSL cert HOWTO

– Make a new SSL private key:

Generate a new unencrypted RSA private key in PEM format:
openssl genrsa -out privkey.pem 2048
Do not go below 2048 bits: the 1024-bit keys older HOWTOs suggest are no longer considered secure. You can create a passphrase-encrypted key by adding the -des3 option (on current OpenSSL releases -aes256 is the better choice); the server then has to be given the passphrase when it starts.

– To make a self-signed certificate:

Create a certificate signing request (CSR) using your RSA private key:
openssl req -new -key privkey.pem -out certreq.csr
( This is also the type of CSR you would create to send to a root CA, such as CaCert, for them to sign for you. )

Self-sign your CSR with your own private key:
openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem
Without -days the resulting certificate is valid for only 30 days; add -days 365 (or whatever you need) to set the validity period. Clients will not trust a self-signed certificate unless it is explicitly installed in their trust store.

– To make a certificate signed by your own certificate authority (CA):

Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
vi /etc/ssl/openssl.cnf
/usr/lib/ssl/misc/CA.pl -newca

Your copy of openssl.cnf and CA.pl may be located elsewhere.

Create a self-signed certificate from your RSA private key (that is what the -x509 option does here):
openssl req -new -x509 -key privkey.pem -out cert.pem
Turn that certificate back into a CSR, signed with your private key:
cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr
( The two steps above produce the same kind of CSR as the plain "openssl req -new -key privkey.pem -out certreq.csr" from the previous section; either route works. )
Sign the certificate with the CA private key using the CSR you just made. openssl ca takes the CA directory, key, default validity and policy from the [ ca ] section of openssl.cnf, i.e. the demoCA setup that CA.pl -newca created:
openssl ca -in certreq.csr -out newcert.pem
rm -f certreq.csr

– To install the signed certificate and private key for use by an SSL server:

The newcert.pem is the certificate signed by your local CA that you can then use in an SSL server. openssl ca writes a human-readable dump in front of the PEM block; passing the file through openssl x509 keeps only the PEM certificate:
( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0 # dot-zero

( The server.pem is a PEM file that can be used by Apache along with the hash file. Because it now contains the private key, restrict it with chmod 600. The hash-named symlink is only needed in a directory that OpenSSL searches for CA certificates, such as Apache's SSLCACertificatePath; for the server's own certificate (SSLCertificateFile) it is not required. On OpenSSL 1.0 and later, -hash produces the new-style subject hash; use -subject_hash_old if you need the pre-1.0 names. )

You can view the contents of a CSR with:
openssl req -noout -text -in certreq.csr
You can view the contents of a certificate with:
openssl x509 -noout -text -in newcert.pem
You can display the fingerprint of a certificate with the following command (MD5 on old OpenSSL releases, SHA-1 by default on current ones; add -sha256 to get the SHA-256 fingerprint, which is the one to compare out of band):
openssl x509 -fingerprint -noout -in newcert.pem
You can verify that your private key, CSR, and signed cert belong together by comparing the hash of their RSA modulus; all three commands must print the same value:
openssl rsa -noout -modulus -in privkey.pem |openssl md5
openssl req -noout -modulus -in certreq.csr |openssl md5
openssl x509 -noout -modulus -in newcert.pem |openssl md5
( MD5 is fine here: it only shortens the modulus for eyeballing and plays no security role. )
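The whole procedure end to end, as an added example that is not part of the original HOWTO or blog post: a POSIX shell script that builds a private CA with plain openssl(1) commands instead of CA.pl, issues a server certificate from a CSR, and runs the checks from above plus a chain verification with openssl verify. The hostname www.example.org, the file names, the validity periods and the working directory are assumptions. It goes one step beyond the text by adding a subjectAltName extension at signing time, which current browsers require (they ignore the CN).

```shell
#!/bin/sh
# Added example, not code from the original HOWTO: private CA + server cert
# with openssl(1) only. Hostname, paths and validity periods are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for all key material
HOST="www.example.org"          # assumed server hostname

make_ca() {
  # 4096-bit RSA CA key and a self-signed CA certificate valid for 10 years
  openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -days 3650 \
    -subj "/CN=Example Private CA" -out "$WORK/ca.pem"
}

make_server_csr() {
  # 2048-bit server key and a CSR, as in the HOWTO (non-interactive via -subj)
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" -out "$WORK/server.csr"
}

sign_server_cert() {
  # Sign the CSR with the CA; the extension file adds the SAN that browsers
  # require and limits the cert to server authentication.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/server.ext" \
    -out "$WORK/server.pem" 2>/dev/null
}

# Prints "ok" when server.pem chains to ca.pem, "fail" otherwise
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Prints "match" when the key's RSA modulus equals the certificate's modulus
# (same check as the HOWTO's modulus comparison, with SHA-256 instead of MD5)
keys_match() {
  k=$(openssl rsa -noout -modulus -in "$WORK/server.key" 2>/dev/null | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$WORK/server.pem" | openssl sha256)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# Prints the first DNS entry of the issued certificate's subjectAltName
cert_san() {
  openssl x509 -noout -text -in "$WORK/server.pem" \
    | sed -n 's/.*\(DNS:[^, ]*\).*/\1/p' | head -n 1
}

build_all() {
  make_ca
  make_server_csr
  sign_server_cert
  chmod 600 "$WORK/ca.key" "$WORK/server.key"   # private keys: owner-only
}

build_all
echo "chain: $(verify_chain)  key/cert: $(keys_match)  SAN: $(cert_san)"
```

Point Apache's SSLCertificateFile at server.pem and SSLCertificateKeyFile at server.key; clients need ca.pem in their trust store, and the CA key should live on a machine that is not the web server.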