The following sections contains the steps for quick-start creation/signing of certificates for running the Database Encryption, TLS Replication, and/or TLS sockets examples. These steps are for demonstration/training purpose only and should never be used in production. The steps you might use in your environment and the certificate operations related to creation, signing, renewal, revocation, placement, protection, etc. should be a part of a comprehensive security plan that aligns with the security needs of your organization.
Creating a demo root certificate authority involves three steps. In the real world, you would use certificates signed by competent Certificate Authorities (CAs). Certificate Authorities' certificates themselves are signed (and trusted) by other CAs eventually leading to a Root CA, which self-signs.
Generate a private key with the OpenSSL command:
openssl genrsa -des3 -out ca.key 4096
. The command prompts for a password with which to protect the private key.Generate a self-signed certificate with the OpenSSL command:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
. The command first prompts for the password of the private key followed by a series of interactive queries regarding the attributes of the certificate. Below is sample output:Enter pass phrase for ca.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:PA Locality Name (eg, city) []:Malvern Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Pvt. Ltd Organizational Unit Name (eg, section) []:Certificate Authority Common Name (e.g. server FQDN or YOUR name) []:www.example.com Email Address []:example@example.com
At this point, ca.crt is a root certificate that can be used to sign other certificates (including intermediate certificate authorities). The private key of the root certificate must be protected from unauthorized access.
The root certificate is used to sign regular, leaf-level certificates. Below are steps showing the creation of a certificate for authentication.
Generate a private key. This is identical to step (a) of root certificate generation.
Generate a certificate sign request with the OpenSSL command
openssl req -new -key client.key -out client.csr
. The command first prompts for the password of the private key followed by a series of interactive queries regarding the attributes of the certificate. Below is sample output:Enter pass phrase for client.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:PA Locality Name (eg, city) []:Malvern Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZQ International Organizational Unit Name (eg, section) []: OurSourceServer Common Name (e.g. server FQDN or YOUR name) []:www.xyzq.com Email Address []:xyzq@xyzq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:challenge An optional company name []:XYZQ Pvt. Ltd
Typically, organization that generates the certificate sign then sends it to a certificate authority (or a root certificate authority), which audits the request and signs the certificate with its private key, thereby establishing that the certificate authority trusts the company/organization that generated the certificate and requested its signing. In this example, we sign the certificate sign request with the root certificate generated above.
Sign the certificate sign request with an OpenSSL command like:
openssl ca -config $PWD/openssl.cnf -in client.ccr -out client.crt
The output of this command looks like the following:
>You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [US]: US State or Province Name (full name) [Philadelphia]:Illinois City (e.g., Malvern) [Malvern]:Chicago" Organization Name (eg, company) [FIS]:FIS Organizational Unit Name (eg, section) [GT.M]:GT.M Common Name (e.g. server FQDN or YOUR name) [localhost]:fisglobal.com Ename Address (e.g. helen@gt.m) []:root@gt.m Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./certs/ca.key: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 14 (0xe) Validity Not Before: Jun 11 14:06:53 2014 GMT Not After : Jun 12 14:06:53 2014 GMT Subject: countryName = US stateOrProvinceName = Illinois organizationName = FIS organizationalUnitName = GT.M commonName = fisglobal.com emailAddress = helen@gt.m X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 96:FD:43:0D:0A:C1:AA:6A:BB:F3:F4:02:D6:1F:0A:49:48:F4:68:52 X509v3 Authority Key Identifier: keyid:DA:78:3F:28:8F:BC:51:78:0C:5F:27:30:6C:C5:FE:B3:65:65:85:C9 Certificate is to be certified until Jun 12 14:06:53 2014 GMT (1 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Important | |
---|---|
Keep the self-signed root certificate authority and leaf-level certificates in a secure location. Protect their directories with 0500 permissions and the individual files with 0400 permissions so that unauthorized users cannot access them. |
Please refer to OpenSSL documentation http://www.openssl.org/docs/ for information on how to create intermediate CAs, Certificate Revocation Lists, and so on.
This section contains an example for quick-start creation/signing of demo certificates for use with running the TLS Replication, Database Encryption, and TLS sockets examples in the GT.M manuals. The OpenSSL configuration file pointed to by the OPENSSL_CONF environment variable is example101.cnf. This configuration file is only suitable for the running examples and should not be used in production. Note that GT.M does not use openssl.cnf or the configuration file pointed to by the OPENSSL_CONF environment variable for any operation. The OpenSSL configuration settings that you might use in your environment and the certificate operations related to creation, signing, renewal, revocation, placement, protection, etc. should be a part of a comprehensive security plan that aligns with the security needs of your organization.
Create the following files:
This file sets up a dummy $PWD/certs directory for use in running TLS examples.
Here is the code:
echo "Creating cert directories ...in $PWD" mkdir -p $PWD/certs/newcerts touch $PWD/certs/index.txt touch $PWD/certs/index.txt.attr echo "01" > $PWD/certs/serial echo "Generating root CA...." ./gen_ca
This file creates a demo root certification authority in the $PWD/certs directory for use with the TLS examples.
Here is the code:
#Generates root certification authority and sets it to expire in 365 days. Ensure that you have a properly configured /etc/ssl/openssl.cnf file. mkdir -p $PWD/certs openssl genrsa -des3 -out $PWD/certs/$1ca.key openssl req -new -x509 -days 365 -key $PWD/certs/$1ca.key -out $PWD/certs/$1ca.crt #Important: Keep the self-signed root certificate authority and leaf-level certificates in a secure location. Protect their directories with 0500 permissions and the individual files with 0400 permissions so that unauthorized users cannot access them.
This file creates the leaf-level certificate and gets it signed from the demo root certification authority.
Here is the code:
#Generates leaf-level certificates in $PWD/certs openssl genrsa -des3 -out $PWD/certs/$1.key openssl req -new -key $PWD/certs/$1.key -out $PWD/certs/$1.csr openssl ca -config $PWD/example101.cnf -in $PWD/certs/$1.csr -out $PWD/certs/$1.crt openssl x509 -in $PWD/certs/$1.crt -dates -issuer -subject -noout
This file specifies the OpenSSL configuration file to use for running the example:
HOME = . RANDFILE= $ENV::HOME/.rnd [ ca ] default_ca = CA_default [ CA_default ] dir = ./certs certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt unique_subject = no new_certs_dir = $dir/newcerts certificate = $dir/ca.crt serial = $dir/serial crlnumber = $dir/crlnumber crl = $dir/crl.pem private_key = $dir/ca.key RANDFILE = $dir/private/.rand x509_extensions = usr_cert name_opt = ca_default cert_opt = ca_default default_days = 365 default_crl_days= 30 default_md = default preserve = no policy = policy_anything [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = optional emailAddress = optional [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Philadelphia localityName = Collegeville 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Example Pvt. Ltd. organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Example Unit commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] basicConstraints=CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = CA:true
Now make gen_leaf, gen_ca, and cert_setup executable and run the following commands:
export OPENSSL_CONF=$PWD/example101.cnf ./cert_setup ./gen_leaf demo
Enter blank values or example data as appropriate. You demo certificates are now ready for use in the documentation examples.