Creating a Self-Signed CA Certificate
The first step in creating a Certificate Authority (apart from designing the management, administrative and legal framework) is to create a self-signed certificate for the Certificate Authority. This is done in SSLeay by running the req command (see Example 5 in the Appendix). This command produces a certificate file (CAcert.pem) and key file (CAkey.pem). The CA certificate and key files must remain in $SSLDIR/private, which is where SSLeay will look for them by default (as specified in the ssleay.cnf CA default section), both when acting as a certificate authority, and also when used by the server to implement SSL and validate client certificates signed by the CA.
Install the self-signed certificate in a browser so the browser will recognize server certificates signed by the Certificate Authority. Installing a CA certificate in a browser is somewhat dangerous, unless you trust that certificate and the security of the Certificate Authority. Once installed, the browser accepts any certificate signed by that authority.
To install the CA certificate, load it using HTTP Content-Type application/x-x509-ca-cert. To do this in a manner which does not depend on the server, use the cgi-script (Example 6 in the Appendix), or save the certificate in a file with a cacert suffix and define this suffix in the server configuration file to correspond to the application/x-x509-ca-cert MIME type. For the Apache server, for example, add the line AddType application/x-x509-ca-cert cacert to srm.conf. The certificate and key files must also remain available to SSLeay for the server to be able to use the public key, and the certificate authority to use the private key.
b. Creating a Server Certificate
A server certificate authenticates the server to the client. To make a server certificate, create a certificate request, sign it with the self-signed CA certificate, and then install the certificate as follows:
Use the "req" command to create a new certificate request with SSLeay (See Example 8 in the Appendix). This command creates files containing a certificate request and the private key.
Sign the request using the "ca" command (see Example 11 in the Appendix). This will produce a file containing the certificate.
Copy the certificate and key files to the server certificate directories.
cp newcert.pem $certdir/sitecert.pem
cp newkey.pem $certdir/sitekey.pem
Create hashes for the certificates in the server directory:
CD $certdir
ln -s sitecert.pem `$SSLDIR/bin/x509 -noout -hash < sitecert.pem`.0
Create the DER format server certificate file:
$SSLDIR/bin/x509 -in CAcert.pem -out CAcert.der -outform DER
Update the server configuration file to specify that this is the server certificate to use.
In order to easily find certificates, SSLeay uses hashes of the certificate subject names. Thus, when looking for the certificate of the issuer of a certificate, it looks for a file named with the hash value of the issuer name. The avoids opening files and examining certificates to find a match. The SSLeay x509 command may be used to manipulate certificates; one option is to create a hash of the subject name.
Once these steps have been completed, an SSL connection may be established if the server does not require client certificates.
b. Creating a Client Certificate
A client certificate is used to authenticate a client to a server. Creating and installing a client certificate is more difficult than creating a server certificate because the client must generate a key-pair, keep the private key to itself, and send the public key to the certificate authority to be incorporated into a certificate request. Once a signed certificate has been created using the Certificate Authority, this client certificate must be installed in the client so that the client may present it when needed.
Different clients such as Netscape Navigator 3.01 Gold and Microsoft Internet Explorer 3.02 support different mechanisms for creating client certificates. In this section, we demonstrate a technique for creating and installing a client certificate for each, using SSLeay certificate routines to sign certificate requests (Back up the Windows NT registry before creating client certificates with Internet Explorer).
The procedure for creating a client certificate involves HTML forms; these forms include client specific features such as special tags or JavaScript programs, and Perl CGI scripts that call SSLeay certificate handling applications. The procedures do not rely on special server features, other than the ability to run Perl CGI scripts. The examples completely automate the process, causing a client certificate to be installed once the request form is submitted. (In a production environment the Certificate Authority would need to perform validation instead of automatically issuing the certificate.)
The general steps for creating a client certificate are as follows:
User requests HTML page that displays form on client
User enters identification information
Submission of the form causes the following sequence to occur:
Browser generates a key pair (public and private key)
Private key is stored in browser
Public key is sent with identification information to the server
Server CGI script creates certificate and loads it into the client
The HTML form includes fields (containing defaults) for the different distinguished name attributes which are to be used in the client certificate, information allowing the browser to generate a key-pair, and a hidden field used to return this information to the CGI script. This hidden information is browser dependent.
In Netscape Navigator, the form contains an additional FORM tag, the
tag. This tag creates a key pair, and causes the public key to be returned as a form value when the form is submitted (see Example 12 in the Appendix for source of a sample form). The tag causes the browser to display a choice of security grades, depending on the version of Navigator