Join Sean Colins for an in-depth discussion in this video Creating a demo certificate authority, part of Understanding Secure Sockets Layer.
- In chapter five we're going to cover using OpenSSL at the command line to create a certificate authority, then create a certificate, and then sign that certificate ourselves, which makes us a self-signed CA. We're going to enable Apache on this local system. This isn't even a Mac OS X Server, it's just a plain vanilla Mac, and we're going to enable Apache to use SSL. We're going to have it use our certificate and then we're going to show you our certificate being used in a web browser.
All of that in chapter five. We're going to split it into several different movies. So that's what you have to look forward to here. I'm going to start by opening up the terminal application. And on a Mac that's in the Utilities folder. You can get there by going through Applications, Utilities. But if you're on Linux or on Windows, just go into a command line prompt, no worries, and the first thing you're going to do is you're going to find out if you actually have OpenSSL on your system because that's really important. On Unix, that is the which command and that is which openssl.
And it tells you the location of the application. And this is going to work for you on any variant of Unix, that's great and so there's your OpenSSL installation. I would like to point out however that if you are on a Mac that your SSL files are, in fact, in a different location. So we will now use locate to locate the openssl.cnf file and it finds it for us. So there we are. That is our location. I'm going to simply copy and paste. I'm going to type cd paste. And I'm now in that directory. And if I type ls you can see there is my openssl.cnf file.
So we now know where we are. You can see in our directory here we have a couple of directories, we have private, miscellaneous and certs, but we've got our openssl.cnf file and that's important because the openssl.cnf file is where we get our configuration information that will be used when we run the openssl command to create our certificate and our certificate authority. So we're going to need to make some minor adjustments to what is in there. So I'm going to use the application nano.
Nano is, oh but before I do, I want to point something out. A lot of the commands that we're going to be running here will require us to be a root user and I don't like to log in as root, but using sudo is a great option and I can do that based on the session if I just type the -s flag and hit return. It'll ask me for my password, which I will put in now, hit return and now everything I type will be issued as root. That's an extremely useful thing to do and will work great for you so I totally recommend that you do this now.
So what I was going to say before was nano. Fantastic little text editor. If you like vi or some other text editor at the command line, feel free to use whichever one you like, but we are going to now open the openssl.cnf file. And here we are inside of it. Okay, so our cnf file is just the same one that you're going to be looking at. You're going to see a lot of the same stuff when you open yours up. I want you to arrow down to where you see CA_default, and you see the dir line? See right here where it says demoCA? I want to change that.
I want to change that to something that I control. It really doesn't need to be changed, it could still be called demoCA, but I'm going to just call this one groundswell, something that I enjoy from a past title we did a long time ago in the Wayback Machine on Mac OS X Server. So the directory is going to be called groundswell, and that ./ just means that it's going to be in the same directory where my OpenSSL stuff is. If I wanted to be explicit about this, however, I could do that as well, and in fact I'll do that now.
System/Library/OpenSSL/groundswell. So that will just make that folder right there. So I'd like to draw your attention now to the lines below this. So that's our directory, right, this is the dir, and below that we see we're defining certs and crl_dir, these are all defining programmatic elements that will be used in a script later on, anything with the dollar sign refers back to something, a variable that was defined earlier on and so you see $dir/certs is just saying wherever you see certs in the script it goes there.
So this is sort of setting the groundwork for where this is going to be located in the file system, and this is telling it where all of these other things are going to go in the file system. So that's all, terrific. I'm going to make one more change just so you can see the effect of that change whenever we run this later on. Further down here, there is a notation of the default country name, right? And so countryName_default = AU. I'm in the U.S. so I'm going to put US here and I'm going to save that out, so we're going to Control O in nano in order to write that out.
Hit return and I'm just doing that, I didn't have to, it's not necessary, but it's going to show you where you see U.S. show up as a default later on, you'll know that that's because we changed it here. You can change any of these parameters down here like the localityName, organizationName, eg, company, all of this stuff is stuff that you can customize, though there's really no reason to customize it. So it's purely academic in nature. That makes sense now because I'm teaching this, so here we are. I've got everything in here changed that I wanted to change, I'm going to hit control O one last time just to be sure that it's out and control X to exit.
Okay, so now we've got an edited openssl.cnf file. What remains to be done now is I have to set up the directory structure that SSL needs, that OpenSSL needs to set up a CA, and because I told it that there was going to be a folder here named groundswell in this location, I need to create that. So I'm going to start with mkdir groundswell. And if I run ls again I can see that there is groundswell. If I cd into groundswell and I ls, there's nothing in there. Okay, so I'm going to run mkdir, or make directory, a few more times.
We're going to create a folder called newcerts, we're going to make one called certs. We're going to make one called req. We're going to make one called private. And again, we're creating these because the program when it creates the CA expects these things to be here so we need to make them so they are where they are expected to be, otherwise our process will fail and we don't want that to happen. I'm going to echo "01" into serial, then I'm going to touch a file, touch just creates a file called index.txt, and that's it so if I type ls one more time here you can see the results.
I have certs, index.txt, newcerts, private, req, and serial. So that's all fantastic. Now I've got my system set up and ready to use. It's ready for the next step which will be the creation of the certificate authority, and we're going to do that in the very next movie.
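The directory layout assembled by hand above, as an added shell example that is not part of the course: it creates the same certs, newcerts, req and private folders, the serial file and index.txt, checks that nothing is missing, and reads back the dir value from an openssl.cnf so it can be compared with what was actually created. The CA path is an assumption (a temporary directory unless CA_DIR is set).

```sh
#!/bin/sh
# Added example, not from the course: build the CA directory layout that the
# [ CA_default ] section of openssl.cnf points at, and verify it is complete.
# The CA directory path is an assumption (override with CA_DIR); the video
# used /System/Library/OpenSSL/groundswell.
set -eu

# Create certs/ newcerts/ req/ private/, a serial file starting at 01 and an
# empty index.txt database, exactly the pieces created by hand in the video.
setup_demo_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/req" "$ca_dir/private"
    chmod 700 "$ca_dir/private"          # the CA key will live here: owner only
    # Only seed serial/index.txt when absent, so re-running never resets a live CA
    [ -f "$ca_dir/serial" ] || echo "01" > "$ca_dir/serial"
    [ -f "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"
}

# Return 0 if every piece openssl ca expects is present, else 1 with a reason.
check_demo_ca() {
    ca_dir="$1"
    for d in certs newcerts req private; do
        [ -d "$ca_dir/$d" ] || { echo "missing directory: $ca_dir/$d" >&2; return 1; }
    done
    [ -f "$ca_dir/serial" ] || { echo "missing serial file" >&2; return 1; }
    [ -f "$ca_dir/index.txt" ] || { echo "missing index.txt" >&2; return 1; }
    # serial must be an even-length hex number, the form openssl ca reads and increments
    grep -Eq '^([0-9A-Fa-f]{2})+$' "$ca_dir/serial" || { echo "bad serial value" >&2; return 1; }
}

# Print the dir value from [ CA_default ] in an openssl.cnf, so the path you
# edited in nano can be compared with the directory actually created.
ca_default_dir() {
    awk '/^\[ *CA_default *\]/ { s = 1; next }
         /^\[/               { s = 0 }
         s && /^[[:space:]]*dir[[:space:]]*=/ {
             sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*(#.*)?$/, ""); print; exit
         }' "$1"
}

# Demo run against a temporary directory (a constructed location, not a real CA).
CA_DIR="${CA_DIR:-$(mktemp -d)}"
setup_demo_ca "$CA_DIR"
check_demo_ca "$CA_DIR" && echo "CA layout OK in $CA_DIR"
```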