setting up an openssl client/server

Matthias Apitz guru at unixarea.de
Sun Jul 22 13:29:26 UTC 2012


El día Sunday, July 22, 2012 a las 08:36:51AM +0100, Matthew Seaman escribió:

> On 22/07/2012 07:38, Matthias Apitz wrote:
> > What it is missing, as well in the pages of www.openssl.org and
> > www.freebsd.org, is a complete step by step guide to make certificates
> > and keys to SSL a simple client/server communication, or at least I can't
> > see them.
> 
> I've found TinyCA (ports: security/tinyca) to be simple and easy to use
> for setting up a personal certification authority.  Just remember not to
> fill in the e-mail field when creating a HTTPS server cert if you want
> the filename of the cert to be based on the site URL.
> 

Thanks for the hint, but this did not help: it (perl) dumps core, and it
does not help either to dig into the details. With Google I found out
how to build new certificates for the example code (works now) and I'm
still trying to understand all the details. Here is, for the record, how
one can get it working:

	matthias
configure and compile the source using openssl from the ports:

$ tar xzf openssl-examples-20020110.tar.gz
$ cd openssl-examples-20020110
$ ./configure --with-openssl=/usr/local/openssl\
      --with-openssl-inc=/usr/local/include\
      --with-openssl-lib=/usr/local/lib
$ make

generate new certs and keys as described here:

http://www.gentoo-wiki.info/OpenSSL

(the text below is from the above web site with some changes for
FreeBSD)

  First step

  Inside the example code directory openssl-examples-20020110 do

  ( for FreeBSD use 'openssl' from /usr/local/bin )
  $ PATH=/usr/local/bin:$PATH

  $ mkdir newca
  $ cd newca
  ( orig: $ cp /etc/ssl/misc/CA.sh . )
  for FreeBSD port of openssl use:
  $ cp /usr/local/openssl/misc/CA.sh .
  $ ./CA.sh -newca

  will create a new CA. Remember the passphrase as you will need
  it to sign certificates.

  $ cp demoCA/cacert.pem ../root.pem

  Second step

  $ ./CA.sh -newreq

  will create a certificate and a certification request.
  Set the passphrase to 'password' as this is hard-coded in
  the examples' source code. It is important to set the
  [Common Name] to 'localhost'.


  Third step

  $ ./CA.sh -sign

  will sign your newly created certificate. Enter the password for
  your CA which you have defined in step 1.


  Fourth step

  $ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
  $ cd ..
  $ ln -s localhost.pem server.pem
  $ ln -s localhost.pem client.pem

  Maybe you also want to issue

  $ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM

  in order to update the DH parameters.

  The above setup will only work for local testing. If you want to
  use OpenSSL to connect between different hosts, you either have
  to disable the common name and host name comparison in client.c
  in order to be able to use the same certificate on all hosts
  which may pose a security problem, or repeat steps two and three
  above with the correct host names (FQDN - fully qualified domain name,
  i.e. host name plus domain name) instead of 'localhost'.

  Final note: if the SSL_get_verify_result() method in client.c
  returns the error code 10 (outdated certificate), also check
  the CA's certificate (root.pem) expiration date! In my case,
  I tried to set the expiration time 100 years in the future -- which
  resulted in a point of time in the past possibly due to a number overflow.

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru at unixarea.de> - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
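The same four steps as an added, non-interactive example (not from the original post, the gentoo wiki text or the openssl-examples package), written with plain openssl commands instead of CA.sh and assuming a modern openssl (1.1.1 or later) with its default config on PATH. It builds the CA and a certificate for localhost, then runs the checks client.c performs (chain verification and the CN/hostname comparison) plus the expiry check the final note suggests; the bundle holds only certificate and key, since the request is assumed not to be needed by the example code.

```shell
set -eu

# Steps one to four of the post, non-interactive.
# $1 = working directory, $2 = Common Name of the server cert, $3 = CA lifetime in days.
make_test_pki() {
    dir=$1 cn=$2 ca_days=$3
    mkdir -p "$dir"
    # Step 1 (CA.sh -newca): self-signed CA. Passphrase 'password' because the example
    # code hard-codes it. root.pem is the file the client trusts.
    openssl req -x509 -newkey rsa:2048 -days "$ca_days" -passout pass:password \
        -subj "/CN=Example Test CA" -keyout "$dir/cakey.pem" -out "$dir/root.pem" 2>/dev/null
    # Step 2 (CA.sh -newreq): server key + request. The CN must equal the host name the
    # client connects to, otherwise client.c's hostname comparison rejects the cert.
    openssl req -new -newkey rsa:2048 -passout pass:password -subj "/CN=$cn" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # Step 3 (CA.sh -sign): sign the request with the CA key.
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/root.pem" -CAkey "$dir/cakey.pem" \
        -passin pass:password -CAcreateserial -days 365 -out "$dir/newcert.pem" 2>/dev/null
    # Step 4: one bundle (cert + encrypted key) to link as server.pem and client.pem.
    cat "$dir/newcert.pem" "$dir/newkey.pem" > "$dir/$cn.pem"
}

# Returns 0 only if newcert.pem chains to root.pem AND its name matches $2, i.e. what
# client.c checks via SSL_get_verify_result() plus the common name comparison.
verify_for_host() {
    openssl verify -CAfile "$1/root.pem" -verify_hostname "$2" "$1/newcert.pem" >/dev/null 2>&1
}

# Returns 0 if the certificate in $1 has not expired. Run it on root.pem too: a CA cert
# whose notAfter landed in the past gives the error 10 mentioned in the final note.
not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Stand-alone run (sh script.sh run): 100-year CA, server cert for localhost.
if [ "${1:-}" = run ]; then
    d=$(mktemp -d)
    make_test_pki "$d" localhost 36500
    verify_for_host "$d" localhost && not_expired "$d/root.pem" && echo "OK: $d/localhost.pem"
fi
```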


More information about the freebsd-questions mailing list