OpenSSL Certificates

Instructions to Create Certificates for Email Relay

Introduction

This brief tutorial explains how to generate a Certificate Authority, mailserver certificate and a client "personal" certificate. For more information on this topic see Claus Aßmann's STARTTLS page and Greg Shapiro's STARTTLS Certificate page.

Create a Certificate Authority

The Certificate Authority is the root of the certificate tree. The example below includes sample responses to the prompts; use values appropriate for your environment.

mkdir CA
cd CA
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
cp /usr/local/openssl/openssl.cnf.sample openssl.cnf
vi openssl.cnf   (set values)
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem \
	-days 365 -config openssl.cnf
Generating a 1024 bit RSA private key
..................++++++
.....................................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) []:Oakland
Organization Name (eg, company) [Joe Blow Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:JoeBlows Certificate Authority
Email Address []:joeblow@testdomain.com

Create the Mail Server Certificates

The mail server certificate will be used to authenticate the client certificates. The command below writes both the certificate and its private key to the file newreq.pem; because of -nodes the private key is stored unencrypted.

openssl req -nodes -new -x509 -keyout newreq.pem -out newreq.pem \
	-days 365 -config openssl.cnf
Generating a 1024 bit RSA private key
....................++++++
...........................................................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) []:Oakland
Organization Name (eg, company) [Joe Blow Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:JoeBlows Certificate Authority
Email Address []:certs@testdomain.com

To sign the new certificate with the certificate authority, first turn the self-signed certificate back into a request (x509toreq), then have the CA sign that request:

openssl x509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
Getting request Private Key
Generating certificate request
openssl ca -config openssl.cnf -policy policy_anything \
	-out newcert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for .//private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 13 20:57:38 2006 GMT
Not After : Jul 13 20:57:38 2007 GMT
Subject:
	countryName               = US
	stateOrProvinceName       = California
	localityName              = Oakland.....

Certificate is to be certified until Jul 13 20:57:38 2007 GMT (365 days)
Sign the certificate? [y/n]:y
rm tmp.pem

Create the Client Certificates

Next, create a client certificate for use by the email client. The process is the same as above; for the sake of discussion, call the files "yourcert.pem" and "yourreq.pem". The next step converts this personal certificate to PKCS#12 (p12) format.

Convert pem Format to P12

Convert the certificate and its private key so they can be imported into your mail client:

openssl pkcs12 -export -in yourcert.pem -out yourcert.p12 -inkey yourreq.pem
Enter Export Password:
Verifying - Enter Export Password:
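The whole procedure above, carried through as a script and followed by the verification step the page leaves out (checking that each issued certificate actually chains to the CA, and that the exported p12 opens with its password). This is an added example, not the page's own commands: it signs with openssl x509 -req -CA instead of openssl ca so no openssl.cnf is needed, and the WORK directory, DNs, file names and the passphrase "changeit" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the same CA -> server -> client
# chain built non-interactively, then verified and exported to PKCS#12.
# Signing uses "openssl x509 -req -CA ..." instead of the page's "openssl ca",
# so no openssl.cnf is needed. Assumes openssl on PATH; DNs, file names and
# the passphrase "changeit" are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DN="/C=US/ST=California/L=Oakland/O=Joe Blow Inc."

# CA: self-signed, private key encrypted with a passphrase (as on the page).
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -passout pass:changeit \
    -subj "$DN/CN=JoeBlows Certificate Authority" >/dev/null 2>&1
}

# Leaf: unencrypted key (-nodes) plus a request, signed by the CA.
# $1 = base name, $2 = common name.
make_leaf() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -keyout "$WORK/$1-key.pem" \
    -out "$WORK/$1-req.pem" -subj "$DN/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1-req.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -passin pass:changeit -CAcreateserial \
    -days 365 -sha256 -out "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# The check the page omits: does the leaf chain to the CA?  $2 optionally
# names a different trust anchor file.  Prints ok or fail.
verify_leaf() {
  if openssl verify -CAfile "${2:-$WORK/cacert.pem}" "$WORK/$1-cert.pem" \
    >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# PKCS#12 bundle for the mail client, then a round-trip open to confirm the
# export password really unlocks it.  Prints ok on success.
export_p12() {
  openssl pkcs12 -export -in "$WORK/$1-cert.pem" -inkey "$WORK/$1-key.pem" \
    -out "$WORK/$1.p12" -passout pass:changeit
  openssl pkcs12 -in "$WORK/$1.p12" -passin pass:changeit -noout \
    >/dev/null 2>&1 && echo ok
}

make_ca
make_leaf server mail.testdomain.com
make_leaf client joeblow@testdomain.com
verify_leaf server
verify_leaf client
export_p12 client
```

Verifying a leaf against a file that is not its issuer (for example the other leaf) reports fail, which is the quickest way to confirm the check is doing real work.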

updated: 06Dec06