OpenSSL on FreeBSD
December 2, 2010
OpenSSL is an open source toolkit and cryptographic library that implements the SSL and TLS protocols. It provides the cryptographic tools needed to secure network connections.
1. Install OpenSSL
- tsuweg# cd /usr/ports/security/openssl
- tsuweg# cp Makefile Makefile.old
- tsuweg# echo EXTRACONFIGURE +=no-idea >> Makefile
- tsuweg# make install clean
- tsuweg# rehash
2. Configure
- tsuweg# cp /etc/make.conf /etc/make.conf.old
- tsuweg# echo "WITH_OPENSSL_PORT=YES" >> /etc/make.conf
- tsuweg# mv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.old
- tsuweg# cd /usr/local/openssl
- tsuweg# cp openssl.cnf.sample openssl.cnf
Now test OpenSSL by typing the command below:
- tsuweg# openssl
3. Create Certificate Request for CA Submission
A. Generate Request
We will use the CA.pl script included with OpenSSL to create the certificate request.
- tsuweg# cd /usr/local/openssl
- tsuweg# cp misc/CA.pl certs
Run the script to create the certificate request:
- tsuweg# cd /usr/local/openssl/certs
- tsuweg# setenv OPENSSL /usr/local/bin/openssl
- tsuweg# ./CA.pl -newreq
Fill in the passphrase, country and province. After filling in the email address, just press Enter twice.
Running CA.pl also creates a file named newkey.pem. Next step:
- tsuweg# cp newkey.pem tsuweg-encrypted-key.pem
We also get a new file named newreq.pem that contains the certificate request. Next:
- tsuweg# cp newreq.pem tsuweg-req.pem
The file tsuweg-encrypted-key.pem is encrypted with the passphrase. If this file is going to be used on an unattended server, it may be a good idea to decrypt it so that daemons can load it without user intervention. To remove the encryption and make the unencrypted file readable only by root, use the following commands:
- tsuweg# openssl rsa -in tsuweg-encrypted-key.pem \
- ? -out tsuweg-unencrypted-key.pem
- tsuweg# chmod 400 tsuweg-unencrypted-key.pem
B. Create A Self-Signed SSL Certificate
1. The commands below will create a self-signed certificate valid for about 3 years (the 365-day default in openssl.cnf is changed to 1095 days)
- tsuweg# cd /usr/local/openssl
- tsuweg# cp misc/CA.pl certs
- tsuweg# sed -I .old 's/365/1095/' openssl.cnf
2. Run the script
- tsuweg# cd /usr/local/openssl/certs
- tsuweg# setenv OPENSSL /usr/local/bin/openssl
- tsuweg# ./CA.pl -newca
The first prompt asks for the certificate name; just press Enter. Next, fill in the passphrase and remember it. After entering the email address, just press Enter twice.
3. Generate certificate request
- tsuweg# ./CA.pl -newreq
Fill in the same passphrase you used earlier. After filling in the email address, just press Enter twice.
4. Create the signed certificate from the request and certificate authority files.
- tsuweg# ./CA.pl -signreq
Enter the passphrase used earlier. Answer yes twice.
- tsuweg# cp newcert.pem tsuweg-cert.pem
- tsuweg# cp newkey.pem tsuweg-encrypted-key.pem
- tsuweg# cp demoCA/cacert.pem ./tsuweg-CAcert.pem
- tsuweg# cp demoCA/private/cakey.pem ./tsuweg-encrypted-CAkey.pem
If this key file is going to be used on an unattended server, it may be a good idea to decrypt it so that daemons can load it without user intervention. To remove the encryption and make the unencrypted file readable only by root, use these commands:
- tsuweg# openssl rsa -in tsuweg-encrypted-key.pem \
- ? -out tsuweg-unencrypted-key.pem
- tsuweg# chmod 400 tsuweg-unencrypted-key.pem
5. Convert the PEM (Privacy Enhanced Mail) text-based certificate to the DER format.
- tsuweg# openssl x509 -in tsuweg-CAcert.pem -inform PEM \
- ? -out tsuweg-CAcert.cer -outform DER
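The whole procedure above (CA, key and request, signing, key decryption, DER conversion) as one unattended script, followed by the checks worth running before a daemon is pointed at the files. This is an added example, not code from the post or from the book it cites; it uses plain openssl commands in place of CA.pl, assumes openssl is on PATH, and the passphrases and subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example: the CA.pl flow from this post done with plain openssl commands
# so it runs unattended. Assumes openssl is on PATH; "tsuweg" is the post's
# hostname; the passphrases and subject fields are constructed sample values.
set -eu

# Build the CA, the server key/request, sign it, strip the key passphrase and
# convert the CA cert to DER. $1 = work directory, $2 = validity in days.
make_tsuweg_pki() (
    dir=$1; days=$2
    mkdir -p "$dir" && cd "$dir"
    # CA.pl -newca: self-signed CA certificate with an encrypted CA key.
    openssl req -x509 -newkey rsa:2048 -sha256 -days "$days" \
        -subj "/C=ID/ST=Jakarta/O=tsuweg CA" -passout pass:capass \
        -keyout tsuweg-encrypted-CAkey.pem -out tsuweg-CAcert.pem 2>/dev/null
    # CA.pl -newreq: encrypted server key plus certificate request.
    openssl req -new -newkey rsa:2048 -sha256 \
        -subj "/C=ID/ST=Jakarta/CN=tsuweg" -passout pass:keypass \
        -keyout tsuweg-encrypted-key.pem -out tsuweg-req.pem 2>/dev/null
    # CA.pl -signreq: issue the server certificate from the request.
    openssl x509 -req -in tsuweg-req.pem -sha256 -days "$days" \
        -CA tsuweg-CAcert.pem -CAkey tsuweg-encrypted-CAkey.pem \
        -passin pass:capass -CAcreateserial -out tsuweg-cert.pem 2>/dev/null
    # Decrypt the server key for daemons and make it readable only by its owner.
    openssl rsa -in tsuweg-encrypted-key.pem -passin pass:keypass \
        -out tsuweg-unencrypted-key.pem 2>/dev/null
    chmod 400 tsuweg-unencrypted-key.pem
    # Step 5 of the post: PEM to DER for the CA certificate.
    openssl x509 -in tsuweg-CAcert.pem -inform PEM \
        -out tsuweg-CAcert.cer -outform DER
)

# Checks worth running before deploying: the server cert chains to the CA,
# the decrypted key matches the cert, the lifetime is the one requested,
# the DER copy parses, and the key is not readable by anyone else.
verify_tsuweg_pki() (
    dir=$1; days=$2; secs=$((days * 86400))
    cd "$dir"
    openssl verify -CAfile tsuweg-CAcert.pem tsuweg-cert.pem >/dev/null || return 1
    cert_mod=$(openssl x509 -in tsuweg-cert.pem -noout -modulus)
    key_mod=$(openssl rsa -in tsuweg-unencrypted-key.pem -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    # still valid a minute before the intended end, expired a day after it
    openssl x509 -in tsuweg-cert.pem -noout -checkend $((secs - 60)) >/dev/null || return 1
    ! openssl x509 -in tsuweg-cert.pem -noout -checkend $((secs + 86400)) >/dev/null || return 1
    openssl x509 -in tsuweg-CAcert.cer -inform DER -noout -subject >/dev/null || return 1
    [ "$(ls -l tsuweg-unencrypted-key.pem | cut -c1-10)" = "-r--------" ]
)
```

Run it as `make_tsuweg_pki /tmp/tsuweg-pki 1095 && verify_tsuweg_pki /tmp/tsuweg-pki 1095`; a non-zero exit from the second call means one of the checks failed.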
Source: Hong, Bryan J. Building a Server with FreeBSD 7.