OpenSSL on FreeBSD

OpenSSL is an open-source toolkit and cryptographic library that implements the SSL and TLS protocols. It also provides the command-line tools used below to generate keys, certificate requests and certificates for securing network connections.

1. Install OpenSSL

Build the port with the IDEA cipher left out (it was still patent-encumbered when this was written), then rehash so the csh/tcsh root shell picks up the new binary in /usr/local/bin without a new login:

  • tsuweg# cd /usr/ports/security/openssl
  • tsuweg# cp Makefile Makefile.old
  • tsuweg# echo EXTRACONFIGURE +=no-idea >> Makefile
  • tsuweg# make install clean
  • tsuweg# rehash


2. Configure

WITH_OPENSSL_PORT=YES in /etc/make.conf makes other ports link against the port's OpenSSL rather than the older copy in the base system. The port reads its configuration from /usr/local/openssl/openssl.cnf, so the base-system file in /etc/ssl is moved out of the way and the port's sample configuration is copied into place:

  • tsuweg# cp /etc/make.conf /etc/make.conf.old
  • tsuweg# echo "WITH_OPENSSL_PORT=YES" >> /etc/make.conf
  • tsuweg# mv /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.old
  • tsuweg# cd /usr/local/openssl
  • tsuweg# cp openssl.cnf.sample openssl.cnf

Now test the installation by typing the command below. It opens the OpenSSL> prompt; enter version there to confirm that the port's build is the one found first in PATH, and quit to leave it:

  • tsuweg# openssl


3.  Create Certificate Request for CA Submission

A.  Generate Request

We will use the CA.pl script shipped with OpenSSL to create the certificate request. Copy it into a working directory first:

  • tsuweg# cd /usr/local/openssl
  • tsuweg# cp misc/CA.pl certs

Run the script to create the request. Setting OPENSSL makes CA.pl call the port's binary in /usr/local/bin instead of the base system's /usr/bin/openssl:

  • tsuweg# cd /usr/local/openssl/certs
  • tsuweg# setenv OPENSSL /usr/local/bin/openssl
  • tsuweg# ./CA.pl -newreq

Enter a passphrase for the new private key, then the distinguished-name fields (country, state or province, locality, organization, organizational unit, common name, email address). After the email address the script asks for two extra attributes, a challenge password and an optional company name; press Enter twice to leave them empty.

CA.pl writes the new private key, encrypted under that passphrase, to newkey.pem. Next:

  • tsuweg# cp newkey.pem tsuweg-encrypted-key.pem

It also writes the certificate request to newreq.pem. Next:

  • tsuweg# cp newreq.pem tsuweg-req.pem

tsuweg-encrypted-key.pem is encrypted with the passphrase. If it is going to be used on an unattended server, it may be a good idea to decrypt it so that daemons can load it without user intervention. To remove the encryption and make the unencrypted file readable only by root, use the following commands (openssl rsa prompts for the passphrase once):

  • tsuweg# openssl rsa -in tsuweg-encrypted-key.pem -out tsuweg-unencrypted-key.pem
  • tsuweg# chmod 400 tsuweg-unencrypted-key.pem

The chmod runs only after the file has been written, so under the default umask the plaintext key is world-readable for a moment; set a restrictive umask first, or work in a directory that only root can enter. Keep the encrypted copy as well: that is the one to back up.
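The steps above (CA.pl -newreq, then openssl rsa and chmod) as a non-interactive script, with two checks worth running before a request is sent off to a CA: that the request's self-signature verifies, and that it carries the public half of the key that will actually be deployed. This is an added example, not code from the book or the page; the subject fields, the passphrase and the temporary working directory are assumptions, and it writes a tiny request config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the book or the page: the non-interactive
# equivalent of "CA.pl -newreq", the key decryption from the page, and the
# checks worth running before the request goes to a CA. File names follow
# the page; the subject, passphrase and working directory are assumptions.
set -eu

WORK=$(mktemp -d)
PASS="demo-passphrase-only"     # constructed; prompt or use a secret store in practice
SUBJ="/C=ID/ST=Jakarta/O=Example Org/CN=tsuweg.example.org/emailAddress=hostmaster@example.org"

# Files inherit the umask; 077 closes the gap between "openssl rsa -out"
# creating the plaintext key (0644 under the usual 022) and the chmod 400.
umask 077

# req needs a distinguished_name section even when -subj supplies the DN.
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Common Name\n' \
    > "$WORK/req.cnf"

# 1. Key pair plus certificate signing request. -subj replaces the prompts
#    CA.pl -newreq walks through; without -nodes the key is encrypted under
#    the passphrase, which is what CA.pl writes to newkey.pem.
make_request() {
    openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 \
        -keyout "$WORK/tsuweg-encrypted-key.pem" \
        -out "$WORK/tsuweg-req.pem" \
        -passout pass:"$PASS" -subj "$SUBJ" 2>/dev/null
}

# 2. Strip the passphrase for an unattended daemon (the page's openssl rsa
#    step), then lock the file down.
decrypt_key() {
    openssl rsa -in "$WORK/tsuweg-encrypted-key.pem" -passin pass:"$PASS" \
        -out "$WORK/tsuweg-unencrypted-key.pem" 2>/dev/null
    chmod 400 "$WORK/tsuweg-unencrypted-key.pem"
}

# 3. Checks. The request's self-signature must verify, and the request must
#    carry the public half of the key that will be deployed: compare moduli.
request_verifies() {
    openssl req -in "$WORK/tsuweg-req.pem" -noout -verify >/dev/null 2>&1
}
key_matches_request() {
    k=$(openssl rsa -in "$WORK/tsuweg-unencrypted-key.pem" -noout -modulus 2>/dev/null)
    r=$(openssl req -in "$WORK/tsuweg-req.pem" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$r" ]
}
# The subject exactly as the CA will see it.
request_subject() {
    openssl req -in "$WORK/tsuweg-req.pem" -noout -subject
}

make_request
decrypt_key
request_verifies && key_matches_request &&
    echo "request OK: $(request_subject); files in $WORK"
```

The moduli compare equal only if the request was built from this key; a mismatch usually means the request is left over from an earlier run, which is easy to do when every run of CA.pl writes the same newkey.pem and newreq.pem.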


B.  Create A Self-Signed SSL Certificate

1. The commands below set the certificate lifetime to about three years: the sed changes default_days in openssl.cnf from 365 to 1095 days, which is the value openssl ca uses when CA.pl -signreq signs a request (it passes no -days of its own). The substitution replaces the first 365 on every line of the file, so compare the result with the .old backup and make sure only default_days changed.

  • tsuweg# cd /usr/local/openssl
  • tsuweg# cp misc/CA.pl certs
  • tsuweg# sed -I .old 's/365/1095/' openssl.cnf

2. Run the script to create the CA:

  • tsuweg# cd /usr/local/openssl/certs
  • tsuweg# setenv OPENSSL /usr/local/bin/openssl
  • tsuweg# ./CA.pl -newca

The first prompt asks for the filename of an existing CA certificate; just press Enter to create a new one. Next, enter a passphrase for the CA key and remember it: every certificate you sign later needs it. After the email address, press Enter twice. The CA certificate and its key end up in demoCA/cacert.pem and demoCA/private/cakey.pem.

3. Generate the server certificate request:

  • tsuweg# ./CA.pl -newreq

Enter a passphrase for the server key (the book reuses the CA passphrase here; a different one works and keeps the two keys separate). After the email address, press Enter twice.

4. Create the signed certificate from the request and the certificate authority files:

  • tsuweg# ./CA.pl -signreq

Enter the CA key passphrase, then answer y to "Sign the certificate?" and y again to the commit prompt. Copy the results to descriptive names:

  • tsuweg# cp newcert.pem tsuweg-cert.pem
  • tsuweg# cp newkey.pem tsuweg-encrypted-key.pem
  • tsuweg# cp demoCA/cacert.pem ./tsuweg-CAcert.pem
  • tsuweg# cp demoCA/private/cakey.pem ./tsuweg-encrypted-CAkey.pem

If the server key is going to be used on an unattended server, it may be a good idea to decrypt it so that daemons can load it without user intervention. To remove the encryption and make the unencrypted file readable only by root, use these commands. Leave the CA key (tsuweg-encrypted-CAkey.pem) encrypted: it is only needed when signing, and an unencrypted CA key on a network-facing host is the one file an attacker most wants.

  • tsuweg# openssl rsa -in tsuweg-encrypted-key.pem -out tsuweg-unencrypted-key.pem
  • tsuweg# chmod 400 tsuweg-unencrypted-key.pem

5. Convert the PEM (Privacy Enhanced Mail, Base64 text) CA certificate to binary DER format, the form clients that expect a .cer file can import. Only the public certificate is converted; the keys stay as they are.

  • tsuweg# openssl x509 -in tsuweg-CAcert.pem -inform PEM -out tsuweg-CAcert.cer -outform DER
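Steps 1 to 5 of section B done with openssl directly instead of CA.pl, so that every setting CA.pl hides is visible, followed by the checks a practitioner would run on the result. This is an added example, not code from the book or the page. The subject names, the passphrase, the host name tsuweg.example.org, the minimal openssl.cnf it writes and the extensions it adds (basicConstraints, keyUsage, subjectAltName) are assumptions; the server key is generated unencrypted (-nodes) rather than decrypted afterwards.

```shell
#!/bin/sh
# Added example, not from the book or the page: what CA.pl -newca and
# CA.pl -signreq run underneath, written out so every setting is visible,
# plus the checks worth running on the result and the PEM-to-DER step.
# File names follow the page; subjects, passphrase, host and config are assumed.
set -eu

WORK=$(mktemp -d)
CA="$WORK/demoCA"
PASS="demo-ca-passphrase"   # constructed; never hard-code a real one
HOST="tsuweg.example.org"   # assumed server name
umask 077

# "openssl ca" keeps state on disk: index.txt lists every certificate issued
# and serial holds the next serial number. Both must exist before signing.
setup_ca_dir() {
    mkdir -p "$CA/private" "$CA/newcerts"
    : > "$CA/index.txt"
    echo 1000 > "$CA/serial"
}

# Minimal config. default_days is what the page's sed sets (365 -> 1095);
# policy_anything is the policy CA.pl -signreq selects.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 1095
policy        = policy_anything
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
# The CA cert must say it is a CA, or openssl verify and every client reject it.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Server cert: not a CA; the name goes in subjectAltName, which is what clients check.
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$HOST
EOF
}

# CA.pl -newca: self-signed CA certificate for 1095 days, CA key encrypted under PASS.
new_ca() {
    openssl req -config "$WORK/openssl.cnf" -new -x509 -days 1095 -extensions v3_ca \
        -newkey rsa:2048 -subj "/C=ID/O=Example Org/CN=Example Org Root CA" \
        -passout pass:"$PASS" -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null
}
# CA.pl -newreq, but the server key is written unencrypted (-nodes) for a daemon.
new_request() {
    openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/C=ID/O=Example Org/CN=$HOST" \
        -keyout "$WORK/tsuweg-unencrypted-key.pem" -out "$WORK/tsuweg-req.pem" 2>/dev/null
}
# CA.pl -signreq; -batch answers the two y/n prompts.
sign_request() {
    openssl ca -config "$WORK/openssl.cnf" -batch -notext -extensions server_cert \
        -passin pass:"$PASS" -in "$WORK/tsuweg-req.pem" -out "$WORK/tsuweg-cert.pem" 2>/dev/null
}

# Checks: the cert chains to the CA and matches the host name, and it lasts 1095 days
# (94 608 000 s): it must outlive a -checkend just below that and not one just above.
chain_verifies() {
    openssl verify -CAfile "$CA/cacert.pem" -verify_hostname "$HOST" \
        "$WORK/tsuweg-cert.pem" >/dev/null 2>&1
}
validity_is_three_years() {
    openssl x509 -in "$WORK/tsuweg-cert.pem" -noout -checkend 94500000 >/dev/null &&
        ! openssl x509 -in "$WORK/tsuweg-cert.pem" -noout -checkend 94700000 >/dev/null
}
# Step 5: PEM -> DER for the CA certificate; the SHA-256 fingerprint must not change.
der_roundtrip_ok() {
    openssl x509 -in "$CA/cacert.pem" -inform PEM -out "$WORK/tsuweg-CAcert.cer" -outform DER
    pem=$(openssl x509 -in "$CA/cacert.pem" -noout -fingerprint -sha256)
    der=$(openssl x509 -in "$WORK/tsuweg-CAcert.cer" -inform DER -noout -fingerprint -sha256)
    [ -n "$pem" ] && [ "$pem" = "$der" ]
}

setup_ca_dir; write_config; new_ca; new_request; sign_request
chain_verifies && validity_is_three_years && der_roundtrip_ok &&
    echo "certificate issued and verified; files in $WORK"
```

Two things the CA.pl walkthrough hides matter in practice: the CA certificate must carry basicConstraints CA:TRUE or openssl verify (and browsers) refuse the chain, and the server certificate needs the host name in subjectAltName because modern clients no longer fall back to the CN. The pair of -checkend calls is a cheap way to confirm that the edit to default_days actually took effect.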


Source: Hong, Bryan J. Building a Server with FreeBSD 7. No Starch Press, 2008.
