SSLeay Environment for Certificate Management

After building and installing SSLeay, but before using it to manage certificates, it is necessary to:

1. Create the directory structure needed to manage certificates
2. Modify the SSLeay configuration file appropriately

Creating the Directory Structure for Managing Certificates

Once SSLeay has been installed in the $SSLDIR directory (e.g. /opt/dev/ssl), it is necessary to create the directories used for certificate management, to initialize the certificate serial number counter, and to create the (initially empty) certificate "database" file (index.txt). The scripts and instructions in this cookbook assume that this environment has been established as follows:

    mkdir ${SSLDIR}/certs
    mkdir ${SSLDIR}/crl
    mkdir ${SSLDIR}/newcerts
    mkdir ${SSLDIR}/private
    echo "01" > ${SSLDIR}/serial
    touch ${SSLDIR}/index.txt

The private directory will hold the CA's private key, so it should be readable only by the account that operates the CA. The serial file holds the (hexadecimal) serial number that will be assigned to the next issued certificate and is advanced each time a certificate is signed; index.txt is the text database in which every issued certificate is recorded.

Modifying the SSLeay Configuration File

The SSLeay configuration file (ssleay.cnf) has multiple sections. Each section is used for a different purpose, and the sections include the following:

    ca, CA_default                                  define certificate authority configuration
    policy_match, policy_anything                   define different request policies
    req, req_distinguished_name, req_attributes     define request defaults

These configuration sections must be updated before the certificate authority may be used, especially the "dir" specification in the certificate authority configuration, which defines where everything is kept (and should be $SSLDIR).

Certificate Authority Configuration Section

    RANDFILE = /opt/dev/ssl/.rand

    ####################################################################
    [ ca ]
    default_ca = CA_default              # The default ca section

    ####################################################################
    [ CA_default ]

    dir = /opt/dev/ssl                   # Where everything is kept
    certs = $dir/certs                   # Where the issued certs are kept
    crl_dir = $dir/crl                   # Where the issued crl are kept
    database = $dir/index.txt            # database index file.
    new_certs_dir = $dir/newcerts        # default place for new certs.
    certificate = $dir/private/CAcert.pem   # The CA certificate
    serial = $dir/serial                    # The current serial number
    crl = $dir/crl/crl.pem                  # The current CRL
    private_key = $dir/private/CAkey.pem    # The private key
    RANDFILE = $dir/private/.rand           # private random number file

    x509_extensions = x509v3_extensions     # The extensions to add to the cert

    default_days = 365                      # how long to certify for
    default_crl_days = 30                   # how long before next CRL
    default_md = md5                        # which md to use.
    preserve = no                           # keep passed DN ordering

    # A few different ways of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy = policy_match

SSLeay Configuration File: Certificate Authority Configuration Section

Note that the "crl" entry points into the crl directory created above, and that "certificate" and "private_key" both live under the private directory. The default_md setting of md5 reflects the period in which this cookbook was written: MD5 is no longer acceptable as a certificate signature digest, and a current deployment should use sha256 (or stronger) here.

Certificate Request Policy Section

The policy section of the configuration file is used to define different certificate request signing policies. The examples here include the most lenient policy ("policy_anything") and a stricter policy ("policy_match") which restricts the values of certificate fields. The policy is consulted when a certificate request is considered for signing. "Match" means that the value of the field in the request must match the value in the CA certificate, or the request will not be signed. "Optional" means that the field need not be present, while "supplied" means that it must be present in the certificate request. Only fields listed in the policy are carried into the issued certificate, which is why every acceptable field must appear in each policy section, as the comment below notes.

    # For the CA policy
    [ policy_match ]
    countryName = match
    stateOrProvinceName = match
    localityName = match
    organizationName = match
    organizationalUnitName = match
    commonName = supplied
    emailAddress = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

SSLeay Configuration File: Certificate Policy Section

Certificate Request Defaults Section

The "req" section of the configuration file is used when creating certificate requests, and supplies defaults and length limits for the various distinguished name fields. Some of these fields (e.g. commonName) will be different for each certificate request, while others will usually take the default (e.g. countryName). For each field, the value of the bare field name is the prompt text shown to the user; the _default suffix gives the value used when the prompt is left empty, and the _min and _max suffixes give the permitted length range of the entered value. The req_attributes section defines attributes that travel in the request itself rather than in the subject name. In our examples the "req" section has the following configuration:

    [ req ]
    default_bits = 512
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes

    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = US
    countryName_min = 2
    countryName_max = 2

    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = MA

    localityName = Locality Name (eg, city)
    localityName_default = Cambridge

    organizationName = Organization Name (eg, company)
    organizationName_default = The Open Group

    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Research Institute

    commonName = Common Name (eg, YOUR name)
    commonName_default = example.opengroup.org
    commonName_max = 64

    emailAddress = Email Address
    emailAddress_max = 40
    emailAddress_default = ssl_admin@opengroup.org

    [ req_attributes ]
    challengePassword = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20

SSLeay Configuration File: Certificate Request Section

The default_bits value of 512 also reflects the age of this cookbook: 512-bit RSA keys can be factored with modest resources today, and a current configuration should use 2048 bits or more.
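The policy rules of the Certificate Request Policy Section and the defaults and length limits of the Certificate Request Defaults Section, worked through in Python. This is an added example, not code from the SSLeay cookbook or from SSLeay itself: the two policy tables and the [ req_distinguished_name ] limits are copied from the configuration shown above, while the CA subject (with an assumed commonName of "Research Institute CA") and the request subjects are constructed sample data. Fields that a policy does not list are reported as dropped, mirroring the behaviour documented for the ca command, which omits unlisted fields from the issued subject; everything else follows the match/supplied/optional rules and the _min/_max/_default suffixes exactly as the text describes them.

```python
"""Signing-policy and request-field checks for this cookbook's ssleay.cnf.

Added example, not code from the SSLeay cookbook or from SSLeay: it re-implements
in plain Python the rules the text gives for [ policy_match ] / [ policy_anything ]
and the _min/_max/_default limits of [ req_distinguished_name ]. Policy tables and
limits are copied from the page; CA and request subjects are constructed.
"""

POLICY_MATCH = {
    "countryName": "match", "stateOrProvinceName": "match",
    "localityName": "match", "organizationName": "match",
    "organizationalUnitName": "match", "commonName": "supplied",
    "emailAddress": "optional",
}
# policy_anything lists the same fields; everything is optional except commonName.
POLICY_ANYTHING = dict.fromkeys(POLICY_MATCH, "optional")
POLICY_ANYTHING["commonName"] = "supplied"

# Constructed CA subject, following the [ req ] defaults on this page.
CA_DN = {
    "countryName": "US", "stateOrProvinceName": "MA", "localityName": "Cambridge",
    "organizationName": "The Open Group", "organizationalUnitName": "Research Institute",
    "commonName": "Research Institute CA",  # assumed CA name, not from the page
    "emailAddress": "ssl_admin@opengroup.org",
}

# [ req_distinguished_name ] from this page, minus the prompt strings.
REQ_DN_SECTION = """
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName_default = MA
localityName_default = Cambridge
organizationName_default = The Open Group
organizationalUnitName_default = Research Institute
commonName_default = example.opengroup.org
commonName_max = 64
emailAddress_max = 40
emailAddress_default = ssl_admin@opengroup.org
"""


def evaluate_policy(policy, ca_dn, req_dn):
    """Apply a [ policy_* ] table to a request DN.

    Returns (subject, problems, dropped): `subject` is the DN that would be
    certified, built only from fields the policy lists; `dropped` names request
    fields the policy omits; the request is signable only if `problems` is empty.
    """
    subject, problems = {}, []
    dropped = [field for field in req_dn if field not in policy]
    for field, rule in policy.items():
        value = req_dn.get(field)
        if rule == "match":
            if value is None:
                problems.append(f"{field}: must match the CA certificate but is missing")
            elif value != ca_dn.get(field):
                problems.append(f"{field}: {value!r} differs from CA value {ca_dn.get(field)!r}")
        elif rule == "supplied":
            if value is None:
                problems.append(f"{field}: must be supplied but is missing")
        elif rule != "optional":
            raise ValueError(f"unknown policy rule {rule!r} for {field}")
        if value is not None:
            subject[field] = value
    return subject, problems, dropped


def parse_req_limits(section_text):
    """Collect the _min/_max/_default entries of a [ req_distinguished_name ] section."""
    limits = {}
    for line in section_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        for suffix in ("_min", "_max", "_default"):
            if key.endswith(suffix):
                field, kind = key[: -len(suffix)], suffix[1:]
                limits.setdefault(field, {})[kind] = value if kind == "default" else int(value)
    return limits


REQ_LIMITS = parse_req_limits(REQ_DN_SECTION)


def check_req_fields(limits, req_dn):
    """Fill defaults for absent fields (as req does when a prompt is left empty)
    and report values whose length req would refuse."""
    filled, problems = dict(req_dn), []
    for field, rules in limits.items():
        if field not in filled and "default" in rules:
            filled[field] = rules["default"]
        value = filled.get(field)
        if value is None:
            continue
        if len(value) < rules.get("min", 0):
            problems.append(f"{field}: {value!r} is shorter than {rules['min']}")
        if len(value) > rules.get("max", len(value)):
            problems.append(f"{field}: {value!r} is longer than {rules['max']}")
    return filled, problems
```

Running evaluate_policy with POLICY_MATCH against a request whose organizationName differs from the CA's shows why that policy suits an in-house CA: the request is refused even though every field is present, whereas POLICY_ANYTHING accepts it as long as a commonName was supplied. check_req_fields reproduces the prompt-time behaviour of req, so a three-letter country code is refused before a request is ever generated.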