SSLeay Environment for Certificate Management

After building and installing SSLeay, but before using it to manage
certificates, it is necessary to:

  1. Create the directory structure needed to manage certificates
  2. Modify the SSLeay configuration file appropriately

Creating the Directory Structure for Managing Certificates

Once SSLeay has been installed in the $SSLDIR directory (e.g.
/opt/dev/ssl), it is necessary to create the directories used for
certificate management and to initialize the certificate serial number
counter and the certificate "database" file (index.txt). The scripts and
instructions in this cookbook assume that this environment has been
established, as follows:
        mkdir ${SSLDIR}/certs
        mkdir ${SSLDIR}/crl
        mkdir ${SSLDIR}/newcerts
        mkdir ${SSLDIR}/private
        echo "01" > ${SSLDIR}/serial
        touch ${SSLDIR}/index.txt

Modifying the SSLeay Configuration File

The SSLeay configuration file (ssleay.cnf) has multiple sections. Each
section is used for a different purpose, and the sections include the
following:

ca, CA_default
     define certificate authority configuration
policy_match, policy_anything
     define different request policies
req, req_distinguished_name, req_attributes
     define request defaults

These configuration sections must be updated before the certificate
authority may be used, especially the "dir" setting in the certificate
authority section, which defines where everything is kept and should be set
to $SSLDIR.

Certificate Authority Configuration Section

 RANDFILE                = /opt/dev/ssl/.rand

 ####################################################################
 [ ca ]
 default_ca      = CA_default            # The default ca section

 ####################################################################
 [ CA_default ]

 dir             = /opt/dev/ssl          # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
 database        = $dir/index.txt        # database index file.
 new_certs_dir   = $dir/newcerts         # default place for new certs.

 certificate     = $dir/private/CAcert.pem  # The CA certificate
 serial          = $dir/serial           # The current serial number
 crl             = $dir/crl/crl.pem      # The current CRL
 private_key     = $dir/private/CAkey.pem   # The private key
 RANDFILE        = $dir/private/.rand    # private random number file

 x509_extensions = x509v3_extensions     # The extensions to add to the cert
 default_days    = 365                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
 default_md      = md5                   # which md to use.
 preserve        = no                    # keep passed DN ordering

 # A few different ways of specifying how similar the request should look.
 # For type CA, the listed attributes must be the same, and the optional
 # and supplied fields are just that :-)
 policy          = policy_match

       SSLeay Configuration File: Certificate Authority Configuration Section
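The directory layout above and the $dir-relative paths in [ CA_default ] have to agree, and a one-character slip in the configuration (for example "clr" for "crl") is only discovered when the CA first tries to write a CRL. The script below is an added example, not part of the cookbook: setup_ca_dirs creates the layout with the private directory restricted to the owner, and check_ca_paths reads the [ CA_default ] section of a given ssleay.cnf and reports every entry whose directory does not exist. The configuration file path and $SSLDIR value are passed as arguments; the function names are this example's own.

```shell
# Create the cookbook's layout under $1, idempotently. The private directory
# will hold the CA key, so it is made unreadable to other users.
setup_ca_dirs() {
    ssldir="$1"
    for d in certs crl newcerts private; do
        mkdir -p "$ssldir/$d" || return 1
    done
    chmod 700 "$ssldir/private"
    [ -f "$ssldir/serial" ] || echo "01" > "$ssldir/serial"
    [ -f "$ssldir/index.txt" ] || touch "$ssldir/index.txt"
}

# Print the key=value lines of one [ section ] of an SSLeay-style config
# file ($1 = file, $2 = section name), with comments and whitespace stripped.
config_section() {
    sed -n "/^[[:space:]]*\[[[:space:]]*$2[[:space:]]*]/,/^[[:space:]]*\[/p" "$1" \
        | sed 's/#.*//' | grep '=' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]]*$//'
}

# Verify that every $dir-relative path in [ CA_default ] points into an
# existing directory. Returns the number of broken entries (0 = all good).
check_ca_paths() {
    cnf="$1"
    dir=$(config_section "$cnf" CA_default | sed -n 's/^dir=//p')
    bad=0
    for kv in $(config_section "$cnf" CA_default | grep '\$dir'); do
        key=${kv%%=*}
        path=$(printf '%s\n' "${kv#*=}" | sed "s|\\\$dir|$dir|")
        case "$key" in
            certs|crl_dir|new_certs_dir) want="$path" ;;        # directories
            *)                           want=$(dirname "$path") ;;  # files
        esac
        if [ ! -d "$want" ]; then
            echo "$key: $want does not exist" >&2
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it as `setup_ca_dirs "$SSLDIR" && check_ca_paths "$SSLDIR/ssleay.cnf"`; a non-zero exit lists the offending keys on stderr.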

Certificate Request Policy Section

The policy section of the configuration file is used to define different
certificate request signing policies. The examples here include the most
lenient policy ("policy_anything") and a stricter policy ("policy_match")
which restricts the values of certificate fields. The policy is used when
considering signing a certificate request. "Match" means that the value of
the field in the request must match the value in the CA certificate, or the
request will not be signed. "Optional" means the field need not be
present, while "supplied" means that it must be present in the certificate
request.
       # For the CA policy
       [ policy_match ]
       countryName             = match
       stateOrProvinceName     = match
       localityName            = match
       organizationName        = match
       organizationalUnitName  = match
       commonName              = supplied
       emailAddress            = optional

       # For the 'anything' policy
       # At this point in time, you must list all acceptable 'object'
       # types.
       [ policy_anything ]
       countryName             = optional
       stateOrProvinceName     = optional
       localityName            = optional
       organizationName        = optional
       organizationalUnitName  = optional
       commonName              = supplied
       emailAddress            = optional

           SSLeay Configuration File: Certificate Policy Section

Certificate Request Defaults Section

The "req" section of the configuration file is used when creating
certificate requests, and supplies defaults and length limits for the
various distinguished name fields. Some of these fields (e.g. commonName)
will be different for each certificate request, while others will use the
default (e.g. countryName). In our examples the "req" section has the
following configuration:
  [ req ]
  default_bits            = 512
  default_keyfile         = privkey.pem
  distinguished_name      = req_distinguished_name
  attributes              = req_attributes

  [ req_distinguished_name ]
  countryName                     = Country Name (2 letter code)
  countryName_default             = US
  countryName_min                 = 2
  countryName_max                 = 2

  stateOrProvinceName             = State or Province Name (full name)
  stateOrProvinceName_default     = MA

  localityName                    = Locality Name (eg, city)
  localityName_default            = Cambridge

  organizationName                = Organization Name (eg, company)
  organizationName_default        = The Open Group

  organizationalUnitName          = Organizational Unit Name (eg, section)
  organizationalUnitName_default  = Research Institute

  commonName                      = Common Name (eg, YOUR name)
  commonName_default              = example.opengroup.org
  commonName_max                  = 64

  emailAddress                    = Email Address
  emailAddress_max                = 40
  emailAddress_default            = ssl_admin@opengroup.org

  [ req_attributes ]
  challengePassword               = A challenge password
  challengePassword_min           = 4
  challengePassword_max           = 20

           SSLeay Configuration File: Certificate Request Section