OpenSSL – Open Secure Sockets Layer
Last Updated on 2017-07-02 by Sture
Description
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.
WWW: http://www.openssl.org/.
Preparation for Installation
Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.
In this example Terminal on a Mac is used.
Open a remote SSH session to the server with:
Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with the user ID and IP address of your server!
[user@server ~]$
Enable superuser privileges with:
[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#
N.B.: Enter user password, not the root password!
Installation
Install the OpenSSL port with:
[root@server /usr/home/user]# pkg install openssl [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
openssl: 1.0.2l,1
Number of packages to be installed: 1
The process will require 12 MiB more space.
3 MiB to be downloaded.
Proceed with this action? [y/N]: y [enter]
[1/1] Fetching openssl-1.0.2l,1.txz: 100% 3 MiB 1.5MB/s 00:02
Checking integrity... done (0 conflicting)
[1/1] Installing openssl-1.0.2l,1...
Extracting openssl-1.0.2l,1: 100%
Message from openssl-1.0.2l,1:
Edit /usr/local/openssl/openssl.cnf to fit your needs.
[root@server /usr/home/user]#
Configuration
Disable use of the old version of openssl in /usr/bin/ with:
[root@server /usr/home/user]# mv /usr/bin/openssl /usr/bin/openssl.default [enter]
[root@server /usr/home/user]#
Create a symbolic link to enable use of the new version of openssl with:
[root@server /usr/home/user]# ln -s /usr/local/bin/openssl /usr/bin/ [enter]
[root@server /usr/home/user]#
Edit /usr/local/openssl/openssl.cnf to fit your needs with:
[root@server /usr/home/user]# ee /usr/local/openssl/openssl.cnf [enter]
.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Example State
localityName = Locality Name (eg, city)
localityName_default = Example City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example Company
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Example Unit
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
emailAddress_default = your.mail@example.net
# SET-ex3 = SET extension number 3
.
The CA requires some setup to be done before it can be used. To make things easier, run the script:
[root@server /usr/home/user]# /usr/local/openssl/misc/CA.sh -newca [enter]
[root@server /usr/home/user]#
Generating Certificates
If a signature from a CA is not required, a self-signed certificate can be created. First, generate the RSA key:
[root@server /usr/home/user]# openssl genrsa -out cert.key 2048 [enter]
Generating RSA private key, 2048 bit long modulus
................................................+++
......+++
e is 65537 (0x10001)
[root@server /usr/home/user]#
Use this key to create a self-signed certificate valid for five years. Follow the usual prompts for creating a certificate:
[root@server /usr/home/user]# openssl req -new -x509 -days 1825 -key cert.key -out cert.crt -sha256 [enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]: [enter]
State or Province Name (full name) [Example State]: [enter]
Locality Name (eg, city) [Example City]: [enter]
Organization Name (eg, company) [Example Company]: [enter]
Organizational Unit Name (eg, section) [Example Unit]: [enter]
Common Name (e.g. server FQDN or YOUR name) []:server.example.net [enter]
Email Address [your.mail@example.net]: [enter]
[root@server /usr/home/user]#
Two new files have been created in the current directory: a private key file, cert.key, and the certificate itself, cert.crt. These files should be placed in a directory, preferably under /usr/local/etc/ssl/. Permissions of 0700 are appropriate for these files and can be set using chmod.
[root@server /usr/home/user]# mv cert.* /usr/local/etc/ssl/ [enter]
[root@server /usr/home/user]#
[root@server /usr/home/user]# chmod 0700 /usr/local/etc/ssl/cert.* [enter]
[root@server /usr/home/user]#
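The key and certificate steps above are interactive. The following script is an added example (not part of the original page) that performs the same steps non-interactively, using the DN defaults from the openssl.cnf section as a -subj argument, and then verifies the result: that the certificate's CN is what was requested, that the certificate really belongs to the key, that it is still valid for the intended period, and that the key file is not readable by group or others. The directory, host name and DN values are constructed for the example; the only assumption about the system is an openssl command on the PATH.

```shell
#!/bin/sh
# Added example: non-interactive key + self-signed certificate, then checks.
# Not from the original page. Assumes only that 'openssl' is on the PATH;
# file names, DN values and the work directory are constructed here.
set -eu

# Nothing to demonstrate without the tool; leave quietly.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

# Create cert.key and cert.crt in directory $1 for host $2.
# umask 077 in the subshell means the private key is never world-readable,
# not even for the instant between its creation and the chmod below.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    ( umask 077 && openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null )
    openssl req -new -x509 -sha256 -days 1825 \
        -key "$dir/cert.key" -out "$dir/cert.crt" \
        -subj "/C=SE/ST=Example State/L=Example City/O=Example Company/OU=Example Unit/CN=$host/emailAddress=your.mail@example.net" \
        2>/dev/null
    chmod 0700 "$dir/cert.key" "$dir/cert.crt"   # the page's recommended mode
}

# Print the CN of a certificate (works with both the old "/CN=x/..." and the
# newer "CN = x, ..." subject output formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# Succeed only if the certificate ($2) was made from the private key ($1):
# compare a hash of the RSA modulus from both files.
pair_matches() {
    k=$(openssl rsa  -in "$1" -noout -modulus | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Succeed only if the certificate ($1) does not expire within $2 days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed only if group and other have no permission bits on file $1.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demonstration in a temporary directory instead of /usr/local/etc/ssl/.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" server.example.net
echo "CN:        $(cert_cn "$demo_dir/cert.crt")"
pair_matches "$demo_dir/cert.key" "$demo_dir/cert.crt" && echo "pair:      key and cert match"
valid_for_days "$demo_dir/cert.crt" 1824 && echo "validity:  still valid in 1824 days"
key_is_private "$demo_dir/cert.key" && echo "key mode:  not group/other readable"
openssl x509 -in "$demo_dir/cert.crt" -noout -dates
```

Run it as `sh make-selfsigned.sh`; point make_selfsigned at /usr/local/etc/ssl/ instead of the temporary directory to reproduce the page's final layout. The modulus comparison is the check to run whenever a key and certificate are moved or copied separately, since a mismatched pair only fails at service start or, worse, at the first TLS handshake.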