From Secure Computing Wiki
Revision as of 09:40, 8 February 2008 by (talk) (corrected links)

I've found OpenSSL to be one of the most difficult tools to wrap my head around. Even after a lot of fiddling and time, I'm still fuzzy about all the details and components of SSL certificates. When my employer wanted me to implement an OpenVPN server, however, I was forced to learn a bit about OpenSSL. As a result, I've written a small management script, which I've decided to share with the community at large.

As I've mentioned many places on the SCN Wiki, please contribute. Whereas this script meets most of my needs, I'm not everybody. Perhaps there are features that I haven't included, or you want everything to be called with options from the command line. You're welcome to update and modify this script to meet your needs. It's BSD-licensed.


I spent some time a while back writing a page on implementation of an OpenVPN Server. I've gotten a few questions about the script I wrote for that, and this is a page dedicated to that script, and OpenSSL in general. If you have questions, please post them in the section below, and I'll try to answer them. Alternatively, email me directly and I'll both reply directly and post the answer appropriately here.

Webster's Dictionary defines SSL as:

    A protocol designed by Netscape Communications Corporation to provide encrypted communications on the Internet. SSL is layered beneath application protocols such as HTTP, SMTP, Telnet, FTP, Gopher, and NNTP and is layered above the connection protocol TCP/IP. It is used by the HTTPS access method.

SSL certificates are trusted through a chain. Most web browsers have a pre-defined list of Root Certificate Authorities installed. These authorities are large commercial companies that, for a fee, will generate a certificate for your use after a process of verifying the identity of the applicant. Since these root Certificate Authorities are already pre-installed and, thus, pre-trusted, any certificates signed by them will just work in the given browser. A significant disadvantage of these commercial authorities, however, is that they generally come with a high monetary cost. Not only does the Root CA need to profit from the sale, there are costs on their end for the verification of the applicant's identity and the upkeep of their infrastructure.

Some of the bigger Root Certificate Authorities out there, with links, are:

  1. Verisign
  2. GoDaddy
  3. Thawte

Sample Setup

For the OpenVPN installation, we needed to do a few things.

  1. Create a Certificate Authority for the company.
  2. Create a server certificate and private key for the OpenVPN server daemon.
  3. Create client certificate/key pairs for every OpenVPN client connection.
  4. Maintain our CRL so we can disable OpenVPN clients.

In addition to the list above, we needed to do non-OpenVPN-specific tasks, such as:

  1. Create SSL certificate/key pairs for our web server.
  2. Create SSL certificate/key pairs for our LDAP server.
  3. Create SSL certificate/key pairs for signing code in some of our utilities and software that's written in-house.
  4. Create SSL certificate/key pairs for our mail servers.
  5. The list goes on...

As you can see, there are a lot of things that use, or can use, SSL certificates. The beauty of this is that, once you've got your framework set up, it's easy to add certificates down the line.
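The four OpenVPN steps listed under Sample Setup (CA, server certificate, client certificates, CRL maintenance), walked through with the openssl command line as an added example; this is not the wiki's own management script, and the CA_DIR layout, the "Example VPN CA" name and the 2048-bit RSA keys are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not the wiki's script): a minimal OpenSSL CA covering the four
# OpenVPN steps above. CA_DIR layout, names and 2048-bit RSA keys are assumptions.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"
ca_init() {  # step 1: company CA as a self-signed root allowed to sign certs and CRLs
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" && chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"; echo 1000 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
serial = $CA_DIR/serial
crlnumber = $CA_DIR/crlnumber
certificate = $CA_DIR/ca.crt
private_key = $CA_DIR/private/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
extendedKeyUsage = serverAuth
[ client ]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
  ca_gencrl  # start with an empty CRL so clients can be checked against it from day one
}
ca_issue() {  # steps 2 and 3: $1 = name, $2 = server|client (the EKU section the VPN peer checks)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/private/$1.key" -out "$CA_DIR/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions "$2" -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}
ca_gencrl() { openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1; }
ca_revoke() {  # step 4: mark a client revoked, then re-issue the CRL the OpenVPN server loads
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" >/dev/null 2>&1 && ca_gencrl
}
# exits 0 only if $1.crt chains to the CA and is not listed in the current CRL
ca_status() { openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$CA_DIR/crl.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1; }
```

Point OpenVPN's `ca`, `cert`, `key` and `crl-verify` directives at ca.crt, the server certificate and key, and crl.pem respectively; re-running ca_revoke is all that is needed to shut a client out.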