SSL/TLS brief comprehensive

unpublished draft
TLSSSL

What is TLS/SSL

How TLS/SSL works

How to obtain normal TLS/SSL Certificate

Component of TLS/SSL

Root CA key: Usually a rsa 2048 | 4096 private key Root CA certificate: A certificate that signed by above key (for self-signed: X509 self-signed) Server certificate key: Usually a rsa 2048 private key Certificate Signing Request: A CSR with additional information about the specific organization using with the Server certificate key. (Website) Certificate: The final artifact including Root CA key, Root CA certificate, Certificate Signing Request.

Self-generate

Simple version
# Root CA key
# for non password protected key, remove -des3 option
openssl genrsa -des3 -out rootCA.key 2048
# Root CA certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 4096 -out rootCA.crt
# Server certificate key
# Usually file name should be named by format websitename.key
openssl genrsa -out local-practice.key 2048
# Certificate Signing Request
# Important: Please mind that while creating the signing request is important to specify 
# the Common Name providing domain name for the service, 
# also it has to be different than the root CA common name.
openssl req -new -key local-practice.key -out local-practice.csr
# Generate the certificate using the domain CSR and key along with root CA key
openssl x509 -req -in local-practice.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out local-practice.crt -days 2048 -sha256 -extfile v3.ext
v3.ext File could look like
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Could try later
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
 
[alt_names]
DNS.1 = <common_name>

More specific way self sign

Understanding and generating OpenSSL.cnf files More simple example

## Origin
# Create a self signed certificate (notice the addition of -x509 option)
openssl req -config example-com.conf -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.cert.pem
# Create a signing request (notice the lack of -x509 option)
openssl req -config example-com.conf -new -sha256 -newkey rsa:2048 -nodes \
    -keyout example-com.key.pem -days 365 -out example-com.req.pem

## Self using
# Root CA key
# for non password protected key, remove -des3 option
openssl genrsa -des3 -out rootCA.key 2048
# Root CA certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 4096 -out rootCA.crt
# Server certificate key
# Usually file name should be named by format websitename.key
openssl genrsa -out local-server.key 2048
# Certificate Signing Request
# Important: Please mind that while creating the signing request is important to specify 
# the Common Name providing domain name for the service, 
# also it has to be different than the root CA common name.
openssl req -config cert-req.conf -new -key local-server.key -out local-server.csr
# Generate the certificate using the domain CSR and key along with root CA key
openssl x509 -req -in local-server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out local-server.crt -days 2048 -sha256 -extfile cert-req.conf -extensions req_ext
cert-req.conf
[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here because it's presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier    = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage    = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment # Or: nonRepudiation, digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage    = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# DNS.7       = 127.0.0.1

# IPv6 localhost
# DNS.8     = ::1

# avoid ERR_CERT_COMMON_NAME_INVALID for chrome
# IPv4 localhost
# IP.1       = 127.0.0.1

# IPv6 localhost
# IP.2     = ::1

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout cert.key -out cert.pem -config req.cnf -sha256

# 
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.company.com
DNS.2 = company.com
DNS.3 = company.net

Khanh Nguyen

Web developer & .Net lover