howto://lose those fraking warnings when hitting internal https sites

by Ed Fisher on 2010-06-09

in Security

If you’re like me, and since you are reading this blog you probably are, at least, way down deep, where it counts, in the cockles of our hearts, maybe below the cockles, maybe in the sub-cockle area, maybe in the liver, maybe in the kidneys, maybe even in the colon. We don’t know, but it means that you hate getting certificate warnings every time you connect to a device over https. You’ve got a certificate authority in house; it’s time you started to use it.

If you want to issue certificates from your trusted root CA to your appliances, applications, etc., you have to get a certificate request and a key that can be used to issue a certificate. While some things come with their own management interface to generate the key and CSR, more and more either simply come with OpenSSL and leave you to it, or just generate their own cert and key and hope you can figure out how to replace those files if you wish to roll your own. Assuming you can find where the app stores its certs and keys, this post will help you use OpenSSL to generate your own CSR and key, submit the CSR to your CA, and issue a cert that you can use and that your workstations will trust.

While no two devices/applications/widgets will be quite the same, more and more are using OpenSSL or at least some part of it. There will be some consistency in where you will find the secret sauce. If you have access to the file system, search for a directory called ssl or openssl, or with SSL in the name, or search for files ending in pem, cer or cert, and/or key. These may be under directories named etc, bin, utilities, share, certs, or something else, depending on the http architecture in place. If that does you no good at all, as a last resort you can RTFM.

If you don’t have direct file system access and are using a GUI or web based console, look in the section for general, networking, connections, security, or something with wording to that effect. You may only see a radio button to enable https. Click that to see if it then reveals previously hidden options. Once you have found the location, if there is a routine/script to generate a key and a certificate signing request, follow that per the vendor’s instructions, and skip down to step one below for submitting a request to your CA. If you have to do it all by hand, here is how to do it.

First, you need to download and install the Visual C++ 2008 Redistributable on your workstation if you have not already. Download it from http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en and install it using all defaults.

Then, download and install the Win32 version of OpenSSL v0.9.8I light from http://www.slproweb.com/products/Win32OpenSSL.html, again using all the defaults. Make sure to get the right version for your operating system. By default this will create the directory structure off of the root of the drive, c:\OpenSSL\.

Once installed, open an administrative command prompt, change to the openssl\bin directory and issue the following command, where 1024 is the length of your key in bits. You can of course choose 2048 or a larger power of two instead.

C:\OpenSSL\bin>openssl genrsa -out privkey.pem 1024 [enter]
  Loading 'screen' into random state - done
  Generating RSA private key, 1024 bit long modulus
  .......++++++
  ...........++++++
  e is 65537 (0x10001)

This generates the 1024 bit private key that will be used to create the certificate request.

Next, you need to generate the request itself, using the key you just created. You’ll be prompted to provide information to fill out the CSR. Remember that the country code is the X.500 two-letter designation for the country, and US readers should spell out their state name in full.

C:\OpenSSL\bin>openssl req -new -key privkey.pem -out request.csr [enter]
  Loading 'screen' into random state - done
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:fill out what you want and hit enter
  State or Province Name (full name) [Some-State]:fill out what you want and hit enter
  Locality Name (eg, city) []:fill out what you want and hit enter
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:fill out what you want and hit enter
  Organizational Unit Name (eg, section) []:fill out what you want and hit enter
  Common Name (eg, YOUR name) []:fill out what you want and hit enter
  Email Address []:fill out what you want and hit enter

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:fill out what you want and hit enter
  An optional company name []:fill out what you want and hit enter

Do NOT forget that challenge password. You will need to configure your device/app with this so that it can open the private key file.
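The same two steps as a script, added here as an example and not part of the original post: the answers typed at the prompts above go into an openssl req config file, so the key and CSR can be generated without interaction, and the result is checked before it goes to the CA. It assumes openssl is on the PATH and a POSIX shell (any Linux box, or the shell that ships with Git for Windows; the Windows install above puts the binary in C:\OpenSSL\bin). The DN values, host name and challenge password are constructed placeholders, and the demo uses the 2048-bit size the post mentions as an alternative. Two things the checks make visible: genrsa run as above, without -aes256 or -des3, writes the private key with no passphrase at all, and the challenge password is carried inside the CSR as an attribute.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# openssl genrsa / openssl req walkthrough, with checks on the output.
# Assumes openssl on PATH; DN values and the challenge password are constructed.
set -e

# Scratch directory for the generated files; override with WORKDIR=...
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the prompt answers from the walkthrough as an openssl req config.
# "prompt = no" makes openssl read the fields verbatim instead of asking.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_dn
attributes         = req_attrs

[ req_dn ]
C            = US
ST           = Texas
L            = Austin
O            = Example Corp
OU           = IT
CN           = appliance01.internaldomain.tld
emailAddress = admin@internaldomain.tld

[ req_attrs ]
challengePassword = constructed-challenge-secret
EOF
}

# gen_key_and_csr KEY CSR CONFIG BITS
# The same two commands as the walkthrough; genrsa's progress goes to stderr.
gen_key_and_csr() {
    openssl genrsa -out "$1" "$4" 2>/dev/null
    openssl req -new -key "$1" -config "$3" -out "$2"
}

# Print the DN that was embedded in the CSR.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Check the CSR's self-signature; catches a key/CSR mismatch before the
# CA admin does.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# The challenge password is a CSR attribute and shows up in the -text dump.
csr_has_challenge_password() {
    openssl req -in "$1" -noout -text | grep -q challengePassword
}

# genrsa without -aes256/-des3 writes the key with no passphrase at all;
# an encrypted PEM key carries an "ENCRYPTED" header line.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Demo run: same file names as the walkthrough.
write_req_config "$WORKDIR/req.cnf"
gen_key_and_csr "$WORKDIR/privkey.pem" "$WORKDIR/request.csr" "$WORKDIR/req.cnf" 2048
csr_subject "$WORKDIR/request.csr"
csr_is_valid "$WORKDIR/request.csr" && echo "CSR signature OK: $WORKDIR/request.csr"
key_is_unencrypted "$WORKDIR/privkey.pem" && echo "note: privkey.pem has no passphrase"
```

Run it with `sh gen-csr.sh`; the files land in a fresh mktemp directory unless WORKDIR is set, and request.csr is what gets pasted into the CA's web page. Because the private key comes out unencrypted, treat the scratch directory like the device's own SSL directory and do not leave copies lying around.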

This will output a certificate signing request. Now we just need to get a certificate. The following assumes you have a Windows CA whose web enrollment pages (certsrv) are properly set up in IIS.

  1. Open the CSR in your favourite text editor and copy the CSR text.
  2. Open a browser and go to https://yourcertificateauthorityfqdn.internaldomain.tld/certsrv
  3. Click Request a certificate
  4. Click advanced certificate request
  5. Click Submit a certificate request by using a base64 blah de blah blah blah…
  6. Paste the CSR text into the window, select the Web Server template, and click Submit.

If your CA is configured to automatically issue certificates, the next screen will let you download your cert. If not, you’ll need your CA Admin to authorise and issue the cert. Once you have your cert, you can use it as-is if your device uses DER format. But since most third party devices use PEM format, we need to convert the certificate from the DER format that Microsoft’s CA issues to PEM format. Take the newly issued cert and copy it back to your OpenSSL\bin directory. Assuming the certificate file is named certnew.cer, issue this command.

C:\OpenSSL\bin>openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM [enter]
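A small script around that conversion, added here as an example and not from the original post. It tells DER from PEM before calling openssl x509 (feeding a PEM file through -inform DER only produces an ASN.1 parse error), converts, and then compares the SHA-256 fingerprints of the two files to confirm they are the same certificate. It assumes openssl on the PATH and a POSIX shell; since no CA is reachable offline, the certificate it converts is a throwaway self-signed one written in DER as a stand-in for certnew.cer, with a constructed DN.

```shell
#!/bin/sh
# Added example (not from the original post): detect a certificate's encoding,
# convert DER to PEM with the same x509 command as the walkthrough, and prove
# both files are the same certificate. Assumes openssl on PATH; the certificate
# is a constructed self-signed stand-in for the CA-issued certnew.cer.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# cert_format FILE -> prints PEM, DER or UNKNOWN (non-zero exit for UNKNOWN).
# PEM is text with a BEGIN CERTIFICATE header; DER is binary ASN.1 whose
# first byte is 0x30, the SEQUENCE tag that opens every X.509 certificate.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -N1 -tx1 "$1" | tr -d ' ')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# der_to_pem IN OUT: the walkthrough's conversion, guarded so a file that is
# already PEM is copied instead of being mis-parsed as DER.
der_to_pem() {
    case "$(cert_format "$1")" in
        DER) openssl x509 -in "$1" -inform DER -out "$2" -outform PEM ;;
        PEM) cp "$1" "$2" ;;
        *)   echo "unrecognised certificate encoding: $1" >&2; return 1 ;;
    esac
}

# cert_fingerprint FILE FORMAT -> SHA-256 fingerprint, identical for both
# encodings of the same certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_stand_in_der_cert CERT KEY: constructed self-signed certificate written
# in DER, standing in for what the CA's web page hands back.
make_stand_in_der_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -days 1 \
        -subj "/CN=appliance01.internaldomain.tld" -outform DER -out "$1" 2>/dev/null
}

# Demo run: same file names as the walkthrough.
make_stand_in_der_cert "$WORKDIR/certnew.cer" "$WORKDIR/privkey.pem"
der_to_pem "$WORKDIR/certnew.cer" "$WORKDIR/cert.pem"
echo "certnew.cer is $(cert_format "$WORKDIR/certnew.cer"), cert.pem is $(cert_format "$WORKDIR/cert.pem")"
echo "fingerprint (DER): $(cert_fingerprint "$WORKDIR/certnew.cer" DER)"
echo "fingerprint (PEM): $(cert_fingerprint "$WORKDIR/cert.pem" PEM)"
```

The fingerprint comparison is the check worth keeping: after you copy cert.pem onto the device, the same `openssl x509 -fingerprint -sha256` against what the device serves tells you whether it actually picked up the new certificate or is still presenting its old self-signed one.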

Copy the key and certificate to your application’s SSL directory, configure the app to use the certificate and key, enter the passphrase to open the private key, bounce the device/server, and test it out. Just about every product has its own way of doing this, so I can’t provide specifics here. For Splunk, you can see this post, for Juniper SSL VPN devices you can see this post, and I will probably post some more as I get to things like Bluecoat, ESX servers, etc.

Until then, go grab a cold one. You’ve earned it. Or, if it is not yet beer:30 where you are, have fun with this little video instead. Personally, I have been using Thawte certificates for public facing purposes, and internally generated certs for everything else. Thawte has the ubiquity, their certs are MUCH less expensive, and their customer service is excellent.

Direct link for RSS and email subscribers…http://www.youtube.com/watch?v=roOKDqHOy30
