Tuesday, August 5, 2014

SSL Certificate Signing Request

Before generating the key and CSR, make sure the installed openssl package is not vulnerable to the Heartbleed attack by checking its version. The following versions are not vulnerable:

- OpenSSL 1.0.1g
- OpenSSL 1.0.0 branch
- OpenSSL 0.9.8 branch

Only OpenSSL 1.0.1 through 1.0.1f are vulnerable to Heartbleed. If the server has any version between 1.0.1 and 1.0.1f, openssl must be updated before the key and CSR are generated. The installed version can be checked with the following command:

# rpm -qa | grep openssl

1. Generate the private key

# openssl genrsa -des3 -out server.key 1024

A passphrase is required. Choose one and keep it secret, because it protects the private key.

The generated private key looks like the following:

# cat server.key

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E
ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----

2. Generate the certificate signing request

# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

Enter the same passphrase given in step 1. openssl then prompts for the Distinguished Name fields:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:  (enter a valid e-mail address; the certificate will be sent there)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr server.*

-rw-r--r-- 1 root root   963 Jun 13 20:26 server.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 server.csr

3. Send server.csr to the Certificate Authority, which issues the SSL certificate from it.
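The whole procedure above (version check, key, CSR) as one script. This is an added example, not the post's own commands: it pulls the version token out of `openssl version` output or an rpm package name and tests it against the 1.0.1 to 1.0.1f range, then generates the key and CSR non-interactively and verifies the CSR. Where it departs from the post's commands, that is an assumption made here rather than something the post states: a 2048-bit key (public CAs no longer accept 1024-bit RSA keys), AES-256 instead of 3DES for the key passphrase, `umask 077` so the key is created 0600 rather than the world-readable 0644 shown in the `ls` listing above, a `-subj` string that fills in the Common Name with the server's FQDN (left blank in the transcript above), and a final `openssl req -verify`. The function names and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example for the procedure above; function names and sample strings are constructed.

# Extract the upstream version token ("1.0.1e", "1.0.2k", "3.0.2") from either
# `openssl version` output or an rpm package name such as openssl-1.0.1e-16.el6_5.7.x86_64.
openssl_version_token() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# Return 0 (true) when the upstream version is in the Heartbleed range,
# 1.0.1 through 1.0.1f. 1.0.1g, the 1.0.0 and 0.9.8 branches and anything
# newer are outside it. Distributions backport fixes without bumping this
# token, so for an rpm package a hit means "read `rpm -q --changelog openssl`",
# not proof of exposure.
heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate an encrypted 2048-bit private key and a CSR for the subject given in
# -subj form, then verify the CSR's self-signature. Prompts for the passphrase.
# Runs in a subshell so the umask change does not leak into the caller.
#   $1 = output basename (e.g. server)
#   $2 = subject DN, e.g. "/C=IN/ST=State/L=City/O=Org/CN=www.example.com/emailAddress=admin@example.com"
generate_csr() (
    umask 077   # key file is created 0600 instead of 0644
    openssl genrsa -aes256 -out "$1.key" 2048 &&
    openssl req -new -key "$1.key" -out "$1.csr" -subj "$2" &&
    openssl req -noout -verify -in "$1.csr"
)

# Report on the openssl installed on this host, when there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl_version_token "$(openssl version)")
    if heartbleed_vulnerable "$v"; then
        echo "openssl $v is in the Heartbleed range (1.0.1-1.0.1f): update before generating the key"
    else
        echo "openssl $v is outside the Heartbleed range"
    fi
fi

# Key and CSR generation is run on request only (constructed subject; substitute your own):
#   generate_csr server "/C=IN/ST=Karnataka/L=Bengaluru/O=Example Ltd/CN=www.example.com/emailAddress=admin@example.com"
```

After `generate_csr` finishes, `ls -l server.key` should show `-rw-------`, and `server.csr` is the file to hand to the CA.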
