Appendix E. Generating SSL Certificates

Dr.Web Mail Security Suite components that exchange data over a secure SSL/TLS channel, or over application protocols that run on top of it (HTTPS, LDAPS, SMTPS and so on), need a private SSL key and the corresponding certificate. For some components, keys and certificates are generated automatically; for the others, they must be provided by the Dr.Web Mail Security Suite user. All components use certificates in the PEM format.

To generate the private keys and certificates used for SSL/TLS connections, including Certification Authority (CA) certificates used for verification and certificates signed by such a CA, you can use the openssl command-line utility from the OpenSSL cryptographic toolkit.

Below is the sequence of actions for generating a private key and its SSL certificate, for registering a CA certificate as trusted, and for obtaining a certificate signed by a CA.

To generate a private SSL key and a certificate

1. To generate a private key (RSA algorithm, 2048-bit key length), run the command:

$ openssl genrsa -out keyfile.key 2048

To protect the key with a passphrase, add the -des3 option (or, preferably, -aes256; openssl genrsa accepts both, and AES is the stronger cipher). The generated key is saved to the keyfile.key file in the current directory. Keep this file readable by its owner only: anyone who can read the private key can impersonate the component that uses it.

To view the generated key, use the command:

$ openssl rsa -noout -text -in keyfile.key

2. To generate a self-signed certificate valid for a specified period (here, 365 days) from the existing private key, run the command:

$ openssl req -new -x509 -days 365 -key keyfile.key -out certificate.crt

This command prompts for the data (name, organization and so on) that identifies the certificate subject; the Common Name (CN) should be the host name that clients connect to. Clients that verify the host name check the subjectAltName extension (newer ones ignore the CN), which openssl req can add with -addext "subjectAltName=DNS:<host name>" (OpenSSL 1.1.1 and later). The generated certificate is saved to the certificate.crt file.

To view the contents of the generated certificate, use the command:

$ openssl x509 -noout -text -in certificate.crt

To register a certificate as a trusted CA certificate

1. Copy the certificate file to the system trusted certificate directory (/etc/ssl/certs on Debian or Ubuntu).

2. In the trusted certificate directory, create a symbolic link to the certificate whose name is the hash of the certificate's subject name (the value printed by openssl x509 -hash) followed by .0. OpenSSL looks up CA certificates in a directory by this hashed name.

3. Reindex the contents of the directory so that every certificate in it has such a link.

The example commands below perform all three actions (c_rehash creates the hash-named links itself, so step 2 mainly shows what the index consists of; on OpenSSL 1.1.0 and later, openssl rehash /etc/ssl/certs does the same job where c_rehash is not installed). It is assumed that the current directory is the trusted certificate directory /etc/ssl/certs and the certificate to be registered as trusted is /home/user/ca.crt:

# cp /home/user/ca.crt .
# ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0
# c_rehash /etc/ssl/certs

To create a signed certificate

1. Generate a certificate signing request (CSR) from an existing private key. If there is no key yet, generate it as described above.

The request for signing is created with the command:

$ openssl req -new -key keyfile.key -out request.csr

Like the certificate-creation command, this command prompts for the data that identifies the certificate subject. Here, keyfile.key is the existing private key file. The resulting request is saved to the request.csr file.

To check the result of request creation, use the command:

$ openssl req -noout -text -in request.csr

2. To create a signed certificate from the request and the existing CA certificate, use the command:

$ openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -in request.csr -out sigcert.crt

To create a signed certificate, you need three files: the CA certificate ca.crt, its private key ca.key, and the signing request request.csr. (If certificate.crt and keyfile.key from the first procedure are used in place of ca.crt and ca.key, and the request was generated from that same keyfile.key, the resulting certificate is self-signed.) The signed certificate is saved to the file sigcert.crt. Two points matter in practice. First, -set_serial 01 assigns a fixed serial number, but every certificate issued by one CA must have a distinct serial, and some clients (Firefox, for example) refuse a certificate whose issuer and serial match one they have already seen; when issuing more than one certificate, either pass a different -set_serial value each time or use -CAcreateserial, which stores the last serial in a ca.srl file next to ca.crt and increments it. Second, openssl x509 -req does not by default copy extensions from the request, so the certificate has no subjectAltName; clients that verify the host name need one, which is added with -extfile pointing at a file containing a line such as subjectAltName=DNS:<host name>.

To check the result, use the command:

$ openssl x509 -noout -text -in sigcert.crt

Repeat the key-and-certificate procedure (or the signing procedure, where a CA-signed certificate is needed) once for every unique certificate you need. For example, from a security point of view, every agent of the Dr.Web Network Checker distributed file scanning within a scanning cluster should have its own key/certificate pair, so that a key compromised on one agent does not let an attacker impersonate the others.

Converting a signed certificate

Some browsers or mail clients require the signed certificate used for client authentication to be supplied in the PKCS#12 format, a single file that bundles the certificate with its private key (and, optionally, the CA chain).

Such conversion can be performed by using the command:

# openssl pkcs12 -export -in sigcert.crt -out sigcert.pfx -inkey keyfile.key

Here, sigcert.crt is the existing signed certificate file and keyfile.key is the corresponding private key file. The command prompts for an export password, which protects the private key inside the bundle and is asked for again on import; add -certfile ca.crt to include the CA certificate so that the importing client also receives the chain. The resulting bundle is saved to the sigcert.pfx file, which, like the key file, must not be world-readable.