Appendix E. Generating SSL certificates

For the Dr.Web for UNIX Mail Servers components that use a secure SSL/TLS data channel and application protocols, such as HTTPS, LDAPS, SMTPS, and so on, it is necessary to provide private SSL keys and the corresponding certificates. Keys and certificates for some components are generated automatically; and for others—they should be provided by the Dr.Web for UNIX Mail Servers user. All the components use certificates in the PEN format.

To generate private keys and certificates used for connections via SSL/TLS, including verification certificates of Certification Authority (CA) and signed certificates, you can use the command-line utility openssl (included in an OpenSSL cryptographic package).

Consider sequence of actions required for generating a private key and the corresponding SSL certificate together with a SSL certificate signed by the CA verification certificate.

To Generate a Private SSL Key and a Certificate

1.To generate a private key (the RSA algorithm, the key length is 2048 bits), run the command:

$ openssl genrsa -out keyfile.key 2048

If you want to password-protect the key, use the -des3 option. The generated key is in the file keyfile.key located in the current directory.

To view the key, use the command:

$ openssl rsa -noout -text -in keyfile.key

2.To generate a certificate for the specified time period, based on the existing private key (in this case, for 365 days), run the command:

$ openssl req -new -x509 -days 365 -key keyfile.key -out certificate.crt

Note that this command will request data (name, organization, and so on) that should identify the certifying object. The generated certificate will be located into the file certificate.crt.

To scan the contents of the generated certificate, use the command:

$ openssl x509 -noout -text -in certificate.crt

To Register a Certificate as a Trusted CA Certificate

1.Move or copy the certificate file to the system trusted certificate directory (/etc/ssl/certs/ in Debian/Ubuntu).

2.In the trusted certificate directory, create a symbolic link to the certificate, where the name of the link is the hash value of the certificate.

3.Reindex the contents of the system directory containing certificates.

The example below performs all these three actions. This assumes that the current certificate directory is the trusted certificates directory /etc/ssl/certs/ and the certificate that is registered as a trusted one is located in the /home/user/ca.crt file:

# cp /home/user/ca.crt ./
# ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0
# c_rehash /etc/ssl/certs/

To create a signed certificate

1.Generate a request for signing a certificate (Certificate Signing Request, CSR) based on the existing private key. If the key is absent, generate it.

The request for signing is created with the command:

$ openssl req -new -key keyfile.key -out request.csr

This command, as well as the command responsible for certificate creation, requests data that should identify the certified object. keyfile.key here is the existing file of the private key. The received request will be saved to the file request.csr.

To check the result of request creation, use the command:

$ openssl req -noout -text -in request.csr

2.Create a signed certificated, based on the request and the existing CA certificate, by using the command:

$ openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -set_serial 01 -in request.csr -out sigcert.crt

To create a signed certificate, you must have the following three files: the file of the root certificate ca.crt and its private key ca.key (the certificate.crt certificate and the keyfile.key key may be used istead of ca.crt and ca.key, then the obtained certificate will be self-signed), as well as the request for signing request.csr. The created signed certificate will be saved to the file sigcert.crt.

Use the following command to check the result:

$ openssl x509 -noout -text -in sigcert.crt

Repeat this procedure as many times as unique certificates you want to create. For example, every agent for distributed file scanning Dr.Web Network Checker within a scanning cluster should has its own key and certificate.

Modifying a signed certificate

Some browsers or mail clients may require modification of the signed certificate, used for authorization, to the PKCS12 format.

You can modify the certificate using the command:

# openssl pkcs12 -export -in sigcert.crt -out sigcert.pfx -inkey keyfile.key

Sigcert.crt here is an existing file of the signed certificate. keyfile.key is a file of the corresponding private key. The modified certificate is saved to sigcert.pfx.