Generating demo TLS certificates

The following sections contains the steps for quick-start creation/signing of certificates for running the Database Encryption, TLS Replication, and/or TLS sockets examples. These steps are for demonstration/training purpose only and should never be used in production. The steps you might use in your environment and the certificate operations related to creation, signing, renewal, revocation, placement, protection, etc. should be a part of a comprehensive security plan that aligns with the security needs of your organization.

Creating a demo CA (Certification Authority)

Creating a demo root certificate authority involves three steps. In the real world, you would use certificates signed by competent Certificate Authorities (CAs). Certificate Authorities' certificates themselves are signed (and trusted) by other CAs eventually leading to a Root CA, which self-signs.

  1. Generate a private key with the OpenSSL command: openssl genrsa -des3 -out ca.key 4096. The command prompts for a password with which to protect the private key.

  2. Generate a self-signed certificate with the OpenSSL command: openssl req -new -x509 -days 365 -key ca.key -out ca.crt. The command first prompts for the password of the private key followed by a series of interactive queries regarding the attributes of the certificate. Below is sample output:

    Enter pass phrase for ca.key:
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    

    -----

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:PA
    Locality Name (eg, city) []:Malvern
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Pvt. Ltd
    Organizational Unit Name (eg, section) []:Certificate Authority
    Common Name (e.g. server FQDN or YOUR name) []:www.example.com
    Email Address []:example@example.com
    

At this point, ca.crt is a root certificate that can be used to sign other certificates (including intermediate certificate authorities). The private key of the root certificate must be protected from unauthorized access.

Creating and signing demo leaf-level certificates

The root certificate is used to sign regular, leaf-level certificates. Below are steps showing the creation of a certificate for authentication.

  1. Generate a private key. This is identical to step (a) of root certificate generation.

  2. Generate a certificate sign request with the OpenSSL command openssl req -new -key client.key -out client.csr. The command first prompts for the password of the private key followed by a series of interactive queries regarding the attributes of the certificate. Below is sample output:

    Enter pass phrase for client.key:
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:PA
    Locality Name (eg, city) []:Malvern
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZQ International
    Organizational Unit Name (eg, section) []: OurSourceServer
    Common Name (e.g. server FQDN or YOUR name) []:www.xyzq.com
    Email Address []:xyzq@xyzq.com
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:challenge
    An optional company name []:XYZQ Pvt. Ltd
    

    Typically, organization that generates the certificate sign then sends it to a certificate authority (or a root certificate authority), which audits the request and signs the certificate with its private key, thereby establishing that the certificate authority trusts the company/organization that generated the certificate and requested its signing. In this example, we sign the certificate sign request with the root certificate generated above.

  3. Sign the certificate sign request with an OpenSSL command like:

    openssl ca -config $PWD/openssl.cnf -in client.ccr -out client.crt

    The output of this command looks like the following:

    >You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]: US
    State or Province Name (full name) [Philadelphia]:Illinois
    City (e.g., Malvern) [Malvern]:Chicago"
    Organization Name (eg, company) [FIS]:FIS
    Organizational Unit Name (eg, section) [GT.M]:GT.M
    Common Name (e.g. server FQDN or YOUR name) [localhost]:fisglobal.com
    Ename Address (e.g. helen@gt.m) []:root@gt.m
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./certs/ca.key:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
     Serial Number: 14 (0xe)
     Validity
     Not Before: Jun 11 14:06:53 2014 GMT
     Not After : Jun 12 14:06:53 2014 GMT
     Subject:
     countryName = US
     stateOrProvinceName = Illinois
     organizationName = FIS
     organizationalUnitName = GT.M
     commonName = fisglobal.com
     emailAddress = helen@gt.m
     X509v3 extensions:
     X509v3 Basic Constraints:
     CA:FALSE
     Netscape Comment:
     OpenSSL Generated Certificate
     X509v3 Subject Key Identifier:
     96:FD:43:0D:0A:C1:AA:6A:BB:F3:F4:02:D6:1F:0A:49:48:F4:68:52
     X509v3 Authority Key Identifier:
     keyid:DA:78:3F:28:8F:BC:51:78:0C:5F:27:30:6C:C5:FE:B3:65:65:85:C9
    Certificate is to be certified until Jun 12 14:06:53 2014 GMT (1 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
[Important] Important

Keep the self-signed root certificate authority and leaf-level certificates in a secure location. Protect their directories with 0500 permissions and the individual files with 0400 permissions so that unauthorized users cannot access them.

Please refer to OpenSSL documentation http://www.openssl.org/docs/ for information on how to create intermediate CAs, Certificate Revocation Lists, and so on.

Example: Creating demo certificates

This section contains an example for quick-start creation/signing of demo certificates for use with running the TLS Replication, Database Encryption, and TLS sockets examples in the GT.M manuals. The OpenSSL configuration file pointed to by the OPENSSL_CONF environment variable is example101.cnf. This configuration file is only suitable for the running examples and should not be used in production. Note that GT.M does not use openssl.cnf or the configuration file pointed to by the OPENSSL_CONF environment variable for any operation. The OpenSSL configuration settings that you might use in your environment and the certificate operations related to creation, signing, renewal, revocation, placement, protection, etc. should be a part of a comprehensive security plan that aligns with the security needs of your organization.

Create the following files:

cert_setup

This file sets up a dummy $PWD/certs directory for use in running TLS examples.

Here is the code:

echo "Creating cert directories ...in $PWD"
mkdir -p $PWD/certs/newcerts
touch $PWD/certs/index.txt
touch $PWD/certs/index.txt.attr
echo "01" > $PWD/certs/serial
echo "Generating root CA...."
./gen_ca  

gen_ca

This file creates a demo root certification authority in the $PWD/certs directory for use with the TLS examples.

Here is the code:

#Generates root certification authority and sets it to expire in 365 days. Ensure that you have a properly configured /etc/ssl/openssl.cnf file.
mkdir -p $PWD/certs
openssl genrsa -des3 -out $PWD/certs/$1ca.key
openssl req -new -x509 -days 365 -key $PWD/certs/$1ca.key -out $PWD/certs/$1ca.crt
#Important: Keep the self-signed root certificate authority and leaf-level certificates in a secure location. Protect their directories with 0500 permissions and the individual files with 0400 permissions so that unauthorized users cannot access them.

gen_leaf

This file creates the leaf-level certificate and gets it signed from the demo root certification authority.

Here is the code:

#Generates leaf-level certificates in $PWD/certs
openssl genrsa -des3 -out $PWD/certs/$1.key
openssl req -new -key $PWD/certs/$1.key -out $PWD/certs/$1.csr
openssl ca -config $PWD/example101.cnf -in $PWD/certs/$1.csr -out $PWD/certs/$1.crt
openssl x509 -in $PWD/certs/$1.crt -dates -issuer -subject -noout

example101.cnf

This file specifies the OpenSSL configuration file to use for running the example:

HOME = .
RANDFILE= $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default  
  
[ CA_default ]
dir  = ./certs 
certs  = $dir/certs
crl_dir  = $dir/crl
database = $dir/index.txt
unique_subject = no  
new_certs_dir = $dir/newcerts  
certificate = $dir/ca.crt  
serial  = $dir/serial  
crlnumber = $dir/crlnumber 
crl  = $dir/crl.pem  
private_key = $dir/ca.key   
RANDFILE = $dir/private/.rand 
x509_extensions = usr_cert  
name_opt  = ca_default  
cert_opt  = ca_default  
default_days = 365   
default_crl_days= 30   
default_md = default  
preserve = no   
policy  = policy_anything
  
[ policy_match ]
countryName  = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName  = supplied
emailAddress  = optional
  
[ policy_anything ]
countryName  = optional
stateOrProvinceName = optional
localityName  = optional
organizationName = optional
organizationalUnitName = optional
commonName  = optional
emailAddress  = optional
  
[ req ]
default_bits  = 1024
default_keyfile  = privkey.pem
distinguished_name = req_distinguished_name
attributes  = req_attributes
x509_extensions = v3_ca 
string_mask = utf8only
  
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Philadelphia
localityName = Collegeville
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example Pvt. Ltd.
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default = Example Unit
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress  = Email Address
emailAddress_max = 64
  
[ req_attributes ]
challengePassword  = A challenge password
challengePassword_min  = 4
challengePassword_max  = 20
unstructuredName  = An optional company name
  
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment   = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
  
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

Now make gen_leaf, gen_ca, and cert_setup executable and run the following commands:

export OPENSSL_CONF=$PWD/example101.cnf
./cert_setup
./gen_leaf demo

Enter blank values or example data as appropriate. You demo certificates are now ready for use in the documentation examples.