Certificate Generation & Checking with OpenSSL
CS 463
Lecture, Dr. Lawlor
OpenSSL is a neat little
command line tool for generating and verifying certificates.
Verify a Certificate
Hit the lock icon in your browser, get info, and save the https
certificate to a Base64 .pem file. You can dump this to the
screen with:
openssl x509 -in somewhere.pem -noout -text
You can verify the certificate against your system's disturbingly
long trusted certificate list (/usr/share/ca-certificates/mozilla/
or /etc/ssl/certs/ on my machine) using:
openssl verify googleIA.pem
googleIA.pem: OK
Note that "OK" only means the certificate chains up to a root in
that list and is inside its validity dates. It says nothing about
whether the certificate is for the host you actually connected to;
for a server (leaf) certificate, add -verify_hostname followed by
the host name you typed into the browser (OpenSSL 1.0.2 or newer)
to check that as well.
Generate Server Certificate
OpenSSL's "req" command with -x509 can generate "self-signed"
certificates: the certificate is signed with its own private key,
so nobody but its creator vouches for it. These provide no
protection against man-in-the-middle attacks (anybody could just
sign their own certificate claiming to be the server, and a client
has no way to tell the two apart) unless the client was handed that
exact certificate some other trusted way, but they are still secure
against eavesdroppers who don't modify your traffic. In the command
below, -nodes means "no DES", i.e. the private key is written to
mycert.key unencrypted, so protect that file; and -days 9999 is
about 27 years, far longer than any public CA would allow.
openssl req \
-x509 -nodes -days 9999 \
-subj '/C=US/ST=Alaska/L=Fairbanks/O=University of Alaska Fairbanks/OU=Really Dr. Lawlor/CN=netrun.cs.uaf.edu' \
-newkey rsa:2048 -keyout mycert.key -out mycert.crt
You can dump the info to the screen as before:
openssl x509 -in mycert.crt -noout -text
You can even start a simple demo HTTPS server using that
certificate:
openssl s_server -cert mycert.crt -key mycert.key -www
Now you can visit https://localhost:4433
and talk to the server. You'll get a warning about the
self-signed certificate. It doesn't have any content, just
info about the ciphers used, but it is HTTPS!
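The generation and verification steps above, run end to end as an added example (this is not code from the lecture): a throwaway private CA signs a server certificate, and then the script runs the checks a client does before trusting it: chain, host name, expiry, and that the key file actually belongs to the certificate. It assumes an openssl binary (1.0.2 or newer) on PATH; the CA name "Demo Root CA", the scratch directory $WORK and the use of netrun.cs.uaf.edu as the server name are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the lecture: a throwaway private CA that signs a
# server certificate, plus the checks a client runs before trusting it.
# Assumes an openssl binary (1.0.2 or newer) on PATH. The names below
# (Demo Root CA, netrun.cs.uaf.edu as the server, the $WORK scratch
# directory) are made up for the demonstration.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="netrun.cs.uaf.edu"

# Self-signed CA certificate. Like the lecture's "req -x509", but it carries
# basicConstraints CA:TRUE, which "openssl verify" requires before it will
# accept a certificate as the issuer of others.
make_ca() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj '/C=US/ST=Alaska/O=Demo CA/CN=Demo Root CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate signed by that CA. The subjectAltName matters: browsers
# match the host name against the SAN list, not against the CN in -subj.
make_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=US/ST=Alaska/L=Fairbanks/O=University of Alaska Fairbanks/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" \
        > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
    chmod 600 "$WORK/ca.key" "$WORK/server.key"   # -nodes wrote them unencrypted
}

# Chain check: succeeds only if server.crt chains up to the CA file in $1.
verify_chain() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# The same check against the system trust store, which is what the lecture's
# "openssl verify googleIA.pem" does. Our private CA is not in that store.
verify_with_system_store() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Host-name check: the name in $1 (what the client dialed) must be in the SAN.
verify_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Expiry check: succeeds if the certificate is still valid $1 seconds from now.
not_expiring_within() {
    openssl x509 -noout -checkend "$1" -in "$WORK/server.crt" >/dev/null 2>&1
}

# Pairing check for a web server config: the public key inside the
# certificate must be the one derived from the private key file.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$WORK/server.crt")" = \
      "$(openssl pkey -pubout -in "$WORK/server.key")" ]
}

make_ca
make_server_cert
echo "Files are in $WORK:"
openssl x509 -noout -subject -issuer -dates -in "$WORK/server.crt"
verify_chain "$WORK/ca.crt"  && echo "chain to Demo Root CA: OK"
verify_with_system_store     || echo "chain to system store: FAILS (expected)"
verify_host "$HOST"          && echo "host name $HOST: OK"
verify_host "evil.example"   || echo "host name evil.example: rejected (expected)"
key_matches_cert             && echo "server.key matches server.crt"
```

The "FAILS (expected)" line is the point of the lecture's man-in-the-middle remark: a certificate nobody in the trust store vouches for is indistinguishable from an impostor's, which is exactly why the browser warns about self-signed certificates. Run with WORK set to a directory of your choice if you want to keep the files.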
The same certificate could be used with a real web server, like Apache,
using mod_ssl. The config lines are:
SSLEngine on
SSLCertificateFile /etc/apache/ssl.crt/mycert.crt
SSLCertificateKeyFile /etc/apache/ssl.key/mycert.key
Make sure the .key file is readable only by root (chmod 600):
anyone who can read it can impersonate the server.
I really ought to do this for NetRun!