Solved

How do I self-sign a key using OpenSSL on Ubuntu 11.04 server?

Posted on 2011-09-12
Last Modified: 2012-05-12
I am trying to follow these directions:
https://help.ubuntu.com/community/OpenSSL

to create a self signed certificate on 64 bit Ubuntu 11.04 server.  I have created my Certificate Authority and am at the point of trying to sign the certificate using this command (it will help you see where I am on the page):
openssl ca -in tempreq.pem -out server_crt.pem

I get the following output:
Using configuration from /home/bthomson/myCA/caconfig.cnf
Enter pass phrase for /home/bthomson/myCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'MYWEBSITE.com'
stateOrProvinceName   :PRINTABLE:'SC'
countryName           :PRINTABLE:'US'
emailAddress          :IA5STRING:'MYEMAIL@hotmail.com'
organizationName      :PRINTABLE:'MY COMPANY NAME'
organizationalUnitName:PRINTABLE:'IT'
MYWEBSITE.com:invalid type in 'policy' configuration

Can anyone help me figure out what causes this? (and how to resolve it)
Question by:developmentguru
19 Comments
 
LVL 17

Expert Comment

by:Garry-G
ID: 36523789
Instead of going through the hassle with the gazillion parameters, you can save yourself a lot of work and just put "WebCert" on a box ... see http://frank4dd.com/sw/ for docs and demo.
Apart from that, might need to see the .cnf files for further debugging ...
 
LVL 21

Author Comment

by:developmentguru
ID: 36523999
I am trying to understand how it works, rather than just use a tool to do it for me.  If you are familiar with the process then perhaps you can see the issue with the instructions I found.  I don't need to be able to use more than a couple of self signed certificates for personal web development usage at home.  I may want to add another site in the future though.

If I ran into this error the last time through the instructions I missed it.  I have been trying to get this to work for about 3 weeks now.

The site I linked gives an exampleserver.cnf which I used and just replaced the fields to match what I was trying to do.  Is this the file you would need to see?
 
LVL 17

Expert Comment

by:Garry-G
ID: 36524116
Did you add a default for the commonName value? Make sure you set the field to e.g. "supplied", otherwise you'll probably get a mismatch ... apart from that, using the stock .cnf files from the web site link above worked out fine for me, with only the home directory path changed ...
 
LVL 21

Author Comment

by:developmentguru
ID: 36524153
Where would that commonName come up?  I replaced what I had in there (I had replaced it with something company specific) with "supplied" and got the same error with the same values so... either I need to redo all of the steps or something needs to be reloaded.
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 250 total points
ID: 36524217
These instructions might be easier to understand:

http://www.akadia.com/services/ssh_test_certificate.html

The basic idea behind certificates is that they provide a way for visitors to a webpage to:
     a) Encrypt their communication using a public/private key pair (prevent the user from eavesdropping)
     b) Validate the identity of the web server through a third party authority (protect the user from impostors posing as the remote server)

(a) is accomplished through public/private key pair encryption. (b) is accomplished by getting that public/private keypair signed by an authority that takes steps to ensure the authenticity of the parties involved.

So normally the process for getting a proper SSL certificate is to do this:

1) The administrator generates a private key for his/her server (the .KEY file). This key is optionally encrypted with a passphrase.

2) The administrator creates a "certificate signing request" (the CSR file), which will be issued to a signing authority to validate the authenticity of his key. He/she pays some money, and then submits the request to an eligible certificate signing authority (e.g. Geotrust, Thawte, etc.).

3) The authority responds back with a certificate for the administrator to use (the .CRT file). The CRT file contains contact information for all parties involved (the signing authority, the administrator, etc).

4) The administrator installs the signed certificate into his server (e.g. Apache server) and all is well for the duration of the certificate.

5) Once the certificate expires, the administrator must get a new one by going back to step 2.


The catch is that step #2 is not free. You have to pay a fee for a certificate authority to sign and issue a certificate to you for you to use.

So as a workaround, you can sign your own certificate (YOU get to be the signing authority). You can do this for free, and it works just as well to encrypt the communication channel. The catch is that since you signed your own certificate there is no trustworthy authority that can verify your identity. Your visitors' web browsers will warn them of this fact. So long as you don't mind the warnings, you can sign your own certificates and use them.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36524239
Check the first occurrence in your caconfig.cnf (section local_ca_policy) - when I change the "supplied" value for commonName to something else, I get the same error you listed above ...
 
LVL 31

Assisted Solution

by:Frosty555
Frosty555 earned 250 total points
ID: 36524272
Also, be aware that Apache on Ubuntu 11.04 comes with its own pre-generated SSL key so that you don't have to fuss about with all of this mess. You should only have to do all of this work if you want to learn and understand how SSL works (or if you want to purchase a REAL, signed certificate)

If you just want a quick SSL-secured webserver, then just install Apache from its package (apt-get install apache2). It comes with a default, self-signed certificate called a "snakeoil" certificate that you can use without having to mess around.

Look at "/etc/apache2/sites-available/default-ssl", that file is pre-configured to set up Apache with that snakeoil certificate. Just link that file into your "/etc/apache2/sites-enabled" folder and you should be good to go.
 
LVL 21

Author Comment

by:developmentguru
ID: 36524295
@Frosty555
I am trying to develop a commercial web site.  I will need a valid Certificate Authority at some point, just not during development.  My web browser will be the only one to see the web site as I develop it on my own Ubuntu 11.04 server box.  Once I have it working to my satisfaction then I will need to spend the (from what I have seen) several hundred dollars per year to make it official.

@Garry-G
What fields in the caconfig.cnf SHOULD I be changing?  It looks like I will need to edit that file and run all of the steps up to and including the one that is causing the error.  I just don't want to do it several times in order to find all of the pieces I got wrong.
 
LVL 21

Author Comment

by:developmentguru
ID: 36524319
It is interesting to note that, in the example I have been working on, the commonName WAS changed...
 
LVL 17

Accepted Solution

by:Garry-G
Garry-G earned 250 total points
ID: 36524322
For starters, go back to the file given in the Ubuntu howto as a basis, and run the CA signature again - you should be able to sign the CSR with it (for the test, I kept it unchanged).
The relevant part anyway is to keep the "local_ca_policy" section unchanged and you should be good ... it's sort of the "rules" your client CA certificates need to follow ...
 
LVL 21

Author Comment

by:developmentguru
ID: 36524343
I have redone all of the steps replacing the commonName value with "supplied" and still get the error.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36524381
Hm ... if the error occurs with the original caconfig.cnf file, I'm out of ideas ...
 
LVL 21

Author Comment

by:developmentguru
ID: 36524398
I should use the original verbatim?
 
LVL 21

Author Comment

by:developmentguru
ID: 36524402
(I just replaced the one value)
 
LVL 17

Expert Comment

by:Garry-G
ID: 36524459
Worth a try ...
 
LVL 21

Author Comment

by:developmentguru
ID: 36524594
Replacing the file with the original (only changing the two directory areas to match) DID get me past this error, thanks!

Now, can you explain why the issues happened?  It is good to be past that part of my problems but understanding why the problem existed is worth a lot more in my opinion.
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 250 total points
ID: 36524632
As mentioned above, the "policy" section defines what values are valid in a client certificate. Valid values are "match", "supplied" or "optional". "match" only allows values that are identical to the ones in the CA's appropriate fields, "supplied" means it has to be present, while "optional" of course means it doesn't have to be supplied. Putting anything else in the policy values breaks openssl I reckon ... guess it could use some better error handling ;)
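The key / CSR / signed-certificate flow Frosty555 outlines above and the three policy keywords Garry-G explains, run end to end in a throw-away directory. This is an added example, not code from the thread or from the Ubuntu howto; it assumes an example.test hostname, reuses the howto's section names (local_ca, local_ca_policy) and the same subject fields as the question, and adds a subjectAltName extension that the page does not mention. The first signing attempt puts a hostname where a policy keyword belongs, which is exactly the misconfiguration behind the error in the question; the second uses "supplied" and succeeds.

```shell
#!/bin/sh
# Added example (not from the thread or the Ubuntu howto): a throw-away CA that
# reproduces "invalid type in 'policy' configuration" and then signs the same
# CSR once the policy section is fixed. Assumed: hostname example.test.
set -u

write_ca_config() {  # $1 = CA directory, $2 = policy value for commonName
  cat > "$1/caconfig.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = local_ca_policy
x509_extensions = server_extensions
# Each value must be match (same as the CA cert's field), supplied or optional.
[ local_ca_policy ]
commonName             = $2
countryName            = match
stateOrProvinceName    = match
organizationName       = supplied
organizationalUnitName = optional
emailAddress           = optional
[ server_extensions ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:example.test
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_extensions
[ req_dn ]
commonName = Common Name
[ ca_extensions ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

setup_ca() {  # $1 = CA directory: database files plus a self-signed CA certificate
  mkdir -p "$1/private" "$1/newcerts" || return 1
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  write_ca_config "$1" supplied
  openssl req -x509 -config "$1/caconfig.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
    -subj "/C=US/ST=SC/O=Example Test CA/CN=Example Test Root CA" 2>/dev/null
}

make_csr() {  # $1 = CA directory: server key and CSR with the question's fields
  openssl req -new -config "$1/caconfig.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/server_key.pem" -out "$1/tempreq.pem" \
    -subj "/C=US/ST=SC/O=MY COMPANY NAME/OU=IT/CN=example.test/emailAddress=admin@example.test" \
    2>/dev/null
}

sign_csr() {  # $1 = CA directory, $2 = commonName policy value
  write_ca_config "$1" "$2"
  openssl ca -batch -notext -config "$1/caconfig.cnf" \
    -in "$1/tempreq.pem" -out "$1/server_crt.pem"
}

run_demo() {  # prints the CA directory on success, returns 1 otherwise
  dir=$(mktemp -d) || return 1
  setup_ca "$dir" || return 1
  make_csr "$dir" || return 1
  # 1. The misconfiguration from the question: a hostname where a keyword belongs.
  bad=$(sign_csr "$dir" "MYWEBSITE.com" 2>&1 || true)
  case "$bad" in
    *"invalid type in 'policy' configuration"*) ;;
    *) echo "expected a policy error, got: $bad" >&2; return 1 ;;
  esac
  # The exit status of openssl ca is not a reliable signal in every version,
  # so check the artefact instead: nothing must have been issued.
  [ ! -s "$dir/server_crt.pem" ] || return 1
  rm -f "$dir/server_crt.pem"
  # 2. The fix: commonName = supplied, as in the howto's original caconfig.cnf.
  sign_csr "$dir" supplied >/dev/null 2>&1 || true
  [ -s "$dir/server_crt.pem" ] || return 1
  openssl verify -CAfile "$dir/cacert.pem" "$dir/server_crt.pem" >/dev/null 2>&1 || return 1
  echo "$dir"
}

ca_dir=$(run_demo) && openssl x509 -in "$ca_dir/server_crt.pem" -noout -subject -issuer
```

Run it with sh and it prints the subject and issuer of the certificate it issued. Two things differ from the howto on purpose: the keys are generated with -nodes so the demo runs unattended, whereas the howto's cakey.pem is passphrase-protected (the prompt visible in the question's output); and the script checks whether server_crt.pem was actually written instead of trusting the exit status of openssl ca, because a rejected request does not produce a non-zero exit code in every OpenSSL version.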
 
LVL 21

Author Comment

by:developmentguru
ID: 36524659
I have to say, that was a well worded explanation that I (as an Apache newbie) needed to see, thanks.  I will most likely be asking another question about Apache setup later today.  I hope I get the same rapid and helpful responses.
 
LVL 21

Author Closing Comment

by:developmentguru
ID: 36524686
Thanks for the help.  I got a lot of good info from both Garry-G and from Frosty555.
