SSL in a Nutshell
I’m going to skip the commands and just give you a clue as to what the steps are.
- Generate a key that will be used to encrypt stuff. Name it something like host.key.
- Use the key to create a Certificate Signing Request (CSR) e.g. host.csr which asks for specific information about which entity is requesting the key for which site or individual, and encapsulates that in the request.
- Send the CSR to a Certificate Authority (CA). This is often done by cutting and pasting an ASCII encoded version of host.csr, which is probably what was generated in the previous step. “Official” CA’s are companies which theoretically have been vetted by someone we’re supposed to trust, and their certificate is included in many web browsers, e-mail clients, etc. If the CA is not on the list of vetted CA’s then each time a web browser or other client uses a certificate signed by the untrusted CA, there will be a warning. Users can often override this permanently by installing the certificate of the CA into their browser, etc. manually.
- After bringing the broomstick of the Wicked Witch of the West to the CA of Oz, the CA will grant your wish by sending back a certificate (host.crt or host.cert).
- “Install” the certificate by putting it in a logical place on the web server (e.g. /etc/apache2/ssl/host.crt) and edit the appropriate apache configuration file (possibly /etc/apache2/apache2.conf, /etc/apache2/mods-available/ssl.conf or something similar) to point to it. Use grep to search for config files containing the string “SSL”. The file(s) will generally be well-commented enough to figure out what to do.
Other useful extensions to memorize
Browsers in partiular, like to import and/or export in specific data formats:
- host.crl a Certificate Revocation List (CRL) which is exactly what it sounds like: A list of revoked certificates — i.e. a blacklist.
- host.der is a binary? message transfer syntax known as Distinguished Encoding Rules (DER)
- host.pem is a Privacy Enhanced Mail (PEM) format which is an ASCII armored version of the certificate that incorporates the certificate (in DER format?) plus the key… Adding the key to this seems like a bad idea. Maybe the key is not always part of a PEM.
- .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
- .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
I’m a little shakier on DER, PEM, PKCS#7 and PKCS#12 as to the where, when and how to regarding their use.
http://sial.org/howto/openssl/ is an amazingly wonderful resource for getting a better grip on this stuff.