IT Security
Page tree
Skip to end of metadata
Go to start of metadata

background

This guide demonstrates how to obtain, deploy and verify an X.509 certificate. While written specifically in the context of a domain-validation single-address certificate for www.obfuscate.xyz from Gandi, the OpenSSL commands are valid for other vendors (e.g.: Thawte), for other certificate types (e.g.: wildcard), and for other validation modes (e.g.: organization-validation or extended-validation).

When following this guide, replace www.obfuscate.xyz with the common name for your website.  Similarly, if purchasing a certificate from another vendor, replace the URLs for the bundle of intermediate CA certificates and the root certificates, as necessary.

Note that when the single-address certificate signing request is for www.«domain», Gandi adds «domain» as a subject alternative name; and when the request is for «domain», Gandi adds www.«domain». Similarly, when the wildcard certificate signing request is for *.«domain», Gandi adds «domain» as a subject alternative name.

how to obtain an X.509 certificate

step 1: generate the configuration file (CFG)

Using a text editor, generate www.obfuscate.xyz.cfg containing the following configuration directives:

[ req ]
distinguished_name = req_distinguished_name
default_md = sha256
prompt = no

[ req_distinguished_name ]
C = CA
ST = British Columbia
L = Vancouver
O = The University of British Columbia
OU = Department of Obfuscation
CN = www.obfuscate.xyz

Notes:

  • Do not delete this file. If you inadvertently delete this file and are unable to restore it from an archive, then you may regenerate it manually using values extracted from the CSR or the CRT.
  • For DV (domain validation) certificates, it is not necessary to specify country (C), state (ST), locality (L), organization (O) or organizational unit (OU) in the Distinguished Name. These values are only used for OV (organization validation) and EV (extended validation) certificates.
  • To request a wildcard certificate, set the common name (CN) to *.obfuscate.xzy rather than a specific name such as www.obfuscate.xyz.

step 2: generate the private key file (KEY)

Using the following command, generate www.obfuscate.xyz.key containing a 2048-bit RSA private key.

openssl genrsa -out www.obfuscate.xyz.key 2048

Notes:

  • Do not delete this file as it contains the private key that underpins the identity presented by the end-entity certificate. If you are unable to restore it from an archive, then you will need to purchase a new certificate, discarding the previously created CSR and previously obtained CRT.
  • Do not lose control of www.obfuscate.xyz.key. In particular, do not store it in a location served by the web server. Further, the file permissions should read-write for user, read-only group, and none for other (i.e., 640); with user and group ownership set to 'root'.
  • Unless CA requirements regarding the private key change (e.g.: key length), you do not need to regenerate the private key on each renewal.

step 3: generate the certificate signing request (CSR)

Using the following command, generate www.obfuscate.xyz.csr containing a certificate signing request based on the private key and configuration files.

openssl req -config www.obfuscate.xyz.cfg -new -key www.obfuscate.xyz.key -out www.obfuscate.xyz.csr

Notes:

  • Do not delete this file. If you inadvertently delete this file and are unable to restore it from an archive, then you may re-run the command to generate a new CSR, which may be needed during renewals.
  • While it is possible to combine the generation of a private key and the generation of a certificate signing request into a single command, it is advantageous to keep them separate for clarity.
  • While it is possible to generate a certificate signing request using the default configuration, it is advantageous to capture, for future reference, the parameters used. Additionally, some CAs (although not Gandi) require the specification of subject alternative names via the CSR, which can only be accomplished via the configuration file.
  • Unless CA requirements regarding the certificate signing request change (e.g.: signature algorithm), you do not need to regenerate the CSR on each renewal.

step 4: obtain the end-entity certificate (CRT)

Submit the certificate signing request to UBC IT Security at security@ubc.ca, indicating that you used OpenSSL to create the CSR (i.e.: that you followed this guide).  After domain control validation via SMTP, UBC IT Security will provide you with the end-entity certificate issued by Gandi.  Save this as www.obfuscate.xyz.pem.

Notes:

  • Do not delete this file. If you inadvertently delete this file and are unable to restore it from an archive, then contact UBC IT Security asking for it to be re-issued.

step 5: obtain the bundle of intermediate CA certificates

Using the following command, obtain the bundle of intermediate CA certificates from Gandi.

wget -q -O - https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem > www.obfuscate.xyz-cacerts.pem

step 6: generate the chained certificate (for Apache httpd and nginx)

Using the following command, generate www.obfuscate.xyz-chained.pem containing the concatenation of the end-entity certificate and the intermediate CA certificates, ordered from leaf towards root.

cat www.obfuscate.xyz.pem www.obfuscate.xyz-cacerts.pem > www.obfuscate.xyz-chained.pem

Notes:

  • The order of certificates in this file is normally from leaf (i.e.: end-entity certificate) towards root.
  • This file should never contain root certificates.

step 7: generate the PKCS12 archive (for Microsoft IIS)

This step uses www.obfuscate.xyz-chained.pem, which was generated in the previous step.

Using the following command, generate www.obfuscate.xyz-pfxpass.txt containing a random 36-character string to be used as the passprase for the PKCS12 archive.

openssl rand -base64 36 > www.obfuscate.xyz-pfxpass.txt

Using the following command, generate www.obfuscate.xyz-chained.pfx a PKCS12 archive containing the private key, the end-entity certificate, and the intermediate CA certificates.

openssl pkcs12 -export -inkey www.obfuscate.xyz.key -in www.obfuscate.xyz-chained.pem -out www.obfuscate.xyz-chained.pfx -passout file:www.obfuscate.xyz-pfxpass.txt -name www.obfuscate.xyz

Notes:

  • Do not lose control of www.obfuscate.xyz-pfxpass.txt.  Since the PKCS12 archive contains the private key, the passphrase securing the PKCS12 archive should be held as securely as the private key itself.

step 8: generate the Java keystore (for Apache Tomcat)

This step uses www.obfuscate.xyz-chained.pfx and www.obfuscate.xyz-pfxpass.txt, which were generated in the previous step.

Using the following command, generate www.obfuscate.xyz-jkspass.txt containing a random 36-character string to be used as the passphrase to secure the Java keystore.

openssl rand -base64 36 > www.obfuscate.xyz-jkspass.txt

Using the following command, generate www.obfuscate.xyz-keypass.txt containing a random 36-character string to be used as the passphrase to secure the key stored in the Java keystore.

openssl rand -base64 36 > www.obfuscate.xyz-keypass.txt 

Using the following command, generate www.obfuscate.xyz-chained.jks, a Java keystore containing the private key, the end-entity certificate, and the intermediate CA certificates.

keytool -importkeystore \
  -srckeystore www.obfuscate.xyz-chained.pfx -srcstoretype pkcs12 -srcalias www.obfuscate.xyz \
  -destkeystore www.obfuscate.xyz-chained.jks -deststoretype jks -destalias www.obfuscate.xyz \
  -srcstorepass `cat www.obfuscate.xyz-pfxpass.txt` \
  -deststorepass `cat www.obfuscate.xyz-jkspass.txt` \
  -destkeypass `cat www.obfuscate.xyz-keypass.txt` 

Notes:

  • Do not lose control of www.obfuscate.xzy-jkspass.txt and www.obfuscate.xyz-keypass.txt.  Since the Java keystore contains the private key, the passphrases securing the Java keystore should be held as securely as the private key itself.

epilog: resulting files

Execution of the commands detailed in steps 1 through 8 will result in the generation of the following files:

  • www.obfuscate.xyz.cfg: OpenSSL configuration (CFG)
  • www.obfuscate.xyz.key: 2048-bit RSA private key (KEY) (warning)
  • www.obfuscate.xyz.csr: certificate signing request (CSR)
  • www.obfuscate.xyz.pem: end-entity certificate (CRT)
  • www.obfuscate.xyz-cacerts.pem: bundle of intermediate CA cerificates
  • www.obfuscate.xyz-chained.pem: concatenation of end-entity and intermediate CA certificates
  • www.obfuscate.xyz-pfxpass.txt: passphrase used to secure the PKCS12 archive (warning)
  • www.obfuscate.xyz-chained.pfx: PKCS12 archive containing the private key, the end-entity certificate and the intermediate CA certificates
  • www.obfuscate.xyz-jkspass.txt: passphrase used to secure the Java keystore (warning)
  • www.obfuscate.xyz-keypass.txt: passphrase used to secure the private key within the Java keystore (warning)
  • www.obfuscate.xyz-chained.jks: Java keystore containing the private key, the end-entity certificate and the intermediate CA certificates

Notes:

  • Do not lose control of the files marked (warning) as they either contain or grant access to the private key.  Specifically, this means setting the file/group ownership and permission flags appropriately so that unauthorized users, locally and remotely, can not gain access to the private key.
  • By following a naming convention, all the files associated with a particular certificate are kept together. This includes the bundle of intermediate CA certificates, which was saved as www.obfuscate.xyz-cacerts.pem rather than as GandiStandardSSLCA2.pem.
  • One approach to managing these files is to store them outside of the context of the software that will use them (see next section on how to deploy an X.509 certificate).  For example, these files could be kept in /root/ssl or /home/sysadmin/ssl and copied to locations needed by the software (with appropriate updates to ownership and permissions).  In particular, software running on Linux machines configured with enhanced security policies, such as those employed by SELinux, will expect these files to be in specific locations.

how to deploy an X.509 certificate

Apache httpd

for versions up to 2.4.7 (inclusive)

Apache httpd versions up to 2.4.7 require the use of three configuration directives to specify the private key (SSLCertificateKeyFile), the end-entity certificate (SSLCertificateFile) and the bundle of intermediate CA certificates (SSLCertificateChainFile).

Example configuration:

<VirtualHost 192.168.1.1:443>
  ServerName www.obfuscate.xyz
  ServerAlias obfuscate.xyz

  SSLEngine on
  SSLCertificateFile       /path/to/www.obfuscate.xyz.pem
  SSLCertificateKeyFile    /path/to/www.obfuscate.xyz.key
  SSLCertificateChainFile  /path/to/www.obfuscate.xyz-cacerts.pem
  ...
</VirtualHost>

Notes:

  • The configuration snippet, above, does not provide guidance regarding configuration directives regarding protocols and cipher suites.
  • A common error is to use SSLCACertificateFile to specify the file containing the bundle of intermediate certificates. In Apache versions up to 2.4.7, use SSLCertificateChainFile for this purpose.

version 2.4.8 onwards

From Apache httpd version 2.4.8 onwards, the SSLCertificateChainFile configuration directive is deprecated and the SSLCertificateFile configuration directive accepts the chained certificate (similar to nginx).

Example configuration:

<VirtualHost 192.168.1.1:443>
  ServerName www.obfuscate.xyz
  ServerAlias obfuscate.xyz

  SSLEngine on
  SSLCertificateFile    /path/to/www.obfuscate.xyz-chained.pem
  SSLCertificateKeyFile /path/to/www.obfuscate.xyz.key
  ...
</VirtualHost>

Notes:

  • The configuration snippet, above, does not provide guidance regarding configuration directives regarding protocols and cipher suites.

nginx

Example configuration:

server {
  listen 192.168.1.1:443;
  server_name www.obfuscate.xyz obfuscate.xyz;

  ssl on;
  ssl_certificate     /path/to/www.obfuscate.xyz-chained.pem;
  ssl_certificate_key /path/to/www.obfuscate.xyz.key;
  ...
}

Notes:

  • The configuration snippet, above, does not provide guidance regarding configuration directives regarding protocols and cipher suites.

Microsoft IIS

Using IIS management tools (Start -> Administrative Tools -> IIS), import the PKCS12 archive (www.obfuscate.xyz-chained.pfx) and edit the bindings to use the new certificate.

The passphrase securing the PKCS12 archive is contained in www.obfuscate.xyz-pfxpass.txt.

Apache Tomcat provides support for multiple SSL/TLS implementations.  The server.xml configuration snippet, below, assumes the use of JSSE rather than APR.

<Connector address="192.168.1.1" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/www.obfuscate.xyz-chained.jks"
           keystorePass="«passphrase contained in www.obfuscate.xyz-jkspass.txt»"
           keyAlias="www.obfuscate.xyz"
           keyPass="«passphrase contained in www.obfuscate.xyz-keypass.txt»" />

Notes:

  • The passphrase securing the Java keystore which is contained in www.obfuscate.xyz-jkspass.txt.  Use this passphrase with the keystorePass attribute.
  • The passphrase securing the key within the Java keystore is contained in www.obfuscate.xyz-keypass.txt.  Use this passphrase with the keyPass attribute.
  • Do not lose control of Tomcat's server.xml.  Since this configuration file contains the passphrases to the Java keystore and the key, it should be held as securely as the private key itself.
  • The configuration snippet, above, does not provide guidance regarding configuration directives regarding protocols and cipher suites.

how to verify an X.509 certificate

step 1: verify the certificate's integrity

Using the following commands, verify the integrity of the private key (KEY), the certificate signing request (CSR), and the end-entity certificate (CRT).

The SHA1 hash value output by the three commands should be identical, indicating that the end-entity certificate is based on the certificate signing request over the private key.

openssl rsa -noout -modulus -in www.obfuscate.xyz.key | openssl dgst -sha1 -binary | xxd -p
output of previous command
021d551fb04d52b18464ddb26ba95c79d94a3c3d 
openssl req -noout -modulus -in www.obfuscate.xyz.csr | openssl dgst -sha1 -binary | xxd -p
output of previous command
021d551fb04d52b18464ddb26ba95c79d94a3c3d 
openssl x509 -noout -modulus -in www.obfuscate.xyz.pem | openssl dgst -sha1 -binary | xxd -p
output of previous command
021d551fb04d52b18464ddb26ba95c79d94a3c3d 

step 2: verify the certificate's trust chain

Using the following command, examine the end-entity certificate. Note that it has subject CN=www.obfuscate.xyz and is issued by CN=Gandi Standard SSL CA 2.

 openssl x509 -noout -subject -issuer -fingerprint -in www.obfuscate.xyz.pem
output of previous command
subject= /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.obfuscate.xyz
issuer= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
SHA1 Fingerprint=C2:1A:1D:78:9C:04:94:AF:3B:CE:FC:FB:89:B8:4B:72:12:CC:0E:62

Using the following commands, examine the bundle of intermediate CA certificates. Note that the bundle contains two certificates.

The first certificate in the bundle has subject CN=Gandi Standard SSL CA 2 and is issued by CN=USERTrust RSA Certificate Authority, the SHA2 Root CA.

cat www.obfuscate.xyz-cacerts.pem | gawk 'BEGIN {RS="-----END CERTIFICATE-----\n";ORS=RS} NR==1 {print}' | openssl x509 -noout -subject -issuer -fingerprint
output of previous command
subject= /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
SHA1 Fingerprint=24:71:06:A4:05:B2:88:A4:6E:70:A0:26:27:17:16:2D:09:03:E7:34

Since not all operating systems and browsers include the SHA2 Root CA in their trust stores, the second certificate in the bundle provides a cross-signed intermediate CA certificate having subject CN=USERTrust RSA Certificate Authority but issued by CN=AddTrust External CA Root, the SHA1 CA Root.

cat www.obfuscate.xyz-cacerts.pem | gawk 'BEGIN {RS="-----END CERTIFICATE-----\n";ORS=RS} NR==2 {print}' | openssl x509 -noout -subject -issuer -fingerprint
output of previous command
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
SHA1 Fingerprint=EA:B0:40:68:9A:0D:80:5B:5D:6F:D6:54:FC:16:8C:FF:00:B7:8B:E3

In the image below, note that the same private key is used as the basis for both the SHA2 CA Root Certificate and the Intermdiate CA Certificate #2, allowing two certificate chains to co-exist:

  • chain #1:
    • End Entity Certificate (in www.obfuscate.xyz.pem)
    • Intermediate CA Certificate #1 (in www.obfuscate.xyz-cacerts.pem)
    • SHA2 Root CA Certificate (in trust store)
  • chain #2:
    • End Entity Certificate (in www.obfuscate.xyz.pem)
    • Intermediate CA Certificate #1 (in www.obfuscate.xyz-cacerts.pem)
    • Intermediate CA Certificate #2 (in www.obfuscate.xyz-cacerts.pem)
    • SHA1 Root CA Certificate (in trust store)

Using one the following commands, verify the end-entity certificate's trust chain.

For Debian and Debian-based distributions (e.g.: Ubuntu):

openssl verify -CApath /etc/ssl/certs -untrusted www.obfuscate.xyz-cacerts.pem www.obfuscate.xyz.pem
expected output of previous command
www.obfuscate.xyz.pem: OK

For RedHat and Redhat-based distributions (e.g.: CentOS):

openssl verify -CAfile /etc/ssl/certs/ca-bundle.trust.crt -untrusted www.obfuscate.xyz-cacerts.pem www.obfuscate.xyz.pem
expected output of previous command
www.obfuscate.xyz.pem: OK

If your trust store contains both the SHA1 and the SHA2 Root CA Certificates, then the shortest chain is validated.

If your trust store contains neither the SHA1 nor the SHA2 Root CA Certificates, then your trust store is not up to date. Please ask the system administrator to update the CA certificates in the trust store via the system's package management system.

Although not recommended since your operating system should provide one or both of these in the root store, you may obtain the root cerificates using the following commands.

For the SHA1 CA Root, download the root certificate with the following command.

wget -q -O - http://crt.comodoca.com/AddTrustExternalCARoot.crt | openssl x509 -inform DER -outform PEM > AddTrustExternalCARoot.pem

For the SHA2 CA Root:

wget -q -O - http://crt.usertrust.com/USERTrustRSACertificationAuthority.crt | openssl x509 -inform DER -outform PEM > USERTrustRSACertificateAuthority.pem

Use the following commands to verify the end-entity certificate's trust chain directly against these root certificates.

For the SHA1 CA Root:

openssl verify -CAfile AddTrustExternalCARoot.pem -untrusted www.obfuscate.xyz-cacerts.pem www.obfuscate.xyz.pem 
expected output of previous command
www.obfuscate.xyz.pem: OK

For the SHA2 CA Root:

openssl verify -CAfile USERTrustRSACertificateAuthority.pem -untrusted www.obfuscate.xyz-cacerts.pem www.obfuscate.xyz.pem
expected output of previous command
www.obfuscate.xyz.pem: OK

step 3: verify the certificate's deployment with OpenSSL

Using the following command, verify the deployment of the private key, end-point certificate and intermediate CA certificates.

For Debian and Debian-based distributions (e.g.: Ubuntu):

echo "GET /" | openssl s_client -CApath /etc/ssl/certs -connect www.obfuscate.xyz:443 -servername www.obfuscate.xyz
expected output of previous command (truncated)
    ...
    Verify return code: 0 (ok)
---
DONE

 

For RedHat and RedHat-based distributions (e.g.: CentOS):

echo "GET /" | openssl s_client -CAfile /etc/ssl/certs/ca-bundle.trust.crt -connect www.obfuscate.xyz:443 -servername www.obfuscate.xyz
expected output of previous command (truncated)
    ...
    Verify return code: 0 (ok)
---
DONE

step 4: verify the certificate's deployment with Qualys SSL Labs

Use Qualys SSL Labs to obtain a comprehensive analysis of the server's configuration in addition to verifying the certificate's deployment.

For example, as of , the overall rating, certificate details and certification paths for https://www.obfuscate.xyz are:

Overall Rating for www.obfuscate.xyz

Certificate Details for www.obfuscate.xyz

Certification Paths for www.obfuscate.xyz

resources

regarding X.509 certificates

regarding OpenSSL

for Microsoft IIS administrators

for Apache Tomcat administrators

version 6

version 7

version 8

 

4 Comments

  1. Grigoryan, Armenak

    Thanks, Luca. Much needed. This instruction is the example how documentation should be done!

  2. Filipozzi, Luca

    For DNS-based domain control validation (updated per John's comment on ), use the following steps.

    Step 1: Generate the "MD5 hash":
    openssl req -in www.obfuscate.xzy.csr -outform der | openssl dgst -md5
    Step 2: Generate the "split SHA256 hash" (64-character string split into two 32-character string separated by a dot):
    openssl req -in www.obfuscate.xzy.csr -outform der | openssl dgst -sha256  -r | awk '{printf "%s.%s\n",substr($1,1,32),substr($1,33,32)}'
    Step 3: Create CNAME record:
    _«MD5 hash».www.obfuscate.xyz. IN CNAME «split SHA256 hash».comodoca.com.

    (warning) Note the underscore in front of the the «MD5 hash».

    1. Bratlien, John

      Comodo has updated the DNS-based DCV scheme to use SHA-256 and a slightly different format:

      _<MD5 hash>.www.obfuscate.xyz. CNAME <SHA-256 hash>.comodoca.com

      Note that a "hex (base-16) encoded SHA-256 hash will not fit in a single DNS label because it is too long. The SHA-256 hash should therefore be split into two labels, each 32 characters long."

      For more detail see 'DNS CNAME-based'
      https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/791/0/

      1. Filipozzi, Luca

        Thanks. I've updated the instructions.