The OpenSSL Project has developed an open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.
The OpenSSL toolkit can be used to generate the keys that a web server (e.g. Apache) needs to encrypt the data sent between the client (browser) and the web server.
More information about the OpenSSL Project can be found at:
A simple overview of this process can be found below:
- A client browser connects to the Apache HTTP server via a Web request.
- The browser asks to start a secure session with the server.
- The server returns the site's certificate (= mobilefish.com_cert.pem) which also includes the server public key.
- The browser analyzes the certificate and informs the user about its validity (e.g., was it issued by a recognized, trusted certificate authority?).
- The browser creates a session key, encrypts it with the server's public key and sends it to the server. This public (asymmetric) key is generally 1024 bits. Much stronger public keys of 2048 bits could be provided but, perhaps for performance reasons, these are not in general use.
- The server then decrypts this information using its private key (mobilefish.com_key.pem).
- Both the browser and the server are now using the same session key. This is a symmetric key used to encrypt and decrypt the data exchanged by the browser and server. Browsers and servers usually negotiate the strongest mutually supported session. This means that if the user's browser and your Web server both support 128-bit SSL sessions, a 128-bit session is established. If the user's browser only supports 40-bit SSL sessions, then a 40-bit session is established even if your Web server supports 128-bit sessions.
The latest OpenSSL version (no binary distributions) can be downloaded from:
Links to OpenSSL binary distributions can be found at:
Create a certificate signed by your own CA and private key.
In this guide the certificate is signed by your own CA.
You must complete the previous guide "Create a Root Certification Authority (CA) certificate" before you start with this one.
Operating system used
Windows XP Home Edition Version 5.1 SP 2
OpenSSL v0.9.7d or higher
- Open a DOS window and go to the OpenSSL bin directory:
e.g.: cd C:\Tools\openssl\bin
- Create a certificate request (and private key):
C:\Tools\OpenSSL\bin>perl ca.pl -newreq
You should see and do the following:
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'newreq.pem'
Enter PEM pass phrase:mybigsecret
Verifying - Enter PEM pass phrase:mybigsecret
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord-Holland
Locality Name (eg, city) :Zaandam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mobilefish.com
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) : www.mobilefish.com
Email Address :
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Request (and private key) is in newreq.pem
- Country Name: The two-letter ISO 3166 abbreviation for your country.
- State or Province Name: The state or province where your organization is legally located. Do not abbreviate. In this example: Noord-Holland
- Locality Name: The city where your organization is legally located. Do not abbreviate. In this example: Zaandam
- Organization Name: The exact legal name of your organization. Do not abbreviate your organization name. In this example: Mobilefish.com
- Organization Unit Name: Section of the organization. Mobilefish.com does not have any organizational units, but in yours it may be Marketing, Research and Development, Human Resources or Sales.
- Common Name: The fully qualified domain name of your web server. This must be an exact match. In this example the URL https://www.mobilefish.com will be used, so the common name must be: www.mobilefish.com
- Email Address: Enter your organization's general email address. In this example
- Challenge password and optional company name: Leave both fields empty.
- The file C:\Tools\OpenSSL\bin\newreq.pem is created, containing the certificate request and the (pass phrase protected) private key.
- To check the signature and information provided in the certificate request, type:
C:\Tools\OpenSSL\bin>openssl req -in newreq.pem -noout -text
Version: 0 (0x0)
Subject: C=NL, ST=Noord-Holland, L=Zaandam, O=Mobilefish.com,
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
- The certificate request can now be signed by your own CA.
C:\Tools\OpenSSL\bin>perl ca.pl -sign
You should see the following:
Using configuration from C:\Tools\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:mycasecret
Check that the request matches the signature
Serial Number: 1 (0x1)
Not Before: Dec 4 17:58:57 2004 GMT
Not After : Dec 4 17:58:57 2005 GMT
countryName = NL
stateOrProvinceName = Noord-Holland
localityName = Zaandam
organizationName = Mobilefish.com
commonName = www.mobilefish.com
X509v3 Basic Constraints:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
OU=Certification Services/CN=Mobilefish.com CA/
Certificate is to be certified until Dec 4 17:58:57 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
- The file C:\Tools\OpenSSL\bin\newcert.pem is created, containing the certificate signed with your own CA's private key.
- To extract the private key from newreq.pem, do the following.
C:\Tools\OpenSSL\bin>openssl rsa < newreq.pem > newkey.pem
Enter pass phrase:mybigsecret
writing RSA key
The file C:\Tools\OpenSSL\bin\newkey.pem is created.
- To make maintenance easier rename the following files:
newcert.pem into mobilefish.com_cert.pem
newkey.pem into mobilefish.com_key.pem
- The signed certificate (mobilefish.com_cert.pem) and private key (mobilefish.com_key.pem) are now both created and can be used to set up SSL for the web server. You also need the CA certificate (cacert.pem), which contains the CA's public key. It is used to verify the certificates signed with the private CA key.
This file can be found at: ..\OpenSSL\bin\demoCA\cacert.pem
More information on how to set up SSL for Apache 2 on Windows XP.
To give you a preview of what the CA-signed certificate looks like:
Unfortunately all text is in Dutch.