Complete Guide to OpenSSL Security Using FreeBSD

OpenSSL is an open source toolkit and cryptographic library that implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. OpenSSL is an independent project maintained by volunteers from all over the world. In short, OpenSSL provides cryptographic tools to secure network connections. A common implementation of SSL is to secure web pages with HTTPS (HyperText Transfer Protocol secured with encryption). OpenSSL encryption over the HTTP protocol consists of the following steps:
  1. HTTP clients (web browsers) send HTTPS requests to web servers.
  2. The server responds by sending an SSL Certificate to the client containing the public key, domain name, and issued SSL certificate authority.
  3. The client sends messages that are encrypted using the server's public SSL key.
  4. The server decrypts this message with its private SSL key.
  5. The server finally sends the decrypted message back to the client.
  6. If the client receives the correct message, both parties can begin exchanging information securely, assuming the issuing certificate authority is trusted by the client.
OpenSSL provides the tools necessary to create certificate signing requests, private server keys, and self-signed certificates. When combined with a recognized certificate authority, a trusted server certificate can be created for use with TCP protocols such as HTTP, SMTP, IMAP, and so on. OpenSSL is based on the SSLeay library originally developed by Eric A. Young and Tim J. Hudson. SSLeay is an open source implementation of Netscape's Secure Socket Layer protocol, which was used in the Netscape Secure Server and Navigator browsers in the mid-1990s.

OpenSSL is very easy to install on FreeBSD, here is how to install OpenSSL on a FreeBSD system.

root@router2:~ # cd /usr/ports/security/openssl
root@router2:/usr/ports/security/openssl #
make DISABLE_VULNERABILITIES=yes install clean
root@router2:/usr/ports/security/openssl #
echo "DEFAULT_VERSIONS+=ssl=openssl" >> /etc/make.conf
Before configuring OpenSSL, backup or copy the openssl.cnf file so that if an error occurs during configuration, the original file is still there.

root@router2:~ # cd /usr/local/openssl
root@router2:/usr/local/openssl #
cp openssl.cnf openssl.cnf.backup
Now we can immediately modify the openssl.cnf file, but before that first check the version of OpenSSL you are using.

root@router2:/usr/local/openssl # openssl version
OpenSSL 1.1.1t-freebsd 7 Feb 2023

1. Create a CA Certificate

In this section, the SSL Certificate will be created using the CA.pl script (Perl script) installed by the OpenSSL port. You can create an official certificate to sign your SSL Certificate by submitting a request. The certificate authority requires a certificate request file to generate a valid SSL Certificate for your server. We will use the CA.pl script included with OpenSSL to make the certificate request. The following script will copy the CA.pl file to the /usr/local/openssl/certs folder.

root@router2:~ # cd /usr/local/openssl
root@router2:/usr/local/openssl #
cp misc/CA.pl certs
Run the script below to make a certificate request.

root@router2:~ # cd /usr/local/openssl/certs
root@router2:/usr/local/openssl/certs #
setenv OPENSSL /usr/local/bin/openssl
root@router2:/usr/local/openssl/certs #
./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 133.
====
/usr/local/bin/openssl req -new -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
..........+++++
...................+++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:id
State or Province Name (full name) [Some-State]:jawa barat
Locality Name (eg, city) []:bekasi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mediatama
Organizational Unit Name (eg, section) []:networking
Common Name (e.g. server FQDN or YOUR name) []:router2.unixexplore.com
Email Address []:datainchi@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem
root@router2:/usr/local/openssl/certs #
When creating the certificate above, what you have to pay attention to is writing "Common Name (e.g. server FQDN or YOUR name)". In this section we must enter the host name and domain of our FreeBSD server, in this article "router2" is the host name and "unixexplore.com" is the domain name.

Running the CA.pl file script above will produce the files "newkey.pem" and "newreq.pem", both files contain an encrypted SSL certificate for the private server or private server. To make identification easier, copy the file to router2.unixexplore.com-encrypted-key.pem using the following command.

root@router2:/usr/local/openssl/certs # cp newkey.pem router2.unixexplore.com-encrypted-key.pem
root@router2:/usr/local/openssl/certs #
cp newreq.pem router2.unixexplore.com-req.pem
The router2.unixexplore.com-encrypted-key.pem file is encrypted with the password you entered earlier. It is important for you to always remember the password. You must enter it when the SSL application uses it. If this file is going to be used on an unattended server, it might be a very good idea to decrypt the file, so that the daemon can read it without user intervention. To remove encryption and create unencrypted files that can only be read by root, use the following script.

root@router2:/usr/local/openssl/certs # openssl rsa -in router2.unixexplore.com-encrypted-key.pem -out router2.unixexplore.com-unencrypted-key.pem
Enter pass phrase for router2.unixexplore.com-encrypted-key.pem:
writing RSA key

root@router2:/usr/local/openssl/certs #
chmod 400 router2.unixexplore.com-unencrypted-key.pem

2. Create a Self-Signed SSL Certificate

One way to create your own certificate is to use the CA.pl file. It is worth highlighting that creating your own certificate will cause the Untrusted Certificate dialog box to appear in the client of the application (web browser, email client, etc.). You can install your server certificate file on the client system to avoid this. Below is a script to create your own SSL certificate with a validity period of 3 years.

root@router2:~ # cd /usr/local/openssl
root@router2:/usr/local/openssl #
cp misc/CA.pl certs
root@router2:/usr/local/openssl #
sed -I .old 's/365/1095/' openssl.cnf
Run the following script to create your own SSL certificate authority.

root@router2:~ # cd /usr/local/openssl/certs
root@router2:/usr/local/openssl/certs #
setenv OPENSSL /usr/local/bin/openssl
root@router2:/usr/local/openssl/certs #
./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
====
/usr/local/bin/openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Generating a RSA private key
.........+++++
...................+++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:id
State or Province Name (full name) [Some-State]:jawa barat
Locality Name (eg, city) []:bekasi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mediatama
Organizational Unit Name (eg, section) []:networking
Common Name (e.g. server FQDN or YOUR name) []:router2.unixexplore.com
Email Address []:datainchi@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
====
/usr/local/bin/openssl ca -create_serial -out ./demoCA/cacert.pem -days 1095 -batch -keyfile ./demoCA/private/cakey.pem -selfsign -extensions v3_ca -infiles ./demoCA/careq.pem
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
4b:b7:ad:37:c3:24:ea:c9:62:0a:1b:d5:be:ec:57:4f:e5:94:33:c8
Validity
Not Before: Jun 30 13:17:27 2023 GMT
Not After : Jun 29 13:17:27 2026 GMT
Subject:
countryName = id
stateOrProvinceName = jawa barat
organizationName = mediatama
organizationalUnitName = networking
commonName = router2.unixexplore.com
emailAddress = datainchi@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:90:FF:39:70:F4:F3:93:E8:CF:29:6E:35:BE:0C:74:EB:38:89:CB
X509v3 Authority Key Identifier:
keyid:DA:90:FF:39:70:F4:F3:93:E8:CF:29:6E:35:BE:0C:74:EB:38:89:CB

X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Jun 29 13:17:27 2026 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem
root@router2:/usr/local/openssl/certs #

To generate the above certificate request, use the following command.

root@router2:/usr/local/openssl/certs #  ./CA.pl -newreq
Use of uninitialized value $1 in concatenation (.) or string at ./CA.pl line 133.
====
/usr/local/bin/openssl req -new -keyout newkey.pem -out newreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
..............................................................................+++++
..................................+++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:id
State or Province Name (full name) [Some-State]:jawa barat
Locality Name (eg, city) []:bekasi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mediatama
Organizational Unit Name (eg, section) []:networking
Common Name (e.g. server FQDN or YOUR name) []:router2.unixexplore.com
Email Address []:datainchi@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
==> 0
====
Request is in newreq.pem, private key is in newkey.pem
root@router2:/usr/local/openssl/certs #

By using the "copy" command, copy all certificates to the /usr/local/openssl/certs directory, use the following script to do this.

root@router2:/usr/local/openssl/certs # cp newreq.pem router2.unixexplore.com-cert.pem
root@router2:/usr/local/openssl/certs #
cp newkey.pem router2.unixexplore.com-encrypted-key.pem
root@router2:/usr/local/openssl/certs #
cp demoCA/cacert.pem ./unixexplore.com-CAcert.pem
root@router2:/usr/local/openssl/certs #
cp demoCA/private/cakey.pem ./unixexplore.com-encrypted-CAkey.pem
To remove encryption and make unencrypted files readable only by root, use the following script.

root@router2:/usr/local/openssl/certs # openssl rsa -in router2.unixexplore.com-encrypted-key.pem -out router2.unixexplore.com-unencrypted-key.pem
Enter pass phrase for router2.unixexplore.com-encrypted-key.pem:
writing RSA key
root@router2:/usr/local/openssl/certs #
chmod 400 router2.unixexplore.com-unencrypted-key.pem
Now we will export the CA certificate or root certificate so that it can be installed on the system that will use your SSL Certificate. This is necessary to eliminate the appearance of the Untrusted Root SSL Certificate Warning message. This message appears to warn end users that there is a potential problem with the SSL Certificate.

It is more difficult to detect actual hijacked SSL sessions if these unnecessary warnings are not removed. Most client systems (Windows and Mac OS X) recognize SSL certificate files encoded in DER (Distinguished Encoding Rules) binary format. To convert a text-based PEM (Privacy Enhanced Mail) certificate to DER format, type the following command.

root@router2:/usr/local/openssl/certs # openssl x509 -in unixexplore.com-CAcert.pem -inform PEM -out unixexplore.com-CAcert.cer -outform DER
You can send a DER encoded certificate via email with this command.

root@router2:/usr/local/openssl/certs # uuencode unixexplore.com-CAcert.cer unixexplore.com-CAcert.cer | mail -s "Subject" datainchi@gmail.com
CAcert is a certificate authority that issues free SSL Certificates. If you are new to SSL Certificates, this site is a great place to learn about the SSL Certificate signing process. You can create a certificate signing request as described in this guide and signed by CAcert. Certificates signed by CAcert have limited support; most web browsers do not include their root certificates in their trusted CA database. However, CAcert root certificates are included in FreeBSD and some Linux distributions.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post