Generate Certificate Signing Request on Linux

You create a CSR and have it signed by a CA before you can use a certificate. This tutorial is a continuation from my tutorial on creating a CA. However, you do not need to create a CA to generate a CSR.

Install Prerequisites

I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.

su -c 'yum install openssl'

Create Directory Structure

mkdir /home/cg/mycert

cd /home/cg/mycert/

mkdir private conf csr

We will run all commands by default in the /home/cg/mycert directory, unless stated otherwise.

Config File

vim /home/cg/mycert/conf/serverconfig.cnf

This file would serve as the config file if you wish to use it. An example file is below.

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/mycert/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha1
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
#challengePassword = A challenege password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03

[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Generate CSR

You can use the config file (serverconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in serverconfig.cnf.

openssl req -new -config conf/serverconfig.cnf -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes

If you want to provide your own custom values you may run the following command instead.

openssl req -new -newkey rsa:4096 -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes

You will be asked relevant questions. Following is an example output of the process.

Generating a 4096 bit RSA private key
..............................................................................++
.................++
writing new private key to 'private/key.csr.server1.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (city, district) [New York]:
Organization Name (company) [Code Ghar]:
Organizational Unit Name (department, division) [IT]:
Common Name (hostname, FQDN, IP, or your name) [CGIT]:
Email Address [codeghar@example.com]:server1@example.com

Two files, key.csr.server1.pem and csr.server1.pem, will be created in $dir/private and $dir/csr directories respectively. Keep these files in a safe location and back them up.

You will submit csr.server1.pem to the CA who will sign it. The CA will sign the file and return the resulting file to you. That will be the certificate you will finally use.

Create Private Certificate Authority on Linux

This tutorial will show you how to create your own private CA or Certificate Authority. This will give you the opportunity to sign your own certificates without having to pay someone else. However, since your private CA will not be trusted by others it may prompt warnings when others use it. You will need to add your root certificate to the machines you want to trust your CA.

I had written a similar article in 2008 (Create a Certificate Authority and Certificates with OpenSSL) but this tutorial supersedes the instructions for creating CA in the older one.

Install Prerequisites

I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.

su -c 'yum install openssl'

Create Directory Structure

mkdir /home/cg/myca

cd /home/cg/myca/

mkdir private certs newcerts conf export csr

echo '01' > serial

touch index.txt

We will run all commands by default in the /home/cg/myca directory, unless stated otherwise.

Config File

vim /home/cg/myca/conf/caconfig.cnf

This file would serve as the default config file for the CA. It should look something like the following:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha1
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
#challengePassword = A challenege password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03

[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

Thanks to http://wwwneu.secit.at/web/documentation/openssl/openssl_cnf.html for helping with this file.

Generate Root Certificate

You can use the config file (caconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in caconfig.cnf.

openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

Although we specified the default number of days in caconfig.cnf file, we still have to specify the days flag when using the x509 flag. If we don’t the certificate is created with a default value of 30 days. Thanks to Re: default_days problem and OpenSSL req(1).

If you want to provide your own custom values you may run the following command instead.

openssl req -new -x509 -days 3650 -newkey rsa:4096 -extensions v3_ca -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

You will be asked for a passphrase. Make sure you use a secure passphrase and don’t forget it. You will also be asked other relevant questions. Following is an example output of the process.

Generating a 4096 bit RSA private key
..............................................................................++
...........................................................................................................................................................................................................................................++
writing new private key to 'private/key.ca.cg.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (city, district) [New York]:
Organization Name (company) [Code Ghar]:
Organizational Unit Name (department, division) [IT]:
Common Name (hostname, FQDN, IP, or your name) [CGIT]:
Email Address [codeghar@example.com]:

Two files, key.ca.cg.pem and crt.ca.cg.pem, will be created in $dir/private and $dir/certs directories respectively. Make sure you keep these files in a secure place and make their backups.

crt.ca.cg.pem is your root certificate and will be used to sign all the other certificates.

Verify Root Certificate

You should verify that the certificate was created properly with accurate information.

openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text

Export Root Certificate

Since this newly created CA and its root certificate are not recognized and trusted by any computer, you need to import the root certificate on all other computers. By default an OS will have a list of trusted CAs and you need to import your CA to that list. The process varies for different OSes.

Windows

The root certificate we created is in PEM encoded format. For Windows we need it to be in DER encoded format. A great resource on the differences between the two is DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them.

openssl x509 -in certs/crt.ca.cg.pem -outform der -out export/ca.cg.crt

Verify the certificate was created successfully.

openssl x509 -in export/ca.cg.crt -inform der -noout -text

Once you have the exported file, copy it to your Windows machine. You can follow the instructions provided by How To Import a Trusted Root Certification Authority In Windows to import the certificate to the Trusted Root Certification Authorities store on Local Computer.

You can also export the certificate to PKCS12 format. Thanks to Importing a User Certificate to the Windows Certificate Store for this information.

openssl pkcs12 -export -out export/ca.cg.p12 -in certs/crt.ca.cg.pem -inkey private/key.ca.cg.pem

You will be asked to provide the passphrase you used to create the root certificate. You will also be asked for a new “Export Password”.

Copy the .p12 file to Windows and double-click it. A wizard will open and guide you to install it.

Conclusion

The process to create a CA is very simple. Next I will write about signing a certificate request.

Further Reading

Linux Ecosystem is Less About Technology More About Ideas

I was watching The Real Story Behind Wayland and X, a talk by Daniel Stone. The way he described the X server, we had been using a terrible piece of technology for years (still are). Linux had an inferior product doing critical things for the user. There were developers trying to fix its issues but were hindered by many other issues. A fresh start was needed and Wayland it was. It could even have been Mir.

My epiphany was that it’s not about a particular piece of technology. Its design or implementation could be highly undesirable but it keeps doing something useful-ish. The Linux ecosystem encourages you to fix the issues in existing technology or start from scratch. In the long run the Linux ecosystem is all about getting to a perfect OS from a technological standpoint. The users and developers should be prepared to throw everything out. That’s what innovation is all about. Of course, you’ll lose a few features here and there but that might not always be a bad thing. There’s more work to do when building something new and it takes longer to complete it. But at the end of the day, after all the pain and suffering, something beautiful and useful does emerge.

Letting go of X was a simple decision. These decisions may not always be as simple in other situations. But we should support those who want to improve things for everyone.

Politics and Pragmatism in Using Linux Distributions

Recently I’ve been making decisions on which Linux distribution deserves my support when I write how-to or similar articles. I started my journey with Ubuntu. Out of all, this is the distribution closest to my heart and may be it always will be. I ventured into CentOS for work-related reasons and found it to be a workhorse. I forayed into Fedora on a netbook with some success. I have had to use a bit of SLES for more work-related stuff. And I have been attracted to, used, and migrated businesses to Debian. Both politics and pragmatism have played a part each time I used a distribution. And thus this post.

You can see from my recent posts that I have made a decision to go with Fedora. It was mostly for political (philosophical) reasons but also for pragmatism (cutting-edge technology, etc.). When the time came for me to choose something other than Debian or Ubuntu, I chose Fedora over openSUSE mainly for philosophical reasons. And I’ve been re-evaluating my decision ever since.

I am very happy I picked Fedora. It’s making bold decisions in the future direction of a Linux distribution, especially with the two most controversial and highly-debated steps: /usr unification and systemd. I have started using Fedora 17 alpha and find systemd a joy to use. I only care about systemctl enable/disable or systemctl start/stop as a user (or sysadmin) and it does exactly what I want it to. Much better than chkconfig, service or invoke-rc.d. The /usr unification hasn’t affected me so much so far. Package availability has also been excellent for the server use cases to which I have put Fedora 17.

Fedora seems like a good fit for me for now. But a second question still remains: which distribution should I recommend to others for home/workstation use when asked? My gut feeling is Ubuntu because they do a lot of good work for this sort of user. I’m also well-versed in it so I can provide ample support if required. But I also want to provide a different answer for users who don’t want to use Ubuntu. A very valid answer for this would be Linux Mint but it’s so similar to Ubuntu that it might not be an option in some cases. This leaves a few distributions that I would really like others to use (if only because they’ll come to me for answers most of the time).

The first distribution is openSUSE. Yes, I have some misgivings about the whole openSUSE, SUSE, and Microsoft triangle. But purely on technical merits is openSUSE good enough to replace Ubuntu as my default recommendation for others? This is a question I have asked myself and the one I’ll try to answer over the next few months. I’ve decided to be pragmatic about this particular case rather than political. I’m willing to be pragmatic if openSUSE can bring in new users to Linux like Ubuntu has done for a while. It’s a tall order but openSUSE looks like a good candidate from where I stand.

The other distribution I may recommend is Mageia. It’s on its way to the second release. These people have a very pragmatic, user-centric approach to their distribution and them being a community allays many misgivings I have about openSUSE. Technically they also appear to be sure-footed and thus deserve the support of people like me. Maybe Mageia can serve Ubuntu’s role of bring new users to Linux.

I wouldn’t recommend Fedora because of two things: (a) hardware support can mean using other repositories (such as RPMfusion); and (b) it’s too bleeding-edge to keep users on it for a while without too many issues.

Now that I have to give up my moral high ground, how does it feel? Very liberating, actually. When I use FreeBSD license instead of GPL, I consider the freedom of people over freedom of code. So why should I take such hard stances when it comes to Linux? People should matter more than code or a distribution. If Ubuntu or openSUSE are not ideal Linux ecosystem participants, they are productive and willing participants nonetheless. It may be about time I gave up on idealism and focus more on doing good for more people.

Making a case for excluding users from open source

Open source or free software is meant to remove the shackles of proprietary software binding users all over the world. This in itself is a very noble idea and goal. However, it’s also a very tough goal. Not because people are happy with their shackles but because most people don’t care about them. I see around myself people who want to do stuff and it doesn’t matter how they do it. Want to watch some TV show online? Pay Netflix, Hulu, whatever, to watch it. Even with all the hoopla about content piracy, people are signing up in droves for these services.

Computers are complex machines. Not everyone can or is willing to understand how they function. All many people want is to be able to fire up a browser and connect with friends/family using Facebook or to sign in to Hotmail every once in a while. They also want to be able to carry a phone that can play music, games, YouTube, etc.

The computer industry, in my very limited knowledge, is very cyclical. But with each cycle more and more people have become users of technology. But if we look at this technology adoption, it has been forced down the throats of people. TV was a simple device but now it’s a beast; there are so many TVs to choose from, let alone the myriad devices surrounding it. 10 years ago no consumer wanted this but the companies researching and producing these products have forced them onto all consumers. It’s very rare that you find a good old-fashioned TV anymore. Thus, newer technology is quickly replacing older one even if the consumers are satisfied with their perfectly-fine/working technology.

The proponents of open source and free software need to classify users all over the world first. We all need to know who is already using technology and what they are using it for. We also need to know who isn’t using technology and how they will use it if they can. I will take the liberty to classify users myself, with a purely subjective and non-scientific point of view.

There are two digital worlds: the haves and the have-nots. For the have-nots, open source and free software is a godsend. They are able to not only use technology but possibly learn how it functions. I believe they are prime candidates to be targeted for open source. On the other hand, the haves already have access to a plethora of technology and a lot of them have no inclination to ever learn more about it.

If you ever want to lose faith in technology-using humanity, head over to Tales from Tech Support or Not Always Right. No matter how hard we try, such users will never be able to appreciate the hard work and love put into open source. So isn’t it better for our sanity to let them be? Just like I have no idea how my car functions or plumbing works or electricity has been implemented in my home, they have no idea how computers function. But there’s a big difference between computers and cars/plumbing/electricity: their interface is simple enough to learn and repeat over different devices. Computers, on the other hand, have so many interfaces that we can’t expect everyone to learn them easily. Those willing to put an effort into learning them should be supported and welcomed; others left on their own.

Open source should not aim to take over the world. Open source should aim to make products that proponents of open source want to use. If regular users find benefit in these products, chalk that up as a win. But if the same regular users are not served by open source products, do not chalk it up as a loss. If commercial interests merge with open source interests, more users benefit, but even if they diverge the world doesn’t necessarily have to end. They keep doing their thing and we keep doing ours. We can continue to scratch our itch and let users decide whether they have the same itch to scratch. We won’t have many successful commercial ventures this way but at least we will not lose our passion for open source. The same passion we lose when our hard work is questioned for not being as good as shackling proprietary stuff. Open source was and must remain an alternative; if it dominates, well and good, if not, I really don’t see it as a bad thing.

Brush up on Linux

A friend recently asked me if I could point her to the right resources so she could brush up on her Linux skills before an interview. She had used Linux many years ago, and that too in a very limited way. She fuzzily recalled navigating the file system, using vi, starting some service, and not much more. Obviously, Linux is such a vast subject that you cannot just cram your way to a successful interview. However, it certainly is possible to prepare for some basic questions asked during an interview.

Since her situation was such that the interviewing team used Red Hat Enterprise Linux, I suggested she head over to the CentOS public mirror list and download CentOS 6 LiveDVD. It would allow her to play around before installing.

She downloaded VirtualBox and installed it. She created a VM and used the downloaded LiveDVD to first play and then install CentOS.

Finally, I recommended some online resources and tutorials to help her get familiar with Linux.

Commands cheat sheet: http://www.pixelbeat.org/cmdline.html
To manage software (packages) in RHEL, CentOS, and Fedora, use yum: http://yum.baseurl.org/wiki/YumCommands
vi cheat sheet: http://www.gentoo.org/doc/en/vi-guide.xml
bash beginner’s tutorial; although its title says BeOS, it seems to be relevant to bash in general: http://www.beforever.com/bashtut.htm
Filesystem Hierarchy Standard (FHS); good to know the standard for which files go where: http://www.pathname.com/fhs/2.2/

Delete Large List of Files

It all started when I was reading More Elegant Way To Delete Large List of Files? on reddit. Reading comments on the page led me to Perl to the rescue: case study of deleting a large directory. But me being a Python fan, I wasn’t satisfied with a Perl solution. My search led me to meeb’s comment on Quickest way to delete large amounts of files.

To summarize my quest for knowledge.

Using Perl: perl -e 'chdir "BADnew" or die; opendir D, "."; while ($n = readdir D) { unlink $n }'

Using Python:


#!/usr/bin/env python
import shutil
shutil.rmtree('/stuff/i/want/to/delete')

Using Bash:
Step 0: (optional) Create a list of files to delete (source: valadil’s comment and ensuing discussion). This step will help you figure out exactly what will be deleted.

find . -name "log*.xml" -exec echo rm -f {} \; > test_file;

Step 1: find . -type f -name "log*.xml" -print0 | xargs --null -n 100 rm

If it were up to me, I would use the Bash method as it’s easier for me to understand.