20032009 Ericsson AB. All Rights Reserved. The contents of this file are subject to the Erlang Public License, Version 1.1, (the "License"); you may not use this file except in compliance with the License. You should have received a copy of the Erlang Public License along with this software. If not, it can be retrieved online at http://www.erlang.org/. Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License. Creating Certificates UAB/F/P Peter Högfeldt 2003-06-16 A create_certs.xml

Here we consider the creation of example certificates.

The openssl Command

The openssl command is a utility that comes with the OpenSSL distribution. It provides a variety of subcommands. Each subcommand is invoked as

]]>

where subcmd denotes the subcommand in question.

We shall use the following subcommands to create certificates for the purpose of testing Erlang/OTP SSL:

req to create certificate requests and a self-signed certificates, ca to create certificates from certificate requests.

We create the following certificates:

the erlangCA root certificate (a self-signed certificate), the otpCA certificate signed by the erlangCA, a client certificate signed by the otpCA, and a server certificate signed by the otpCA.
The openssl configuration file

An openssl configuration file consist of a number of sections, where each section starts with one line containing [ section_name ], where section_name is the name of the section. The first section of the file is either unnamed, or is named [ default ]. For further details see the OpenSSL config(5) manual page.

The required sections for the subcommands we are going to use are as follows:

subcommand required/default section override command line option configuration file option req [req] - -config FILE ca [ca] -name section -config FILE openssl subcommands to use
Creating the Erlang root CA

The Erlang root CA is created with the command

\011openssl req -new -x509 -config /some/path/req.cnf \\ \011 -keyout /some/path/key.pem -out /some/path/cert.pem

where the option -new indicates that we want to create a new certificate request and the option -x509 implies that a self-signed certificate is created.

Creating the OTP CA

The OTP CA is created by first creating a certificate request with the command

\011openssl req -new -config /some/path/req.cnf \\ \011 -keyout /some/path/key.pem -out /some/path/req.pem

and the ask the Erlang CA to sign it:

\011openssl ca -batch -notext -config /some/path/req.cnf \\ \011 -extensions ca_cert -in /some/path/req.pem -out /some/path/cert.pem

where the option -extensions refers to a section in the configuration file saying that it should create a CA certificate, and not a plain user certificate.

The client and server certificates are created similarly, except that the option -extensions then has the value user_cert.

An Example

The following module create_certs is used by the Erlang/OTP SSL application for generating certificates to be used in tests. The source code is also found in ssl-X.Y.Z/examples/certs/src.

The purpose of the create_certs:all/1 function is to make it possible to provide from the erl command line, the full path name of the openssl command.

Note that the module creates temporary OpenSSL configuration files for the req and ca subcommands.