Here we consider the creation of example certificates.
The openssl Command
The openssl command is a utility that comes with the
OpenSSL distribution. It provides a variety of subcommands. Each
subcommand is invoked as
]]>
where subcmd denotes the subcommand in question.
We shall use the following subcommands to create certificates for
the purpose of testing Erlang/OTP SSL:
- req to create certificate requests and a
self-signed certificates,
- ca to create certificates from certificate requests.
We create the following certificates:
- the erlangCA root certificate (a self-signed
certificate),
- the otpCA certificate signed by the erlangCA,
- a client certificate signed by the otpCA, and
- a server certificate signed by the otpCA.
The openssl configuration file
An openssl configuration file consist of a number of
sections, where each section starts with one line containing
[ section_name ], where section_name is the name
of the section. The first section of the file is either
unnamed, or is named [ default ]. For further details
see the OpenSSL config(5) manual page.
The required sections for the subcommands we are going to
use are as follows:
subcommand |
required/default section |
override command line option |
configuration file option |
req |
[req] |
- |
-config FILE |
ca |
[ca] |
-name section |
-config FILE |
openssl subcommands to use
Creating the Erlang root CA
The Erlang root CA is created with the command
\011openssl req -new -x509 -config /some/path/req.cnf \\
\011 -keyout /some/path/key.pem -out /some/path/cert.pem
where the option -new indicates that we want to create
a new certificate request and the option -x509 implies
that a self-signed certificate is created.
Creating the OTP CA
The OTP CA is created by first creating a certificate request
with the command
\011openssl req -new -config /some/path/req.cnf \\
\011 -keyout /some/path/key.pem -out /some/path/req.pem
and the ask the Erlang CA to sign it:
\011openssl ca -batch -notext -config /some/path/req.cnf \\
\011 -extensions ca_cert -in /some/path/req.pem -out /some/path/cert.pem
where the option -extensions refers to a section in the
configuration file saying that it should create a CA certificate,
and not a plain user certificate.
The client and server certificates are created
similarly, except that the option -extensions then has the
value user_cert.
An Example
The following module create_certs is used by the Erlang/OTP
SSL application for generating certificates to be used in tests. The
source code is also found in ssl-X.Y.Z/examples/certs/src.
The purpose of the create_certs:all/1 function is to make
it possible to provide from the erl command line, the
full path name of the openssl command.
Note that the module creates temporary OpenSSL configuration files
for the req and ca subcommands.