Sunday, September 26, 2010

Creating and installing SSL certificates with OpenSSL

This message describes the steps I used to create and install SSL certificates for use on a 4D Server. It's rather lengthy but I had a tough time finding comprehensive information about the process and I hope this will help someone. Please excuse/correct any inaccuracies in the message.

I recently renewed an SSL certificate at GoDaddy for use with a 4D 2004/Active4D db. The db app is rock solid and has run for years and I do not want to move to another server. I discovered that GoDaddy - and I believe all other certificate authorities - are switching to 2048-bit certificates.

4D 2004 can use 2048-bit SSL certificates but cannot generate them. I believe all versions of 4D after 2004 can also use 2048-bit certificates. 4D v11 SQL Release 6 can now also generate them:

2048 Bit SSL CSR and Keypairs Can Now Be Generated From Within 4D

Also see the 4D doc on SSL:

4D Doc Center: Using SSL Protocol

You cannot use the following commands in 4D 2004 to generate 2048-bit certificates:

GENERATE ENCRYPTION KEYPAIR - Can only generate 1024-bit
GENERATE CERTIFICATE REQUEST - Relies on the above

I'd always used a 4D routine to generate the key pair and was stumped. Fortunately, a message from Jeffrey Kain stated that 2048-bit certificates can be used with 4D 2004 and I plowed ahead. I believe the following works because 4D uses OpenSSL.
Wikipedia - OpenSSL

Some terminology:

Key Pair - The public and private key files used to encrypt and decrypt the data. These files are installed on the server. It is these two files that need to be generated for SSL to work.

Wikipedia - Public-key cryptography

Certificate - A digital document used to identify a site. The certificate contains a public key.

Wikipedia - Public-key certificate

Certificate Authority (CA) - Entity that issues certificates (like GoDaddy or VeriSign).
Wikipedia - Certificate Authority

Certificate Signing Request (CSR) - Document containing at least the web site name that is submitted to a CA in order to generate a public certificate.
Wikipedia - Certificate Signing Request

Intermediate Certificate - A certificate needed for some CAs like GoDaddy because they are not root authorities.
Wikipedia - Intermediate Certificate Authorities

The certificate that the following generates serves two roles: certifying the identity of the site and providing the keys for SSL encryption. SSL encryption is probably the primary goal for most sites, but without the certification browsers will generally present the user with a warning.

If you'd like to see what happens when you go to a site without certification (i.e. one that uses a self-signed certificate), go to the site for this mailing list:

4D Mailing Lists Info

Basic steps to create the key files:

1. Use OpenSSL to generate the private key and the CSR.

2. Submit the CSR to a CA (like VeriSign or GoDaddy) to generate the public key.

3. Install the private key and the public key on the server.

Detailed steps (on Mac):

1. Open Terminal.

2. Navigate to a directory in which you will store the documents. For example, you might create a folder on your Desktop named SiteSSL and navigate there:

 cd ~/Desktop/SiteSSL

3. Use OpenSSL to create the private key and the CSR:

 openssl req -new -newkey rsa:2048 -nodes -out request.csr -keyout key.pem

The above will ask for information that will be included in the CSR. I believe that only the Common Name (CN) is required for most certificates, particularly those that will be used with an intermediate certificate. The CN should be the full domain that will use the certificate, for example, www.domain.com. Be sure you enter it correctly.

Here's an example session:

$ openssl req -new -newkey rsa:2048 -nodes -out request.csr -keyout key.pem
Generating a 2048 bit RSA private key
................+++
..............................................+++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Santa Cruz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$

Two files are created:

request.csr - The CSR which will be submitted to the CA in order to generate a certificate.

key.pem - The private key. This is named properly for use by 4D Server.

4. Use your browser to go to the site of the CA that will provide the certificate. In my case, GoDaddy.com.

5. Submit your CSR. In the above example, this is the contents of the file named request.csr. You will usually need to open the file, copy the contents, and paste the contents into a web form.

GoDaddy Community - Requesting Your SSL Certificate

(I won't attempt to describe the poorly-documented, error-filled, ugly process that GoDaddy uses to generate a certificate. For people who use it all the time, perhaps it works well. I've used other sites in the past and they were no better. VeriSign was worse.)

6. Download the certificate from the CA. Depending on the CA, the certificate might not be immediately available and/or might be emailed to you.

7. Rename the downloaded certificate to the filename used by 4D: cert.pem

The cert.pem file in conjunction with the key.pem file are the files you need.

If your CA is not a root authority (like GoDaddy), you have a bit more to do. If your CA is a root authority (like VeriSign), skip to step 11.

8. Download your CA's intermediate certificate. (For GoDaddy, the file is named "gd_intermediate.crt".)
GoDaddy Certificates Repository

9. Open both cert.pem and the intermediate certificate file in a text editor.

10. Copy and paste the contents of the intermediate certificate file to the end of the cert.pem file. You may need to add a LF at the end of the cert.pem file before the paste. You should end up with two lines in the middle that look like this:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

The cert.pem file I created does not end in a LF (i.e. a blank line). I'm not sure if this is a requirement. It is a requirement that both files use only LF for the end-of-line character.
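As an added example (not part of the original message), the following POSIX shell script reproduces step 3 without interactive prompts, runs the checks worth doing on request.csr before it is submitted, and performs step 10's concatenation while enforcing the LF rule. It assumes the openssl command-line tool is installed; the CA-issued certificate and the intermediate certificate are local self-signed stand-ins, since the real ones come from the CA, and the file names follow the post.

```shell
#!/bin/sh
# Added example, not from the original message: step 3 without prompts, checks
# on request.csr before it goes to the CA, and step 10's bundle assembly.
set -eu
CN="www.domain.com"   # the Common Name from the post's example session

# Step 3: private key + CSR; -subj supplies the DN so nothing is prompted.
make_key_and_csr() {   # $1 = working directory
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=California/L=Santa Cruz/O=MyCompany, Inc./CN=$CN" \
    -out "$1/request.csr" -keyout "$1/key.pem" 2>/dev/null
}
# Pre-submission checks: CSR signature verifies, CN is the intended host, and
# the CSR's public key is the one in key.pem (catches mixed-up files).
check_csr() {          # $1 = working directory
  openssl req -in "$1/request.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$1/request.csr" -noout -subject | grep -q "CN *= *$CN"
  csr_pub=$(openssl req -in "$1/request.csr" -noout -pubkey | openssl md5)
  key_pub=$(openssl rsa -in "$1/key.pem" -pubout 2>/dev/null | openssl md5)
  [ "$csr_pub" = "$key_pub" ]
}
# Step 10: append the intermediate, first adding the LF the post mentions if
# cert.pem lacks one (otherwise END and BEGIN land on the same line).
append_intermediate() {   # $1 = cert.pem, $2 = intermediate certificate
  [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"
  cat "$2" >> "$1"
}
# Succeeds when the file has no CR bytes (4D requires LF-only line endings).
lf_only() { [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -eq 0 ]; }
# Number of parseable certificates in a PEM bundle (2 after step 10).
cert_count() {
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -noout | grep -c '^subject='
}
# End-to-end run in a scratch directory. The CA-issued certificate and the
# intermediate are local self-signed stand-ins (the real ones come from the
# CA). Prints the certificate count of the finished cert.pem.
run_demo() {
  d=$(mktemp -d)
  make_key_and_csr "$d" && check_csr "$d"
  openssl x509 -req -in "$d/request.csr" -signkey "$d/key.pem" -days 30 \
    -out "$d/cert.pem" 2>/dev/null
  printf '%s' "$(cat "$d/cert.pem")" > "$d/c.tmp" && mv "$d/c.tmp" "$d/cert.pem"  # strip trailing LF, as in the post
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Stand-in Intermediate" \
    -keyout "$d/int.key" -out "$d/intermediate.crt" 2>/dev/null
  append_intermediate "$d/cert.pem" "$d/intermediate.crt"
  lf_only "$d/cert.pem" && cert_count "$d/cert.pem"
}
run_demo
```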

11. Copy the files cert.pem and key.pem to the folder containing your 4D structure.

12. Restart the 4D Server.

13. Go to an SSL page on your site (the URL begins with https) to confirm SSL is working.

14. Click your browser's SSL icon (usually a lock) and confirm that the new certificate is being used. The expiration date is probably the easiest way to tell.

I hope the above is useful.

Will Mayall

P.S. Is the cost and hassle of SSL worth it? Perhaps. If you transmit financial data or if users log into your site, you have little choice - you really should encrypt the data. But for other data, it's not so clear. I suspect the biggest risk for most data is theft by an insider. Hacking into a useful unencrypted data stream seems hit-and-miss, although it is obviously possible.

Regarding the certificate authority aspect, there seems to be less value there. This seems to be primarily a way for businesses to make money selling certificates. And the move to 2048-bit SSL seems like pure marketing or perhaps paranoia.
