Copyright © 1998-2011 Mark G. Daniel
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the
conditions of the GNU GENERAL PUBLIC LICENSE, version 3, or any later version.
http://www.gnu.org/licenses/gpl.txt
OpenSSL
Copyright © 1998-2011 The OpenSSL Project
Copyright © 1995-1998 Eric Young
See OpenSSL License
This directory contains a number of procedures providing an elementary
certificate management environment for WASD without needing to be too concerned
with the intricacies of OpenSSL. It should be emphasized that this
facility does not pretend to be any more than a casual source of server
certificates and does not exploit anywhere-near the full capabilities of
OpenSSL certificate management. Nor does it claim to be robust or fool-proof
(a casual inspection of the procedures will reveal the phrase "quick and
dirty" used more than once). The contents may be used as-are or
cloned to create a site-specific instance. This document assumes a
site copy is desired.
Local Copy
This directory structure, procedures and default configuration file are designed for simple copying into something site-specific. The site copy does not need to be part of the OpenSSL or WASD trees.
$ CREATE /DIRECTORY device:[directory]
$ COPY HT_ROOT:[OPENSSL-0_9_6E.WASD]*.COM,*.CNF,*.HTML device:[directory]
When first used the procedures will create the following directory structure.
device:[directory]
  [.CERT]
  [.CERT.WORK]

The top-level directory contains the procedures, etc., [.CERT] the generated certificates, and [.CERT.WORK] the certificate database, serial number index and random number seed. [.CERT.WORK] is also used as scratch space while the procedures run.
The configuration file DEFAULT.CNF may be edited so that the default responses (the entries with the _default suffix) are more in line with local requirements. The entries in the following section can generally be changed from the WASD-specific values without further ado; other sections should only be modified with more detailed knowledge of OpenSSL.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SA
localityName = Locality Name (eg, city)
localityName_default = Adelaide
0.organizationName = Organization Name (eg, company)
0.organizationName_default = WASD HTTPd Server Cert
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Testing Only
commonName = Common Name (eg, YOUR name)
commonName_default = WASD VMS Web Services
emailAddress = Email Address
emailAddress_default = Mark.Daniel@dsto.defence.gov.au
To specify a different configuration file name (in the same directory) assign the symbol CONFIGFILENAME before executing any WASD procedures.
$ CONFIGFILENAME = "LOCAL.CNF"
$ @CREATE_CA_CERT.COM
$ @CREATE_SERVER_CERT.COM name
A Certificate Authority (or CA) certificate may then be generated. This forms the "authority" for any server certificates subsequently issued using it. It requires a "PEM pass phrase" (password) to be supplied. The password is case-sensitive. This password must be provided when generating server certificates ... don't forget it!
$ @CREATE_CA_CERT
Server certificates are used for authentication and encryption by the Secure Sockets Layer services a server provides. When creating such a certificate the CA password will be required (and remember, the password is case-sensitive). Details of the server and its organisation also need to be provided.
$ @CREATE_SERVER_CERT name
The RSA private key size specified by these procedures is the recommended 2048 bits. Some older browsers (e.g. VMS Netscape Navigator Gold 3.03) do not support this key size and will report messages to that effect. To support such an environment new certificates using a 512 bit key size (determined empirically) must be generated for both CA and server. Assign the symbol RSAKEYSIZE before executing any WASD procedures. Be aware that 512 bit RSA keys have been publicly factored and provide no meaningful protection; use them only for this sort of legacy testing, never for a service handling real data.
$ RSAKEYSIZE = 512
$ @CREATE_CA_CERT.COM
$ @CREATE_SERVER_CERT.COM name
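The two knobs above, the _default entries in the .CNF file and the RSAKEYSIZE symbol, are what end up in the openssl req invocation the procedures make. The following is an added example, not part of the WASD procedures or of OpenSSL, showing how the [ req_distinguished_name ] defaults translate into a non-interactive -subj string and how the key size is carried into the command line. It assumes the section layout shown above (prompt text on the bare key, answer on the _default key, optional N. ordinal prefix) and the standard OpenSSL long-to-short attribute names; parse_section, default_subject and req_arguments are names chosen for this example.

```python
"""Derive an openssl -subj string from a DEFAULT.CNF-style
[ req_distinguished_name ] section and build a non-interactive
'openssl req -new' argument list with a chosen RSA key size.

Added example; not WASD or OpenSSL code. Assumes the section layout
shown in the README and a plain '# comment' / 'key = value' syntax.
"""

# Standard OpenSSL long attribute names -> abbreviations accepted by -subj.
SHORT_NAMES = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
    "emailAddress": "emailAddress",
}

# Constructed sample that mirrors the README's DEFAULT.CNF section.
SAMPLE_CNF = """\
# WASD-style defaults (constructed sample)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SA
localityName = Locality Name (eg, city)
localityName_default = Adelaide
0.organizationName = Organization Name (eg, company)
0.organizationName_default = WASD HTTPd Server Cert
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Testing Only
commonName = Common Name (eg, YOUR name)
commonName_default = WASD VMS Web Services
emailAddress = Email Address
emailAddress_default = Mark.Daniel@dsto.defence.gov.au
"""


def parse_section(text, wanted="req_distinguished_name"):
    """Return ordered (key, value) pairs from one [ section ].

    Strips '#' comments and the spaces OpenSSL allows inside the
    section brackets. Does not expand OpenSSL's $variable references.
    """
    pairs = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current != wanted or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        pairs.append((key, value))
    return pairs


def default_subject(text):
    """Build the -subj string that results from accepting every _default.

    The bare key (e.g. 'countryName') only holds the prompt text, so it
    is skipped; the 'N.' ordinal OpenSSL uses to permit repeated
    attributes is dropped; '/' inside a value is escaped because it is
    the RDN separator in -subj syntax.
    """
    parts = []
    for key, value in parse_section(text):
        if not key.endswith("_default"):
            continue
        attr = key[: -len("_default")]
        head, _, tail = attr.partition(".")
        if head.isdigit() and tail:
            attr = tail
        short = SHORT_NAMES.get(attr, attr)
        escaped = value.replace("/", "\\/")
        parts.append(f"{short}={escaped}")
    return "/" + "/".join(parts)


def req_arguments(subject, key_bits=2048, allow_legacy=False):
    """Argument list for a non-interactive 'openssl req -new'.

    Mirrors the RSAKEYSIZE symbol: the default is 2048 bits, and
    anything smaller is refused unless the caller explicitly opts into
    the legacy-browser case (512-bit RSA has been publicly factored).
    """
    if key_bits < 2048 and not allow_legacy:
        raise ValueError(f"RSA {key_bits}-bit key is too weak; set allow_legacy=True "
                         "only for legacy-browser testing")
    return ["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}",
            "-subj", subject, "-keyout", "server.key", "-out", "server.csr"]


if __name__ == "__main__":
    subj = default_subject(SAMPLE_CNF)
    print(subj)
    print(" ".join(req_arguments(subj)))
```

Run stand-alone it prints the subject derived from the sample and the corresponding openssl req command line; dropping the default `key_bits` to 512 without `allow_legacy=True` raises, which is the guard the DCL procedures themselves do not have.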
It is possible to manually "fiddle" the certificate management database if an inadvertent certificate is created, a problem aborts certificate processing, etc. It involves the modification of two files.
Make quite sure whatever you modify represents exactly what you intend to undo!
Wipeout!
It is possible to "clean out" all server certificates, or even more drastically delete the CA certificate and all the database files (effectively returning the environment to an empty condition). Use with caution!
$ @CREATE_CLEAN