I am newbie in openSSL library and PKI . I have simple question for openSSL experts.

Does anybody know how to create certificates for code samples in this article "An Introduction to OpenSSL programming (Part I/II)" by Eric Rescorla

www.rtfm.com/openssl-examples/part1.pdf

www.rtfm.com/openssl-examples/part2.pdf

I have downloaded source code from http://www.rtfm.com/openssl-examples The problem is that certificates are expired and I don't know how to create new root certificate.

How to create root certificate? How to create certificates for client and server app? Wich ciphering algorithm should I use? As far as i understand i shuld do the following:

• Create key pair. Secret and public keys.
• Create certificate request (p10 format).
• Create selfsigned root sertificate (x509 format).

Details is not clear from the article.

This is how I am trying to create certificates:

1) Creating CA private key and certificate request: openssl req -newkey rsa -keyout ./ca_key.pem out.pem -out ./ca_req.pem -days 1095 -passin pass:"password" -subj "some information about CA" -extensions v3_ca

2) Create self signed CA certificate openssl ca -create_serial -in ca_req.pem -out root.pem -days 1095 -passin pass:"password" -selfsign -extension v3_ca

3)generate server private key and request for certificate openssl req -newkey rsa -keyout server_key.pem out server_req.pem -days 1095 -passin pass:"password" -subj "some information about server"

4)create server certifiate (this certificate is not self signed. This certificate signed by CA private key) openssl ca -in server_req.pem -out server.pem -passin pass:"password"

5)generate user private key and request for certificate openssl req -newkey rsa -keyout user_key.pem out user_req.pem -days 1095 -passin pass:"password" -subj "some information about client"

6)create user certifiate (this certificate is not self signed. This certificate signed by CA private key) openssl ca -in user_req.pem -out client.pem -passin pass:"password"

I am not sure about "rsa" algorithm here. May be I shuold use other algorthm.

So i have root.pem, server.pem, client.pem I put client key and certificate to client.pem And the same thing for server.pem. ( The same way as in the articles sample certificates.)

But when i try to start server with these new generated certificates i have an error: "Couldn't open DH file."

When I put old DH file to current folder and server starts. (dh1024.pem What is it?)

The next step. I start client and I got another error message: "Cetrificate doesn't verify."

The error code is 20. Desciption for code 20 in x509_vfy.h is "unable to get issuer certificate locally"

All of this means that I have created certificates incorrectly. I don't know how to do it correctly.

Does anybody have an idea?

This is the solution. May be it is not optimal but it works. The only difference with question solution is option: "-des3 1024"

#!/bin/sh

alg="rsa"

ossl="openssl"

passwd="password"

#certificate autority folder
caFolder="./demoCA"

#delete old certificates, CA folder and keys 
rm -rf *.pem

rm -rf $caFolder

#create folder structure
mkdir $caFolder
mkdir "$caFolder/private"
mkdir "$caFolder/newcerts"

#generate RSA private key for CA
$ossl genrsa -out ca_key.pem 1024

#Creating certificate request:
$ossl req -new -key ca_key.pem -out ./ca_req.pem -days 1095 -passin pass:$passwd  -passout pass:$passwd \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=TestCAs/CN=TestCA/emailAddress=TestCA@company.ru -extensions v3_ca

cp ca_key.pem "$caFolder/private/cakey.pem" 

touch "$caFolder/index.txt"

#Create self signed CA certificate 
$ossl ca -create_serial -in ca_req.pem -out ca_cert.pem -days 1095 -passin pass:$passwd -selfsign -extensions v3_ca -notext
cp ca_cert.pem "$caFolder/cacert.pem"


#generate SERVER private key and request for certificate 
$ossl genrsa -out server_key.pem -passout pass:$passwd -des3 1024

$ossl req -new -key server_key.pem  -passin pass:$passwd \
-passout pass:$passwd -out server_req.pem -days 1095 \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=SSLServers/CN=localhost/emailAddress=SSLServer@company.ru  

#create SERVER certifiate (this certificate is not self signed. This certificate signed by CA private key)
$ossl ca -in server_req.pem -out server_cert.pem -passin pass:$passwd -notext


#generate RSA private key for client
$ossl genrsa -out user_key.pem -passout pass:$passwd -des3 1024

#generate request certificate for client
$ossl req -new -key user_key.pem -out user_req.pem -days 1095 \
-passin pass:$passwd -passout pass:$passwd \
-subj /C=RU/ST=Moscow/L=Moscow/O=company/OU=Clients/CN=Client/emailAddress=Client@company.ru 

#create user certifiate (this certificate is not self signed. This certificate signed by CA private key) 
$ossl ca -in user_req.pem -out user_cert.pem -passin pass:$passwd -notext

#generate  DH   param
$ossl dhparam -out dh1024.pem 1024

cat ./user_key.pem ./user_cert.pem > client.pem  

cat ./server_key.pem  ./server_cert.pem  > server.pem

cp ./ca_cert.pem root.pem

The error code is 20 "unable to get issuer certificate locally" is caused because there is no CA certificate Present . Both client and server certificate need to be signed by a common CA .