ssl tutorial part1

Creating an SSL certificate that can be used by servers is easy, unless you do it with openssl. In this tutorial I use GnuTLS.
You need almost only one command:

certtool --generate-self-signed --outfile xy

WARNING: If you type an entry, press Enter and nothing happens, that is fine. The prompt accepts a list, so you can add a further entry now. To finish the list, leave the line empty and press Enter.

1. Quick guide for a very simple SSL cert:
Run certtool --generate-self-signed --outfile xy and leave every answer empty. The browser will complain about an invalid cert, but that is fine for the beginning.

2. More extensive guide with decoded options:
Run certtool --generate-self-signed --outfile xy as before, but this time answer the questions. The questions are hard to understand.
Here is a nearly complete decoded list with recommendations for the difficult options (the recommended answer is in brackets):

Enter the subject's domain component (DC): e.g. marketing (empty)
E-mail: outdated (empty)
Enter the certificate's serial number in decimal: (empty)
Does the certificate belong to an authority? This asks whether it is a Certificate Authority (CA) certificate. If yes, you can sign other certificates with it.
Path length constraint: a value other than 0, or an empty answer, limits how often this certificate can be used to sign new certificates (empty)
Is this a TLS web client certificate? used for client authentication (no)
Will the certificate be used for IPsec IKE operations? used as a key for IPsec (empty)
Is this also a TLS web server certificate? (empty)
Will the certificate be used to sign CRLs? CRL = Certificate Revocation List (no)
Will the certificate be used to sign code? allows automatic verification of programs you offer under this cert (yes, why not)
Will the certificate be used to sign OCSP requests? OCSP = Online Certificate Status Protocol (empty)
https://de.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Will the certificate be used for time stamping? decides whether signed contents stay valid if they were signed while the certificate was valid, even after the certificate has expired (yes)
InstantSSL: "Timestamping ensures that code will not expire when the certificate expires."
Enter the URI of the CRL distribution point: asks for the revocation address (URL of the revocation list) (empty)
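The interactive questions above can also be answered once in a certtool template file, which makes the run repeatable and leaves a record of which extensions were chosen. The script below is an added example, not part of the original post: it writes a template whose keys (tls_www_server, code_signing_key, time_stamping_key, and so on) are the template equivalents of the decoded prompts, then generates the private key and the self-signed certificate from it. The host name www.example.test, the organization, the output paths and the decision to mark it as a TLS server certificate are assumptions for this example; the post itself leaves that question empty.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive certtool run.
# Every line in the template corresponds to one of the questions decoded above.
set -eu

# Write a certtool template to the path given as $1.
write_template() {
    cat > "$1" <<'EOF'
# Subject fields (constructed example values)
organization = "Example Org"
cn = "www.example.test"
# Subject Alternative Name; browsers check this, not cn
dns_name = "www.example.test"
# Lifetime in days
expiration_days = 365
# 'ca' is deliberately absent: a server key must not be able to sign
# other certificates, so the "belongs to an authority" answer stays "no"
# and no path_len is needed.
# Key usage / extended key usage, following the post's recommendations
tls_www_server
signing_key
encryption_key
code_signing_key
time_stamping_key
# tls_www_client, crl_signing_key, ocsp_signing_key and ipsec_ike_key are
# answered "no"/empty in the post, so those lines are simply left out.
EOF
}

# Prints "yes" if the template does NOT turn the cert into a CA, "no" otherwise.
# This is the check worth doing before signing: a stray 'ca' line would let
# the server key issue certificates for any name.
template_is_leaf() {
    if grep -q '^ca$' "$1"; then echo "no"; else echo "yes"; fi
}

# Generate key + self-signed certificate from template $1 into directory $2.
# Needs certtool (package gnutls-bin on Debian/Ubuntu); skipped if missing.
make_self_signed() {
    tmpl=$1; out=$2
    if ! command -v certtool >/dev/null 2>&1; then
        echo "certtool not installed; only the template $tmpl was written" >&2
        return 0
    fi
    mkdir -p "$out"
    # Private key first; certtool does not overwrite an existing outfile.
    certtool --generate-privkey --outfile "$out/key.pem"
    certtool --generate-self-signed --load-privkey "$out/key.pem" \
        --template "$tmpl" --outfile "$out/cert.pem"
    # Decode the result so the chosen extensions can be checked by eye.
    certtool --certificate-info --infile "$out/cert.pem"
}

# Stand-alone run: everything goes into a fresh temporary directory.
workdir=$(mktemp -d)
write_template "$workdir/certtool.tmpl"
echo "template leaves cert as non-CA: $(template_is_leaf "$workdir/certtool.tmpl")"
make_self_signed "$workdir/certtool.tmpl" "$workdir"
echo "output in $workdir"
```

The private key is written unencrypted; on a real server restrict its permissions (for example chmod 600) and keep it out of any directory the web server serves. Leaving `ca` out of the template is the single most important line: the post's "belongs to an authority" question defaults to "no", and a server certificate should keep it that way.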

Caution: CA-specific options are not included yet. I will improve this guide and write a second part on how to create and use a CA cert.

Sorry, the documentation I found on the internet is not very good.


2 thoughts on "ssl tutorial part1"

    • first: sorry for my bad English, this was one of my first English posts (and I was a newbie)
      second: I forgot to update this post, which I will do now
