4 Creating Certificates

Here we consider the creation of example certificates.

4.1  The openssl Command

The openssl command is a utility that comes with the OpenSSL distribution. It provides a variety of subcommands. Each subcommand is invoked as

      openssl subcmd <options and arguments>    

where subcmd denotes the subcommand in question.

We shall use the following subcommands to create certificates for the purpose of testing Erlang/OTP SSL:

  • req to create certificate requests and a self-signed certificates,
  • ca to create certificates from certificate requests.

We create the following certificates:

  • the erlangCA root certificate (a self-signed certificate),
  • the otpCA certificate signed by the erlangCA,
  • a client certificate signed by the otpCA, and
  • a server certificate signed by the otpCA.

The openssl configuration file

An openssl configuration file consist of a number of sections, where each section starts with one line containing [ section_name ], where section_name is the name of the section. The first section of the file is either unnamed, or is named [ default ]. For further details see the OpenSSL config(5) manual page.

The required sections for the subcommands we are going to use are as follows:

subcommand required/default section override command line option configuration file option
req [req] - -config FILE
ca [ca] -name section -config FILE
Table 4.1:   openssl subcommands to use

Creating the Erlang root CA

The Erlang root CA is created with the command

\011openssl req -new -x509 -config /some/path/req.cnf \\
\011    -keyout /some/path/key.pem -out /some/path/cert.pem      

where the option -new indicates that we want to create a new certificate request and the option -x509 implies that a self-signed certificate is created.

Creating the OTP CA

The OTP CA is created by first creating a certificate request with the command

\011openssl req -new -config /some/path/req.cnf \\
\011    -keyout /some/path/key.pem -out /some/path/req.pem      

and the ask the Erlang CA to sign it:

\011openssl ca -batch -notext -config /some/path/req.cnf \\
\011   -extensions ca_cert -in /some/path/req.pem -out /some/path/cert.pem      

where the option -extensions refers to a section in the configuration file saying that it should create a CA certificate, and not a plain user certificate.

The client and server certificates are created similarly, except that the option -extensions then has the value user_cert.

4.2  An Example

The following module create_certs is used by the Erlang/OTP SSL application for generating certificates to be used in tests. The source code is also found in ssl-X.Y.Z/examples/certs/src.

The purpose of the create_certs:all/1 function is to make it possible to provide from the erl command line, the full path name of the openssl command.

Note that the module creates temporary OpenSSL configuration files for the req and ca subcommands.