4 Creating Certificates
Here we consider the creation of example certificates.
The openssl command is a utility that comes with the OpenSSL distribution. It provides a variety of subcommands. Each subcommand is invoked as
openssl subcmd <options and arguments>
where subcmd denotes the subcommand in question.
We shall use the following subcommands to create certificates for the purpose of testing Erlang/OTP SSL:
- req to create certificate requests and a self-signed certificates,
- ca to create certificates from certificate requests.
We create the following certificates:
- the erlangCA root certificate (a self-signed certificate),
- the otpCA certificate signed by the erlangCA,
- a client certificate signed by the otpCA, and
- a server certificate signed by the otpCA.
The openssl configuration file
An openssl configuration file consist of a number of sections, where each section starts with one line containing [ section_name ], where section_name is the name of the section. The first section of the file is either unnamed, or is named [ default ]. For further details see the OpenSSL config(5) manual page.
The required sections for the subcommands we are going to use are as follows:
|subcommand||required/default section||override command line option||configuration file option|
|ca||[ca]||-name section||-config FILE|
Creating the Erlang root CA
The Erlang root CA is created with the command
openssl req -new -x509 -config /some/path/req.cnf \\ -keyout /some/path/key.pem -out /some/path/cert.pem
where the option -new indicates that we want to create a new certificate request and the option -x509 implies that a self-signed certificate is created.
Creating the OTP CA
The OTP CA is created by first creating a certificate request with the command
openssl req -new -config /some/path/req.cnf \\ -keyout /some/path/key.pem -out /some/path/req.pem
and the ask the Erlang CA to sign it:
openssl ca -batch -notext -config /some/path/req.cnf \\ -extensions ca_cert -in /some/path/req.pem -out /some/path/cert.pem
where the option -extensions refers to a section in the configuration file saying that it should create a CA certificate, and not a plain user certificate.
The client and server certificates are created similarly, except that the option -extensions then has the value user_cert.
The following module create_certs is used by the Erlang/OTP SSL application for generating certificates to be used in tests. The source code is also found in ssl-X.Y.Z/examples/certs/src.
The purpose of the create_certs:all/1 function is to make it possible to provide from the erl command line, the full path name of the openssl command.
Note that the module creates temporary OpenSSL configuration files for the req and ca subcommands.