Certificate Generation & Checking with OpenSSL

CS 463 Lecture, Dr. Lawlor

OpenSSL is a neat little command line tool for generating and verifying certificates.

Verify a Certificate

Click the lock icon in your browser, open the certificate details, and export the site's HTTPS certificate as a Base64-encoded .pem file.  You can dump its contents (subject, issuer, validity dates, public key, extensions) to the screen with:
openssl x509 -in somewhere.pem -noout -text
You can verify the certificate against your system's disturbingly long trusted certificate lists (/usr/share/ca-certificates/mozilla/ or /etc/ssl/certs/ on my machine) using the command below.  openssl verify builds a chain from the certificate up to one of those trusted roots, checks each signature and validity period along the way, and prints OK only if it reaches a trusted root; if the site's intermediate certificate is not in the store, supply it with -untrusted intermediate.pem so the chain can be completed.
openssl verify googleIA.pem
googleIA.pem: OK

Generate Server Certificate

OpenSSL's "req" command can generate "self-signed" certificates: the certificate's own private key signs it, so no certificate authority vouches for it.  These provide no protection against a man-in-the-middle (anybody could generate their own self-signed certificate with the same name and impersonate the server, and a client has no way to tell the difference unless it has been told to trust this exact certificate), but they are secure against passive eavesdroppers who don't modify your traffic.
openssl req \
-x509 -nodes -days 9999 \
-subj '/C=US/ST=Alaska/L=Fairbanks/O=University of Alaska Fairbanks/OU=Really Dr. Lawlor/CN=netrun.cs.uaf.edu' \
-newkey rsa:2048 -keyout mycert.key -out mycert.crt
Here -nodes leaves the private key unencrypted on disk (so a server can start without a passphrase), and -days 9999 is far longer than public CAs are allowed to issue.  Current browsers also match the host name against the subjectAltName extension and ignore the CN, so add -addext 'subjectAltName=DNS:netrun.cs.uaf.edu' (OpenSSL 1.1.1 or later) if a browser is going to see this certificate.  You can dump the info to the screen as before:
openssl x509 -in mycert.crt -noout -text
You can even start a simple demo HTTPS server using that certificate:
openssl s_server -cert mycert.crt -key mycert.key -www
Now you can visit https://localhost:4433 (4433 is s_server's default port) and talk to the server.  You'll get a warning about the self-signed certificate.  With -www the server answers every request with a status page instead of real content, just info about the protocol and ciphers negotiated, but it is HTTPS!
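As an added worked example (not from the lecture), the following shell script ties the two sections above together: it builds a throwaway CA, has that CA sign a server certificate, also makes a plain self-signed certificate like the req -x509 command above, and then runs openssl verify against each the way the Verify a Certificate section does.  It assumes OpenSSL 1.1.1 or newer; the host name netrun.example.test, the organization names and the temporary paths are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of the lecture: build a throwaway CA, have it sign a
# server certificate, and run the same `openssl verify` checks on both that
# certificate and a plain self-signed one.  Assumes OpenSSL 1.1.1 or newer.
# Every host name, organization name and path below is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=netrun.example.test          # hypothetical server name

# Minimal req configs so the run does not depend on the system openssl.cnf.
# The subject always comes from -subj, so the [dn] section stays empty.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/plain.cnf"

# 1. The "root CA": a self-signed certificate flagged CA:TRUE.  This is the
#    same kind of object that lives in /etc/ssl/certs, just made locally.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORK/ca.cnf" \
  -subj '/C=US/ST=Alaska/O=Example Demo CA/CN=Example Demo Root' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Server key plus certificate signing request: what a real CA receives.
openssl req -new -nodes -newkey rsa:2048 -config "$WORK/plain.cnf" \
  -subj "/C=US/ST=Alaska/O=Example Server/CN=$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs the request.  subjectAltName is what browsers match the
#    host name against; current browsers ignore the CN for that purpose.
printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
  "$HOST" > "$WORK/server.ext"
openssl x509 -req -days 365 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# 4. A plain self-signed server certificate, like the lecture's `req -x509`,
#    with a SAN added via -addext (OpenSSL 1.1.1+).
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -config "$WORK/plain.cnf" \
  -subj "/C=US/ST=Alaska/O=Example Server/CN=$HOST" \
  -addext "subjectAltName = DNS:$HOST" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# ---- the checks: each returns openssl's exit status, 0 = chain (and name) OK

# Trust only the anchor in $1 when checking $2.  -CAfile alone *adds* to the
# system store; -no-CAfile/-no-CApath keep the default file and directory out.
verify_with_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Trust only the system store, exactly as the lecture's `openssl verify` does.
verify_with_system_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# Like verify_with_ca, but also require that $2 is valid for host name $3,
# the extra step a browser performs after the chain check.
verify_hostname() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" \
    >/dev/null 2>&1
}

report() {    # report <label> <command...>: print OK/FAIL, never abort
  label=$1; shift
  if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

report "CA-signed cert, our CA as trust anchor"          verify_with_ca "$WORK/ca.crt" "$WORK/server.crt"
report "CA-signed cert, system store only (unknown CA)"  verify_with_system_store "$WORK/server.crt"
report "CA-signed cert, correct host name"               verify_hostname "$WORK/ca.crt" "$WORK/server.crt" "$HOST"
report "CA-signed cert, wrong host name"                 verify_hostname "$WORK/ca.crt" "$WORK/server.crt" www.example.test
report "self-signed cert, system store only"             verify_with_system_store "$WORK/self.crt"
report "self-signed cert, pinned as its own anchor"      verify_with_ca "$WORK/self.crt" "$WORK/self.crt"
report "self-signed cert, pinned, correct host name"     verify_hostname "$WORK/self.crt" "$WORK/self.crt" "$HOST"
```

Run it with sh.  The two system-store failures are the point: without a trusted issuer a certificate is just a public key with a name attached, and the self-signed certificate only verifies once you pin it as its own trust anchor, which is what clicking through the browser warning amounts to.  The wrong-host-name failure shows the second check a browser makes after the chain: a perfectly valid certificate for one name is worthless for another.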

The same certificate and key could be used with a real web server, like Apache, using mod_ssl.  The config lines (inside the <VirtualHost *:443> block) are:
SSLEngine  on
SSLCertificateFile /etc/apache/ssl.crt/mycert.crt
SSLCertificateKeyFile /etc/apache/ssl.key/mycert.key
I really ought to do this for NetRun!