Up: Howtos   [Contents][Index]

8.1 Creating a TLS server certificate

Here is a brief run up on how to create a server certificate. It has actually been done this way to get a certificate from CAcert to be used on a real server. It has only been tested with this CA, but there shouldn’t be any problem to run this against any other CA.

Before you start, make sure that gpg-agent is running. As there is no need for a configuration file, you may simply enter:

  $ gpgsm-gencert.sh >a.p10
  Key type
   [1] RSA
   [2] Existing key
   [3] Direct from card
  Your selection: 1
  You selected: RSA

I opted for creating a new RSA key. The other option is to use an already existing key, by selecting 2 and entering the so-called keygrip. Running the command ‘gpgsm --dump-secret-key USERID’ shows you this keygrip. Using 3 offers another menu to create a certificate directly from a smart card based key.

Let’s continue:

  Key length
   [1] 1024
   [2] 2048
  Your selection: 1
  You selected: 1024

The script offers two common key sizes. With the current setup of CAcert, it does not make much sense to use a 2k key; their policies need to be revised anyway (a CA root key valid for 30 years is not really serious).

  Key usage
   [1] sign, encrypt
   [2] sign
   [3] encrypt
  Your selection: 1
  You selected: sign, encrypt

We want to sign and encrypt using this key. This is just a suggestion and the CA may actually assign other key capabilities.

Now for some real data:

  Name (DN)
  > CN=kerckhoffs.g10code.com

This is the most important value for a server certificate. Enter here the canonical name of your server machine. You may add other virtual server names later.

  E-Mail addresses (end with an empty line)

We don’t need email addresses in a server certificate and CAcert would anyway ignore such a request. Thus just hit enter.

If you want to create a client certificate for email encryption, this would be the place to enter your mail address (e.g. joe@example.org). You may enter as many addresses as you like, however the CA may not accept them all or reject the entire request.

  DNS Names (optional; end with an empty line)
  > www.g10code.com
  DNS Names (optional; end with an empty line)
  > ftp.g10code.com
  DNS Names (optional; end with an empty line)

Here I entered the names of the servers which actually run on the machine given in the DN above. The browser will accept a certificate for any of these names. As usual the CA must approve all of these names.

  URIs (optional; end with an empty line)

It is possible to insert arbitrary URIs into a certificate; for a server certificate this does not make sense.

We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:

  Parameters for certificate request to create:
       1	Key-Type: RSA
       2	Key-Length: 1024
       3	Key-Usage: sign, encrypt
       4	Name-DN: CN=kerckhoffs.g10code.com
       5	Name-DNS: www.g10code.com
       6	Name-DNS: ftp.g10code.com
  Really create such a CSR?
   [1] yes
   [2] no
  Your selection: 1
  You selected: yes

gpgsm will now start working on creating the request. As this includes the creation of an RSA key it may take a while. During this time you will be asked 3 times for a passphrase to protect the created private key on your system. A pop up window will appear to ask for it. The first two prompts are for the new passphrase and for re-entering it; the third one is required to actually create the certificate signing request.

When it is ready, you should see the final notice:

  gpgsm: certificate request created

Now, you may look at the created request:

  $ cat a.p10

You may now proceed by logging into your account at the CAcert website, choose Server Certificates - New, check sign by class 3 root certificate, paste the above request block into the text field and click on Submit.

If everything works out fine, a certificate will be shown. Now run

$ gpgsm --import

and paste the certificate from the CAcert page into your terminal followed by a Ctrl-D

  gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
  gpgsm: certificate imported
  gpgsm: total number processed: 1
  gpgsm:               imported: 1

gpgsm tells you that it has imported the certificate. It is now associated with the key you used when creating the request. The root certificate has not been found, so you may want to import it from the CACert website.

To see the content of your certificate, you may now enter:

  $ gpgsm -K kerckhoffs.g10code.com
  Serial number: 4C
         Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
        Subject: /CN=kerckhoffs.g10code.com
            aka: (dns-name www.g10code.com)
            aka: (dns-name ftp.g10code.com)
       validity: 2005-10-28 16:20:51 through 2007-10-28 16:20:51
       key type: 1024 bit RSA
      key usage: digitalSignature keyEncipherment
  ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
    fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:19:D8:E9:65:B9:BD:4F:B1:98:CC:57

I used -K above because this will only list certificates for which a private key is available. To see more details, you may use --dump-secret-keys instead of -K.

To make actual use of the certificate you need to install it on your server. Server software usually expects a PKCS\#12 file with key and certificate. To create such a file, run:

  $ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem

You will be asked for the passphrase as well as for a new passphrase to be used to protect the PKCS\#12 file. The file now contains the certificate as well as the private key:

  $ cat kerckhoffs-cert.pem
  Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
  Serial ...: 4C
  Subject ..: /CN=kerckhoffs.g10code.com
      aka ..: (dns-name www.g10code.com)
      aka ..: (dns-name ftp.g10code.com)
  -----BEGIN PKCS12-----
  [...many more lines...]
  -----END PKCS12-----

Copy this file in a secure way to the server, install it there and delete the file then. You may export the file again at any time as long as it is available in GnuPG’s private key database.

Up: Howtos   [Contents][Index]