Creating certificates with OpenSSL

Complete these steps to create certificates with OpenSSL.

Important: Ask your security expert to review and run these steps. The steps can differ on different platforms. Complete the steps at your own risk.

The following settings are adapted for IBM® Safer Payments.

  1. Create a configuration file.

    The caconfig.cnf file is the default config file for the certificate authority (CA). It has the following content:

    
    #..................................
    [ ca ]
    default_ca = CA_default
    [ CA_default ]
    dir = .
    certs = $dir/certs
    crl_dir = $dir/crl
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    certificate = $dir/certs/cacert.pem
    serial = $dir/serial
    crl = $dir/crl/crl.pem
    private_key = $dir/private/cakey.pem
    #RANDFILE = $dir/private/.rand
    x509_extensions = usr_cert
    crl_extensions = crl_ext
    default_days = 365
    #default_startdate = YYMMDDHHMMSSZ
    #default_enddate = YYMMDDHHMMSSZ
    default_crl_days = 183
    #default_crl_hours = 24
    default_md = sha256
    preserve = no
    #msie_hack
    policy = policy_match
    
    [ policy_match ]
    countryName = match
    #stateOrProvinceName = match
    #localityName = match
    organizationName = match
    commonName = supplied
    emailAddress = optional
    
    [ req ]
    default_bits = 4096 # Size of keys
    default_keyfile = key.pem # name of generated keys
    distinguished_name = req_distinguished_name
    default_md = sha256 # message digest algorithm
    attributes = req_attributes
    x509_extensions = v3_ca
    #input_password
    #output_password
    string_mask = nombstr # permitted characters
    req_extensions = v3_req
    
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = DE
    countryName_min = 2
    countryName_max = 2
    #stateOrProvinceName = State or Province Name (full name)
    #stateOrProvinceName_default = RLP
    #localityName = Locality Name (city, district)
    #localityName_default = Coblence
    organizationName = Organization Name (company)
    organizationName_default = IRIS
    organizationalUnitName = Organizational Unit Name (department, division)
    organizationalUnitName_default = Fraud Prevention
    commonName = Common Name (hostname, IP, or user name)
    commonName_max = 64
    commonName_default = 192.168.1.1
    emailAddress = Email Address
    emailAddress_max = 40
    emailAddress_default = support@iris.de
    
    [ req_attributes ]
    #challengePassword = A challenege password
    #challengePassword_min = 4
    #challengePassword_max = 20
    #unstructuredName = An optional company name
    
    [ usr_cert ]
    basicConstraints= CA:FALSE
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    #nsComment = ''OpenSSL Generated Certificate''
    #nsCertType = client, email, objsign for ''everything including object signing''
    subjectAltName=email:copy
    issuerAltName=issuer:copy
    #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl = 
    #nsRenewalUrl = 
    #nsCaPolicyUrl = 
    #nsSslServerName = 
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    [ v3_ca ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    basicConstraints = CA:TRUE
    #keyUsage = cRLSign, keyCertSign
    #nsCertType = sslCA, emailCA
    #subjectAltName=email:copy
    #issuerAltName=issuer:copy
    #obj=DER:02:03
    
    [ crl_ext ]
    #issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always
    #..................................
    
  2. Create Diffie-Hellman files.
    $ openssl dhparam -out dh2048.pem 2048 
  3. Create CA.
    $ mkdir ~/myca
    $ cd ~/myca
    $ mkdir private certs newcerts conf export crl
    $ echo "01" > serial
    $ touch index.txt
    $ vim conf/caconfig.cnf (Step 1)
    $ openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out 
    certs/cacert.pem -days 365 -config conf/caconfig.cnf
       → PW: xxxxxxxx
    
    Note: Create a strong password and distribute it only to entitled people.
  4. Create signed server certificate and private server key.

    You need one certificate/key for each IBM Safer Payments instance. Run the following commands one time for each instance and replace SERVER_IP with the IP address or hostname of the server.

    
    $ openssl req -new -nodes -config conf/caconfig.cnf -out SERVER_IP.req.pem 
    -keyout private/SERVER_IP.key.pem
       → CN: SERVER_IP
    $ openssl ca -config conf/caconfig.cnf -out newcerts/SERVER_IP.cert.pem 
    -infiles SERVER_IP.req.pem
    
  5. Create signed client certificate and private client key.

    For MCI and ECI, you need at least one client certificate for each instance. Run the command twice per instance with unique file names and make sure that you enter unique common names when prompted.

    If you want to use multi-factor authentication by using API client validation, you might want to create one extra client certificate per user. For these certificates, make sure that the common name matches the users login.

    
    $ openssl req -new -nodes -out filename.req.pem -keyout private/filename.key.pem 
    -days 365 -config conf/caconfig.cnf
    (for MCI) -> CN: CLIENT_IP_OR_NAME
    (for ECI) -> CN: IRIS_SERVER_NAME
    (for Browser) -> CN: LOGIN
    $ openssl ca -out newcerts/filename.cert.pem -days 365 -config conf/caconfig.cnf 
    -infiles filename.req.pem
    
  6. Encrypt certificates.
    To encrypt certificates for secure storage on the IBM Safer Payments instances, run the following command:
    openssl rsa -des3 -in private/<filename>.key.pem -out private/<filename>.enc.key.pem
    It is a best practice to do this for both client and server certificates.
  7. Create a certificate revocation list.
    
    vim certs/ca.crl
    vim crl.confg
    
    The following code is the content of crl.config:
    
    
       [ ca ]  
       default_ca       = CA_default                   # the default ca section
    
       [ CA_default ]  
       dir              = ./                           # where everything is kept
       database         = $dir/index.txt               # database index file.
       certificate      = $dir/certs/cacert.pem        # the CA certificate
       crl              = $dir/certs/ca.crl            # the current CRL
       private_key      = $dir/private/cakey.pem       # the private key
       default_crl_days = 183   
     
    $ openssl ca -config conf/caconfig.cnf -gencrl -out crl/crl.pem
    
  8. Configure client-side certificates in web browsers.
    Use the following command to convert pem certificate to p12:
    openssl pkcs12 -export -out newcerts/filename.cert.p12 -inkey private/filename.key.pem 
    -in newcerts/filename.cert.pem -certfile certs/cacert.pem
    Next, import the client-side certificates in your browser.