Creating certificates with OpenSSL
Complete these steps to create certificates with OpenSSL.
The following settings are adapted for IBM® Safer Payments.
- Create a configuration file.
The caconfig.cnf file is the default config file for the certificate authority (CA). It has the following content:
#..................................
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
crl = $dir/crl/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
crl_extensions = crl_ext
default_days = 365
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
default_crl_days = 183
#default_crl_hours = 24
default_md = sha256
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
#stateOrProvinceName = match
#localityName = match
organizationName = match
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096                           # Size of keys
default_keyfile = key.pem                     # name of generated keys
distinguished_name = req_distinguished_name
default_md = sha256                           # message digest algorithm
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr                         # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
#stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = RLP
#localityName = Locality Name (city, district)
#localityName_default = Coblence
organizationName = Organization Name (company)
organizationName_default = IRIS
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = Fraud Prevention
commonName = Common Name (hostname, IP, or user name)
commonName_max = 64
commonName_default = 192.168.1.1
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = support@iris.de

[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
#nsComment = "OpenSSL Generated Certificate"
#nsCertType = client, email, objsign          # for "everything including object signing"
subjectAltName = email:copy
issuerAltName = issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl =
#nsRenewalUrl =
#nsCaPolicyUrl =
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName = email:copy
#issuerAltName = issuer:copy
#obj = DER:02:03

[ crl_ext ]
#issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
#..................................
- Create Diffie-Hellman files.
$ openssl dhparam -out dh2048.pem 2048
- Create CA.
$ mkdir ~/myca
$ cd ~/myca
$ mkdir private certs newcerts conf export crl
$ echo "01" > serial
$ touch index.txt
$ vim conf/caconfig.cnf   (enter the content from step 1)
$ openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 365 -config conf/caconfig.cnf
→ PW: xxxxxxxx   (you are prompted for the password that protects the CA private key)
Note: Create a strong password and distribute it only to entitled people.
- Create signed server certificate and private server key.
You need one certificate/key for each IBM Safer Payments instance. Run the following commands one time for each instance and replace SERVER_IP with the IP address or hostname of the server.
$ openssl req -new -nodes -config conf/caconfig.cnf -out SERVER_IP.req.pem -keyout private/SERVER_IP.key.pem
→ CN: SERVER_IP
$ openssl ca -config conf/caconfig.cnf -out newcerts/SERVER_IP.cert.pem -infiles SERVER_IP.req.pem
- Create signed client certificate and private client key.
For MCI and ECI, you need at least one client certificate for each instance. Run the command twice per instance with unique file names and make sure that you enter unique common names when prompted.
If you want to use multi-factor authentication by using API client validation, you might want to create one extra client certificate per user. For these certificates, make sure that the common name matches the user's login.
$ openssl req -new -nodes -out filename.req.pem -keyout private/filename.key.pem -days 365 -config conf/caconfig.cnf
(for MCI)     → CN: CLIENT_IP_OR_NAME
(for ECI)     → CN: IRIS_SERVER_NAME
(for Browser) → CN: LOGIN
$ openssl ca -out newcerts/filename.cert.pem -days 365 -config conf/caconfig.cnf -infiles filename.req.pem
- Encrypt certificates.
To encrypt the private keys that belong to the certificates for secure storage on the IBM Safer Payments instances, run the following command. It is a best practice to do this for both client and server certificates.
$ openssl rsa -des3 -in private/<filename>.key.pem -out private/<filename>.enc.key.pem
- Create a certificate revocation list.
$ vim certs/ca.crl
$ vim crl.config
The following code is the content of crl.config:
[ ca ]
default_ca = CA_default                  # the default ca section

[ CA_default ]
dir = ./                                 # where everything is kept
database = $dir/index.txt                # database index file
certificate = $dir/certs/cacert.pem      # the CA certificate
crl = $dir/certs/ca.crl                  # the current CRL
private_key = $dir/private/cakey.pem     # the private key
default_crl_days = 183
$ openssl ca -config conf/caconfig.cnf -gencrl -out crl/crl.pem
- Configure client-side certificates in web browsers.
Use the following command to convert the PEM certificate to PKCS#12 (.p12) format:
$ openssl pkcs12 -export -out newcerts/filename.cert.p12 -inkey private/filename.key.pem -in newcerts/filename.cert.pem -certfile certs/cacert.pem
Next, import the client-side certificates in your browser.
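The whole procedure above, automated end to end as an added example; this script is not part of the IBM documentation or of the Safer Payments product. It builds the CA directory, issues a server certificate and two client certificates, encrypts a private key, generates the CRL and regenerates it after revoking one client, exports a browser .p12, and then verifies every certificate against the CA and the CRL. It assumes an openssl binary on PATH. The condensed caconfig.cnf, the address 192.0.2.10, the logins alice and bob, and all passwords are constructed; keys are 2048-bit rather than 4096-bit to keep the run short, the key is encrypted with -aes256 instead of the -des3 shown on the page, and -subj, -batch, -notext, -passin and -passout are standard OpenSSL options used here to replace the interactive prompts (PW, CN) that the page shows.

```shell
#!/bin/sh
# Added example (not IBM's tooling): runs the page's CA workflow in a scratch
# directory without prompts. Assumes openssl on PATH; names/passwords are constructed.
set -eu
CA_PASS=${CA_PASS:-demo-ca-pass}     # constructed; password of the CA private key
KEY_PASS=${KEY_PASS:-demo-key-pass}  # constructed; for the encrypted server key
P12_PASS=${P12_PASS:-demo-p12-pass}  # constructed; protects the browser .p12
write_caconfig() {  # condensed caconfig.cnf with only the sections used below
  cat > conf/caconfig.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert
crl_extensions = crl_ext
default_days = 365
default_crl_days = 183
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
organizationName = Organization Name (company)
commonName = Common Name (hostname, IP, or user name)
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}
setup_ca() {  # $1 = CA directory; mirrors the "Create CA" step
  mkdir -p "$1/private" "$1/certs" "$1/newcerts" "$1/conf" "$1/crl"
  ( cd "$1" && echo "01" > serial && : > index.txt && write_caconfig &&
    openssl req -new -x509 -extensions v3_ca -config conf/caconfig.cnf -days 365 \
      -subj "/C=DE/O=IRIS/CN=Demo Safer Payments CA" -passout "pass:$CA_PASS" \
      -keyout private/cakey.pem -out certs/cacert.pem >/dev/null 2>&1 )
}
issue_cert() {  # $1 = CA dir, $2 = file name stem, $3 = common name (CSR, then sign)
  ( cd "$1" &&
    openssl req -new -nodes -config conf/caconfig.cnf -subj "/C=DE/O=IRIS/CN=$3" \
      -out "$2.req.pem" -keyout "private/$2.key.pem" >/dev/null 2>&1 &&
    openssl ca -batch -notext -config conf/caconfig.cnf -passin "pass:$CA_PASS" \
      -out "newcerts/$2.cert.pem" -infiles "$2.req.pem" >/dev/null 2>&1 )
}
gen_crl() {  # $1 = CA dir; (re)generate crl/crl.pem from index.txt
  ( cd "$1" && openssl ca -config conf/caconfig.cnf -passin "pass:$CA_PASS" \
      -gencrl -out crl/crl.pem >/dev/null 2>&1 )
}
revoke_cert() {  # $1 = CA dir, $2 = certificate path relative to it
  ( cd "$1" && openssl ca -config conf/caconfig.cnf -passin "pass:$CA_PASS" \
      -revoke "$2" >/dev/null 2>&1 ) && gen_crl "$1"
}
verify_cert() {  # prints OK, REVOKED or FAIL for $2 (relative to CA dir $1)
  if ( cd "$1" && openssl verify -crl_check -CAfile certs/cacert.pem \
         -CRLfile crl/crl.pem "$2" >/dev/null 2>&1 ); then echo OK
  elif ( cd "$1" && openssl verify -CAfile certs/cacert.pem "$2" >/dev/null 2>&1 ); then
    echo REVOKED   # chain is valid; only the CRL rejects it
  else echo FAIL; fi
}
cert_cn() {  # print the CN of a certificate, e.g. to check it equals the user's login
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
run_demo() {  # whole workflow; prints one summary line
  dir=$(mktemp -d)
  setup_ca "$dir"
  issue_cert "$dir" 192.0.2.10 192.0.2.10   # server cert, CN = SERVER_IP (constructed)
  issue_cert "$dir" alice alice             # browser client cert, CN = login
  issue_cert "$dir" bob bob                 # second client, revoked below
  ( cd "$dir" && openssl rsa -aes256 -in private/192.0.2.10.key.pem \
      -out private/192.0.2.10.enc.key.pem -passout "pass:$KEY_PASS" >/dev/null 2>&1 )
  gen_crl "$dir"
  before=$(verify_cert "$dir" newcerts/bob.cert.pem)
  revoke_cert "$dir" newcerts/bob.cert.pem
  after=$(verify_cert "$dir" newcerts/bob.cert.pem)
  ( cd "$dir" && openssl pkcs12 -export -out newcerts/alice.cert.p12 -inkey private/alice.key.pem \
      -in newcerts/alice.cert.pem -certfile certs/cacert.pem -passout "pass:$P12_PASS" >/dev/null 2>&1 )
  echo "server=$(verify_cert "$dir" newcerts/192.0.2.10.cert.pem) bob_before=$before bob_after=$after alice_cn=$(cert_cn "$dir/newcerts/alice.cert.pem")"
  rm -rf "$dir"
}
case "${1:-}" in run) run_demo ;; esac   # usage: sh ca_demo.sh run
```

Run it as sh ca_demo.sh run. The summary line shows the server certificate verifying OK against the CA, bob's certificate passing before revocation and being rejected by the CRL afterwards, and the CN of alice's browser certificate equal to her login, which is the property to check when API client validation maps certificates to users. Because the page's caconfig.cnf uses policy_match, the country and organization in every request must equal those of the CA certificate or openssl ca refuses to sign; the -subj values above satisfy that.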