erlang-doc-R13B-04.6.fc13.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns:fn="http://www.w3.org/2005/02/xpath-functions">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="../../../../doc/otp_doc.css" type="text/css">
<title>Erlang -- Creating Certificates</title>
</head>
<body bgcolor="white" text="#000000" link="#0000ff" vlink="#ff00ff" alink="#ff0000"><div id="container">
<div id="leftnav"><div class="innertube">
<img alt="Erlang logo" src="../../../../doc/erlang-logo.png"><br><small><a href="users_guide.html">User's Guide</a><br><a href="index.html">Reference Manual</a><br><a href="release_notes.html">Release Notes</a><br><a href="../pdf/ssl-3.10.8.pdf">PDF</a><br><a href="../../../../doc/index.html">Top</a></small><p><strong>Secure Socket Layer </strong><br><strong>User's Guide</strong><br><small>Version 3.10.8</small></p>
</div></div>
<div id="content">
<div class="innertube">
<h1>4 Creating Certificates</h1>
  
  <p>Here we consider the creation of example certificates. 
    </p>

  <h3><a name="id2259452">4.1 
        The openssl Command</a></h3>
    
    <p>The <span class="code">openssl</span> command is a utility that comes with the
      OpenSSL distribution. It provides a variety of subcommands. Each
      subcommand is invoked as</p>
    <div class="example"><pre>
      openssl subcmd &lt;options and arguments&gt;    </pre></div>
    <p>where <span class="code">subcmd</span> denotes the subcommand in question.
      </p>
    <p>We shall use the following subcommands to create certificates for
      the purpose of testing Erlang/OTP SSL:
      </p>
    <ul>
      <li>
<strong>req</strong> to create certificate requests and
       self-signed certificates,
      </li>
      <li>
<strong>ca</strong> to create certificates from certificate requests.</li>
    </ul>
    <p>We create the following certificates:
      </p>
    <ul>
      <li>the <strong>erlangCA</strong> root certificate (a self-signed
       certificate), </li>
      <li>the <strong>otpCA</strong> certificate signed by the <strong>erlangCA</strong>, </li>
      <li>a client certificate signed by the <strong>otpCA</strong>, and</li>
      <li>a server certificate signed by the <strong>otpCA</strong>.</li>
    </ul>

    <h4>The openssl configuration file</h4>
      
      <p>An <span class="code">openssl</span> configuration file consists of a number of
        sections, where each section starts with one line containing
        <span class="code">[ section_name ]</span>, where <span class="code">section_name</span> is the name
        of the section. The first section of the file is either
        unnamed, or is named <span class="code">[ default ]</span>. For further details
        see the OpenSSL config(5) manual page.
        </p>
      <p>The required sections for the subcommands we are going to 
        use are as follows:
        </p>
      <table border="1" cellpadding="2" cellspacing="0">
<tr>
          <td align="left" valign="middle">subcommand</td>
          <td align="left" valign="middle">required/default section</td>
          <td align="left" valign="middle">override command line option</td>
          <td align="left" valign="middle">configuration file option</td>
        </tr>
<tr>
          <td align="left" valign="middle">req</td>
          <td align="left" valign="middle">[req]</td>
          <td align="left" valign="middle">-</td>
          <td align="left" valign="middle"><span class="code">-config FILE</span></td>
        </tr>
<tr>
          <td align="left" valign="middle">ca</td>
          <td align="left" valign="middle">[ca]</td>
          <td align="left" valign="middle"><span class="code">-name section</span></td>
          <td align="left" valign="middle"><span class="code">-config FILE</span></td>
        </tr>
</table>
<em>Table 4.1: openssl subcommands to use</em>
    

    <h4>Creating the Erlang root CA</h4>
      
      <p>The Erlang root CA is created with the command</p>
      <div class="example"><pre>
        openssl req -new -x509 -config /some/path/req.cnf \
                -keyout /some/path/key.pem -out /some/path/cert.pem </pre></div>
      <p>where the option <span class="code">-new</span> indicates that we want to create
        a new certificate request and the option <span class="code">-x509</span> implies
        that a self-signed certificate is created.
      </p>
    

    <h4>Creating the OTP CA</h4>
      
      <p>The OTP CA is created by first creating a certificate request
        with the command</p>
      <div class="example"><pre>
        openssl req -new -config /some/path/req.cnf \
                -keyout /some/path/key.pem -out /some/path/req.pem      </pre></div>
      <p>and then ask the Erlang CA to sign it:</p>
      <div class="example"><pre>
        openssl ca -batch -notext -config /some/path/req.cnf \
                -extensions ca_cert -in /some/path/req.pem -out /some/path/cert.pem      </pre></div>
      <p>where the option <span class="code">-extensions</span> names the section of the
        configuration file whose X.509 extensions mark the result as a CA
        certificate, and not a plain user certificate.
        </p>
      <p>The <span class="code">client</span> and <span class="code">server</span> certificates are created
        similarly, except that the option <span class="code">-extensions</span> then has the 
        value <span class="code">user_cert</span>.  
        </p>
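    <p>The four certificates listed above, built end to end as an added example.
      This is not the OTP <span class="code">create_certs</span> module; the directory
      layout, the distinguished names, the key size and validity period, the
      <span class="code">-nodes</span> option (which writes the private keys unencrypted
      so the run needs no passphrase prompt) and the contents of the generated
      <span class="code">req.cnf</span> are all assumptions chosen for a throwaway test
      PKI. One configuration file is written per entity so that, for the two CAs,
      the same file serves the <span class="code">req</span> subcommand through its
      <span class="code">[ req ]</span> section and the <span class="code">ca</span> subcommand
      through its <span class="code">[ ca ]</span> section, the arrangement Table 4.1
      describes; the <span class="code">ca_cert</span> and <span class="code">user_cert</span>
      extension sections carry the <span class="code">-extensions</span> values used in the
      text. The closing <span class="code">openssl verify</span> step is the check worth
      running before handing the files to the SSL application: each leaf must chain
      to the erlangCA root through otpCA.</p>

```shell
#!/bin/sh
# Added example (not the OTP create_certs module): the erlangCA root, the otpCA
# intermediate and a client and server certificate, built with the openssl req
# and ca subcommands from a generated configuration file per entity. Directory
# layout, DN values, key size, validity and the -nodes option are assumptions.
set -eu

# Write req.cnf for one entity. For a CA the [ca]/[erlang_ca] sections point at
# the CA's own directory, so the same file later drives "openssl ca".
write_config() {
  dir="$1"; cn="$2"
  cat > "$dir/req.cnf" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_cert

[ req_dn ]
C  = SE
O  = Erlang OTP test PKI
CN = $cn

[ ca ]
default_ca = erlang_ca

[ erlang_ca ]
dir            = $dir
database       = $dir/index.txt
serial         = $dir/serial
new_certs_dir  = $dir/newcerts
certificate    = $dir/cert.pem
private_key    = $dir/key.pem
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = no

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ ca_cert ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer

[ user_cert ]
basicConstraints       = critical, CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Prepare an entity directory; the empty database and serial file are what
# "openssl ca" expects to find when the entity acts as a CA.
init_entity() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  write_config "$1" "$2"
}

# Issue a certificate for the entity in $2 from the CA in $1 with extension
# section $3 (ca_cert for a CA, user_cert for a client or server).
sign_with() {
  ca="$1"; entity="$2"; ext="$3"
  openssl ca -batch -notext -config "$ca/req.cnf" -extensions "$ext" \
    -in "$entity/req.pem" -out "$entity/cert.pem"
}

create_chain() {
  work="$1"
  for e in erlangCA otpCA client server; do init_entity "$work/$e" "$e"; done

  # erlangCA: self-signed root; -x509 applies x509_extensions = ca_cert.
  openssl req -new -x509 -nodes -days 365 -config "$work/erlangCA/req.cnf" \
    -keyout "$work/erlangCA/key.pem" -out "$work/erlangCA/cert.pem"

  # otpCA: a request, then signed by erlangCA as a CA certificate.
  openssl req -new -nodes -config "$work/otpCA/req.cnf" \
    -keyout "$work/otpCA/key.pem" -out "$work/otpCA/req.pem"
  sign_with "$work/erlangCA" "$work/otpCA" ca_cert

  # client and server: requests signed by otpCA as end-entity certificates.
  for e in client server; do
    openssl req -new -nodes -config "$work/$e/req.cnf" \
      -keyout "$work/$e/key.pem" -out "$work/$e/req.pem"
    sign_with "$work/otpCA" "$work/$e" user_cert
  done
}

# Succeeds only if the leaf in $2 chains to the erlangCA root through otpCA.
verify_leaf() {
  openssl verify -CAfile "$1/erlangCA/cert.pem" -untrusted "$1/otpCA/cert.pem" \
    "$1/$2/cert.pem" >/dev/null
}

# Usage: sh make_certs.sh /some/path   (the directory must be writable)
[ $# -eq 0 ] || { create_chain "$1"; verify_leaf "$1" client; verify_leaf "$1" server; }
```

    <p>Running the script with a directory argument leaves
      <span class="code">erlangCA/</span>, <span class="code">otpCA/</span>,
      <span class="code">client/</span> and <span class="code">server/</span> below it, each with
      <span class="code">key.pem</span> and <span class="code">cert.pem</span>; the CA
      directories additionally hold the <span class="code">index.txt</span> database and
      <span class="code">serial</span> file that <span class="code">openssl ca</span> updates on
      every signature. Note that <span class="code">verify_leaf</span> passes the
      otpCA certificate as <span class="code">-untrusted</span>: it is not itself a
      trust anchor, only a link that must be validated back to the root.</p>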
    
  

  <h3><a name="id2254962">4.2 
        An Example</a></h3>
    
    <p>The following module <span class="code">create_certs</span> is used by the Erlang/OTP
      SSL application for generating certificates to be used in tests. The
      source code is also found in <span class="code">ssl-X.Y.Z/examples/certs/src</span>.
      </p>
    <p>The purpose of the <span class="code">create_certs:all/1</span> function is to make
      it possible to supply the full path name of the <span class="code">openssl</span>
      command from the <span class="code">erl</span> command line.
      </p>
    <p>Note that the module creates temporary OpenSSL configuration files
      for the <span class="code">req</span> and <span class="code">ca</span> subcommands. 
      </p>
    
  
</div>
<div class="footer">
<hr>
<p>Copyright © 1999-2010 Ericsson AB. All Rights Reserved.</p>
</div>
</div>
</div></body>
</html>