Secure Authentication

Terminology

  • Public Key Encryption: Secure data transport using a public/private key pair.
  • Private Key: Decrypts. Also contains the public key material. The first file generated, before a certificate or certificate request. File.
  • Public Key: Encrypts. Derived from the private key; generally does not need to be generated separately. File.
  • Certificate Authority: A trusted third-party entity that issues and/or revokes digital certificates.
  • Root Certificate Authority: The certificate authority at the top of a chain of certificate authorities. A trusted third-party entity that issues and/or revokes digital certificates.
  • Sub-CA Certificate Authority: A child certificate authority created and certified by a parent certificate authority. A trusted third-party entity that issues and/or revokes digital certificates.
  • Root CA Certificate: The digital certificate of the root certification authority (CA), at the top of the chain. The root CA certificate is always self-signed, since no higher authority exists to issue it.
  • CA Certificate: A digital certificate granted to one certification authority (CA) by another certification authority.
  • Certificate: A certificate that has been signed (authorized) by a CA. Contains the public key. Data may be encoded in a container format (PKCS#7, PKCS#12, etc.). File.
  • Certificate Signing Request (CSR): A request for a certificate. The certificate authority signs the request and hands it back as an authentic certificate. File.


OpenSSL Commands and Utilities

Generate Private Key (RSA, 2048 bits):

$ openssl genrsa -out <filename> 2048


Generate Self-Signed Certificate From Private Key:

$ openssl req -new -x509 -days 365 -key <filename> -out <filename>


Generate Private Key and Self-Signed Certificate:

$ openssl req -new -x509 -days 365 -nodes -keyout <filename> -out <filename>


Generate Certificate Signing Request From Private Key:

$ openssl req -new -key <filename> -out <filename>


Generate Private Key and Certificate Signing Request:

$ openssl req -new -nodes -keyout <filename> -out <filename>


Generate Signed Certificate From Signing Request:

$ openssl x509 -req -days 365 -CA <filename> -CAkey <filename> -CAcreateserial -in <filename> -out <filename>


View Details of Certificate:

$ openssl x509 -text -in <filename>

Bongo

Self-signed certificates

Prerequisite
  • OpenSSL


The following example generates two files: a certificate (-out) valid for 365 days and the private key that belongs to it (-keyout):

$ openssl req -new -x509 -days 365 -nodes -keyout <filename> -out <filename>


Interactive Q/A

Generating a self-signed certificate leads you through a series of questions. The "Common Name" is the most important answer: it is the host name the certificate is issued for, and clients compare it against the host they connect to.


FQDN example answers:
  • Country Name: <US>
  • State or Province Name: <Utah>
  • Locality Name: <Springville>
  • Organization Name: <Unified Functions>
  • Organizational Unit Name: <IT>
  • Common Name: <www.unifiedfunctions.com>
  • Email Address: <admin@unifiedfunctions.com>


Wildcard example answers:
  • Country Name: <US>
  • State or Province Name: <Utah>
  • Locality Name: <Springville>
  • Organization Name: <Unified Functions>
  • Organizational Unit Name: <IT>
  • Common Name: <*.unifiedfunctions.com>
  • Email Address: <admin@unifiedfunctions.com>
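
The same answers can be supplied non-interactively with -subj, and the commands from the OpenSSL section above chained into one script that also checks the result. This is an added example, not part of the original page; it assumes the openssl command-line tool is on PATH, reuses the page's example names, and adds a subjectAltName because modern clients match the host name against that extension rather than the Common Name.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a private root CA,
# issues a wildcard server certificate from a CSR signed by that CA, and
# returns 0 only if the chain verifies AND the certificate covers the
# host name passed as the first argument. All names/paths are constructed.
issue_and_verify() {
    host="$1"
    work=$(mktemp -d) || return 1

    # 1. Root CA: private key plus self-signed certificate in one step
    #    (page: "Generate Private Key and Self-Signed Certificate").
    openssl req -new -x509 -days 365 -nodes \
        -subj "/C=US/ST=Utah/L=Springville/O=Unified Functions/OU=IT/CN=Unified Functions Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null || { rm -rf "$work"; return 1; }

    # 2. Server private key and CSR with the wildcard Common Name
    #    (page: "Generate Private Key and Certificate Signing Request").
    openssl req -new -nodes \
        -subj "/C=US/ST=Utah/L=Springville/O=Unified Functions/OU=IT/CN=*.unifiedfunctions.com" \
        -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null || { rm -rf "$work"; return 1; }

    # 3. Extension file: clients check subjectAltName, so the wildcard
    #    must appear there too, not only in the CN.
    printf 'subjectAltName=DNS:*.unifiedfunctions.com\n' > "$work/ext.cnf"

    # 4. The CA signs the CSR (page: "Generate Signed Certificate From
    #    Signing Request"), with the extensions from step 3 attached.
    openssl x509 -req -days 365 -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -extfile "$work/ext.cnf" -in "$work/server.csr" -out "$work/server.pem" 2>/dev/null \
        || { rm -rf "$work"; return 1; }

    # 5. Verify the chain against our CA and that the cert is valid for $host.
    openssl verify -CAfile "$work/ca.pem" -verify_hostname "$host" "$work/server.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Run `issue_and_verify www.unifiedfunctions.com` to see the wildcard accepted; `issue_and_verify unifiedfunctions.com` fails, because `*.unifiedfunctions.com` does not cover the bare domain.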


For Bongo

Bongo looks for the following two files at the specified location. To replace the default certificates, either replace the files with your own (keeping the same file names) or replace the contents of each file:


  • replace contents of <install location>/var/bongo/dbf/osslcert.pem with the generated cert
  • replace contents of <install location>/var/bongo/dbf/osslpriv.pem with the generated key

Mail Clients

Thunderbird

I am not sure yet if Thunderbird 3 likes wildcard certs!