Server Certificates for the Skopos Engine

This document covers the creation of certificates suitable for use by the Skopos Engine; both self-signed certificates and certificates signed by a CA (including your own private CA) are covered.

If you plan to use your own CA certificate, see the Creating a Certificate Authority section in the 'Client Certificates' page.

Self-signed Certificate

NOTE: the engine can automatically create a self-signed certificate for its own use; see the description of the --autocert option in the Command Line Reference.

Use the procedure below only if you need to adjust the certificate's options to suit your needs.

The following template can be used to make a configuration file for a self-signed certificate (this is the exact template used by Skopos' own --autocert option). Replace the {} string with the hostname that will be used to access the engine (note it appears twice in the template and should be the same in both places).

[req]
distinguished_name=dn
x509_extensions=e
prompt=no

[e]
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyCertSign,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
basicConstraints=critical,CA:FALSE
subjectAltName=DNS:{}

[dn]
O=Automatically Generated Certificate
CN={}

NOTES:

  • the CA:FALSE constraint appears to make the certificate 'invalid' (it is used to sign itself, so it must be a CA); however, using 'CA:TRUE' causes the Chrome browser to reject it without even offering the option to add an exception for it (the variant with 'CA:FALSE' is also seen as 'invalid', but with a different error, and allows one to add an exception and proceed to view the page).
  • the given example assumes that an RSA key will be used. If you choose ECDSA instead, add 'keyAgreement' to the 'keyUsage' line.
  • if you have no hostname and want to make a certificate for an IP address, put IP:your-host-address on the subjectAltName line.

Use the following command to create your self-signed certificate. Note that it saves both the new certificate and a new (unencrypted) private key in the same file, as required for use with the Skopos engine:

certfile=my-self-signed-cert.pem
openssl req -batch -nodes -newkey rsa:2048 -x509 -days 3650 -out $certfile -keyout $certfile -config my-cert.cfg

CA-Signed Certificate

Create a certificate-signing request using a configuration file from the following template (replace the {} string with the desired hostname, note it appears twice in the template):

[req]
distinguished_name=dn
req_extensions=e
prompt=no

[e]
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
subjectAltName=DNS:{}

[dn]
O=Automatically Generated Certificate
CN={}

If you have no hostname and want to make a certificate for an IP address, put IP:your-host-address on the subjectAltName line.

Create the certificate-signing request with this command (change the file names as desired):

openssl req -batch -nodes -newkey rsa:2048 -days 3650 -out cert-srv.pem -keyout cert-srv.pem.key -config cert-server.cfg

If you are signing the certificate with your own CA using openssl, use this command (note that you will need the same configuration file from the previous step, even though the CSR already has all the information embedded in it; this is a known bug in openssl):

openssl x509 -req -in cert-srv.pem -out cert-srv-signed.pem -CA ca.pem -CAkey ca.pem -CAcreateserial -days 3650 -extfile cert-server.cfg -extensions e

NOTE: if you are signing multiple certificates with the same CA certificate, always run the command from the same directory and be sure to preserve the ca.srl file that will be created on the first run. This file keeps the 'serial number' of your CA and ensures that each signed certificate has its own unique serial number.

Once you have a signed certificate PEM file, concatenate the private key (the same one used to create the signing request!) and the signed certificate, key first, to make a file suitable for use with the Skopos engine:

cat cert-srv.pem.key cert-srv-signed.pem >cert-srv-with-key.pem
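The CA-signed procedure above, driven end to end as a shell script and followed by the checks worth running before the file is handed to the engine: the bundle chains to the CA for TLS server use, the SAN actually made it into the signed certificate (the point of the -extfile step), and the bundled key matches the certificate. This is an added example, not Skopos' own tooling; it assumes a throwaway test CA created inline (the 'Client Certificates' page covers a real one) and openssl on the PATH.

```shell
# Added example, not Skopos' own code: the CA-signed procedure above run end to end, then checks on the bundle.
# Assumption: a throwaway test CA is created here in place of the one from the 'Client Certificates' page.
make_test_ca() {   # writes ca.pem (certificate) and ca.key (private key)
  cat >ca.cfg <<'EOF'
[req]
distinguished_name=dn
x509_extensions=e
prompt=no
[e]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[dn]
CN=Skopos test CA
EOF
  openssl req -batch -nodes -newkey rsa:2048 -x509 -days 3650 -out ca.pem -keyout ca.key -config ca.cfg 2>/dev/null
}

# make_server_cert HOST OUT: fill the page's CSR template, make the CSR, sign it with the CA, bundle key + cert
make_server_cert() {
  host=$1; out=$2      # {} appears twice in the template (SAN and CN); sed fills both
  sed "s/{}/$host/g" >"$host.cfg" <<'EOF'
[req]
distinguished_name=dn
req_extensions=e
prompt=no
[e]
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
basicConstraints=critical,CA:FALSE
subjectAltName=DNS:{}
[dn]
O=Automatically Generated Certificate
CN={}
EOF
  openssl req -batch -nodes -newkey rsa:2048 -out "$host.csr" -keyout "$host.key" -config "$host.cfg" 2>/dev/null
  # by default x509 -req does not copy the CSR's extensions, hence -extfile/-extensions
  openssl x509 -req -in "$host.csr" -out "$host.crt" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile "$host.cfg" -extensions e 2>/dev/null
  cat "$host.key" "$host.crt" >"$out"      # key first, then certificate, in one file
}

# check_server_cert OUT HOST: chains to the CA for TLS server use, carries the SAN, key matches cert
check_server_cert() {
  out=$1; host=$2
  openssl verify -purpose sslserver -CAfile ca.pem "$out" >/dev/null 2>&1 || return 1
  openssl x509 -in "$out" -noout -text | grep -q "DNS:$host" || return 1
  [ "$(openssl x509 -in "$out" -noout -pubkey)" = "$(openssl pkey -in "$out" -pubout)" ]
}
```

Run it in an empty directory (`make_test_ca; make_server_cert engine.example.test server.pem; check_server_cert server.pem engine.example.test`); a non-zero exit from the check means the bundle should not be deployed.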