Using Self-Signed Certificates for SSL with CL-HTTP


The procedures described here enable you to create the keys, certificates and Diffie-Hellman parameter files necessary to run CL-HTTP with SSL using self-signed certificates.

Use of self-signed certificates is convenient for testing your secure Web site and practical for low-budget Web sites, but serious Web sites should obtain server certificates from an established certificate authority, like Verisign. Browsers will not trust a certificate issued by your own CA until the CA certificate (ca.crt below) has been imported into their trust store, so expect a warning on the first connection.

By following the procedures below, you will be acting as your own certificate authority. The next step after minting a certificate for your server is to also mint certificates for clients. The file http:examples;ssl;client-certificates.lisp defines a Web interface that enables users to mint client certificates using Mozilla, Firefox, or Netscape Communicator.

The shell commands described here work with OpenSSL under the UNIX family of operating systems. They have been tested under Mac OS X 10.4.6.

Windows users may need to make appropriate adjustments, but the overall sequence should work there as well.

Please report any corrections or improvements to this recipe to bug-cl-http@nospam.cl-http.org.

  1. Preparation
    1. Create a directory to contain the key and certificate files.
        mkdir ~/desktop/certificate-authority/
        cd ~/desktop/certificate-authority/
      
    2. Obtain the shell script sign.sh from http://www.faqs.org/docs/securing/chap24sec195.html
      (sign.sh is not part of the OpenSSL distribution; it wraps openssl ca and expects ca.key and ca.crt in the current directory, where it also writes its own ca.config, serial and database files)
    3. Move it into the certificate-authority directory
    4. Set the permissions on sign.sh
        chmod +x sign.sh
      

  2. Create Certificate Authority Key

       openssl genrsa -des3 -out ca.key 2048
    

  4. Create a Self-Signed Certificate Authority (CA)

       openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    
         Enter pass phrase for ca.key:
         You are about to be asked to enter information that will be incorporated
         into your certificate request.
         What you are about to enter is what is called a Distinguished Name or a DN.
         There are quite a few fields but you can leave some blank
         For some fields there will be a default value,
         If you enter '.', the field will be left blank.
         -----
         Country Name (2 letter code) [AU]: US
         State or Province Name (full name) [Some-State]: Massachusetts
         Locality Name (eg, city) []: Cambridge
         Organization Name (eg, company) [Internet Widgits Pty Ltd]: CL-HTTP Consortium
         Organizational Unit Name (eg, section) []: Cambridge Research
         Common Name (eg, YOUR name) []: John C. Mallery
         Email Address []: Webmaster@nospam.cl-http.org
    

  6. Create Private Key For The SSL Server
     Here we create an RSA key, but DSA keys are also possible with OpenSSL.

       openssl genrsa -des3 -out www-cl-http-org.key 2048
    

  8. Create a Certificate Request (CSR) For The SSL Server

       openssl req -new -key www-cl-http-org.key -out www-cl-http-org.csr
    
         Enter pass phrase for www-cl-http-org.key:
         You are about to be asked to enter information that will be incorporated
         into your certificate request.
         What you are about to enter is what is called a Distinguished Name or a DN.
         There are quite a few fields but you can leave some blank
         For some fields there will be a default value,
         If you enter '.', the field will be left blank.
         -----
         Country Name (2 letter code) [AU]: US
         State or Province Name (full name) [Some-State]: Massachusetts
         Locality Name (eg, city) []: Cambridge
         Organization Name (eg, company) [Internet Widgits Pty Ltd]: CL-HTTP Consortium
         Organizational Unit Name (eg, section) []: Cambridge Research
         Common Name (eg, YOUR name) []: www.cl-http.org
         Email Address []: Webmaster@nospam.cl-http.org
         
         Please enter the following 'extra' attributes
         to be sent with your certificate request
         A challenge password []:
         An optional company name []:
    

  10. Sign The Certificate Request (CSR) Using Your Certificate Authority (CA)

        ./sign.sh www-cl-http-org.csr
    
    CA signing: www-cl-http-org.csr -> www-cl-http-org.crt:
    Using configuration from ca.config
    Enter pass phrase for ./ca.key:
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Massachusetts'
    localityName          :PRINTABLE:'Cambridge'
    organizationName      :PRINTABLE:'CL-HTTP Consortium'
    organizationalUnitName:PRINTABLE:'Cambridge Research'
    commonName            :PRINTABLE:'www.cl-http.org'
    emailAddress          :IA5STRING:'Webmaster@nospam.cl-http.org'
    Certificate is to be certified until Apr 11 16:49:39 2007 GMT (365 days)
    Sign the certificate? [y/n]: y
    
    1 out of 1 certificate requests certified, commit? [y/n] y
     Write out database with 1 new entries
    Data Base Updated
    CA verifying: www-cl-http-org.crt <-> CA cert
    www-cl-http-org.crt: OK
    
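The script below is an added example, not part of the original recipe or of the CL-HTTP distribution. It runs steps 2 through 6 (plus the optional key decryption of step 15) non-interactively with plain openssl commands, replacing sign.sh with openssl x509 -req, and then performs the checks a practitioner wants before copying anything into HTTP:PW;SSL;: that the server certificate verifies against ca.crt, that it carries a subjectAltName (current browsers reject a certificate whose only host name is the CN), that the original key is still passphrase-protected while the decrypted copy is not, and that every key file is mode 0600. The CA common name, the two passphrases, the extra DNS name localhost and the output file names are my constructed placeholders, and the keys are encrypted with AES-256 rather than the recipe's -des3.

```shell
#!/bin/sh
# Added example (not from the CL-HTTP recipe): mint a self-signed CA plus a
# CA-signed server certificate without sign.sh, then verify the result.
# Assumptions (mine): passphrases come from CA_PASS/SRV_PASS, whose defaults
# below are constructed for a throwaway test PKI only; the server is reachable
# as www.cl-http.org and localhost; keys are encrypted with AES-256, not DES3.
set -eu

CA_PASS=${CA_PASS:-ca-test-passphrase}          # constructed placeholder
SRV_PASS=${SRV_PASS:-server-test-passphrase}    # constructed placeholder
HOST=www.cl-http.org

# Minimal OpenSSL config: a DN section (overridden by -subj), the extensions a
# CA certificate needs, and the server extensions including subjectAltName.
write_req_config() {
  cat > "$1/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST, DNS:localhost
subjectKeyIdentifier = hash
EOF
}

# Recipe steps 2-5: CA key, self-signed CA certificate, server key, CSR.
mint_ca_and_csr() {
  dir=$1
  write_req_config "$dir"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
    -config "$dir/req.cnf" -extensions ca_ext \
    -subj "/C=US/ST=Massachusetts/L=Cambridge/O=CL-HTTP Consortium/CN=CL-HTTP Test CA" \
    -out "$dir/ca.crt"
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$dir/www-cl-http-org.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/www-cl-http-org.key" -passin "pass:$SRV_PASS" \
    -config "$dir/req.cnf" \
    -subj "/C=US/ST=Massachusetts/L=Cambridge/O=CL-HTTP Consortium/CN=$HOST" \
    -out "$dir/www-cl-http-org.csr"
}

# Recipe step 6 without sign.sh: sign the CSR with the CA key and attach the
# server extensions from req.cnf (ca.srl is created on first use).
sign_csr() {
  dir=$1
  openssl x509 -req -days 365 -sha256 -in "$dir/www-cl-http-org.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -extfile "$dir/req.cnf" -extensions server_ext \
    -out "$dir/www-cl-http-org.crt"
}

# Recipe step 15: passphrase-free copy for unattended start-up. Anyone who can
# read it can impersonate the server, so every key file is restricted to 0600.
decrypt_server_key() {
  dir=$1
  openssl rsa -in "$dir/www-cl-http-org.key" -passin "pass:$SRV_PASS" \
    -out "$dir/www-cl-http-org-plain.key"
  chmod 600 "$dir/ca.key" "$dir/www-cl-http-org.key" "$dir/www-cl-http-org-plain.key"
}

# Recipe step 12; not run by default because 2048-bit generation is slow.
gen_dh_params() {
  openssl dhparam -outform PEM -out "$1/dhparams$2.pem" "$2"
}

mint_test_pki() {
  mint_ca_and_csr "$1"
  sign_csr "$1"
  decrypt_server_key "$1"
}

# Checks to run before copying files into HTTP:PW;SSL;
chain_ok() {          # exit 0 iff the server cert verifies against the CA ($2 overrides ca.crt)
  openssl verify -CAfile "${2:-$1/ca.crt}" "$1/www-cl-http-org.crt" >/dev/null 2>&1
}
san_names() {         # prints e.g. DNS:www.cl-http.org,DNS:localhost
  openssl x509 -in "$1/www-cl-http-org.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
key_is_encrypted() {  # exit 0 iff the PEM file still needs a passphrase
  grep -q ENCRYPTED "$1"
}
key_mode() {          # prints the permission string, e.g. -rw-------
  ls -ld "$1" | cut -c1-10
}

OUT_DIR=${1:-$(mktemp -d)}
mint_test_pki "$OUT_DIR"
chain_ok "$OUT_DIR"
echo "www-cl-http-org.crt: OK (chains to ca.crt); SAN: $(san_names "$OUT_DIR")"
echo "files written to $OUT_DIR"
```

Run it as sh mint-pki.sh [directory]; afterwards copy www-cl-http-org.crt, either www-cl-http-org.key (with its passphrase) or www-cl-http-org-plain.key (with the null string as password), and a dhparams file from gen_dh_params into HTTP:PW;SSL; as in step 14. The negative check worth keeping in mind is the one sign.sh's final verify step does not show you: a certificate signed by some other CA must fail chain_ok against your ca.crt.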

  12. Create a Diffie-Hellman Parameter File
      This step generates the parameters used for Diffie-Hellman key exchange by SSL under LispWorks. Choose a size that matches the security level of your RSA key: 2048 bits is reasonable but takes some time to compute, while 1024 goes much faster but is no longer considered adequate. If you already have a dhparam.pem file, you can reuse it by supplying it with the -in argument (OpenSSL then reads the existing parameters instead of generating new primes). If you have properly initialized the CL-HTTP random seed and run the server a number of times, you can seed the random generator from the CL-HTTP random seed file http:log;pw;random-seed.lisp by providing it with the -rand argument.

       openssl dhparam -outform PEM -out dhparams2048.pem 2048
    

  14. Copy The Certificate, Key and DH Parameters To HTTP:PW;SSL;
    1. Make sure the SSL directory exists by evaluating:
        (http:pathname-create-directory-if-needed #p"http:pw;ssl;")
      
    2. Translate the logical pathname with:
        (http:translated-pathname "http:pw;ssl;")
      
    3. Copy the key, certificate and DH parameters to HTTP:PW;SSL;
        cp www-cl-http-org.key /cl-http/log/pw/ssl/
        cp www-cl-http-org.crt /cl-http/log/pw/ssl/
        cp dhparams2048.pem /cl-http/log/pw/ssl/
      

  15. Decrypt The Server Key To Avoid Start Up Prompts (Optional)
      A weakness with this approach is that the server key remains unencrypted on the file system. Restrict the key file so that only the uid under which the server runs can read or write it (mode 0600, owned by that uid): anyone who can read the file can impersonate the server for the lifetime of the certificate.

    A better approach would leave the server key encrypted and access the decryption password from the operating system keychain in order to pass it to http:define-https-service.

    1. Change the working directory to HTTP:PW;SSL;
        cd /cl-http/log/pw/ssl/

    2. Copy the original server key
        cp www-cl-http-org.key www-cl-http-org-original.key

    3. Decrypt the server key
        openssl rsa -in www-cl-http-org-original.key -out www-cl-http-org.key

  17. Define HTTPS Port Parameters
      Define the SSL parameters for the port serving HTTPS. If you are using no password with your server key, then provide the null string as the password. The :parameters file name must match the file created in step 12 and copied in step 14 (dhparams2048.pem). The :ciphers :export setting shown here selects export-grade cipher suites, which are deliberately weak; use a stronger cipher selection for any server that handles real traffic (see http:examples;ssl;configuration.lisp for the alternatives).

      (define-https-service
       :port 8443
       :certificate #p"http:pw;ssl;www-cl-http-org.crt"
       :private-key #p"http:pw;ssl;www-cl-http-org.key"
       :password "********"
       :parameters #p"http:pw;ssl;dhparams2048.pem"
       :ciphers :export
       :ssl-version :ssl-default
       :enable-service-p t)
    

  19. Test HTTPS & SSL on the Selected Port
      If you are running the CL-HTTP demonstration Web site, you can export a few URLs and access them with your favorite Web browser to confirm that everything worked. Because the server certificate is signed by your own CA, the browser will warn about an untrusted issuer unless you import ca.crt as a trusted root; that warning by itself does not mean the SSL configuration failed.

      (export-url #u("/cl-http/" :port 8443 :protocol :https)
                  :directory
                  :recursive-p t
                  :pathname "http:www;cl-http;"
                  :expiration `(:interval ,(* 15. 60.))
                  :public t
                  :language :en
                  :keywords '(:cl-http :documentation))
      
      (export-url #u("favicon.ico" :port 8443 :protocol :https)
                  :ico-image
                  :pathname #p"http:www;cl-http;icons;lambda.ico"
                  :public t :max-age #.(* 60 60 24) ;recache every day
                  :keywords '(:cl-http :demo)
                  :documentation "The Website URL icon.")
    

  21. Notes
      More examples of SSL configurations are available in http:examples;ssl;configuration.lisp

    File names for certificates and DH parameters need to be acceptable to OpenSSL as well as Common Lisp, or else you may encounter unexpected behaviors.

    Procedures for configuring Apache SSL are available at http://developer.apple.com/internet/serverside/modssl.html


Copyright 2006, CL-HTTP Consortium. All rights reserved.
M.I.T. Computer Science & Artificial Intelligence Laboratory