- Introduction
- Task
- How it works
- Accepted formats
- OpenSSL: Create a public/private key file pair
- OpenSSL: Create a certificate
- PuTTYgen: Create a public/private key file pair
- More information
Iguana only supportsOpenSSL SSH-2 private keys and certificates in PEM format, these must not be password protected. Iguana accepts the older “Traditional” (or “SSLeay”) PKCS#5 format (as defined in RFC2890) or in the newer PKCS#8 format (as defined in RFC5958).
Note: For production systems you will need to get SSL certificates from a Certificate Authority, see Using SSL security, certificates and verify peer etc for more information.
How to create self-certified SSL certificate and public/private key files.
If you are in hurry (and don’t need explanations), then you can just skip this section.
However if you are having a problem with Iguana not accepting your private key, then you should open the key file in a text editor and check if it matches one of two accepted formats.
Iguana will accept these two PKCS formats:
- The older “Traditional” (or “SSLeay”) PKCS#5 format for private keys and certificates (as defined in RFC2890) in unencrypted form (= no passphrase).
These files can be recognized by their specific headers and footers:
- The newer PKCS#8 format for private keys (as defined in RFC5958), in unencrypted form (= no passphrase).
These files can be recognized by their specific headers and footers:
Note: Iguana will not accept SSH format defined in RFC4716, even though the format looks similar:
This section shows you how to create a public/private key file using OpenSSL.
To generate a public/private key file on a Windows system:
- You will need to have OpenSSL installed.
- Create a new directory on your C drive and give it an appropriate name (i.e., Test).
- Open a Command Prompt window and go to the new directory. For example:
C:>cd TestC:Test>
- Type the path of the OpenSSL install directory, followed by the RSA key algorithm. For example:
C:Test>c:openssl\bin\openssl genrsa -out privkey.pem 4096Loading 'screen' into random state - doneGenerating RSA private key, 4096 bit long modulus.................................+++...........................................+++e is 65537 (0x10001)
- Then run this command to split the generated file into separate private and public key files
C:Test>c:openssl\bin\openssl rsa -in privkey.pem -out pubkey.pem -pubout -outform PEM
To generate a public/private key file on a POSIX system:
- Use the ssh-keygen utility which is included as part of most POSIX systems.
- Create a new directory and give it an appropriate name (i.e., Test).
- Open a Command Prompt window and go to the new directory. For example:
cd Test
- Use the rsa option to create a public private key pair (using your email as a comment):
ssh-keygen -t rsa -b 4096 -C "[email protected]" -m PEMTip: Iguana requires PEM format keys. The ssh-keygen utility recently changed to using the (more secure) openssh private key format by default – whereas previously the default was PEM format. To generate PEM format we added the “-m PEM” option to the old command.
The public & private key files are saved in the new directory you created earlier. An example of a private key file is shown below:
-----BEGIN RSA PRIVATE KEY-----MIIEpgIBAAKCAQEA6pwxy6uJ33RbkrsR0qNLzOD28gmAiwbp9bleH3UHb50Epa2i20EDEseOAfsCQoGD+H9hS3vToZZTWeeYuE1qXyrva5i+aqubjQbxBFArjSShBEBrXrFmo+nFZsRRIzmXWtwo+Usu/fPEr/KQ45Q7uL6gb0q87LEiBF8uoI6vqSu7gXkpJWFoJWJ048HUthfyMLgmrarCuwH6fpdO0eqHxJ4/cvm0tBBM+/i2/fc5ruHvsADSJklflvK3ybKVxjHdghqejBIPk3tTQm5fg7uRu7SAMdKqe8VeIpP/ujXawF28gynhtZfBDuUACIAUg3gjj243HAmBDNezRfHmFpYlbwIDAQABAoIBAQCP4/p6gxwNi+z6Inf866B66OMscX2AR15JEkbTHlDQOMp33vYKaWY8J15Ggq/RIGRTjbSbujeDXJKEipHVP83kzo2HPWhUPioqJb6+uXjsmTGUTPpNWpqsH52tuOxWoWTeGjebJmyM3uycSTZqDilO1sPJXlpfBQjrC4GqgbjlFLugOKX4VviGvECcvsThL+7F+SKRJ6lekea2LXK5Cj1W5w2/Kke62+rnZTUrbGGxm9Flxuy0PVSA/S0KI3fCE1bCi7NTXRstOAAzvZCyb7Z0gI29/0c2lyDTd6J3jxGEEpDQ37FB4pbWnUkX0ZVbMy6Y2VTeBZE0R3O4SY6/ZIv5AoGBAP26AT9/u2XwKduIb2YtG5W6cX37FmBwzI5pditi0k4ngG21f9xooye/c3BUoyF9TQ3jgWObZSPYocljJ8rzEkdfHJ8QhCYlVTmdInRjVRffgKOrHDjF9FNK1ggXGLVwGmMbUUeIKXQRw4tKfPpLG0Qcgilx3y69aYHSP6qMVfcTAoGBAOy2Vy5xzjq6U8RL1I1FncArJgB94ae0H2PkPYgmQnFCI87vuG7pv3wZvTK8P0RtFVtB3n+CJZFVby1eTcqHPJkcmeeED323bCftMNW7tf/a7CBaH56k3dqh4h4v6+0P4pyosqldHb3bqTsvc5o7KWTXDH+lx9zKlsuVDHR1rVe1AoGBAMFK3b6JSbN8BfdX9j3p6VTkx6dJDKAF7uAjWcHts/eUQlPR7Il2Ma2LPZ966xgNRBFrm1vNu3xWgdJRNrR2/xreS4imZXZGBKoymlf+gIoCXBbTuVlK/TojDfD1334B3ChaXE5ZXfMtwUGxSorHgwsdiM+YD4WlCOa8zIHaDXd/AoGBAJN7B9ZoEZWFgatLk6JxPVf9ii/EPlO+ZdBW4/9v1vW5v5WuxbpU6HjpkHeL0d9QF35EC9xlugJSuHILz2vf1mGO8FTOcthg74Hwxfxkd4BxZazCefDdx1vwgHFOai/JNedlM+tRmLYxpb66UcxGEARD+AWPxHZLwqgUtS3aI6YBAoGBAKrnyHc3RN/kgyLvyngJUMuqDrbr2sS7TMm0fDoezunv6e7mtG6+GExKDefmpvxmk2vsFU7feQSqiNBicDgOaiV8G1byvA3SauGmNhtRAXpgQMzAaJDIvT86Y0QyLeoUNcW+i8FNqEBpJiWqHnCe3FI6WmF+ISDP6MNHmjLJRG84-----END RSA PRIVATE KEY-----
You can copy the key from above. This key is to be used for testing purposes only.
Note: In this example, the 4096 parameter to the openssl genrsa command indicates that the generated key is 4096 bits long. A key that is 4096 bits or longer is considered more secure. A shorter key will be less secure, but will require less computation to use.
This section shows you how to create a self-signed certificate file using OpenSSL.
Note: Iguana offers support for x509 compatible certificates in pem format, certificates must not be password protected.
To generate a self-signed certificate file on a Windows system:
- You will need to have OpenSSL installed.
- Open a command prompt window and go to the directory you created earlier for the public/private key file. For example:
C:>cd TestC:Test>
- Enter the path of the OpenSSL install directory, followed by the self-signed certificate algorithm. For example:
C:Test>c:openssl\bin\openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 - Follow the instructions that appear in the screen. For example:
You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CAState or Province Name (full name) [Some-State]:OntarioLocality Name (eg, city) []:TorontoOrganization Name (eg, company) [Internet Widgits Pty Ltd]:iNTERFACEWAREOrganizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
To generate a self-signed certificate file on a POSIX system:
- You will need to have OpenSSL installed.
- Open a command prompt window and go to the directory you created earlier for the public/private key file. For example:
cd Test
- Enter the path of the OpenSSL install directory, followed by the self-signed certificate algorithm. For example:
/<path to openssl>/openssl/bin/openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 - Follow the instructions that appear in the screen. For example:
You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:CAState or Province Name (full name) [Some-State]:OntarioLocality Name (eg, city) []:TorontoOrganization Name (eg, company) [Internet Widgits Pty Ltd]:iNTERFACEWAREOrganizational Unit Name (eg, section) []:Common Name (eg, YOUR name) []:Email Address []:
The self-signed certificate file is created and saved in the directory you specified earlier. An example of the certificate format is shown below:
-----BEGIN CERTIFICATE-----MIIDwTCCAqmgAwIBAgIJALZW4cduwiJ0MA0GCSqGSIb3DQEBBQUAMEkxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYDVQQHEwdUb3JvbnRvMRYwFAYDVQQKEw1pTlRf*ckZBQ0VXQVJFMB4XDTA4MTIxNjE1MjMzNFoXDTExMTIxNjE1MjMzNFowSTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xEDAOBgNVBAcTB1Rvcm9udG8xFjAUBgNVBAoTDWlOVEVSRkFDRVdBUkUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqnDHLq4nfdFuSuxHSo0vM4PbyCYCLBun1uV4fdQdvnQSlraLbQQMSx44B+wJCgYP4f2FLe9OhllNZ55i4TWpfKu9rmL5qq5uNBvEEUCuNJKEEQGtesWaj6cVmxFEjOZda3Cj5Sy7988Sv8pDjlDu4vqBvSrzssSIEXy6gjq+pK7uBeSklYWglYnTjwdS2F/IwuCatqsK7Afp+l07R6ofEnj9y+bS0EEz7+Lb99zmu4e+wANImSV+W8rfJspXGMd2CGp6MEg+Te1NCbl+Du5G7tIAx0qp7xV4ik/+6NdrAXbyDKeG1l8EO5QAIgBSDeCOPbjccCYEM17NF8eYWliVvAgMBAAGjgaswgagwHQYDVR0OBBYEFGD7SIq57+klnVi8TF7ypr9PpDC/MHkGA1UdIwRyMHCAFGD7SIq57+klnVi8TF7ypr9PpDC/oU2kSzBJMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHVG9yb250bzEWMBQGA1UEChMNaU5URVJGQUNFV0FSRYIJALZW4cduwiJ0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAOg+0M8BTZNT6CNT7GFVxtDYGGAFiQEpmbcJlLdFsH5snxbH8OvVp5RkpaQlFesyX2LldnJbSEyKH5TzYxCqAUIw1awBvsl7QNW8/O3Cv9iDtCL02aBDB4VH4bUF6HD3TMjntYC7Hax8JiL0RW8RXBezgy260A/mP/EupdWs2n+HKe5z3BSMdVXJDTc8m9R9D3bvtP0IzvQQIPpruHBP3u9tAigAE/BofSWi68uCLyZQnIQnHtak2seFf8N1r3cHrPu7GBgodBDdlXNw7s2wsTAeyDGcmhbJF/nzGqdKhnvOFrsBdiWPKCcECD2oGj/ISNoXimqdmhQfjvn2mzG7Jpk=-----END CERTIFICATE-----
You can copy the certificate from above. This certificate is to be used for testing purposes only.
Note: Remember that this newly created certificate file should be used for test purposes only. Normally, you would need to create a certificate request and send it to a certificate authority (CA). The CA would then sign the certificate and give it back to you upon payment, thus providing you with authentication according to their outlined policies.
These instructions use screenshots from Windows 7, but the process is the same in other Windows versions.
To generate a public/private key file:
- Open puttygen.exe by double clicking on it:
The standard install of puttygen.exe is in C:\Program Files\PuTTY — but it is a standalone executable and can be run from anywhere.
- Click the Generate button, and move the mouse around to generate randomness:
PuTTYgen defaults to the desired RSA (SSH-2 RSA) key.
- Use Conversions>ExportOpenSSL key to export the private key as a “Traditional fortmat” OpenSSL SSH-2 file:
Other key formats like the “ssh.com” export format is not compatible with Iguana.
- Copy the OpenSSH format key for use with Github, Bitbucket and other Git hosts:
Make sure to scroll down to ensure you get the whole key.
In order to enable HTTPS support for use with Iguana, you must first generate valid public key/private key certificates. These digital certificates are used to authenticate the sender. Keys are typically generated in pairs, with one being public and the other being private. The private key must be kept secret to ensure security. It is used to encrypt outgoing messages and decrypt incoming messages. A public key is the one that is released to the public. It allows anyone to use it for encrypting messages to be sent to the user, as well as for decrypting messages received from the user.
f you use OpenSSL to generate certificates, the private key will contain public key information, therefore the public key does not have to be generated separately. You will need to have OpenSSL installed on your machine. You can download OpenSSL for Windows or Linux from: http://www.openssl.org.
On Windows you can use the PuTTYgen program to generate public and private keys, however it does not generate certificates. You can download PuTTYgen for Windows: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
In addition to having a public/private key certificate, you must also obtain a certificate file from a certificate authority (CA), such as Verisign, which issues digital certificates for use by other parties. There are many commercial CAs that charge for their services, while other institutions may have their own CAs. To ensure that the web server (with HTTPS support enabled) functions as expected, you can create a self-signed certificate for use during the initial testing phase.
- Using SSL security, certificates and verify peer etc
- Download PuTTYgen
- PuTTYgen program
- Iguana 6.1 SSL Enhancements
- How do I work with secure SSL web services?
- Verisign
- OpenSSL
As an expert in the field of secure SSL communication and key management, I can provide valuable insights into the concepts covered in the article. My expertise is backed by a comprehensive understanding of public-key cryptography, SSL/TLS protocols, and the tools mentioned, such as OpenSSL and PuTTYgen. Let's delve into the key concepts covered in the article:
-
Public/Private Key Pairs and Certificate Generation:
- The article emphasizes the importance of generating public/private key pairs for secure communication.
- It introduces the concept of self-signed certificates using OpenSSL on both Windows and POSIX systems.
-
Accepted Key Formats for Iguana:
- Iguana supports OpenSSL SSH-2 private keys and certificates in PEM format, specifically without a password.
- Two accepted PKCS formats are mentioned: the older "Traditional" (or "SSLeay") PKCS#5 format and the newer PKCS#8 format.
-
Key Generation with OpenSSL (Windows):
- The article provides step-by-step instructions for generating a public/private key pair using OpenSSL on a Windows system.
- It highlights the need to install OpenSSL, create a directory, and use specific commands to generate the key pair.
-
Key Generation with OpenSSL (POSIX):
- For POSIX systems, the article recommends using the ssh-keygen utility to create a key pair.
- It notes the importance of using the PEM format and introduces the "-m PEM" option for compatibility with Iguana.
-
Self-Signed Certificate Generation with OpenSSL:
- The article explains the process of creating a self-signed certificate using OpenSSL on both Windows and POSIX systems.
- It covers the necessary steps, including providing information for the Distinguished Name (DN) during the certificate request.
-
Key Generation with PuTTYgen:
- PuTTYgen is introduced as a tool for generating public and private keys, specifically for SSH.
- The article explains how to use PuTTYgen to export the private key in the OpenSSL SSH-2 format.
-
HTTPS Support and Certificate Authority (CA):
- To enable HTTPS support, the article stresses the need to generate valid public/private key certificates.
- It mentions the role of a Certificate Authority (CA) in issuing digital certificates and recommends obtaining a certificate file from a CA.
-
Security Best Practices:
- The article touches upon security considerations, such as the length of the generated key for enhanced security.
- It advises that the provided certificate and key examples are for testing purposes only, emphasizing the importance of obtaining certificates from a trusted CA for production systems.
By following these instructions and understanding the underlying concepts, users can effectively generate secure key pairs and certificates for their applications, ensuring a robust foundation for encrypted communication.
