Search code examples
c++sslboostopensslssl-certificate

Create OpenSSL certificates signed by myself

I'm using boost ssl for server and client, and I have a model for server/client program in my mind, and I'm not sure it's gonna work.

The model I have in my mind is to be the only authority for certificates of my program. My main question is: How can I do that?

In my server program, I define keys as follows:

    context_.use_certificate_chain_file("../sslkeys/server.crt");
    context_.use_private_key_file("../sslkeys/server.key", boost::asio::ssl::context::pem);
    context_.use_tmp_dh_file("../sslkeys/dh512.pem");

I create/sign those keys/certificates using:

$ openssl genrsa -des3 -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
$ cp server.key server.key.secure
$ openssl rsa -in server.key.secure -out server.key
$ openssl dhparam -out dh512.pem 512

For my client program, I would like to create a certificate and sign it by my "server.key", because I think (and I could be wrong, please correct me if I'm) that's the way to do it. The client program requires a key using the command:

ctx.load_verify_file("../sslkeys/client.csr");

So I created a key, which I signed using the server key, with the following commands:

$ openssl genrsa -des3 -out client.key 2048
$ openssl req -new -key client.key -out client.csr
$ openssl x509 -req -days 3650 -in client.csr -signkey ../sslkeys/server.key -out client.crt

Now when I run my client and try to connect the server, I get the error: Handshake failed: certificate verify failed

What is wrong in what I'm doing? And how can I achieve the model I mentioned?

If you require any additional information, please ask.

Thanks for any efforts.

Solution

  • Your signing certificate has no rights to sign, because it has not the CA flag set. Signing will still work, but verification will fail. Since there are already lots of guides on the internet which will show in detail how to do it right so you might just look here or here for more details.

    Also, using only a 512 bit Diffie-Hellman reduces the security of the key exchange to 512 bit, which is exploitable today (see also Logjam attack). The 2048 RSA key does not help here. And using 512 bit might not even work if you use the latest version of OpenSSL which just increased the minimal size to 768 bits for security reasons.