KB NO. 2723: CREATE A CERTIFICATE FOR SSL DECRYPTION UNDER LINUX
How to create a self-signed CA certificate with OpenSSL and install it on Olfeo for SSL decryption.
Objective
Create the certificates needed to run the SSL decryption component under Linux.
STEPS
- Run the following command to create a self-signed CA certificate valid, for example, for 365 days:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout myKey.pem -out myCA.pem
NB: Please note the limits set by Apple for macOS and iOS: the certificates presented to the browser must have a validity period of 825 days or fewer, use an RSA key of at least 2048 bits and be signed with a SHA-2 algorithm.
source : https://support.apple.com/en-us/HT210176
- Explanations of the different options:
- The req command creates and processes certificate signing requests; combined with -x509 it produces a self-signed certificate instead of a request.
- The -new parameter requests a new certificate. The user is then prompted for the values of the subject fields.
- The -newkey parameter creates a new private key together with the request. Its value rsa:2048 selects an RSA key of 2048 bits.
- When the -x509 option is used, the -days parameter specifies the number of days for which the certificate will be valid.
- The -nodes parameter leaves the private key unencrypted (no passphrase). Anyone who can read myKey.pem can then issue certificates trusted by every client, so restrict the file's permissions accordingly.
- The -keyout parameter specifies the file to which the created private key will be written.
- The -out parameter specifies the file to which the created certificate will be written.
For other options, OpenSSL relies on the values specified in its configuration file, /etc/ssl/openssl.cnf on Debian-based systems (the path differs on other distributions; openssl version -d prints the directory in use).
For example, the default signature algorithm (default_md = sha256) is specified in this configuration file.
- When executing this command, the administrator must provide the information that will be included in the subject of the generated certificate. The Common Name is what users will see when they inspect the certificate in their browser, so give the CA an explicit name (for example the organization's SSL decryption CA) rather than a person's name:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :
Email Address []:
See full OpenSSL documentation : https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
- Retrieve the certificate and key (the *.pem files) on your workstation, for example via WinSCP over SSH. Whoever holds the key file can impersonate any HTTPS site to the clients that trust the CA, so transfer it over an encrypted channel only and delete the copies that are no longer needed.
- In the Olfeo administration interface, import the certificate and key into the SSL decryption configuration.
- On the client side, import the certificate into the certificate stores as a trusted root authority. This operation can be performed by GPO or locally:
Firefox: in the Certificate Manager, be sure to select the Authorities tab, then import myCA.pem:
Then check Trust this CA to identify websites.
Internet Explorer / Chrome / Edge: Tools > Internet Options > Content > Certificates, then the Trusted Root Certification Authorities tab:
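The steps above, from generating the CA to the checks worth running before the files are imported into Olfeo, as an added example that is not part of the original KB or of Olfeo's tooling. It assumes openssl is on the PATH and that the default openssl.cnf is in use (its v3_ca extensions are what mark the self-signed certificate as a CA); the output directory, subject and file names are hypothetical values chosen for the example. The subject is passed with -subj so the prompts listed above are answered from the command line, and the checks cover what Olfeo and the browsers will rely on: CA flag, key size, signature algorithm, key/certificate match, Apple's 825-day limit and the key file's permissions.

```shell
#!/bin/sh
# Added example for this KB (not Olfeo's own code): generate the SSL
# decryption CA non-interactively and sanity-check it before importing it.
# Assumptions: openssl on PATH, default openssl.cnf (v3_ca extensions),
# hypothetical directory, subject and file names.
set -eu

# make_ca DIR DAYS SUBJECT
# Same command as the KB, plus -subj so the subject fields come from the
# command line. -nodes leaves the key unencrypted, so the key file is
# created with mode 600 (umask 077) to limit who can read it.
make_ca() {
    dir="$1"; days="$2"; subj="$3"
    mkdir -p "$dir"
    (umask 077 && openssl req -new -newkey rsa:2048 -days "$days" -nodes -x509 \
        -subj "$subj" -keyout "$dir/myKey.pem" -out "$dir/myCA.pem" 2>/dev/null)
    chmod 600 "$dir/myKey.pem"
}

# check_ca CERT KEY
# Prints one line per check; returns 1 if any check fails, 0 otherwise.
check_ca() {
    cert="$1"; key="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)

    # 1. Must be a CA, otherwise browsers reject the per-site certificates
    #    the decryption component signs with it.
    case "$text" in
        *"CA:TRUE"*) echo "ok: basicConstraints CA:TRUE" ;;
        *) echo "FAIL: certificate is not a CA"; rc=1 ;;
    esac

    # 2. 2048-bit RSA key and SHA-256 signature (Apple's minimums, see the
    #    HT210176 reference in the KB).
    case "$text" in
        *"Public-Key: (2048 bit)"*) echo "ok: 2048-bit RSA key" ;;
        *) echo "FAIL: key is not 2048 bits"; rc=1 ;;
    esac
    case "$text" in
        *sha256WithRSAEncryption*) echo "ok: sha256 signature" ;;
        *) echo "FAIL: signature is not SHA-256"; rc=1 ;;
    esac

    # 3. The private key must belong to the certificate, or the pair is
    #    useless once imported.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "ok: key matches certificate"
    else
        echo "FAIL: key does not match certificate"; rc=1
    fi

    # 4. The certificate was just issued, so "does not expire within 825
    #    days of now" means its validity exceeds Apple's 825-day limit.
    if openssl x509 -in "$cert" -noout -checkend $((825 * 86400)) >/dev/null; then
        echo "FAIL: validity exceeds 825 days"; rc=1
    else
        echo "ok: validity within 825 days"
    fi

    # 5. Only the owner may read the unencrypted key.
    case "$(ls -l "$key" | cut -c1-10)" in
        -rw-------) echo "ok: key file is mode 600" ;;
        *) echo "FAIL: key file is readable by others"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh make-ca.sh /tmp/olfeo-ca
if [ "${1:-}" != "" ]; then
    make_ca "$1" 365 "/C=FR/O=Example Corp/OU=IT/CN=Example Corp SSL Decryption CA"
    check_ca "$1/myCA.pem" "$1/myKey.pem"
fi
```

Run it with the target directory as its only argument; a non-zero exit status means one of the checks failed and the files should not be imported. The 825-day check is only meaningful on a freshly generated certificate, since -checkend measures from the current time rather than from the certificate's notBefore date.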
VALIDATION
Launch Internet Explorer or Firefox, then connect to an HTTPS site. The browser must show no certificate warning, and the site certificate it displays must be issued by the CA you imported. In the access.log, you will see a CONNECT to the HTTPS site, followed by a GET to the same site, which shows that the connection has been decrypted.