Introduction
Task
How it works
Accepted formats
OpenSSL: Create a public/private key file pair
OpenSSL: Create a certificate
PuTTYgen: Create a public/private key file pair
More information

Introduction

Iguana only supports OpenSSL SSH-2 private keys and certificates in PEM format, these must not be password protected. Iguana accepts the older “Traditional” (or “SSLeay”) PKCS#5 format (as defined in RFC2890) or in the newer PKCS#8 format (as defined in RFC5958).

Note: For production systems you will need to get SSL certificates from a Certificate Authority, see Using SSL security, certificates and verify peer etc for more information.

Task [top]

How to create self-certified SSL certificate and public/private key files.

Accepted formats [top]

If you are in hurry (and don’t need explanations), then you can just skip this section.

However if you are having a problem with Iguana not accepting your private key, then you should open the key file in a text editor and check if it matches one of two accepted formats.

Iguana will accept these two PKCS formats:

The older “Traditional” (or “SSLeay”) PKCS#5 format for private keys and certificates (as defined in RFC2890) in unencrypted form (= no passphrase).
These files can be recognized by their specific headers and footers:
The newer PKCS#8 format for private keys (as defined in RFC5958), in unencrypted form (= no passphrase).
These files can be recognized by their specific headers and footers:

Note: Iguana will not accept SSH format defined in RFC4716, even though the format looks similar:

OpenSSL: Create a public/private key file pair [top]

This section shows you how to create a public/private key file using OpenSSL.

To generate a public/private key file on a Windows system:

You will need to have OpenSSL installed.
Create a new directory on your C drive and give it an appropriate name (i.e., Test).
Open a Command Prompt window and go to the new directory. For example:
```
C:>cd Test

C:Test>
```

Type the path of the OpenSSL install directory, followed by the RSA key algorithm. For example:

C:Test>c:openssl\bin\openssl genrsa -out privkey.pem 4096
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
.................................+++
...........................................+++
e is 65537 (0x10001)

Then run this command to split the generated file into separate private and public key files
```
C:Test>c:openssl\bin\openssl rsa -in privkey.pem -out pubkey.pem -pubout -outform PEM
```

To generate a public/private key file on a POSIX system:

Use the ssh-keygen utility which is included as part of most POSIX systems.
Create a new directory and give it an appropriate name (i.e., Test).
Open a Command Prompt window and go to the new directory. For example:
```
cd Test
```
Use the rsa option to create a public private key pair (using your email as a comment):
```
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -m PEM
```
Tip: Iguana requires PEM format keys. The ssh-keygen utility recently changed to using the (more secure) openssh private key format by default – whereas previously the default was PEM format. To generate PEM format we added the “-m PEM” option to the old command.

The public & private key files are saved in the new directory you created earlier. An example of a private key file is shown below:

You can copy the key from above. This key is to be used for testing purposes only.

Note: In this example, the 4096 parameter to the openssl genrsa command indicates that the generated key is 4096 bits long. A key that is 4096 bits or longer is considered more secure. A shorter key will be less secure, but will require less computation to use.

OpenSSL: Create a certificate [top]

This section shows you how to create a self-signed certificate file using OpenSSL.

Note: Iguana offers support for x509 compatible certificates in pem format, certificates must not be password protected.

To generate a self-signed certificate file on a Windows system:

You will need to have OpenSSL installed.
Open a command prompt window and go to the directory you created earlier for the public/private key file. For example:
```
C:>cd Test

C:Test>
```
Enter the path of the OpenSSL install directory, followed by the self-signed certificate algorithm. For example:
```
C:Test>c:openssl\bin\openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
```

Follow the instructions that appear in the screen. For example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:iNTERFACEWARE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

To generate a self-signed certificate file on a POSIX system:

You will need to have OpenSSL installed.
Open a command prompt window and go to the directory you created earlier for the public/private key file. For example:
```
cd Test
```
Enter the path of the OpenSSL install directory, followed by the self-signed certificate algorithm. For example:
```
/<path to openssl>/openssl/bin/openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
```

Follow the instructions that appear in the screen. For example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Toronto
Organization Name (eg, company) [Internet Widgits Pty Ltd]:iNTERFACEWARE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

The self-signed certificate file is created and saved in the directory you specified earlier. An example of the certificate format is shown below:

You can copy the certificate from above. This certificate is to be used for testing purposes only.

Note: Remember that this newly created certificate file should be used for test purposes only. Normally, you would need to create a certificate request and send it to a certificate authority (CA). The CA would then sign the certificate and give it back to you upon payment, thus providing you with authentication according to their outlined policies.

PuTTYgen: Create a public/private key file pair [top]

These instructions use screenshots from Windows 7, but the process is the same in other Windows versions.

To generate a public/private key file:

Open puttygen.exe by double clicking on it:
The standard install of puttygen.exe is in C:\Program Files\PuTTY — but it is a standalone executable and can be run from anywhere.
Click the Generate button, and move the mouse around to generate randomness:
PuTTYgen defaults to the desired RSA (SSH-2 RSA) key.
Use Conversions>Export OpenSSL key to export the private key as a “Traditional fortmat” OpenSSL SSH-2 file:
Other key formats like the “ssh.com” export format is not compatible with Iguana.
Copy the OpenSSH format key for use with Github, Bitbucket and other Git hosts:
Make sure to scroll down to ensure you get the whole key.

How it works [top]

In order to enable HTTPS support for use with Iguana, you must first generate valid public key/private key certificates. These digital certificates are used to authenticate the sender. Keys are typically generated in pairs, with one being public and the other being private. The private key must be kept secret to ensure security. It is used to encrypt outgoing messages and decrypt incoming messages. A public key is the one that is released to the public. It allows anyone to use it for encrypting messages to be sent to the user, as well as for decrypting messages received from the user.

f you use OpenSSL to generate certificates, the private key will contain public key information, therefore the public key does not have to be generated separately. You will need to have OpenSSL installed on your machine. You can download OpenSSL for Windows or Linux from: http://www.openssl.org.

On Windows you can use the PuTTYgen program to generate public and private keys, however it does not generate certificates. You can download PuTTYgen for Windows: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

In addition to having a public/private key certificate, you must also obtain a certificate file from a certificate authority (CA), such as Verisign, which issues digital certificates for use by other parties. There are many commercial CAs that charge for their services, while other institutions may have their own CAs. To ensure that the web server (with HTTPS support enabled) functions as expected, you can create a self-signed certificate for use during the initial testing phase.

Iguana Documentation

How to create self-certified SSL certificate and public/private key files