Generating an x.509 certificate


An X.509 certificate is required if you want to use HTTP over TLS (HTTPS) in any capacity. This obviously covers running SwiperProxy towards clients with HTTPS support, but connecting to destination servers over HTTPS also requires an X.509 certificate.

Generating one is easily done with OpenSSL. First, you should make sure you have somewhere to store certificate signing requests:
$ mkdir /etc/ssl/csr

Next, generate a private key and CSR:
$ openssl req -new -newkey rsa:4096 -nodes -sha512 -out /etc/ssl/csr/proxy.example.org.csr -keyout /etc/ssl/private/proxy.example.org.key

You will be prompted to fill in the information that will be embedded in your CSR. It is highly recommended that you fill this in truthfully. Entering a single period (.) leaves a field blank, e.g. if you do not have an organisation. For example:
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:proxy.example.org
Email Address []:hostmaster@example.org

It is recommended that you do not set a challenge password. The company name is, as the prompt states, optional.

You may want to get your certificate signed by a trusted CA. In this case, you will need to submit the CSR you just generated to your CA. The CA will return a signed certificate, which you should place in /etc/ssl/certs.

If you want to self-sign your certificate:
$ openssl x509 -req -sha512 -days 365 -in /etc/ssl/csr/proxy.example.org.csr -signkey /etc/ssl/private/proxy.example.org.key -out /etc/ssl/certs/proxy.example.org.pem

Either way, to use the certificate, it must be readable by the SwiperProxy user, and in a format that SwiperProxy will understand. To do this, concatenate the private key, certificate and any intermediate certificates (in signing order) and make the file readable by the SwiperProxy user. For example:
$ cp /etc/ssl/private/proxy.example.org.key /opt/SwiperProxy/swiperproxy/certificate.pem
$ cat /etc/ssl/certs/proxy.example.org.pem >> /opt/SwiperProxy/swiperproxy/certificate.pem
$ cat /etc/ssl/certs/ca.intermediate.cert.pem >> /opt/SwiperProxy/swiperproxy/certificate.pem
$ chown swiperproxy:swiperproxy /opt/SwiperProxy/swiperproxy/certificate.pem
$ chmod 400 /opt/SwiperProxy/swiperproxy/certificate.pem
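The whole procedure above, collapsed into a non-interactive script plus a sanity check, as an added example that is not part of SwiperProxy's own code or documentation. The -subj string answers the same prompts shown earlier (organisation and unit left blank), and the check confirms what the procedure silently relies on: that the private key at the top of the bundle really belongs to the certificate that follows it, that the certificate has not expired, and that only the owner can read the file. The working directory, the proxy.example.org host name and the hostmaster address are placeholders; the key size is 2048 here only to keep the example quick, use rsa:4096 as above in production.

```shell
#!/bin/sh
# Added example, not SwiperProxy's own code. Paths under the work directory,
# the host name and the e-mail address are constructed placeholders.

# make_bundle <workdir> <fqdn>
# Generates key + CSR + self-signed certificate, then writes <workdir>/certificate.pem
# in the order SwiperProxy expects: private key, leaf certificate, intermediates.
make_bundle() {
    workdir=$1
    fqdn=$2
    mkdir -p "$workdir/csr" "$workdir/private" "$workdir/certs" || return 1
    # -subj supplies the prompt answers non-interactively; O and OU are simply omitted,
    # which is the same as answering "." at the prompt.
    openssl req -new -newkey rsa:2048 -nodes -sha512 \
        -subj "/C=AU/ST=ACT/L=Sydney/CN=$fqdn/emailAddress=hostmaster@example.org" \
        -out "$workdir/csr/$fqdn.csr" -keyout "$workdir/private/$fqdn.key" 2>/dev/null || return 1
    # Self-sign the CSR (submit the CSR to a CA instead if you want a trusted certificate).
    openssl x509 -req -sha512 -days 365 -in "$workdir/csr/$fqdn.csr" \
        -signkey "$workdir/private/$fqdn.key" -out "$workdir/certs/$fqdn.pem" 2>/dev/null || return 1
    # Key first, then the certificate; a self-signed certificate has no intermediates,
    # for a CA-signed one append the intermediate(s) here in signing order.
    cat "$workdir/private/$fqdn.key" "$workdir/certs/$fqdn.pem" > "$workdir/certificate.pem" || return 1
    chmod 400 "$workdir/certificate.pem"
}

# check_bundle <bundle.pem>
# Returns 0 only if the key and certificate in the bundle belong together,
# the certificate is currently valid, and the file mode is exactly 400.
check_bundle() {
    bundle=$1
    # openssl reads the first matching PEM block, so the same file yields the key
    # (first block) and the certificate (second block). Compare their public keys.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ] || return 1
    # The certificate must not already be expired (checkend 0 = "valid right now").
    openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # The bundle carries the private key: nobody but the owner may read it.
    mode=$(stat -c %a "$bundle" 2>/dev/null || stat -f %Lp "$bundle") || return 1
    [ "$mode" = "400" ] || return 1
}

# Usage (manual run):
#   make_bundle /tmp/swiperproxy-certs proxy.example.org && \
#   check_bundle /tmp/swiperproxy-certs/certificate.pem && echo "bundle OK"
```

The public-key comparison is the part worth keeping around: a bundle whose key does not match its certificate, or whose intermediates are in the wrong order, is the usual reason a freshly deployed proxy fails its TLS handshake, and the mismatch is invisible from a plain cat of the file.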

See man openssl for more information.