Generating private keys with openssl

Keys are the basis of public key algorithms and PKI. Keys usually come in pairs, with one half being the public key and the other half being the private key. With OpenSSL, the private key contains the public key information as well, so a public key doesn’t need to be generated separately.

Public keys come in several flavors, using different cryptographic algorithms. The most popular ones associated with certificates are RSA and DSA, and this article will show how to generate each of them.

Generating an RSA key

An RSA key can be used both for encryption and for signing, and generating one is quite easy; all you have to do is the following:

  openssl genrsa -des3 -out privkey.pem 2048

That will generate a private key which is password protected (it will prompt you for the password during generation). If you don’t want it password protected (usually for server-side use) then leave the -des3 parameter out, i.e.:

  openssl genrsa -out privkey.pem 2048

The number 2048 is the size of the key, in bits. Today, 2048 or higher is recommended for RSA keys, as smaller keys are considered insecure.

Generating a DSA key

A DSA key can be used for signing only. This is important to keep in mind to know what kind of purposes a certificate request with a DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process: first you generate the DSA parameters, then you generate the key itself from those parameters.

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -des3 -out privkey.pem dsaparam.pem

As with RSA, 2048 is the size of the key in bits, and anything smaller than 2048 is insecure by today’s standards.

Also the -des3 parameter will prompt you for a pass phrase – for server use leave it out:

  openssl dsaparam -out dsaparam.pem 2048
  openssl gendsa -out privkey.pem dsaparam.pem
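As an added example that is not part of the original article, here is a small POSIX shell script wrapping the unencrypted server-key procedure from the RSA section above, with the checks a practitioner would want: it refuses key sizes below 2048 bits, creates the key file under a restrictive umask, derives the public key from the private key file (which, as noted above, already contains it) and reports the size of any PEM private key, RSA or DSA, so it also checks keys made with gendsa. It assumes a modern openssl binary on PATH; the function names are this example’s own.

```shell
#!/bin/sh
# Added example: generate an unencrypted server key as the article does, with
# the checks around it.  Assumes `openssl` on PATH; function names are my own.
set -eu

MIN_BITS=2048   # the article's minimum: anything smaller is considered insecure

# gen_server_key DIR BITS: write DIR/privkey.pem (RSA, no passphrase) and
# DIR/pubkey.pem.  Refuses sizes below MIN_BITS.
gen_server_key() {
    dir=$1; bits=$2
    [ "$bits" -ge "$MIN_BITS" ] || { echo "refusing a $bits-bit RSA key" >&2; return 1; }
    # umask 077 so the private key is created mode 0600, never world-readable
    ( umask 077 && openssl genrsa -out "$dir/privkey.pem" "$bits" 2>/dev/null )
    # the private key file already holds the public key, so derive it rather
    # than generating anything separately
    openssl pkey -in "$dir/privkey.pem" -pubout -out "$dir/pubkey.pem"
}

# key_bits FILE: print the size in bits of an RSA or DSA private key
key_bits() {
    openssl pkey -in "$1" -noout -text \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# key_mode FILE: print the octal permission bits (GNU stat, BSD fallback)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# usage: sh genkey.sh DIR [BITS]   (no arguments: only define the functions)
[ $# -eq 0 ] || {
    gen_server_key "$1" "${2:-$MIN_BITS}"
    echo "wrote $1/privkey.pem ($(key_bits "$1/privkey.pem") bit, mode $(key_mode "$1/privkey.pem"))"
}
```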

Installing the latest Firefox on Linux Mint

This probably applies to Ubuntu as well, but my Linux Mint 10 install was stuck on Firefox 3.5 with only occasional updates. So how do you get the latest Firefox to install, with updates?

Well, it’s pretty simple. First make sure Firefox isn’t running, then:

 sudo add-apt-repository ppa:mozillateam/firefox-stable
 sudo apt-get update
 sudo apt-get install firefox ubufox

That’s all that’s needed.

Installing latest mercurial when Ubuntu or Linux Mint repos don’t have it

Ah, I just hit an interesting problem with Mercurial. I had a repository which had been created with a recent version; I had to restore it from a backup onto another machine, but I couldn’t commit to it because its format wasn’t supported:

$ hg st
abort: requirement 'dotencode' not supported!

The reason is that the dotencode format was only introduced into Mercurial in version 1.7, so if you’re running an earlier version you’ll get this error. OK, so upgrade – the problem is that according to apt I had the latest version, 1.6.3. Erm, nope, that’s not the latest.

Thankfully the fix is simple: all you need to do is add the correct repository before installing the latest version.

sudo add-apt-repository ppa:mercurial-ppa/releases
sudo apt-get update
sudo apt-get install mercurial

Once you’ve done that then you’ll find mercurial will work again as expected.

Configure a VPN under Linux

Although NetworkManager on Ubuntu supports VPNs, it doesn’t always work, so this article describes how to set up a PPTP VPN under Linux. Although it’s Ubuntu specific (this works with 9.10 and 10.04), it should work for most distributions.

What you need

You need to know:

  • The remote IP address of the vpn server
  • The remote network address range
  • A remote name to give to this connection
  • remote username and password

What we’ll use for this article:

  • remote Server Ip –
  • remote network address range –
  • remote Name – myvpn
  • name – peter
  • password – password


First you need to install the pptp packages:

peter@kira:~$ sudo apt-get install pptp-linux ppp pptpd


Now, as root, create /etc/ppp/peers/myvpn with the following content, replacing the example values listed above with your own:

peter@kira:~$ sudo vi /etc/ppp/peers/myvpn
pty "pptp --nolaunchpppd"
#logfd 2
ipparam myvpn
remotename myvpn
name peter

Next edit /etc/ppp/chap-secrets and add the following line:

peter@kira:~$ sudo vi /etc/ppp/chap-secrets
peter  myvpn  password *

Now edit (create if missing) /etc/ppp/ip-up.d/add-subnet with the following:

peter@kira:~$ sudo vi /etc/ppp/ip-up.d/add-subnet
#!/bin/sh
# only add the route when the connection named in ipparam comes up
if [ "$PPP_IPPARAM" = "myvpn" ]; then
    # put the remote network address range between -net and dev
    route add -net dev $PPP_IFACE
fi

If you created the add-subnet script then make it executable:

peter@kira:~$ chmod +x /etc/ppp/ip-up.d/add-subnet

Running the VPN Connection

Now, if you have configured everything correctly, you’ll be able to start the VPN with:

peter@kira:~$ sudo pon myvpn

To stop the VPN:

peter@kira:~$ sudo poff myvpn

If it does not work the first time, uncomment the three lines of /etc/ppp/peers/myvpn. When you do, the pon command will not return, but it will log what it’s doing.

You may also have to tweak the other parameters in that file so it’s specific to your VPN.

Name resolution

The above will get you up and running with the actual connection, but does nothing about configuring DNS.

What you can do is either:

  • Manually edit /etc/resolv.conf each time with the remote DNS
  • Edit /etc/ppp/ip-up.d/add-subnet to rewrite resolv.conf when the VPN connects
  • Add hosts directly into your local /etc/hosts file
  • Use a local bind nameserver that forwards to the remote DNS server

I actually use the last of these, a local bind nameserver.
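The second option above, turned into a complete hook, as an added example that is not the article’s own script: it adds the remote route and switches /etc/resolv.conf to the remote DNS server only when the peer named myvpn comes up (so other ppp links are left alone), keeps the pre-VPN resolv.conf as a backup, and restores it from a matching ip-down hook, which the article does not show. REMOTE_NET and REMOTE_DNS are placeholders for your own values, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not the article's script: /etc/ppp/ip-up.d hook that adds the
# remote route and points resolv.conf at the remote DNS, for peer "myvpn" only.
# Symlink the same file into /etc/ppp/ip-down.d to undo the DNS change.
REMOTE_NET=${REMOTE_NET:-192.0.2.0/24}   # placeholder: remote network address range
REMOTE_DNS=${REMOTE_DNS:-192.0.2.53}     # placeholder: DNS server on the remote network
RESOLV=${RESOLV:-/etc/resolv.conf}

# wants_hook IPPARAM: true only for the connection this hook is for, so other
# ppp links (a 3G modem, say) do not get the VPN's route or DNS.
wants_hook() { [ "$1" = "myvpn" ]; }

# resolv_for_vpn DNS [ORIGINAL]: print a resolv.conf that tries the remote DNS
# first and keeps the original nameservers as fallbacks for local names.
resolv_for_vpn() {
    printf 'nameserver %s\n' "$1"
    [ -f "${2:-}" ] && grep '^nameserver' "$2" | grep -v "^nameserver $1\$" || true
}

# hook_up IPPARAM IFACE: run by pppd from ip-up.d
hook_up() {
    wants_hook "$1" || return 0
    route add -net "$REMOTE_NET" dev "$2"
    # keep the pre-VPN copy for ip-down; don't overwrite it on a reconnect
    [ -f "$RESOLV.pre-myvpn" ] || cp "$RESOLV" "$RESOLV.pre-myvpn"
    resolv_for_vpn "$REMOTE_DNS" "$RESOLV.pre-myvpn" > "$RESOLV"
}

# hook_down IPPARAM: run by pppd from ip-down.d; put the original resolv.conf back
hook_down() {
    wants_hook "$1" || return 0
    [ -f "$RESOLV.pre-myvpn" ] && mv "$RESOLV.pre-myvpn" "$RESOLV"
}

# pppd exports PPP_IPPARAM and PPP_IFACE; outside pppd they are empty and
# this is a no-op.  run-parts passes the full path, so $0 tells up from down.
case "$0" in
    */ip-down.d/*) hook_down "${PPP_IPPARAM:-}" ;;
    *)             hook_up "${PPP_IPPARAM:-}" "${PPP_IFACE:-}" ;;
esac
```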

Configuring bind9 on Ubuntu 10.04

This article covers how to install bind9 on Ubuntu 10.04 to act as a local DNS server that speeds up DNS queries, how to configure bind for your local network, how to add slaves, and how to use bind with remote servers over a VPN.

Some of the applications on Ubuntu 10.04, like Gwibber, can fail if they don’t get responses quickly enough from a DNS server, so one solution is to run a local copy of Bind9 which will handle the requests locally. This will not only solve some of those problems but also speed up DNS lookups in general.

A simple installation

First you need to install bind:

peter@kira:~$ sudo apt-get update
peter@kira:~$ sudo apt-get install bind9 dnsutils

Configure local networking

Next you need to configure networking to always use your local bind. How you do this depends on whether you are using static IPs or DHCP.

For static IPs, simply replace the DNS server addresses with that of your server, either or its own IP address on your network.

For DHCP, you need to tell it to ignore the DNS settings it is given. To do this:

  1. Right click the network icon in the tool bar and select Edit Connections.
  2. Select the interface that should use the DNS server, such as Auto eth0, and press Edit.
  3. Select the IPv4 Settings tab and change the method from Automatic (DHCP) to Automatic (DHCP) addresses only.
  4. Apply everything and you should be set.

Common problems to look out for

The following are common problems you should be aware of before you set up bind9.

IPv4 or IPv6

Ubuntu comes with both IPv4 and IPv6 enabled; however, if you are not using IPv6 (or, quite probably, your ISP is still not supporting it either) you may notice bind is a bit slow. This is because it tries lookups over IPv6 first, times out, and only then uses IPv4, which works.

To fix this you need to turn off IPv6 within bind.

peter@kira:~$ sudo vi /etc/default/bind9

Find the line starting with OPTIONS= and add -4 to it. Here’s what mine looks like.

# run resolvconf?

# startup options for the server
OPTIONS="-4 -u bind"

Once you have done that, when you next start/restart bind9 it will use IPv4 only.

Installing bind9 with dnsmasq already installed

If you already have dnsmasq installed you must either uninstall it first or, if you want to keep it as your DHCP server, disable its DNS server first; otherwise the installation will fail, as both cannot listen on the same port.

Now, with dnsmasq you can’t actually do this directly, but you can trick it by getting it to run its DNS on a different port. Simply edit /etc/dnsmasq.conf and add the following line near the top of the file:


Once you have done that, restart dnsmasq and you’ll be able to install bind.

Next we’ll cover how to create zone files defining your local network.

Enable Network Address Translation (NAT) on Linux

Enabling Network Address Translation on Linux is pretty simple. I use it to enable my local network to use a Mobile Broadband stick connected to an old laptop, but this will work for any interface, not just for Mobile Broadband.

What I have is a simple bash script stored in root’s home directory. When I first connect to the net I run this script (as root), which configures NAT, and the rest of the network can then access the net.

Note: The script only needs to be run once per reboot, and the net connection needs to be up when it’s run. However if the net connection is restarted, as long as the machine has not been rebooted, the Linux kernel keeps the settings.

Here’s the script:

#!/bin/sh
INT=hso0              # interface connected to the net; see below
NET=192.168.0.0/24    # placeholder: your local network range; see below

iptables -t nat -A POSTROUTING -s $NET -o $INT -j MASQUERADE
iptables -A FORWARD -s $NET -o $INT -j ACCEPT
iptables -A FORWARD -d $NET -m state --state ESTABLISHED,RELATED -i $INT -j ACCEPT
echo 1 >/proc/sys/net/ipv4/ip_forward

echo "Network $NET is now natted over $INT"

For this to work on your local machine, you simply need to edit the first two lines:

  • INT= the network interface to run Network Address Translation over. hso0 here is for the Option modem I’m using on this specific laptop, but it could easily be ppp0 etc.
  • NET= the local network you want to allow access through the NAT.

If you don’t know what to use for INT, simply run ifconfig both before and after you connect to the net using your broadband; the additional interface is more than likely the one to use.
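As an added example (not the article’s script), the same three rules with the safeguards a practitioner would add: a default-deny FORWARD policy so only hosts in NET are forwarded (the kernel default is ACCEPT, so the article’s rules alone restrict nothing), rules appended only if not already present (re-running the article’s script appends duplicates), and validation of NET and INT before the firewall is touched. INT defaults to hso0 as above; NET is a placeholder, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not the article's script: NAT with a default-deny FORWARD
# policy, idempotent rules and input checks.  INT=hso0 follows the article;
# NET is a placeholder for your own local range.
set -eu
INT=${INT:-hso0}
NET=${NET:-192.168.0.0/24}   # placeholder: local network address range

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 prefix
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; bits=${1#*/}
    { [ "$bits" -ge 0 ] && [ "$bits" -le 32 ]; } 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# rule TABLE RULE...: append RULE to TABLE unless an identical rule already exists
rule() {
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

enable_nat() {
    valid_cidr "$NET" || { echo "NET=$NET is not an IPv4 prefix" >&2; return 1; }
    ip link show "$INT" >/dev/null 2>&1 || { echo "no such interface: $INT" >&2; return 1; }
    iptables -P FORWARD DROP    # forward nothing except what the rules below allow
    rule nat POSTROUTING -s "$NET" -o "$INT" -j MASQUERADE
    rule filter FORWARD -s "$NET" -o "$INT" -j ACCEPT
    rule filter FORWARD -d "$NET" -i "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo 1 >/proc/sys/net/ipv4/ip_forward
    echo "Network $NET is now natted over $INT"
}

# run as root with:  sh nat.sh up   (with no argument only the functions are defined)
if [ "${1:-}" = up ]; then enable_nat; fi
```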

Upgrading Ubuntu to 10.04 quickly

Ubuntu provides a fairly foolproof way to upgrade from one version to the next, but it can take literally hours – when I upgraded my netbook from 9.10 it took just over 4 hours.

The reason for this is that Ubuntu’s update-manager downloads everything. What’s worse, if you want to upgrade from a version earlier than 9.10 you must upgrade one release at a time.

Now I’ve got one machine that’s running 8.10, so I’ve got to upgrade to 9.04 first, then 9.10, before I can upgrade to 10.04. If it’s going to take 4 hours apiece then that’s 12 hours at least.

So how can you speed things up if you have either a slow connection or if you have to do multiple upgrades?

Well, there are two ways. The first is to install from scratch; however, that’s not viable if you are upgrading a configured machine that gets heavy usage.

The other is to use the alternate ISOs and upgrade from those.

So for that machine running 8.10, I need to download the 9.04, 9.10 and 10.04 alternate ISOs, in this case for the i386 platform.

Here are those alternate ISOs:

Version   i386                               amd64
9.04      ubuntu-9.04-alternate-i386.iso     ubuntu-9.04-alternate-amd64.iso
9.10      ubuntu-9.10-alternate-i386.iso     ubuntu-9.10-alternate-amd64.iso
10.04     ubuntu-10.04-alternate-i386.iso    ubuntu-10.04-alternate-amd64.iso

Now for the upgrade process. Either burn each ISO to disc, or mount it locally and run the upgrade.

peter@kodos:~$ sudo mount -o loop ubuntu-9.04-alternate-i386.iso /media/cdrom0

Ubuntu should show the upgrade dialog; however, if it doesn’t, or you are doing this over an ssh connection, you can start it manually. Just remember to use -Y with the ssh command 😉

peter@kang:~$ ssh -Y kodos
peter@kodos:~$ sudo mount -o loop ubuntu-9.04-alternate-i386.iso /media/cdrom0
peter@kodos:~$ gksu "sh /cdrom/cdromupgrade"

You must do this for each step and you can’t skip any of them.

Tip: It will prompt you to check for updates during the procedure. Unless you are upgrading to the latest version, i.e. for the intermediate steps (9.04, 9.10 etc.), you can safely say no here. This will save you a lot of time downloading updates only to wipe them out with the next upgrade.

I found that going from 8.10 to 9.04 took about an hour, but 9.04 to 9.10 just half an hour – a big saving.

Update 2010-05-05: If you are remotely updating a server (i.e. one that does not have a desktop installed) then you can’t use gksu as above. Instead use:

peter@kang:~$ ssh kodos
peter@kodos:~$ sudo mount -o loop ubuntu-9.04-alternate-i386.iso /media/cdrom0
peter@kodos:~$ sudo /cdrom/cdromupgrade