PL03 Presentation

This document discusses X.509 certificates and how to set up a private certification authority for issuing certificates. It provides steps to create a private key, certificate signing request, and self-signed certificate for the CA. It also describes how to set up a certificate database and issue certificates for Apache signed by the private CA. The practical exercise outlines configuring Apache to use the certificates for server authentication and enabling client authentication.

Uploaded by Ivanildo Costa

Criptografia e Fundamentos de Segurança (Cryptography and Security Fundamentals), 2022

Practical Exercise #2
- Certification authorities using OpenSSL
- Server and client authentication with Apache
X.509 Certificates
An X.509 certificate binds a public key to information about a real entity (the
Subject), and is signed by the Issuer. Its main fields are:
• Version
• Serial Number (unique per Issuer)
• Signature Algorithm Identifier
- Algorithm
- Parameters
• Issuer Distinguished Name (who signed the certificate)
• Period of Validity
- Not Before Date
- Not After Date
• Subject Distinguished Name (who the certificate is about)
• Subject's Public Key Info
- Algorithm
- Parameters
- Public Key
• Signature (made with the Issuer's private key over all the fields above)
X.509 Certificates
Information about the entity is stored as a DN (Distinguished Name), a set of
attribute = value pairs:

Attribute             Key   Example
Common Name           CN    CN = Joao Luis
Organization          O     O = UC
Organizational Unit   OU    OU = DEI
City / Locality       L     L = Coimbra
State / Province      ST    ST = Coimbra
Country               C     C = PT

In the form OpenSSL accepts on the command line (-subj), the example above reads
/C=PT/ST=Coimbra/L=Coimbra/O=UC/OU=DEI/CN=Joao Luis
Certification Authorities
• A CA verifies the identity claimed in a CSR (Certificate Signing Request)
before signing it; the signature is what makes the certificate trustworthy
to anyone who trusts the CA
• Public CAs (commercial, trusted by browsers out of the box) and private CAs,
whose root certificate is "self-signed" and must be installed in each client
that should trust it

www.verisign.com
www.multicert.pt
www.thawte.com
Private CA (root certificate)
Private key (RSA / DSA) -> Certificate Signing Request (CSR) -> X.509
certificate signed with that same private key ("self-signed")

Creation of an X.509 certificate issued by the CA
Private key (RSA / DSA) -> Certificate Signing Request (CSR) -> signed with the
private key of the CA -> X.509 certificate
Authentication using X.509 certificates with Apache
Both sides trust the same CA.
Server Authentication: APACHE presents its CA-issued certificate to the BROWSER,
which checks the signature against the CA certificate it trusts.
Client Authentication: the BROWSER presents a certificate issued by the same CA,
and APACHE verifies it before serving the request.
OpenSSL usage examples
# Step 1 - Creation of a 2048-bit private key (RSA) encrypted with 3DES.
# The original slide said 1024-bit, but did not pass a size, so genrsa used its
# own default (2048 in current releases). 1024-bit RSA is no longer considered
# safe, so state the size explicitly.
openssl genrsa -des3 -out xpto.key 2048
# Step 2 - Creation of a CSR (prompts for the key passphrase and the DN fields)
openssl req -new -key xpto.key -out xpto.csr
# Step 3 - Creation of a "self-signed" certificate (signed with the same key
# that made the CSR)
openssl x509 -req -days 365 -in xpto.csr -out xpto.crt -signkey xpto.key

# Viewing the contents of a certificate (-noout suppresses the PEM dump)
openssl x509 -in xpto.crt -text -noout

# Creation of an X.509 certificate using an existing CA (uses the CA database
# configured in openssl.cnf; add -batch to skip the interactive y/n prompts)
openssl ca -in cert.csr -cert ca.crt -keyfile ca.key -out cert.crt

# Converting from PEM to PKCS#12 (key + certificate bundle, e.g. for browser import)
openssl pkcs12 -export -clcerts -in xpto.crt -inkey xpto.key -out xpto.p12

# Converting from PEM to DER
openssl x509 -inform PEM -in xpto.crt -outform DER -out xpto.crt.der
Practical Exercise
Configuration of the CA in /etc/ssl/openssl.cnf
Set dir in the default_ca section to /etc/pki/CA (replacing ./demoCA)

Note:
• you have to create /etc/pki/CA yourself (the folder does not exist on Debian)
• the creation of certificates must be performed inside /etc/pki/CA or one of
its subfolders, because the relative paths in openssl.cnf are resolved from
there
Practical Exercise – Private CA creation
Use triple DES as the encryption algorithm of the private key
Steps:
1. Create Private key
2. Create Certificate Signing Request (CSR) (do not use the "extra"
attributes: leave the challenge password and optional company name empty)
3. Create Certificate (self-signed, since this is the root of the private CA)
Practical Exercise – Private CA and certificates database

1. Create the directory /etc/pki/CA/newcerts (stores a copy of every
certificate issued by the CA, named after its serial number)
2. Create the index.txt file in /etc/pki/CA (maps the serial number of each
certificate issued/signed by the CA to its subject and status)
$ sudo touch /etc/pki/CA/index.txt
3. Create the serial file with the initial sequence number in /etc/pki/CA
(number that identifies the next certificate issued/signed by the CA)
$ echo 01 | sudo tee /etc/pki/CA/serial
(note that "sudo echo 01 > file" does not work: the redirection is performed by
your unprivileged shell, not by sudo, so it fails with "Permission denied")
Main configuration files (Apache, OpenSSL)
OpenSSL configuration:
/etc/ssl/openssl.cnf
Apache with SSL (mod_ssl):
/etc/apache2/sites-enabled/default-ssl.conf
Useful Pointers: Debian Wiki, Apache SSL HowTo
Manual pages: man openssl-ca (man ca on older releases), man openssl
Practical Exercise – Certificates for Apache
Install Apache with:
$ sudo apt-get install apache2
$ sudo a2enmod ssl
Steps:
1. Create and change to the directory /etc/pki/CA/apache to hold the
certificate material for Apache
2. Create Private key
3. Create Certificate Signing Request (CSR), using the server's host name as CN
4. Create Certificate using the private CA
5. Add the host name used as CN to the /etc/hosts file, so the name the
browser connects to matches the certificate (current browsers match the host
name against the subjectAltName extension rather than the CN, so add a DNS SAN
with the same name as well)
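The whole procedure of the previous pages (the OpenSSL usage examples, the CA
database and the Apache certificate) as one runnable script. This is an added
example, not part of the original slides: it builds the CA with the same layout
the exercise uses (index.txt, serial, newcerts/) but in a scratch directory
with its own openssl.cnf, so it never touches /etc/pki/CA. The CA name, the
host name www.example.test and the passphrases are assumptions; it also issues
a client certificate and exports it to PKCS#12, which the client-authentication
part of the exercise needs.

```shell
#!/bin/sh
# Added example, not part of the original slides: a throwaway private CA laid
# out as the exercise describes (index.txt, serial, newcerts/) but rooted in a
# scratch directory with its own openssl.cnf, so it never touches /etc/pki/CA.
# The DN, the host name www.example.test and the passphrases are assumptions.
set -eu

write_ca_config() {   # $1 = CA directory, $2 = server host name for the SAN
    # Unquoted heredoc: $1 and $2 expand now, \$dir is left for OpenSSL.
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default

[ CA_default ]
dir            = $1
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/ca.crt
private_key    = \$dir/ca.key
default_md     = sha256
default_days   = 365
policy         = policy_loose
unique_subject = no

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$2
authorityKeyIdentifier = keyid

[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
authorityKeyIdentifier = keyid
EOF
}

build_private_ca() {  # $1 = CA directory, $2 = passphrase of the CA key
    mkdir -p "$1/newcerts" "$1/apache"
    : > "$1/index.txt"            # empty certificate database
    echo 01 > "$1/serial"         # first serial number the CA will assign
    # Step 1: CA private key, 3DES-encrypted as the exercise requires
    openssl genrsa -des3 -passout "pass:$2" -out "$1/ca.key" 2048 2>/dev/null
    # Steps 2 and 3 at once: CSR signed by its own key, with CA:TRUE extensions
    openssl req -x509 -new -sha256 -days 3650 -config "$1/openssl.cnf" \
        -extensions ca_ext -key "$1/ca.key" -passin "pass:$2" \
        -subj "/C=PT/O=UC/OU=DEI/CN=DEI Private CA" -out "$1/ca.crt"
}

issue_cert() {  # $1 = CA dir, $2 = CA passphrase, $3 = ext section, $4 = CN, $5 = basename
    out="$1/apache/$5"
    openssl genrsa -des3 -passout pass:changeit -out "$out.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$out.key" -passin pass:changeit \
        -subj "/C=PT/O=UC/OU=DEI/CN=$4" -out "$out.csr"
    # The CA signs the CSR; openssl ca updates index.txt and serial itself
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$3" \
        -passin "pass:$2" -in "$out.csr" -out "$out.crt"
}

verify_cert() {  # returns 0 only if certificate $2 chains to the CA in $1
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null
}

demo() {  # $1 = scratch directory
    write_ca_config "$1" www.example.test
    build_private_ca "$1" ca-secret
    issue_cert "$1" ca-secret server_ext www.example.test server   # for Apache
    issue_cert "$1" ca-secret client_ext "Joao Luis" client         # for the browser
    # Browsers import client credentials as PKCS#12, not as separate PEM files
    openssl pkcs12 -export -clcerts -in "$1/apache/client.crt" -inkey "$1/apache/client.key" \
        -passin pass:changeit -passout pass:changeit -out "$1/apache/client.p12"
    verify_cert "$1" "$1/apache/server.crt" && echo "server.crt chains to $1/ca.crt"
}

demo "$(mktemp -d)"
```

After it runs, index.txt holds one "V" (valid) line per issued certificate,
serial has advanced to 03, and newcerts/01.pem and 02.pem are the CA's own
copies of what it signed. The server and client certificates get different
extension sections on purpose: a browser will not accept a clientAuth-only
certificate from a server, and Apache will not accept a serverAuth-only
certificate from a client.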
Practical Exercise – Apache configuration
Steps:
1. Configure Apache with the certificates
Edit /etc/apache2/sites-available/default-ssl.conf (or another site file, per
your settings). Set the following directives to the respective locations:
• SSLCertificateFile < certificate file location > (the server certificate
issued by the private CA)
• SSLCertificateKeyFile < certificate key file location > (the server's private key)
• SSLCACertificateFile < CA certificate file location > (the CA certificate,
used by Apache to verify client certificates in the client authentication step)

2. Enable the site with SSL (from the folder /etc/apache2/sites-available)
# a2ensite default-ssl.conf (or the one you have configured)
# apache2ctl configtest
# systemctl reload apache2
Practical Exercise – Apache configuration
Steps:

When Apache starts it will ask for the passphrase of the server's private key,
because the key was encrypted with 3DES (how it asks is governed by
SSLPassPhraseDialog in the mod_ssl configuration).

1. Access Apache with the name used as CN in the server certificate and placed
in /etc/hosts, i.e. https://<name>/. The browser will warn about an unknown
issuer until the CA certificate (ca.crt) is imported as a trusted authority.
Practical Exercise – Apache with Client Authentication
Issue a client certificate with the private CA, convert it together with its
private key to PKCS#12 and import it into the browser.
Enable client authentication on the Apache server (option SSLVerifyClient, with
SSLCACertificateFile pointing at the CA certificate that issued the client
certificates).
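The site configuration for both halves of the exercise, server authentication
and client authentication, as an added example in the style of Debian's
default-ssl.conf. It is not part of the original slides: the paths under
/etc/pki/CA/apache, the host name www.example.test and the /dei-only location
are assumptions that follow the directory layout the exercise uses.

```apache
# Added example, not from the original slides: a default-ssl.conf style
# VirtualHost with server and client authentication against the private CA.
# Paths under /etc/pki/CA and the host name www.example.test are assumptions.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.test
    DocumentRoot /var/www/html

    SSLEngine on

    # Server authentication: the certificate issued by the private CA.
    # With a 3DES-encrypted key Apache prompts for the passphrase at startup
    # (controlled by SSLPassPhraseDialog in /etc/apache2/mods-available/ssl.conf).
    SSLCertificateFile    /etc/pki/CA/apache/server.crt
    SSLCertificateKeyFile /etc/pki/CA/apache/server.key

    # Client authentication: accept only certificates signed directly by our CA.
    # SSLCACertificateFile is the trust anchor used to verify client certificates;
    # SSLVerifyDepth 1 rejects anything not issued straight from ca.crt.
    SSLCACertificateFile  /etc/pki/CA/ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Expose SSL_CLIENT_* variables to scripts and allow finer checks on the DN
    SSLOptions +StdEnvVars
    <Location /dei-only>
        Require expr %{SSL_CLIENT_S_DN_OU} == "DEI"
    </Location>
</VirtualHost>
</IfModule>
```

Run apache2ctl configtest before reloading. With SSLVerifyClient require, a
browser without a certificate issued by ca.crt gets a TLS handshake failure
rather than an HTTP error page; use SSLVerifyClient optional while testing if
you want to see the SSL_CLIENT_VERIFY variable in a script instead.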
