:: [linux] Setting up your own Certification authority on your server. ::

MORE UPDATED VERSION OF THIS DOCUMENT CAN BE OBTAINED HERE
 
Some of the information below has been taken from
1. SSL Certificates HOWTO
2. Book: Network Security with OpenSSL
 
The following steps will be of great help.
 
Step 1: Download and install the OpenSSL software.
If you are on Red Hat Linux, check whether it is already installed with
#>rpm -qi openssl
(Most of the time it comes preinstalled. Most of what I have written below applies to RH 9.0.)
 
Step 2: Find the global configuration file.
OpenSSL reads a global configuration file. To find out the location of this file, run
sshvpn@mia:~> openssl ca
Using configuration from /usr/share/ssl/openssl.cnf
---SNIP--
This file has several useful sections. Take a look at it; it is pretty much self-explanatory.
 
Let us start making our own Certificate Authority.
 
Step 3: Create the required directories first. You can create them anywhere; I preferred to create my CA in
/etc/CertAuth
 
mia#> cd /etc
mia#> mkdir CertAuth; cd CertAuth
mia#> mkdir certs; mkdir private
mia#> chmod 700 private
mia#> echo '01' > serial
mia#> touch index.txt
 
Step 4: Copy the following file to /etc/CertAuth/openssl.cnf
 
#
# OpenSSL example configuration file.
# The original configuration file is in /usr/share/ssl/openssl.cnf
#
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section
####################################################################
[ CA_default ]
dir             = /etc/CertAuth         # Where everything is kept
certificate     = $dir/cacert.pem       # The CA certificate
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/certs            # default place for new certs.
private_key     = $dir/private/cakey.pem # The private key
certs           = $dir/certs            # Where the issued certs are kept
serial          = $dir/serial           # The current serial number
crl_dir         = $dir/crl              # Where the issued crl are kept
default_days    = 700                   # how long to certify for
default_crl_days= 300                   # how long before next CRL
default_md      = md5                   # which md to use (md5 is obsolete; use sha256 on current OpenSSL)
policy          = CertAuthCA_policy
x509_extensions = certificate_extensions        # The extensions to add to the cert

# For the CA policy
[ CertAuthCA_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = optional

[ certificate_extensions ]
basicConstraints=CA:FALSE
####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = /etc/CertAuth/private/cakey.pem
default_md              = md5
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions

[ root_ca_distinguished_name ]
commonName              = Certificate Authority Created by Shashank Khanvilkar
stateOrProvinceName     = Illinois
countryName             = US
emailAddress            = shashank@evl.uic.edu
organizationName        = Root Certification Authority

[ root_ca_extensions ]
basicConstraints        = CA:true
 
Step 5: Set the environment variable OPENSSL_CONF.
You can set this variable permanently in root's .tcshrc with
setenv OPENSSL_CONF /etc/CertAuth/openssl.cnf
 ------- OR -------
You can add the following to every openssl command line:
-config /etc/CertAuth/openssl.cnf
 
I guess I will prefer the first method.
 
 
Step 6: Create a root certificate.

Use the following command (with OPENSSL_CONF set as in Step 5, so that the [ req ] section of our openssl.cnf, including default_keyfile, is used):
mia#> openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 10000
Generating a 2048 bit RSA private key
..........................................................................................+++
................................................................................................................+++
writing new private key to '/etc/CertAuth/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
 
If you are not sure about the above command, use "man req"; it describes all the options. A few things need to be clarified, however. The "-x509" option makes req output a self-signed certificate instead of a certificate request. While generating this certificate for ourselves, it also generates a private key (/etc/CertAuth/private/cakey.pem, the location given by default_keyfile), encrypted with the passphrase, and the matching public key, which is embedded in cacert.pem. The "-days" option makes sure that the certificate stays valid for a long time.
 
 
Step 7: View the root certificate to make sure that you are using the right config file and that the certificate remains valid for a long time. NOTE: The actual cacert.pem file only contains the lines
 
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body)
-----END CERTIFICATE-----

To read the contents of this certificate, however, we need to issue the following command. You can see the public key and the other details. The "-text" option prints out everything; the "-noout" option prevents openssl from printing the PEM contents of cacert.pem again.
Some more specific options are
 
 -serial         - print serial number value
 -hash           - print hash value
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 
mia#> openssl x509 -in cacert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Certificate Authority Created by Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=shashank@evl.uic.edu, O=Root Certification Authority
        Validity
            Not Before: May 15 22:33:41 2003 GMT
            Not After : Sep 30 22:33:41 2030 GMT
        Subject: CN=Certificate Authority Created by Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=shashank@evl.uic.edu, O=Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:e3:a6:75:8f:52:f8:39:e3:79:3c:81:ec:24:76:
                    be:09:f0:80:87:22:9f:a3:b3:60:91:9f:37:73:cf:
                    f9:76:25:13:69:95:bc:c1:7a:7c:6a:d0:89:dd:4c:
                    b3:26:55:e7:87:95:52:96:54:3c:a5:d8:50:91:84:
                    12:53:9e:ab:e1:c1:86:74:68:c3:ce:c7:74:07:a1:
                    be:39:7b:80:99:40:0d:38:55:59:31:18:f9:00:b7:
                    2a:ba:8c:f3:69:40:8d:f1:60:9a:68:31:6c:cc:ff:
                    5a:b4:ab:42:db:67:c4:11:56:cd:6b:bd:f5:01:2e:
                    9f:e8:71:5b:0c:24:e9:3f:9e:07:28:81:28:84:eb:
                    79:ae:95:85:fb:e1:f6:b6:ff:35:bd:81:73:ad:c1:
                    52:30:32:0e:49:cd:44:16:eb:97:a5:06:6a:33:b0:
                    de:b9:6d:df:8e:5d:6e:a9:ab:3e:dc:de:eb:3a:c2:
                    ab:19:97:a1:96:0b:c7:3e:cc:30:e5:9b:10:d8:df:
                    00:07:fb:02:19:82:be:1a:24:07:98:46:05:4f:24:
                    78:da:44:0c:fa:4b:93:20:ab:31:6d:08:e2:8c:eb:
                    f5:82:94:09:04:c3:0d:ba:a0:5b:f7:a7:53:8f:71:
                    5f:6d:b0:47:8b:e4:a2:ce:bf:79:6e:5c:4c:8a:23:
                    63:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        92:69:e7:3d:a8:a9:73:7a:f0:16:15:96:cf:69:1a:f6:14:e4:
        78:15:67:6d:a4:fb:85:3a:e7:ee:47:a6:24:b1:ab:10:80:06:
        15:40:e6:13:03:72:f6:55:d8:b7:fd:5c:7c:1c:31:bf:53:a1:
        82:fc:a7:9b:83:cc:f5:09:b9:ff:73:a5:07:2a:89:10:a3:f8:
        64:d0:3f:4f:6e:03:71:06:f2:af:5d:a0:8d:59:cd:5a:e1:08:
        bb:ca:15:c8:05:aa:6d:76:a6:89:d1:8b:6b:03:39:43:21:a4:
        be:21:95:54:33:5e:a7:71:8c:6a:81:c0:0b:91:83:70:32:5c:
        0c:96:1e:c8:71:ba:e7:22:b7:b7:fb:d0:40:8d:f9:62:bc:44:
        16:4e:37:1c:59:7a:a4:8d:29:db:c0:18:3a:f7:cc:89:03:f3:
        75:3b:af:ef:30:e8:4e:c8:d4:30:5a:65:5f:f4:47:04:d2:da:
        ac:a7:79:c1:b9:56:59:11:e7:f0:4a:86:f1:2e:05:a9:d2:fc:
        95:e2:e2:fb:61:dd:7d:bc:77:07:ba:4c:30:0e:46:b2:e6:0e:
        d7:07:4d:c6:9b:e3:79:5a:c0:32:08:33:c8:5e:ae:fa:df:3d:
        d5:08:38:b6:78:77:0a:e3:c9:a8:2f:9f:d0:c7:ad:53:8b:a5:
        77:12:ad:2c
 
Step 8: Users generating a certificate request.
Now we have a certificate authority. But a user who wants to get a certificate signed by us first has to generate a certificate request. I will assume that I am user "sshvpn"; here is the list of commands that I will follow.
Two files are created, testkey.pem and testreq.pem:
testkey.pem ==> the private key generated for the user (protected by the passphrase; usually I will not provide a passphrase, as I need to use this key for automatic creation without user intervention)
testreq.pem ==> the request to be sent to the CA for signing.
 
sshvpn@mia:~> openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
Generating a 1024 bit RSA private key
.........................++++++
.++++++
writing new private key to 'testkey.pem'
Enter PEM pass phrase: secretcode
Verifying - Enter PEM pass phrase: secretcode
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Illinois
Locality Name (eg, city) [Newbury]:Chicago
Organization Name (eg, company) [My Company Ltd]:UIC
Organizational Unit Name (eg, section) []:ECE
Common Name (eg, your name or your server's hostname) []:Shashank Khanvilkar
Email Address []:skhanv1@uic.edu
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:i am a good boy
An optional company name []:
PRESS ENTER
 
The contents of testreq.pem are shown below:
 
sshvpn@mia:~> openssl req -in testreq.pem -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Illinois, L=Chicago, O=UIC, OU=ECE, CN=Shashank Khanvilkar/emailAddress=skhanv1@uic.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b2:9b:8d:04:3c:21:54:6f:b1:99:9f:35:2b:79:
                    2b:72:cb:4c:4d:6a:fa:87:98:a3:dd:3c:fe:bd:c8:
                    38:42:f8:ef:c5:88:03:6e:0f:86:97:e2:51:bb:40:
                    f4:e8:95:f8:2b:2e:37:31:74:c1:ff:34:fd:5c:fe:
                    31:3b:ab:af:10:bf:9d:14:c0:41:99:6f:b7:44:af:
                    62:73:a9:da:d1:3b:01:9c:a2:06:80:e5:01:4d:ad:
                    ef:a1:0d:11:9f:64:6f:d0:c1:63:fe:44:f9:00:7a:
                    ff:a6:c0:8d:b4:56:05:d0:bf:73:92:aa:8c:71:da:
                    a4:a0:45:05:d0:37:db:af:85
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :i am a good boy
    Signature Algorithm: md5WithRSAEncryption
        a5:c1:6b:1d:fe:e6:3f:2a:ce:d7:b2:62:cd:1a:b7:d1:bc:9d:
        1b:c9:0b:f8:9b:c3:cf:71:72:b0:da:e8:d8:90:2a:ff:dd:64:
        3b:97:59:97:e8:a3:df:ba:9f:96:d8:4a:47:d8:0c:b4:f1:74:
        ee:aa:35:cf:67:d4:c1:0a:4c:af:fc:e7:c2:7e:1f:aa:5b:b5:
        8b:f9:ae:bd:e6:21:0e:af:09:b7:26:a6:71:4a:db:4a:d8:37:
        39:d5:28:96:b9:39:9f:39:ba:53:c7:df:30:e6:a4:37:ae:25:
        9e:69:21:a4:3a:ad:d6:88:05:d1:e1:8f:ad:a2:15:7f:46:83:
        78:12
-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END CERTIFICATE REQUEST-----
 
 
 
Send the testreq.pem file to the CA as an e-mail attachment (or just copy it to /etc/CertAuth).
 
Step 9: Issuing the certificate.
The CA should verify that the certificate request really comes from the right person and then issue the certificate with the following command.
 
mia#> openssl ca -in testreq.pem
Using configuration from /etc/CertAuth/openssl.cnf
Enter pass phrase for /etc/CertAuth/private/cakey.pem:secretcode
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Illinois'
localityName          :PRINTABLE:'Chicago'
organizationName      :PRINTABLE:'UIC'
organizationalUnitName:PRINTABLE:'ECE'
commonName            :PRINTABLE:'Shashank Khanvilkar'
emailAddress          :IA5STRING:'skhanv1@uic.edu'
Certificate is to be certified until Apr 14 22:54:31 2005 GMT (700 days)
Sign the certificate? [y/n]:
y
 

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Certificate Authority Created by Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=shashank@evl.uic.edu, O=Root Certification Authority
        Validity
            Not Before: May 15 22:54:31 2003 GMT
            Not After : Apr 14 22:54:31 2005 GMT
        Subject: CN=Shashank Khanvilkar, ST=Illinois, C=US/emailAddress=skhanv1@uic.edu, O=UIC, OU=ECE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b2:9b:8d:04:3c:21:54:6f:b1:99:9f:35:2b:79:
                    2b:72:cb:4c:4d:6a:fa:87:98:a3:dd:3c:fe:bd:c8:
                    38:42:f8:ef:c5:88:03:6e:0f:86:97:e2:51:bb:40:
                    f4:e8:95:f8:2b:2e:37:31:74:c1:ff:34:fd:5c:fe:
                    31:3b:ab:af:10:bf:9d:14:c0:41:99:6f:b7:44:af:
                    62:73:a9:da:d1:3b:01:9c:a2:06:80:e5:01:4d:ad:
                    ef:a1:0d:11:9f:64:6f:d0:c1:63:fe:44:f9:00:7a:
                    ff:a6:c0:8d:b4:56:05:d0:bf:73:92:aa:8c:71:da:
                    a4:a0:45:05:d0:37:db:af:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        88:6a:e4:59:a1:7a:26:43:89:dc:03:73:1d:7f:04:05:42:82:
        c7:9b:6b:ad:6b:df:6d:86:ec:b1:fa:2e:5e:da:0d:89:84:bc:
        3e:a0:5d:3d:6f:9d:23:4d:e2:64:30:f2:fc:03:bc:8f:d9:39:
        84:0e:15:4e:47:c9:d5:a9:25:9d:8d:85:27:80:06:77:b0:c5:
        dc:45:af:08:09:8e:dc:88:56:be:69:b8:21:85:e1:0e:7b:71:
        f7:ce:9a:6f:66:c2:9f:55:bb:33:2f:98:12:10:6b:cc:a7:44:
        fe:e6:f5:78:54:13:5d:e5:51:5b:17:4b:07:9f:4c:6e:c8:95:
        10:1f:90:c0:57:fd:09:a8:1a:ae:e3:8a:8d:a5:87:72:5b:d4:
        0a:da:47:31:53:53:c0:98:1f:af:c8:58:ce:9b:fa:5b:a5:3a:
        71:6d:fe:91:1c:31:83:04:5a:0e:99:d2:a0:17:86:08:40:62:
        78:f5:0b:13:c5:5c:90:8e:d7:b3:fc:f5:96:89:32:21:ac:3c:
        48:bd:70:f4:4e:7e:01:bc:78:3d:05:14:d4:ca:6f:2e:ba:54:
        0a:d6:08:ef:d5:0f:da:bd:27:62:dc:6e:46:81:06:9a:c4:45:
        8d:b6:9d:c3:53:42:43:6d:51:56:6f:48:f4:47:aa:ab:83:01:
        2c:48:9c:b0
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body)
-----END CERTIFICATE-----
Data Base Updated
 
It is recommended that you use the "-notext" and "-out testcert.pem" options. "-notext" suppresses the human-readable dump shown above, and "-out" writes a copy of the certificate to the file testcert.pem in the current directory. This way you will not have to search the certs/ directory for the new certificate.
 
Step 10: Return the signed certificate to the owner.
The newly signed certificate is also created in the /etc/CertAuth/certs/ directory, named "<SerialNumber>.pem".
In our case the Serial Number (see the "Serial Number: 2 (0x2)" line in the output above) was 02. Hence we need to send the file /etc/CertAuth/certs/02.pem back to the owner.
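As an added example that is not part of the original post, here is the whole procedure from Step 3 to Step 10 scripted to run unattended against a scratch directory, ending with the check a CA operator should make after signing: that certs/<serial>.pem is the copy handed back in Step 10 and that it chains to the root. The openssl binary on PATH, the CA_DIR scratch path, the passphrase and the DN values are assumptions; the script uses -config (the second method of Step 5) and sha256 where the post uses md5.

```shell
# Added example, not from the original post: Steps 3 to 10 run end to end, unattended, in a scratch
# directory, then checked with `openssl verify`. openssl on PATH, CA_DIR, DN values and passphrase are assumed.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_PASS='pass:constructed-demo-passphrase'   # a real CA passphrase never belongs in a script
USER_DN='/C=US/ST=Illinois/L=Chicago/O=UIC/CN=Test User'
setup_ca() {  # Steps 3, 4 and 6: layout, the post's openssl.cnf (sha256 instead of md5), root cert
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private" && chmod 700 "$CA_DIR/private"
    echo '01' > "$CA_DIR/serial" && : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_days = 700
default_md = sha256
policy = CertAuthCA_policy
x509_extensions = certificate_extensions
[ CertAuthCA_policy ]
commonName = supplied
countryName = supplied
organizationName = supplied
[ certificate_extensions ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = root_dn
x509_extensions = root_ext
[ root_dn ]
commonName = Demo Root CA
countryName = US
organizationName = Demo Root Certification Authority
[ root_ext ]
basicConstraints = CA:true
EOF
    # -config stands in for the OPENSSL_CONF variable of Step 5, -passout for the passphrase prompt
    openssl req -config "$CA_DIR/openssl.cnf" -x509 -newkey rsa:2048 -days 10000 -passout "$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}
issue_cert() {  # Steps 8 and 9: user request (-nodes: no passphrase, as the post prefers), then the CA signs it
    openssl req -config "$CA_DIR/openssl.cnf" -new -newkey rsa:2048 -nodes -subj "$USER_DN" \
        -keyout "$CA_DIR/testkey.pem" -out "$CA_DIR/testreq.pem" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -notext -passin "$CA_PASS" \
        -in "$CA_DIR/testreq.pem" -out "$CA_DIR/testcert.pem"
}
# Step 10: certs/01.pem is the same certificate as testcert.pem, and it must chain to the root
check_chain() { cmp -s "$CA_DIR/testcert.pem" "$CA_DIR/certs/01.pem" && openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/testcert.pem" >/dev/null; }
# ST and L from the request are missing here: openssl ca drops every field the policy section does not list
issued_subject() { openssl x509 -in "$CA_DIR/testcert.pem" -noout -subject; }
setup_ca && issue_cert && check_chain && echo "issued and verified: $(issued_subject)"
```

Look at the printed subject: L=Chicago from the request is gone, exactly as in the Step 9 output above, because openssl ca keeps only the DN fields listed in the policy section (use -preserveDN to keep them all).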
 
 
Step 11: Revoking a certificate
(Too bored to write this stuff...)
     
 
Regards
Shashank
http://mia.ece.uic.edu/~papers