Welcome to the Open Secure Sockets Layer 🔑
- Introduction
- Configuration of AC1
- Configuration of AC2
- Generation of AC2’s certificate by AC1
- Generation of keys for entity A
- Generation of A certificate by AC2
- Verification of A certificate
- Joining the certificate and the private key
- Use of A’s private key to sign a document
- Questions
- Summary
The objective of this practice is to understand the concepts underlying a public key infrastructure based on the hierarchical trust model. Specifically, the objectives are the following:
- Understand required steps in order to create a mini PKI
- Understand required steps in order to an Authority issuing a certificate
- Understand what the certificate role is regarding the signing and verifying of documents
To achieve these objectives each student (or student group) becomes a ROOT CERTIFICATION AUTHORITY (equal to the role of Fábrica Nacional de Moneda y Timbre in the real world). Such Authority (AC1), according to organizational reasons (for example, to have a local office in all different districts), has some SUBORDINATE CERTIFICATION AUTHORITIES (AC2, AC3,…ACn). Moreover, these last Authorities are in charge of issuing public key certificates to people (A, B, C…).
The group of all the Authorities composes a Public Key Infrastructure (PKI).
We will apply the following commands: ca, req, x509 and verify.
The ca command is a minimal Certification Authority application. It can be used to sign certificate requests in a variety of forms. Its characteristics can be established by means of the file openssl.cnf. Moreover, we must prepare the working environment as a specific directory structure.
The req command primarily creates and processes certificate requests. It can additionally create self signed certificates for use as root CAs for example.
Command x509 can be used to display certificate information, convert certificates to various forms, and sign certificate requests.
Verify command verifies certificate chains.
- Generate the directory structure necessary for AC1 and initialize the files
serialandindex.txt.
mkdir -p A
cd AC1
mkdir requests crls newcerts private
echo '01' > serial
touch index.txt
cd ..- Generate the RSA key-pair and the self signed certificate for AC1. Analyze the output.
cd AC1
openssl req -x509 -newkey rsa:2048 -days 360 -out ac1cert.pem -outform PEM -config openssl_AC1.cnf
cd ..The command requests a passphrase to generate AC1 private key. Remember it when you want to use this key.
cd AC1
openssl x509 -in ac1cert.pem -text -noout
cd ..- Generate the directory structure necessary for AC2 and initialize the files
serialandindex.txt.
cd AC2
mkdir requests crls newcerts private
echo '01' > serial
touch index.txt
cd ..- Generate the RSA key-pair for AC2 and the certificate request which will be sent to AC1 and 'send' it to AC1. Analyze the results.
cd AC2
openssl req -newkey rsa:2048 -days 360 -out ac2req.pem -outform PEM -config openssl_AC2.cnf
cd ..The command requests a passphrase to generate AC2 private key. Remember it when you want to use this key.
cd AC2
openssl req -in ac2req.pem -text -noout
cp ac2req.pem ../AC1/requests
cd ..- Verify the request sent by AC2.
cd AC1
openssl req -in ./requests/ac2req.pem -text -noout
cd ..- Generate the corresponding certificate for AC2 and send it back to AC2. Rename
01.pemintoac2cert.pem, because AC2 has this name in its configuration file.
cd AC1
openssl ca -in ./requests/ac2req.pem -notext -extensions v3_subca -config openssl_AC1.cnf
cd ..AC1 needs its private key to generate AC2 certificate. AC1 passphrase is requested
cd AC1
cp ./newcerts/01.pem ../AC2/ac2cert.pem
cd ..- For entity A, generate an RSA key-pair as well as a certificate request and send it to AC2 (when generating the certificate requests, fill in ALL the requested fields and indicate
ESas country,MADRIDas province, UC3M as organization, and any common name (eg, one NIA) and the email is your student email.
cd A
openssl req -newkey rsa:1024 -days 360 -sha1 -keyout Akey.pem -out Areq.pem
cd ..The command requests a passphrase to generate A private key. Remember it when you want to use this key.
cd A
openssl req -in Areq.pem -text -noout
cp Areq.pem ../AC2requests/
cd ..- Verify the request sent by A.
cd AC2
openssl req -in ./requests/Areq.pem -text -noout
cd ..- Generate certificate for A and send it back to this entity.
cd AC2
openssl ca -in ./requests/Areq.pem -notext -config ./openssl_AC2.cnf
cd ..AC2 needs its private key to generate A certificate. AC2 passphrase is request
cd AC2
cp ./newcerts/01.pem ../A/Acert.pem
cd ..- Analyze changes in AC2 directory and check the resulting certificate:
cd A
openssl x509 -in Acert.pem -text -noout
cd ..- Obtain a copy of the public key certificates of AC1 and AC2 and verify (you need to concatenate both AC1 and AC2 certificates in a single file).
cd A
cp ../AC1/ac1cert.pem ./
cp ../AC2/ac2cert.pem ./
cat ac1cert.pem ac2cert.pem > certs.pem
openssl verify -CAfile certs.pem Acert.pem
cd ..- Export the certificate of entity A, its private key and both AC1 and AC2 certificates (file certs.pem) to PKCS12 format.
cd A
openssl pkcs12 -export -in Acert.pem -inkey Akey.pem -certfile certs.pem -out Acert.p12
cd ..A passphrase is request to export A private key, and a new passphrase is request for Acert.p12
- Create a Microsoft Word Office document and sign it electronically signed using A private key. In order to do that, you have to import
Acert.p12in the browser (Tools > Internet options > Content > Certificates > Import...) and, then, using Microsoft Word make use ofOffice button > Prepare > Add digital signature....
- What is the file serial used for?
- What is the file index used for?
- Could AC2 create a certificate applying step 2 of this script?
- If you or your lab group become a Certification Authority, explain and justify (i.e., advantages, disadvantages, alternatives…) the values you would use to configure the following parameters:
default_days,default_crl_days,countryName - When you open the Word document, once signed, you may notice that a it gives a Verification error. Why does it happen? How can it be solved?
That was fun!
March 7th, 2022