SSL Certification

Please complete all the steps as highlighted in the Lab Document:

Create a document by taking a screenshot of each step in the Lab document

As a part of the submission, zip all the files in your "ca" directory along with the Lab document and submit it.

OpenSSL Certification Authority (CA) on Ubuntu Server


Root CA

The first thing we have to do is to create a root CA. This consists of a private key and root certificate. These two items are the “identity” of our CA.

1. Let’s switch to the root user:

$ sudo su

2. We will create a new folder which stores all keys and certificates:

# mkdir /root/ca

3. In this new folder we have to create some additional sub-folders:

# cd /root/ca

# mkdir newcerts certs crl private requests

4. We also require two files. The first one is called “index.txt”. This is where OpenSSL keeps track of all signed certificates:

# touch index.txt

The second file is called “serial”. Each signed certificate will have a serial number. I will start with number 1234:

# echo '1234' > serial

5. Let’s generate the root private key:

# openssl genrsa -aes256 -out private/cakey.pem 4096

Generating RSA private key, 4096 bit long modulus

..++

………………++

e is 65537 (0x10001)

Enter pass phrase for private/cakey.pem:

Verifying - Enter pass phrase for private/cakey.pem:

The root private key generated is 4096 bit and uses AES 256 bit encryption. It is stored in the private folder using the “cakey.pem” filename.

Anyone that has the root private key will be able to create trusted certificates. This file needs to be kept securely.

6. Use the root private key to create the root certificate:

# openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0

Enter pass phrase for /root/ca/private/cakey.pem:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:Missouri

Locality Name (eg, city) []:St. Louis

Organization Name (eg, company) [Internet Widgits Pty Ltd]:UMSL

Organizational Unit Name (eg, section) []:IST

Common Name (e.g. server FQDN or YOUR name) []:cyber.umsl.edu

Email Address []:[email protected]

The root certificate will be saved as the “cacert.pem” filename and is valid for 10 years.

7. Convert the pem file into a readable format:

# openssl x509 -in cacert.pem -text > cert.txt

Open the text file with an editor and verify the contents:

# gedit cert.txt&

The five things to check are:

a. Serial Number: 0 (0x0)

b. Issuer: C = US, ST = Missouri, L = St. Louis, O = UMSL, OU = IST, CN = cyber.umsl.edu, emailAddress = [email protected]

c. Subject: C = US, ST = Missouri, L = St. Louis, O = UMSL, OU = IST, CN = cyber.umsl.edu, emailAddress = [email protected] (Notice that the issuer and the subject are the same in a self-signed certificate)

d. Validity: verify it is 10 years

e. CA:TRUE

Create a certificate

Our root CA is now up and running. Normally, when you want to install a certificate on a device (a web server, for example), the device generates a CSR (Certificate Signing Request). This CSR is created using the private key of the device.

In this lab we will generate the private key and the CSR and then sign the certificate ourselves, everything “on behalf” of the device.

1. Change directory to requests folder for this:

# cd /root/ca/requests/

2. First, we have to generate a private key:

# openssl genrsa -aes256 -out some_serverkey.pem 2048

Generating RSA private key, 2048 bit long modulus

…………………………+++

….+++

e is 65537 (0x10001)

Enter pass phrase for some_server.pem:

Verifying - Enter pass phrase for some_server.pem:

The private key will be 2048 bit and uses AES 256 bit encryption.

3. With the private key, we can create a CSR:

root@ca:~/ca/requests# openssl req -new -key some_serverkey.pem -out some_server.csr

Enter pass phrase for some_serverkey.pem:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:Missouri

Locality Name (eg, city) []:St. Louis

Organization Name (eg, company) [Internet Widgits Pty Ltd]:UMSL

Organizational Unit Name (eg, section) []:Cyber

Common Name (e.g. server FQDN or YOUR name) []:cybersec.umsl.edu

Email Address []:[email protected]

4. We have to edit some configuration files to make sure that openssl is looking at the right folder for all the certificates:

root@ubuntu:~/ca/requests# gedit /usr/lib/ssl/openssl.cnf&

On lines 46 and 330, change ./demoCA to /root/ca.

Save the file and return to the console.

5. Now we can sign the CSR that we just created. The output will be similar to the following:

root@ubuntu:~/ca/requests# openssl ca -in some_server.csr -out some_server.pem

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for /root/ca/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 4660 (0x1234)

Validity

Not Before: Feb 18 07:38:06 2021 GMT

Not After : Feb 18 07:38:06 2022 GMT

Subject:

countryName = US

stateOrProvinceName = Missouri

organizationName = UMSL

organizationalUnitName = Cyber

commonName = cybersec.umsl.edu

emailAddress = [email protected]

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

21:BC:03:FA:71:34:B6:A5:A7:31:D7:D6:30:1C:74:B0:5B:81:26:BF

X509v3 Authority Key Identifier:

keyid:25:B5:20:D1:EF:D7:9A:5B:1A:D0:A8:18:8D:9B:23:A3:83:D5:F7:A4

Certificate is to be certified until Feb 18 07:38:06 2022 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

6. Convert the pem file into a readable format:

root@ubuntu:~/ca/requests# openssl x509 -in some_server.pem -text > some.txt

Open the text file with an editor and verify the contents:

# gedit some.txt&

The five things to check are:

a. Serial Number: 4660 (0x1234) (Note that the serial number starts at hex 1234, as set in Root CA step 4)

b. Issuer: C = US, ST = Missouri, L = St. Louis, O = UMSL, OU = IST, CN = cyber.umsl.edu, emailAddress = [email protected]

c. Subject: C = US, ST = Missouri, O = UMSL, OU = Cyber, CN = cybersec.umsl.edu, emailAddress = [email protected] (Notice the difference from the self-signed certificate)

d. Validity: verify it is 1 year

e. CA:FALSE

7. The “some_server.pem” file is the signed digital certificate for our web server. If you want you can delete the CSR, move the private key to the “private” folder, and move the new certificate to the “certs” folder:

# rm some_server.csr

# mv some_serverkey.pem /root/ca/private/

# mv some_server.pem /root/ca/certs/

# rm some.txt

The “some_server.pem” certificate can now be installed on your web server.
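As an added example that is not part of the lab document: the Root CA and Create a certificate procedures above, run end to end in a scratch directory with every prompt answered from the command line, followed by one function that performs the five checks from the two "verify the contents" steps on each certificate and validates the chain with openssl verify. Everything in it is constructed: CA_DIR is a temporary directory instead of /root/ca, the passphrases and e-mail addresses are placeholders, and instead of editing /usr/lib/ssl/openssl.cnf the CA gets its own openssl.cnf whose [lab_ca] section points at CA_DIR and whose policy mirrors OpenSSL's default policy_match (which is why, as step 6c notes, the L field of the CSR is absent from the signed subject).

```shell
#!/usr/bin/env bash
# Added example: the lab's Root CA and "Create a certificate" steps, run without prompts in a
# scratch directory, plus the five checks from the "verify the contents" steps as a function.
set -euo pipefail

CA_DIR="${CA_DIR:-$(mktemp -d)}"               # constructed; the lab uses /root/ca
CA_PASS="${CA_PASS:-root-ca-passphrase}"       # constructed placeholder passphrases
SRV_PASS="${SRV_PASS:-server-key-passphrase}"
CA_DN="/C=US/ST=Missouri/L=St. Louis/O=UMSL/OU=IST/CN=cyber.umsl.edu/emailAddress=ca@example.com"
SRV_DN="/C=US/ST=Missouri/L=St. Louis/O=UMSL/OU=Cyber/CN=cybersec.umsl.edu/emailAddress=web@example.com"

write_config() {   # the CA's own openssl.cnf, so /usr/lib/ssl/openssl.cnf is never edited
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = lab_policy
x509_extensions = v3_server
[ lab_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_root_ca() {
  mkdir -p "$CA_DIR"/{newcerts,certs,crl,private,requests}
  touch "$CA_DIR/index.txt"; echo '1234' > "$CA_DIR/serial"
  write_config
  # 4096-bit AES-256-encrypted root key, mode 600: whoever holds it can mint trusted certificates
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/private/cakey.pem" 4096 2>/dev/null
  chmod 600 "$CA_DIR/private/cakey.pem"
  # self-signed root: serial 0, ten years, the DN given with -subj instead of typed at the prompts
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/cakey.pem" \
    -passin "pass:$CA_PASS" -subj "$CA_DN" -days 3650 -set_serial 0 -out "$CA_DIR/cacert.pem"
}

issue_server_cert() {
  local req="$CA_DIR/requests"
  openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$req/some_serverkey.pem" 2048 2>/dev/null
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$req/some_serverkey.pem" \
    -passin "pass:$SRV_PASS" -subj "$SRV_DN" -out "$req/some_server.csr"
  # -batch answers the two y/n prompts; -passin answers the root key passphrase prompt
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -passin "pass:$CA_PASS" \
    -in "$req/some_server.csr" -out "$req/some_server.pem" 2>/dev/null
  mv "$req/some_serverkey.pem" "$CA_DIR/private/"; mv "$req/some_server.pem" "$CA_DIR/certs/"
}

field() { openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*=//'; }   # field CERT -subject|-issuer|-serial

expires_in_days() {   # true when CERT expires between N-1 and N+1 days from now
  openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
  ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

check_cert() {   # check_cert CERT SERIAL_HEX CN DAYS CA:TRUE|CA:FALSE -> the lab's five checks
  local c="$1" root="$CA_DIR/cacert.pem" text
  text=$(openssl x509 -in "$c" -noout -text)
  [ "$(( 16#$(field "$c" -serial) ))" -eq "$(( 16#$2 ))" ] || return 1   # a. serial number
  [ "$(field "$c" -issuer)" = "$(field "$root" -subject)" ] || return 1   # b. issued by the root (self-signed for the root)
  case "$(field "$c" -subject)" in *"$3"*) ;; *) return 1 ;; esac          # c. subject CN
  expires_in_days "$c" "$4" || return 1                                    # d. validity period
  grep -q "$5" <<<"$text" || return 1                                      # e. basic constraints CA flag
  openssl verify -CAfile "$root" "$c" >/dev/null                           # and the signature chain validates
}

main() {
  make_root_ca; issue_server_cert
  check_cert "$CA_DIR/cacert.pem" 0 cyber.umsl.edu 3650 CA:TRUE
  check_cert "$CA_DIR/certs/some_server.pem" 1234 cybersec.umsl.edu 365 CA:FALSE
  echo "root and server certificates pass all checks; CA directory: $CA_DIR"
}
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found; nothing run" >&2; fi
```

The script can run as any user, since nothing touches /root/ca. The pass: form of -passout and -passin is used only to make the run reproducible; on a real CA host keep the interactive prompts, because a passphrase given on the command line is visible in process listings and shell history.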

Security

Protect your root CA folder

# cd /root/ca

# chmod -R 600 /root/ca

Verification

We created some private keys and generated some certificates. Let’s take a closer look at some of our work.

1. Check the index.txt file:

# cat /root/ca/index.txt

The file, which was empty when we created it, now contains an entry for the certificate with serial number 1234.

2. Check that the serial file has been incremented:

# cat /root/ca/serial

1235
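An added example, not part of the lab: the Security and Verification sections protect the CA folder and then read index.txt and serial by hand. The script below does the same checks in functions, against a constructed copy of the directory (one index.txt line in the format openssl ca writes, a serial file, and an empty stand-in for cakey.pem), so it runs without openssl or a real CA. Directory and file names mirror the lab's /root/ca layout; CA_DIR and the e-mail address are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): reads the CA bookkeeping files the Verification section
# inspects and the key-file permissions the Security section protects, on a constructed tree.
set -euo pipefail

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # constructed; the lab uses /root/ca

make_sample_ca_dir() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/certs"
  # index.txt is tab-separated: status (V valid, R revoked, E expired), expiry as YYMMDDHHMMSSZ,
  # revocation date (empty unless revoked), serial in hex, file name ("unknown"), subject DN.
  # This constructed line is what the lab's signing step leaves behind (e-mail is a placeholder).
  printf 'V\t220218073806Z\t\t1234\tunknown\t/C=US/ST=Missouri/O=UMSL/OU=Cyber/CN=cybersec.umsl.edu/emailAddress=web@example.com\n' \
    > "$CA_DIR/index.txt"
  printf '1235\n' > "$CA_DIR/serial"        # the next serial, incremented by the signing
  : > "$CA_DIR/private/cakey.pem"           # stand-in for the root key; only its mode is examined
  chmod 700 "$CA_DIR/private"               # directories keep the x bit so they can be entered
  chmod 600 "$CA_DIR/private/cakey.pem"     # key files: owner read/write only
}

# number of certificates the CA currently lists as valid
count_valid_certs() { awk -F'\t' '$1 == "V" { n++ } END { print n + 0 }' "$CA_DIR/index.txt"; }

# hex serial of the valid certificate issued to the given CN (empty if none)
serial_of_cn() { awk -F'\t' -v cn="$1" '$1 == "V" && index($6, "/CN=" cn) { print $4 }' "$CA_DIR/index.txt"; }

# the serial file must hold exactly one more than the highest serial recorded in index.txt
check_serial_consistent() {
  local max=0 s
  [ -s "$CA_DIR/index.txt" ] || return 0    # nothing issued yet, nothing to compare against
  for s in $(cut -f4 "$CA_DIR/index.txt"); do
    if [ "$(( 16#$s ))" -gt "$max" ]; then max=$(( 16#$s )); fi
  done
  [ "$(( 16#$(cat "$CA_DIR/serial") ))" -eq "$(( max + 1 ))" ]
}

# every private key file must be mode 600; anything looser is reported and fails the check
check_key_perms() {
  local loose
  loose=$(find "$CA_DIR/private" -type f ! -perm 600)
  [ -z "$loose" ] || { echo "loose permissions on: $loose" >&2; return 1; }
}

main() {
  make_sample_ca_dir
  echo "valid certificates: $(count_valid_certs)"
  echo "serial of cybersec.umsl.edu: $(serial_of_cn cybersec.umsl.edu)"
  check_serial_consistent && echo "serial file is consistent with index.txt"
  check_key_perms && echo "private key permissions OK"
}
main
```

Point CA_DIR at a real CA directory (CA_DIR=/root/ca, as root) and skip make_sample_ca_dir to run the same checks there; the only assumption is the index.txt column layout shown in the comment.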
