Transferred from:
http://rhythm-zju.blog.163.com/blog/static/310042008015115718637/
All rights reserved. If you need to reprint it, please indicate the source
Some time ago I studied SSL/TLS and read the English edition of Eric Rescorla's SSL and TLS: Designing and Building Secure Systems (the Chinese edition was severely criticized in one of my earlier blog posts). The author follows the approach Stevens took in TCP/IP Illustrated: using network sniffing to demonstrate the protocol. The difference is that instead of tcpdump he uses ssldump, a tool he wrote himself for SSL/TLS traffic. To test and confirm some of the book's content, I decided to run some experiments with ssldump. However, SSL/TLS communication needs at least one certificate issued by a CA to complete. Since this was only an experiment, I was naturally not going to pay for a certificate, so I decided to create my own CA to issue one.
However, so far I have not managed to sniff a single SSL/TLS packet with ssldump. Why? Simply because setting up a CA and issuing certificates with OpenSSL is so troublesome that I barely got a CA created after a long struggle, and then the ssldump experiment was put off because of other matters, so nothing more has come of it.
What? Well-known CAs offer free certificates? Cough... I only learned that later... Still, the process of setting up a CA with OpenSSL and issuing certificates yourself is worth writing up. The OpenSSL ca command really is hard to use. No wonder the ca(1) manpage says:
WARNINGS
The ca command is quirky and at times downright unfriendly.
The ca utility was originally meant as an example of how to do things in a CA.
It was not supposed to be used as a full blown CA itself: nevertheless some people are using it for this purpose.
The ca command is effectively a single user command: no locking is done on the various files and attempts to run more than one ca command on the same database can have unpredictable results.
So it seems we have to use OpenSSL for the CA. Although its user interface is forbidding, its functionality is probably the most complete among the various FOSS products. It is also easy to obtain: on Debian, aptitude install openssl installs it directly, and on Win32 it is conveniently available from the official Cygwin mirrors. As a beginner in information security I know nothing about other related products, so I simply ground my way through the OpenSSL man pages. After two or three days of spare time, and with help from kghost, I finally grasped the key points. The process of setting up a CA and issuing certificates with OpenSSL is described in detail below.
Create a CA
Create the CA directory structure
To create a CA under the default OpenSSL configuration, you need a specific directory structure in the file system. The configuration is generally located at /usr/ssl/openssl.cnf; see config(1) for details. Create the directory structure with the following commands in a terminal:
$ mkdir -p ./demoCA/{private,newcerts}
$ touch ./demoCA/index.txt
$ echo 01 > ./demoCA/serial
The resulting directory structure is:
.
`-- demoCA/
    |-- index.txt
    |-- newcerts/
    |-- private/
    `-- serial
Generate an RSA key pair for the CA certificate
First, we need to establish an RSA key pair for the CA. Open the terminal and run the following command to generate an RSA key pair:
$ openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048
Parameter description
genrsa
The OpenSSL command used to generate an RSA key pair.
-des3
Encrypt the key pair with the 3DES symmetric cipher. With this option you are asked for a pass phrase during key generation, and you must enter that pass phrase whenever the key pair is used later. Without this option the key is stored unencrypted.
-out ./demoCA/private/cakey.pem
Save the generated key pair to the file ./demoCA/private/cakey.pem.
2048
Number of bits in the RSA modulus, which to some extent indicates the key strength.
The command output is as follows. Enter your own pass phrase and confirm it:
Generating RSA private key, 2048 bit long modulus
................................................+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
Verifying - Enter pass phrase for ./demoCA/private/cakey.pem:<re-enter your pass-phrase>
Generate CA certificate request
To obtain a CA root certificate, we first need to create a certificate request. The CA key pair generated above is used to sign the request.
$ openssl req -new -days 365 -key ./demoCA/private/cakey.pem -out careq.pem
Parameter description
req
The OpenSSL command used to generate a certificate request.
-new
Generate a new certificate request. With this option the user is asked to fill in the corresponding fields while the request is generated.
-days 365
The validity period of the certificate is 365 days from the time of generation. (req itself honors -days only together with -x509; for a plain request the validity is set by ca when it signs.)
-key ./demoCA/private/cakey.pem
Specify ./demoCA/private/cakey.pem as the key pair file used by the certificate.
-out careq.pem
Save the generated certificate request to the file careq.pem.
This command asks for the key pass phrase and then for the certificate information fields. The output is as follows:
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZJ
Locality Name (eg, city) []:Hz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Ltd. Corp.
Organizational Unit Name (eg, section) []:Some Unit
Common Name (eg, YOUR name) []:Someone
Email Address []:some@email.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the CA certificate request
In practice, you obtain a certificate by submitting a certificate request to a well-known CA. Here, however, we are creating a root CA, so we can only sign the certificate request ourselves. We therefore have OpenSSL sign the request with the same key that was used for the certificate request, the so-called "self sign":
$ openssl ca -selfsign -in careq.pem -out ./demoCA/cacert.pem
Parameter description
ca
The OpenSSL command used for CA-related operations.
-selfsign
Issue the certificate with the same key pair that signed the certificate request.
-in careq.pem
Specify careq.pem as the certificate request file.
-out ./demoCA/cacert.pem
Specify ./demoCA/cacert.pem as the output certificate.
This command asks for the key pass phrase, prints the certificate details, and asks the user to confirm:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 16 13:05:09 2008 GMT
            Not After : Jan 15 13:05:09 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ZJ
            organizationName          = Some Ltd. Corp.
            organizationalUnitName    = some unit
            commonName                = someone
            emailAddress              = some@email.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                75:F5:3C:CC:C1:5E:6D:C3:8B:46:A8:08:E6:EA:29:E8:22:7E:70:03
            X509v3 Authority Key Identifier:
                keyid:75:F5:3C:CC:C1:5E:6D:C3:8B:46:A8:08:E6:EA:29:E8:22:7E:70:03
Certificate is to be certified until Jan 15 13:05:09 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Complete CA certificate request generation and signing in one step
The two preceding steps can be combined into one. With the -x509 option of the req command, the following command generates the certificate request and signs it in one go, producing the CA root certificate:
$ openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
Parameter description
req
The OpenSSL command used to generate a certificate request.
-new
Generate a new certificate request. With this option the user is asked to fill in the corresponding fields while the request is generated.
-x509
Generate an X.509 certificate.
-days 365
The validity period of the certificate is 365 days from the time of generation.
-key ./demoCA/private/cakey.pem
Specify ./demoCA/private/cakey.pem as the key pair file used by the certificate.
-out ./demoCA/cacert.pem
Save the generated certificate to the file ./demoCA/cacert.pem.
The command output is as follows. Fill in the corresponding fields:
Enter pass phrase for ./demoCA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZJ
Locality Name (eg, city) []:Hz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Ltd. Corp.
Organizational Unit Name (eg, section) []:Some Unit
Common Name (eg, YOUR name) []:Someone
Email Address []:some@email.com
At this point we have successfully established a private root CA. The process produced a CA key pair file, ./demoCA/private/cakey.pem, and a CA root certificate file signed with that key pair, ./demoCA/cacert.pem. The CA directory structure is now:
.
|-- careq.pem
`-- demoCA/
    |-- cacert.pem
    |-- index.txt
    |-- index.txt.attr
    |-- index.txt.old
    |-- newcerts/
    |   `-- 01.pem
    |-- private/
    |   `-- cakey.pem
    |-- serial
    `-- serial.old
Note: if the certificate request generation step is skipped while setting up the CA (the one-step method), there is no careq.pem file.
Issue certificate
Now we can use the established CA to issue the certificate.
Generate a user certificate RSA key pair
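Following the same procedure used for the CA's RSA key pair, generate a new key pair with the following command:
$ openssl genrsa -des3 -out userkey.pem
Generating RSA private key, 512 bit long modulus
... ++
... ++
e is 65537 (0x10001)
Enter pass phrase for userkey.pem:<enter your pass-phrase>
Verifying - Enter pass phrase for userkey.pem:<re-enter your pass-phrase>
No modulus size is given here, so genrsa falls back to its default, which is 512 bits in this OpenSSL version as the output shows. Append 2048, as for the CA key, to get a key of the same size.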
Generate user certificate request
Following the same procedure used for the CA certificate request, generate a new certificate request with the following command:
$ openssl req -new -days 365 -key userkey.pem -out userreq.pem
Enter pass phrase for userkey.pem:<enter your pass-phrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZJ
Locality Name (eg, city) []:Hz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Ltd. Corp.
Organizational Unit Name (eg, section) []:some other unit
Common Name (eg, YOUR name) []:Another
Email Address []:another@email.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Issue user certificate
Now we can use the CA created earlier to sign the user's certificate request and so issue a certificate for the user. Run the following command:
$ openssl ca -in userreq.pem -out usercert.pem
Parameter description
ca
The OpenSSL command used for CA-related operations.
-in userreq.pem
Specify userreq.pem as the user certificate request file.
-out usercert.pem
Specify usercert.pem as the output user certificate file.
This command asks for the key pass phrase, prints the certificate details, and asks the user to confirm:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 16 14:50:22 2008 GMT
            Not After : Jan 15 14:50:22 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ZJ
            organizationName          = Some Ltd. Corp.
            organizationalUnitName    = some other unit
            commonName                = another
            emailAddress              = another@email.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:E7:8E:84:B1:45:27:83:94:A0:DC:24:79:7B:83:97:99:0B:36:A9
            X509v3 Authority Key Identifier:
                keyid:D9:87:12:94:B2:20:C7:22:AB:D4:D5:DF:33:DB:84:F3:B0:4A:EC:A2
Certificate is to be certified until Jan 15 14:50:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
We have now set up the CA and issued a user certificate. Here are all the shell commands together:
# Create the CA directory structure
mkdir -p ./demoCA/{private,newcerts}
touch ./demoCA/index.txt
echo 01 > ./demoCA/serial
# Generate the CA RSA key pair
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048
# Generate the CA certificate request
openssl req -new -days 365 -key ./demoCA/private/cakey.pem -out careq.pem
# Self-sign the CA certificate
openssl ca -selfsign -in careq.pem -out ./demoCA/cacert.pem
# The two preceding steps can be combined into one
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
# Generate the user's RSA key pair
openssl genrsa -des3 -out userkey.pem
# Generate the user certificate request
openssl req -new -days 365 -key userkey.pem -out userreq.pem
# Issue the user certificate with the CA
openssl ca -in userreq.pem -out usercert.pem
Once you know these basic steps, you can automate them with scripts or makefiles. CA.pl and CA.sh are simple wrappers around the CA-related functions of OpenSSL; on a Debian system with OpenSSL installed, both files can be found in the /usr/lib/ssl/misc/ directory. The makefile solution can be found here.
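The steps above as a non-interactive script, added here as an example; it is not the author's script and not OpenSSL's CA.pl or CA.sh. It takes the one-step req -x509 route in a scratch directory and then checks what the transcripts only print: that the root carries CA:TRUE and that the issued certificate chains to it. Assumptions: its own minimal config file (ca.cnf), AES-256 in place of -des3, and a constructed pass phrase and subject names.

```shell
# Added example. ca.cnf, the subject names and the pass phrase are constructed for the demo.
set -eu
PASS='pass:lab-only'   # demo value; read a real pass phrase from a prompt or protected file
write_conf() {         # own config, so the run does not depend on the system openssl.cnf
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
build_lab() {
  umask 077; cd "$(mktemp -d)"; write_conf   # private keys are created owner-only
  mkdir -p demoCA/private demoCA/newcerts; touch demoCA/index.txt; echo 01 > demoCA/serial
  openssl genrsa -aes256 -passout "$PASS" -out demoCA/private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -days 365 -config ca.cnf -subj '/CN=Lab Root CA' \
    -key demoCA/private/cakey.pem -passin "$PASS" -out demoCA/cacert.pem
  openssl genrsa -aes256 -passout "$PASS" -out userkey.pem 2048 2>/dev/null
  openssl req -new -config ca.cnf -subj '/CN=lab-user' \
    -key userkey.pem -passin "$PASS" -out userreq.pem
  openssl ca -batch -config ca.cnf -passin "$PASS" -in userreq.pem -out usercert.pem
}
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }   # basicConstraints check
chain_ok() { openssl verify -CAfile demoCA/cacert.pem usercert.pem >/dev/null 2>&1; }
build_lab
is_ca demoCA/cacert.pem && chain_ok && echo "lab CA ready in $PWD"
```

The ca -selfsign transcript earlier on this page lists CA:FALSE under X509v3 Basic Constraints for the root itself, because ca applied its user-certificate extensions. A check like is_ca catches that before the root is distributed.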