Customizing X.509 Certificate Fields - PowerPoint PPT Presentation

Provided by: Chu8197
Learn more at: http://cs.uccs.edu
Slides: 23

Transcript and Presenter's Notes

1
Customizing X.509 Certificate Fields
  • Charles D. Short
  • CS526 S2008
  • University of Colorado, Colorado Springs
  • Dr. C. Edward Chow

2
Discussion
  • Project Goal
  • Background
  • OpenSSL
  • OpenSSL commands
  • openssl.cnf File
  • Project .cnf Files
  • Certificate Process
  • Install Server Certificate
  • Install Client Certificate
  • Client Certificate
  • Certificate challenge
  • Server Acknowledgement
  • Server Response
  • Lessons Learned
  • Future Research

3
Project Goal
  • Determine and detail how to insert custom field
    information into an X.509 certificate.

4
Background
  • An X.509 certificate can be used for
    authentication between a client and server to
    ensure client identity, but it does not provide any
    additional fields for information that may be
    useful to custom applications running on the
    server.
  • This project details how to insert additional
    information into the client certificate, which can
    then be used by a server-based application to
    provide services based upon that information.

5
Test Environment
6
OpenSSL
  • Open source project
  • Based on SSLeay library developed by Eric A.
    Young and Tim J. Hudson
  • Provides cryptographic toolkit
  • Secure Sockets Layer (SSL)
  • Transport Layer Security (TLS)
  • General purpose cryptography library
  • http://www.openssl.org/

7
OpenSSL Commands
  • ca
  • Certificate Authority
  • Sign certificate requests
  • Generate Certificate Revocation List (CRL)
  • Maintain issued certificate database
  • req
  • Create and process certificate requests
  • Certificate request creation
  • Certificate signing
  • Certificate display
  • x509
  • Multi purpose certificate utility
  • Display certificate information
  • Convert certificates to various forms
  • Sign certificate requests
  • Edit certificate trust settings

8
openssl.cnf File
  • Divided into sections that begin with bracketed
    identifiers such as [ca]
  • Sections correspond to openssl commands ca, req,
    x509
  • Directives consist of <attribute> = <value>
  • Provides field values
  • Provides field defaults
  • Provides field attributes
  • Provides user prompts

9
openssl.cnf File (cont)
  • CA Section
  • [ca]
  • [CA_default]
  • [policy_match]
  • [policy_anything]
  • REQ Section
  • [req]
  • [req_distinguished_name]
  • [req_attributes]
  • X.509 EXTENSION DIRECTIVES
  • [usr_cert]
  • [v3_req]
  • [v3_ca]
  • [crl_ext]
  • http://www.technoids.org/openssl.cnf.html

10
Project .cnf Files
  • Certificate Authority
  • http://cs.uccs.edu/cdshort/cs526/certreq.txt
  • Server
  • http://cs.uccs.edu/cdshort/cs526/serverreq.txt
  • Client
  • http://cs.uccs.edu/cdshort/cs526/clientreq.txt

11
Certificate Creation Process
  • Create certificate authority
  • openssl req -config certreq.cnf -x509 -newkey
    rsa:2048 -keyout cakey.pem -out cacert.pem
  • Create server certificate request
  • openssl req -config serverreq.cnf -newkey
    rsa:1024 -keyout servertempkey.pem -out
    serverreq.pem
  • Sign server certificate
  • openssl ca -config certreq.cnf -in serverreq.pem
    -out servercrt.pem
  • Create client certificate
  • openssl req -config clientreq.cnf -newkey
    rsa:1024 -out clientreq.pem -keyout clientkey.pem
  • Sign client certificate
  • openssl ca -config certreq.cnf -in clientreq.pem
    -out clientcrt.pem

12
Install Server Certificate
  • Move Certificates and Keys
  • sudo cp servercrt.pem /etc/ssl/certs
  • sudo cp serverkey.pem /etc/ssl/private
  • sudo cp cacert.pem /etc/ssl/certs
  • Edit /etc/apache2/sites-available/default
  • SSLEngine on
  • SSLCertificateFile /etc/ssl/certs/servercrt.pem
  • SSLCertificateKeyFile
  • Edit /etc/apache2/ports.conf
  • Listen 443
  • Edit /etc/apache2/httpd.conf
  • SSLVerifyClient require
  • SSLVerifyDepth 1
  • SSLCACertificateFile /etc/ssl/certs
  • Enable SSL
  • sudo a2enmod ssl
  • Restart Web Server
  • sudo /etc/init.d/apache2 restart

13
Install Client Certificate
  • Combine client certificate and key
  • cat clientkey.pem clientcrt.pem >
    clientcrtandkey.pem
  • Convert PEM to PFX
  • openssl pkcs12 -export -out clientcert.pfx -in
    clientcrtandkey.pem -name "UbuntuWS1 Client
    certificate"
  • Import using Internet Explorer
  • tools/internet options/content/certificates/import

14
Client Certificate
15
Certificate Challenge
16
Server Acknowledgment
17
Server Response
18
Server PHP Code
    <!-- Display Client Certificate Fields -->
    <head>
    <title>Client Certificate Subject Distinguished Name Field</title>
    </head>
    <body>
    <h1><b>Client Certificate Subject Distinguished Name</b></h1>
    <hr>
    <?php
    // mod_ssl exports SSL_CLIENT_S_DN to PHP only when "SSLOptions +StdEnvVars" is set.
    // The DN string comes from the client's certificate, so HTML-escape it before printing.
    print("ClientSDN = " . htmlspecialchars($_SERVER['SSL_CLIENT_S_DN']) . "<br><br>");
    ?>
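
The .cnf-driven certificate creation of slide 11 and the server-side read of the subject DN on this slide, as one added example that is not from the slides or the project's .cnf files: a clientreq.cnf that registers a custom OID under oid_section and sets it in the DN, a self-signed client certificate built from it, and a function that pulls the custom value back out of the subject line. The OID 1.3.6.1.4.1.99999.1, the name accessLevel and all DN values are placeholders.

```shell
#!/bin/sh
# Added example (not the slides' code); the OID, names and DN values are placeholders.
set -eu

# Write a minimal clientreq.cnf into DIR. The top-level oid_section registers a
# short name for the custom OID so it can be used like C, O or CN in the DN.
write_client_cnf() {
  cat > "$1/clientreq.cnf" <<'EOF'
oid_section = custom_oids

[ custom_oids ]
# placeholder private-enterprise OID; use one you own
accessLevel = 1.3.6.1.4.1.99999.1

[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = client_dn

[ client_dn ]
C           = US
O           = Example Client
CN          = client1
accessLevel = gold
EOF
}
# Self-signed certificate straight from the config; the slides instead sign a
# request with "openssl ca", but -x509 keeps this runnable without a CA.
make_client_cert() {
  write_client_cnf "$1"
  openssl req -config "$1/clientreq.cnf" -x509 -newkey rsa:2048 -nodes \
    -keyout "$1/clientkey.pem" -out "$1/clientcrt.pem" 2>/dev/null
}
# Subject in OpenSSL's "oneline" form. x509 never loads the custom name, so
# the field prints by OID, as "1.3.6.1.4.1.99999.1 = gold".
cert_subject() {
  openssl x509 -in "$1/clientcrt.pem" -noout -subject -nameopt oneline
}
# Value of one DN attribute (by OID or short name) from that subject line,
# which is what a server application would key its decisions on.
dn_field() {
  cert_subject "$1" | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^ *$2 = //p"
}

d=$(mktemp -d)
make_client_cert "$d"
cert_subject "$d"
dn_field "$d" 1.3.6.1.4.1.99999.1
```

mod_ssl serialises the same DN into SSL_CLIENT_S_DN with its own separators (slashes in the legacy format, commas in the RFC 2253 form), so a server-side parser must match the format Apache is configured to emit.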

19
Lessons Learned
  • Documentation is scarce
  • Documentation is confusing
  • Certificate fields are obscure
  • Flexibility is limited

20
Future Research
  • Explore the addition of fields outside of the
    Distinguished Name (DN) section.
  • Explore the creation of a different certificate
    format.
  • Modify MOD_SSL code to process new certificate
    contents.
  • Modify Client browser to process new certificate
    contents.

21
References
  • http://www.openssl.org/
  • http://www.openssl.org/docs/apps/ca.html
  • http://www.openssl.org/docs/apps/req.html
  • http://www.openssl.org/docs/apps/x509.html
  • http://www.technoids.org/openssl.cnf.html
  • http://www.oid-info.com/standards.htm
  • http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysql-and-cgi-bin/
  • http://cs.uccs.edu/cs526/secureWebAccess/secureWebAccess.htm
  • https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html
  • http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6

22
Questions?