Customizing X.509 Certificate Fields

1
Customizing X.509 Certificate Fields

• Charles D. Short
• CS526 S2008
• University of Colorado, Colorado Springs
• Dr. C. Edward Chow

2
Discussion

• Project Goal
• Background
• OpenSSL
• OpenSSL commands
• openssl.cnf File
• Project .cnf Files
• Certificate Process
• Install Server Certificate

• Install Client Certificate
• Client Certificate
• Certificate challenge
• Server Acknowledgement
• Server Response
• Lessons Learned
• Future Research

3
Project Goal

• Determine and detail how to insert custom field
  information into an X.509 certificate.

4
Background

• An X.509 certificate can be used for
  authentication between a client and server to
  insure client identity but does not provide any
  additional fields for information which may be
  useful to custom applications running on the
  server.
• This project will detail how to insert additional
  information into the client certificate which may
  then be used by a server based application to
  provide services based upon this information.

5
Test Environment
6
OpenSSL

• Open source project
• Based on SSLeay library developed by Eric A.
  Young and Tim J. Hudson
• Provides cryptographic toolkit
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)
• General purpose cryptography library
• http//www.openssl.org/

7
OpenSSL Commands

• ca
• Certificate Authority
• Sign certificate requests
• Generate Certificate Revocation List (CRL)
• Maintain issued certificate database
• req
• Create and process certificate requests
• Certificate request creation
• Certificate signing
• Certificate display
• x509
• Multi purpose certificate utility
• Display certificate information
• Convert certificates to various forms
• Sign certificate requests
• Edit certificate trust settings

8
openssl.cnf File

• Divided into sections that begin with bracketed
  identifiers such as  ca 
• Sections correspond to openssl commands ca, req,
  x509
• Directives consist of ltattributegt ltvaluegt
• Provides field values
• Provides field defaults
• Provides field attributes
• Provides user prompts

9
openssl.cnf File (cont)

• CA Section
•  ca 
•  CA_default 
•  policy_match 
•  policy_anything 
• REQ Section
•  req 
•  req_distinguished_name 
•  req_attributes 
• X.509 EXTENSION DIRECTIVES
•  usr_cert 
•  v3_req 
•  v3_ca 
•  crl_ext 
• http//www.technoids.org/openssl.cnf.html

10
Project .cnf Files

• Certificate Authority
• http//cs.uccs.edu/cdshort/cs526/certreq.txt
• Server
• http//cs.uccs.edu/cdshort/cs526/serverreq.txt
• Client
• http//cs.uccs.edu/cdshort/cs526/clientreq.txt

11
Certificate Creation Process

• Create certificate authority
• openssl req -config certreq.cnf -x509 -newkey
  rsa2048 keyout cakey.pem -out cacert.pem
• Create server certificate request
• openssl req -config serverreq.cnf -newkey
  rsa1024 keyout servertempkey.pem out
  serverreq.pem
• Sign server certificate
• openssl ca -config certreq.cnf -in serverreq.pem -
  out servercrt.pem
• Create client certificate
• openssl req -config clientreq.cnf -newkey
  rsa1024 -out clientreq.pem -keyout clientkey.pem
• Sign client certificate
• openssl ca -config certreq.cnf -in clientreq.pem
  -out clientcrt.pem

12
Install Server Certificate

• Move Certificates and Keys
• sudo cp servercrt.pem /etc/ssl/certs
• sudo cp serverkey.pem /etc/ssl/private
• sudo cp cacert .pem /etc/ssl/certs
• Edit /etc/apache2/sites-available/default
• SSLEngine on
• SSLCertificateFile /etc/ssl/certs/servercrt.pem
• SSLCertificateKeyFile
• Edit /etc/apache2/ports.conf
• Listen 443
• Edit /etc/apache2/httpd.conf
• SSLVerifyClient require
• SSLVerifyDepth 1
• SSLCACertificateFile /etc/ssl/certs
• Enable SSL
• sudo a2enmod ssl
• Restart Web Server
• sudo /etc/init.d/apache2 restart

13
Install Client Certificate

• Combine client certificate and key
• cat clientkey.pem clientcrt.pem gt
  clientcrtandkey.pem
• Convert PEM to PFX
• openssl pkcs12 -export -out clientcert.pfx -in
  clientcrtandkey.pem -name "UbuntuWS1 Client
  certificate
• Import using Internet Explorer
• tools/internet options/content/certificates/import

14
Client Certificate
15
Certificate Challenge
16
Server Acknowlegment
17
Server Response
18
Server PHP Code

• lt!-- Display Client Certificate Fields --gt
• ltheadgt
• lttitlegtClient Certificate Subject Distinguished
  Name Fieldlt/titlegt
• lt/headgt
• ltbodygt
• lth1gtltbgtClient Certificate Subject Distinguished
  Namelt/bgtlt/h1gt
• lthrgt
• lt?php
• print("ClientSDN _SERVERSSL_CLIENT_S_DNltbr
  gtltbrgt")
• ?gt

19
Lessons Learned

• Documentation is scarce
• Documentation is confusing
• Certificate fields are obscure
• Flexibility is limited

20
Future Research

• Explore the addition of fields outside of the
  Distinguished Name (DN) section.
• Explore the creation of a different certificate
  format.
• Modify MOD_SSL code to process new certificate
  contents.
• Modify Client browser to process new certificate
  contents.

21
References

• http//www.openssl.org/
• http//www.openssl.org/docs/apps/ca.html
• http//www.openssl.org/docs/apps/req.html
• http//www.openssl.org/docs/apps/x509.html
• http//www.technoids.org/openssl.cnf.html
• http//www.oid-info.com/standards.htm
• http//www.zaphu.com/2007/08/21/ubuntu-lamp-server
  -guide-configure-apache-mysql-and-cgi-bin/
• http//cs.uccs.edu/cs526/secureWebAccess/secureWe
  bAccess.htm
• https//help.ubuntu.com/6.06/ubuntu/serverguide/C/
  httpd.html
• http//www.modssl.org/docs/2.8/ssl_howto.htmlToC6
  

22
Questions?