CIS5930 Internet Computing - PowerPoint PPT Presentation

Provided by: Robertva8
Learn more at: http://www.cs.fsu.edu
Transcript and Presenter's Notes


1
CIS5930 Internet Computing
  • Internet Security - Part 2
  • Prof. Robert van Engelen

2
OpenSSL
  • Get a copy of Network Security with OpenSSL
    from O'Reilly
  • Download code examples version 1.3 from
    http://www.opensslbook.com/code.html and unpack
  • Download scripts from
    http://www.cs.fsu.edu/~engelen/sslscripts.tar.gz,
    create a new CA dir somewhere and unpack files into it

3
Creating a Self-Signed Root CA Certificate
  • After unpacking sslscripts.tar.gz in CA, modify
    the openssl.cnf file in the req_distinguished_name
    section for the following items:
      countryName_default = US
      stateOrProvinceName_default = Your-State
      localityName_default = Your-City
      0.organizationName_default = Your-Company-Name
      emailAddress_default = your-email@address
  • If you are going to use only one configuration
    file, use:
      setenv OPENSSL_CONF $HOME//CA/openssl.cnf

4
Creating a Self-Signed Root CA Certificate
  • Run the root.sh script
  • When prompted enter a passphrase to lock the
    private key of the CA
  • Keep the root.pem key and the passphrase in a
    safe place
  • You can distribute the cacert.pem CA certificate
  • The script executes the following commands:
  • Create an RSA key and a certificate signing
    request for the RSA key:
      openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
  • Sign the public key with the private key to
    create a self-signed certificate:
      openssl x509 -req -in rootreq.pem -sha1 -extfile openssl.cnf -extensions v3_ca -signkey rootkey.pem -out cacert.pem -days 1095
  • Keep the certificate and the private key in one
    file (root.pem):
      cat cacert.pem rootkey.pem > root.pem
  • Display the X509 certificate subject, issuer, and
    dates:
      openssl x509 -subject -issuer -dates -noout -in root.pem
  • To display the entire X509 certificate:
      openssl x509 -text -in root.pem

5
Using the CA Private Key to Sign Certificates
  • Recall that the CA is the trusted third party,
    which means:
  • The CA private key is used to sign certificates
  • The CA public key (in the CA certificate) is used
    to verify certificates
  • To create a new private/public key pair and sign
    the public key with the CA to create a
    certificate, run cert.sh <name>
  • Enter a password when prompted and enter the host
    or localhost of the domain of the networked
    application as the common name
  • The password is used to lock the private key (it
    will be needed by your application to unlock the
    private key to establish secure communications)
  • Use the root CA's passphrase when prompted to
    sign the certificate

6
Using the CA Private Key to Sign Certificates
  • The cert.sh script executes the following
    commands on command-line argument <name> (e.g. use
    server for <name> to create server.pem):
  • Create new keys and a certificate signing
    request:
      openssl req -newkey rsa:1024 -sha1 -keyout <name>key.pem -out <name>req.pem
  • Sign the certificate with the root CA key:
      openssl x509 -req -in <name>req.pem -sha1 -extfile openssl.cnf -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out <name>cert.pem -days 365
  • Put everything into one PEM file (including the
    CA certificate):
      cat <name>cert.pem <name>key.pem cacert.pem > <name>.pem
  • Display the certificate subject, issuer, and
    dates:
      openssl x509 -subject -issuer -dates -noout -in <name>.pem
  • To display the entire X509 certificate:
      openssl x509 -text -in <name>.pem
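
The root CA and certificate-signing steps from the two scripts, condensed into one non-interactive run with a verification check added. This is an added example, not the course's root.sh or cert.sh: it swaps RSA-2048 and SHA-256 in for the slides' rsa:1024 and -sha1 and writes its own minimal openssl.cnf. The passphrases, subject names, and the function names build_demo_pki and chain_ok are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the course's root.sh/cert.sh. Constructed values: both
# passphrases, the subject names, function names. Assumes RSA-2048/SHA-256.
CA_PASS='pass:constructed-ca-passphrase'
SRV_PASS='pass:constructed-server-passphrase'

build_demo_pki() (   # usage: build_demo_pki DIR (subshell body keeps cd local)
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077        # key files readable by the owner only
    cat > openssl.cnf <<'EOF' || exit 1
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF
    # Root CA: key and CSR, then self-sign with the v3_ca extensions.
    openssl req -newkey rsa:2048 -sha256 -config openssl.cnf \
        -subj '/C=US/O=Your-Company-Name/CN=Demo Root CA' \
        -passout "$CA_PASS" -keyout rootkey.pem -out rootreq.pem &&
    openssl x509 -req -in rootreq.pem -sha256 -extfile openssl.cnf \
        -extensions v3_ca -signkey rootkey.pem -passin "$CA_PASS" \
        -out cacert.pem -days 1095 &&
    cat cacert.pem rootkey.pem > root.pem &&
    # Server: key and CSR with the host name as CN, signed with the CA key.
    openssl req -newkey rsa:2048 -sha256 -config openssl.cnf \
        -subj '/C=US/O=Your-Company-Name/CN=localhost' \
        -passout "$SRV_PASS" -keyout serverkey.pem -out serverreq.pem &&
    openssl x509 -req -in serverreq.pem -sha256 -extfile openssl.cnf \
        -extensions usr_cert -CA root.pem -CAkey root.pem -passin "$CA_PASS" \
        -CAcreateserial -out servercert.pem -days 365 &&
    cat servercert.pem serverkey.pem cacert.pem > server.pem
)

chain_ok() {   # usage: chain_ok CA_CERT LEAF_CERT; 0 only if LEAF chains to CA
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run as: sh demo.sh DIR  (does nothing when no directory is given)
if [ -n "${1:-}" ]; then
    build_demo_pki "$1" && chain_ok "$1/cacert.pem" "$1/servercert.pem" &&
        echo "servercert.pem chains to cacert.pem"
fi
```

Only cacert.pem is meant for distribution; root.pem and server.pem both contain a private key and stay on the host that needs them.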

7
Client and Server Examples
  • We will review the NSwO-1.3/ssl examples
  • The BIO objects and functions
  • The SSL objects and functions
  • The CRYPTO functions
  • The ERR functions
  • Use man pages and Web resources when necessary