
Criptografia e Fundamentos de Segurança (Cryptography and Security Fundamentals)
2022

Practical Exercise #2
- Certification authorities using OpenSSL
- Server and client authentication with Apache
X.509 Certificates
An X.509 certificate contains a public key and also information about a real entity (the Subject). Fields of the certificate:
• Version
• Serial Number
• Algorithm Identifier
- Algorithm
- Parameters
• Issuer (Distinguished Name + Public Key)
• Period of Validity
- Not Before Date
- Not After Date
• Subject (Distinguished Name + Public Key)
• Subject’s Public Key
- Algorithm
- Parameters
- Public Key
• Signature
X.509 Certificates
Information about the entity is stored as a DN (Distinguished Name):

Field                 Key   Example
Common Name           CN    CN = Joao Luis
Organization          O     O = UC
Organizational Unit   OU    OU = DEI
City / Location       L     L = Coimbra
State / Province      ST    ST = Coimbra
Country               C     C = PT
Certification Authorities
• Verification of CSR (Certificate Signing Request)
• Public and Private CA (“self-signed”)

www.verisign.com
www.multicert.pt
www.thawte.com
Figure: Private CA – a private key (RSA / DSA) and a Certificate Signing Request (CSR); the CSR is signed with that same private key, producing a “self-signed” X.509 certificate.
Figure: Creation of an X.509 certificate – a private key (RSA / DSA) and a Certificate Signing Request (CSR); the CSR is signed with the private key of the CA, producing the X.509 certificate.
Figure: Authentication using X.509 certificates with Apache – a CA issues the certificates; Server Authentication (Apache presents its certificate to the browser) and Client Authentication (the browser presents its certificate to Apache).
OpenSSL usage examples
# Step 1 - Creation of a 1024-bit private key (RSA) encrypted with 3DES
# (1024 is the size used in this exercise; current OpenSSL versions default to
# 2048 bits when no size is given, and 1024-bit RSA is too weak for real deployments)
openssl genrsa -des3 -out xpto.key 1024
# Step 2 - Creation of a CSR
openssl req -new -key xpto.key -out xpto.csr
# Step 3 - Creation of a “self-signed” certificate
openssl x509 -req -days 365 -in xpto.csr -out xpto.crt -signkey xpto.key
# Viewing the contents of a certificate
openssl x509 -in xpto.crt -text
# Creation of an X.509 certificate using an existing CA
openssl ca -in cert.csr -cert ca.crt -keyfile ca.key -out cert.crt
# Converting from PEM to PKCS#12 (certificate and private key in a single file)
openssl pkcs12 -export -clcerts -in xpto.crt -inkey xpto.key -out xpto.p12
# Converting from PEM to DER
openssl x509 -inform PEM -in xpto.crt -outform DER -out xpto.crt.der
Practical Exercise
Configuration of the CA in /etc/ssl/openssl.cnf
Set dir in the default_ca section to /etc/pki/CA (replacing ./demoCA)

Note:
• you have to create /etc/pki/CA (on Debian this folder does not exist yet)
• the certificates must be created inside the /etc/pki/CA folder, or inside the appropriate subfolder.
Practical Exercise – Private CA creation
Use triple DES as the encryption algorithm
Steps:
1. Create the private key
2. Create the Certificate Signing Request (CSR) (do not use extra features)
3. Create the certificate
Practical Exercise – Private CA and certificates database

1. Create the directory /etc/pki/CA/newcerts (to store the information of the certificates that will be issued by the CA)
2. Create the index.txt file in /etc/pki/CA (maps the sequence number of each certificate to the certificates issued/signed by the CA)
$ sudo touch /etc/pki/CA/index.txt
3. Create the serial file with the initial sequence number in /etc/pki/CA (number used to identify the certificates issued/signed by the CA)
$ echo 01 | sudo tee /etc/pki/CA/serial
(with "sudo echo 01 > /etc/pki/CA/serial" the redirection is performed by the unprivileged shell, not by sudo, so the write fails; tee runs as root and writes the file)
Main configuration files (Apache, OpenSSL)
OpenSSL configuration:
/etc/ssl/openssl.cnf
Apache with SSL (mod_ssl):
/etc/apache2/sites-enabled/default-ssl.conf
Useful Pointers: Debian Wiki, Apache SSL HowTo
Manual pages: man openssl ca, man openssl
Practical Exercise – Certificates for Apache
Install apache with:
$ sudo apt-get install apache2
$ sudo a2enmod ssl
Steps:
1. Create and change to the directory /etc/pki/CA/apache, which will hold the certificate information for Apache
2. Create Private key
3. Create Certificate Signing Request (CSR)
4. Create Certificate using private CA
5. Add name in CN in the /etc/hosts file
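The private CA creation, the CA database (newcerts, index.txt, serial) and the server certificate steps above, carried through end to end as an added example that is not code from the slides: a POSIX shell function builds everything in a scratch directory instead of /etc/pki/CA so it runs without root, then checks that the server certificate chains to the CA with openssl verify. The directory, passphrase, subjects and the minimal ca.cnf (a stand-in for the CA_default section of /etc/ssl/openssl.cnf) are assumptions; the -passout/-passin options only replace the interactive passphrase prompts of the exercise.

```shell
# Added example (not from the slides): private CA + Apache server certificate in a
# scratch directory $1 instead of /etc/pki/CA (runs unprivileged); values constructed.
build_lab_ca() (
    dir=$1; cn=${2:-www.lab.local}; pw="pass:LabPassphrase"   # constructed, non-interactive
    mkdir -p "$dir/newcerts" "$dir/apache" && cd "$dir" || exit 1
    : > index.txt; echo 01 > serial   # empty certificate database + first serial number
    cat > ca.cnf <<'EOF'   # stand-in for the CA_default section of openssl.cnf (dir = here)
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
policy = policy_lab
x509_extensions = server_ext
[ policy_lab ]
countryName = optional
organizationName = optional
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Private CA: 3DES-encrypted key, CSR, self-signed certificate marked CA:TRUE
    openssl genrsa -des3 -passout "$pw" -out ca.key 2048 2>/dev/null &&
    openssl req -new -config ca.cnf -key ca.key -passin "$pw" -out ca.csr \
        -subj "/C=PT/O=UC/CN=Lab CA" &&
    openssl x509 -req -days 365 -in ca.csr -signkey ca.key -passin "$pw" \
        -extfile ca.cnf -extensions ca_ext -out ca.crt 2>/dev/null || exit 1
    # Apache server: key, CSR, then a certificate issued by the private CA
    openssl genrsa -des3 -passout "$pw" -out apache/server.key 2048 2>/dev/null &&
    openssl req -new -config ca.cnf -key apache/server.key -passin "$pw" \
        -subj "/C=PT/O=UC/CN=$cn" -out apache/server.csr &&
    openssl ca -batch -notext -config ca.cnf -passin "$pw" -days 365 \
        -in apache/server.csr -out apache/server.crt 2>/dev/null || exit 1
    # Chain check: the server certificate must validate against the CA (prints "...: OK")
    openssl verify -CAfile ca.crt apache/server.crt
)
```

After a run, index.txt holds one "V" (valid) entry for serial 01, newcerts/01.pem is the issued copy, and serial has advanced to 02, which is the bookkeeping the openssl ca command relies on.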
Practical Exercise – Apache configuration
Steps:
1. Configure Apache with the certificates
Edit /etc/apache2/sites-available/default-ssl.conf (or another file, per your settings). Set the following directives to the respective locations:
• SSLCertificateFile < certificate file location >
• SSLCertificateKeyFile < certificate key file location >
• SSLCACertificateFile < CA certificate file location >

2. Enable the site with SSL (in the folder /etc/apache2/sites-available)
# a2ensite default-ssl.conf (or the one you have configured)
# systemctl reload apache2
Practical Exercise – Apache configuration
Steps:

When Apache starts, it should prompt for the passphrase of the private key:

1. Access Apache using the name that was configured as the CN in the certificate and placed in /etc/hosts
Practical Exercise – Apache with Client Authentication
Enable client authentication on the Apache server (option SSLVerifyClient)
