Fundamentos de Segurança 2022
Practical Exercise #2
- Certification authorities using OpenSSL
- Server and client authentication with Apache
X.509 Certificates
An X.509 certificate contains a public key together with information about a real-world entity (the Subject). Its fields are:
Version
Serial Number
Algorithm Identifier
- Algorithm
- Parameters
Issuer (Distinguished Name)
Period of Validity
- Not Before Date
- Not After Date
Subject (Distinguished Name)
Subject's Public Key
- Algorithm
- Parameters
- Public Key
Signature
X.509 Certificates
Information about the entity is stored as a DN (Distinguished Name). Examples shown on the slide: www.verisign.com, www.multicert.pt, www.thawte.com.
Private CA
(Diagram: a private key (RSA / DSA) is used to produce a Certificate Signing Request (CSR); the CSR is signed with that same private key, yielding a "self-signed" X.509 certificate.)
Creation of a X.509 certificate
(Diagram: a private key (RSA / DSA) is used to produce a Certificate Signing Request (CSR); the CSR is signed with the private key of the CA, yielding an X.509 certificate.)
Authentication using X.509 certificates with Apache
(Diagram: a CA issues certificates to both sides; Server Authentication and Client Authentication take place between APACHE and BROWSER.)
OpenSSL usage examples
# Step 1 - Creation of a 1024-bit private key (RSA) encrypted with 3DES
openssl genrsa -out xpto.key -des3 1024
# Step 2 - Creation of a CSR
openssl req -new -key xpto.key -out xpto.csr
# Step 3 - Creation of a "self-signed" certificate
openssl x509 -req -days 365 -in xpto.csr -out xpto.crt -signkey xpto.key
Note:
• you have to create /etc/pki/CA (folder in Debian)
• the creation of certificates must be performed inside the /etc/pki/CA folder or an appropriate subfolder.
Practical Exercise – Private CA creation
Use triple DES as the encryption algorithm.
Steps:
1. Create Private key
2. Create Certificate Signing Request (CSR) (do not use extra features)
3. Create Certificate
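The three steps above, followed by the "Creation of a X.509 certificate" flow (a CSR signed with the CA's private key) and a check that the result verifies against the CA, as an added example that is not part of the original slides. The subject names, file names and passphrase are constructed for this example, it works in a temporary directory rather than /etc/pki/CA, and it uses 2048-bit keys instead of the 1024 bits shown on the slides.

```shell
#!/bin/sh
# Added example: build a private CA (3DES-encrypted key, CSR, self-signed
# certificate), sign a server certificate with it, and verify the chain.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="pass:ca-example-passphrase"   # constructed for the example only

# Steps 1-3 of the exercise: CA private key, CSR, self-signed certificate.
make_ca() {
  openssl genrsa -des3 -passout "$CA_PASS" -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/ca.key" -passin "$CA_PASS" \
    -subj "/C=PT/O=Example Private CA/CN=Example Root CA" -out "$WORKDIR/ca.csr"
  openssl x509 -req -days 365 -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
    -passin "$CA_PASS" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# "Creation of a X.509 certificate": server key and CSR, signed by the CA key.
make_server_cert() {
  cn="$1"
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -subj "/C=PT/O=Example/CN=$cn" \
    -out "$WORKDIR/server.csr"
  openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "$CA_PASS" \
    -CAcreateserial -out "$WORKDIR/server.crt" 2>/dev/null
}

# Returns 0 when server.crt chains to ca.crt, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Returns 0 only if the server certificate's Issuer DN equals the CA's Subject DN.
issued_by_our_ca() {
  issuer=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
  subject=$(openssl x509 -in "$WORKDIR/ca.crt" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

make_ca
make_server_cert "www.example.test"
verify_chain && echo "server.crt verifies against ca.crt in $WORKDIR"
```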
Practical Exercise – Private CA and certificates database