Before we jump to the practical part, we first need to discuss a few things so that it is clear why we need to set up a PKI. So, let's start with some basics.
What is Cryptography?
The word cryptography is made of two parts, crypto and graphy: crypto means hidden/secure and graphy means writing, so the whole word means secure writing. Cryptography is a way through which we can secure the communication between client and server. Through cryptography we can also do authentication, and cryptography is
Data that you write, or that comes from the network, and that is readable and easily understandable is known as plain text. If you convert your data into some other format that
stored on a hard disk and not currently in use is called data at rest.
If you convert/lock your plain text data into some other format with the help of keys, this process is known as encryption. After encryption, if you want to read and analyze the data, you again need to convert the cipher text back to normal plain
Encryption and encoding share the same motive, converting data into some other format, but in encryption we use keys, whereas in encoding we convert data into some other format
request, the server serves something to the client. The conclusion is that data is transferred, but if we use the HTTP protocol then the data goes over the network as clear text that anyone can understand, whereas if you use HTTPS then your data goes over the network in an encrypted format.
How?
Locking/unlocking your data with the help of keys is known as encryption; the key we use can be a symmetric or an asymmetric key. With a symmetric key we use one key only for
With asymmetric keys we have 2 keys: one is the public key and one is the private key. The public key is mostly used for encryption and the private key is always used for decryption. We can use asymmetric keys for encryption and decryption, but this is not the actual
First the server generates a private key; then from the private key a public key is also generated, so now the server has 2 keys, Spub and Spriv (asymmetric key encryption).
The client first sends a request to the server. Then the server sends its Spub key to the client, the client generates a symmetric key that is locked with the Spub key and transferred over the network to the server, and now both client and server have the symmetric key, so they start communicating with the data in an encrypted format. This process is followed per session (per data
So actually the symmetric key and the asymmetric key work together; both can be used for encryption and decryption, but the real purpose of the
keys.
Behind the scenes, encryption and decryption use algorithms such as DSA, RSA, etc.
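The exchange described above, as an added example that is not part of the original article, done by hand with openssl: the server owns an RSA pair (Spriv/Spub), the client makes a random symmetric key and locks it with Spub, and only Spriv can unlock it. The file names and the sample message are made up.

```shell
#!/bin/sh
# Added example: hybrid key exchange with openssl (not the article's own commands).
# Assumes openssl 1.1.0 or newer on PATH. All file names here are constructed.
set -e
WORK=$(mktemp -d)

# Server side: generate Spriv, then derive Spub from it (asymmetric key pair).
server_make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/Spriv.pem" 2>/dev/null
  openssl pkey -in "$WORK/Spriv.pem" -pubout -out "$WORK/Spub.pem"
}

# Client side: random 256-bit symmetric key, wrapped (locked) with Spub, plus the
# message encrypted under that symmetric key. Only wrapped.key and msg.enc cross the wire.
client_send() {
  openssl rand -hex 32 > "$WORK/client.key"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/Spub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/client.key" -out "$WORK/wrapped.key"
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 \
    -pass "file:$WORK/client.key" -out "$WORK/msg.enc"
}

# Server side: unwrap the symmetric key with Spriv, then decrypt the message with it.
server_receive() {
  openssl pkeyutl -decrypt -inkey "$WORK/Spriv.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/wrapped.key" -out "$WORK/server.key"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/server.key" -in "$WORK/msg.enc"
}

# Returns 0 when the message the server decrypts equals what the client sent.
roundtrip_ok() {
  server_make_keys
  client_send "$1"
  [ "$(server_receive)" = "$1" ]
}

roundtrip_ok "GET /index.html" && echo "symmetric key exchanged and message decrypted"
```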
In this process, when the client sends a request to the server, the server sends its public key to the client; if in the middle a hacker performs attacks like IP spoofing or a MITM (man-in-the-middle) attack and gets the server's public key or the client's symmetric key, then they can
How does the client come to know and verify that the key comes from the real
signing request)
Now this request goes to the CA; the CA checks this document and signs this certificate request (CSR) to convert it into a certificate, the CRT (the same document with
One more challenge is that we have only 10–12 CA companies, but nowadays we have
Here the CA has one more capability: it can make other CAs by signing their certificates, so these other CAs can sign the servers' certificates. The CAs signed by a CA are known as sub CAs, and the top-level CA that makes these sub CAs is known as the root CA. We can create multiple sub CAs, and now these sub CAs make others to make
public key, which gives the entire CA. Here on the client side, to send the request to the server the client needs some program (software), which here is a browser. After the CA comes to the browser, it automatically checks the company info and the signature of the certificate.
You don't need to get all the certificates from other sources or from another network; your
How to Check?
Go to browser -> Settings -> search "security" -> Manage certificates -> Checklist.
Now the browser checks the certificate against its internal database; if it matches
This entire infrastructure that we set up for transferring the server's public key to the client is known as PKI (Public Key Infrastructure). We need it because this setup solves the above challenge: the server's public key is sent to the client, and the client can also verify that this is the real server.
Now if a hacker tries to create a fake CA and asks the CA company to sign it, the CA company first checks in its CA whether it has already signed this certificate. How? By checking the hostname (unique in the world) in the certificate. If they find that the record already exists
In the above setup we use the certificate to authenticate the client and server; this certificate is the same thing as an SSL certificate. And this process of using the public and private keys to send the client's symmetric key to the server is called the SSL/TLS
Sign the root CA certificate on your own; this is called a self-signed certificate.
Create the certificate for the sub CA, which is signed by the root CA.
I think this article is already getting long, so we will go through the live hands-on practical in our next article.
I highly recommend reading this article carefully before jumping directly to the practical part.
Thanks for reading this article; I hope this information is helpful to you.
Setup Entire PKI Infrastructure and Access web server (HTTPD) via HTTPS (Part 2)
https://medium.com/@prashantsde/setup-entire-pki-infrastructure-and-access-web-server-httpd-via-https-part-2-326e1a8fb5c1
In the previous article, Part 1, we discussed some basics of cryptography, what a CA is,
certificate.
Create the certificate for the sub CA, which is signed by the root CA.
Step 1:- Create a private key, and create the CSR for the root CA.
Here we create a separate folder for the whole PKI setup where we put everything, then a separate folder for the root CA where we keep all the root CA's files.
Create a key of 4096 bytes with aes256 (key algorithm) and store the output in the roots.key file. Then
Now you need to create the CSR first; you need to use some configuration file of the CA.
The root CA's duty is to sign other sub CA certificates, but it can sign server certificates also.
Now, whenever any certificate is signed by the CA, it is stored in some folder, so
Now open the configuration file and update the folder's path.
revoked, they put it in the $dir/crl path. You can see it in the configuration file.
Whenever the root CA signs the sub CA or any server certificate, to make a
Whenever you sign the final certificate, it will be stored in the certs folder, so
And when any certificate is created or signed, every certificate gets a unique number for verification called a serial number. So create one temporary file
Step 2:- Now create the CSR, or, since here we can directly create the certificate and get it signed, there is no point in creating a CSR. So create the CRT directly.
openssl req -config openssl.cnf -key private/rootca.key -new -days 3650 -sha256 -x509
1 year; we use the sha256 algorithm, and to tell this request to convert your CSR to a CRT and for
Now give some information about the company name, country, and hostname (important).
Here you can also see CA:TRUE, which means you have the power to sign certificates and
Step 3:- Create the certificate for the sub CA, which is signed by the root CA.
Now create a separate folder for the sub CA, but first come out of the root CA folder.
In the same way, first create a private key and give it a password, but first create one folder also.
The root CA decides how long a chain you can create; this is decided by the length
Path length 1: the root CA says that you can make 1 sub CA, which can then sign certificates only, and you can't create more than 1 CA level. So we can control the chain.
With this extension the root CA signs the sub CA's CSR to make a sub CA. Update the key file.
Check:- check that the serial file is updated to 02.
When the CA signs any certificate, a copy of the certificate goes into the newcerts folder.
pathlen:0: chaining stops; you can't create more sub CAs, but you can sign server certificates.
Now copy the configuration file for the sub CA also and update some entries according to the path.
Save and create some files like serial, index.txt, etc.
Step 4:- Set up and configure the Apache httpd web server.
Install the Apache httpd web server and put some pages in the /var/www/html directory,
Step 5:- Create a certificate for the server, which is signed by the sub CA.
Go to /pki/, create a separate folder for the server and create a private key,
host name.
The v3_req extension is used to create the certificate only for the server.
-out /pki/server/server.crt
Check that the certificate is signed and that the database and serial file are updated.
Note:- The certificate contains the public key of the server, company information, the validity of the server certificate, and most important, the hostname (unique in the world).
Sometimes the folder looks confusing (which file is in which folder), so to check the entire structure of the folder in Linux use the tree command.
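As an added example (not the article's own commands), here is the root CA -> sub CA -> server chain from Steps 1, 3 and 5 built with openssl x509 -req instead of openssl ca and a configuration file, then checked with openssl verify, including a check that the sub CA's pathlen:0 really stops a deeper chain. It assumes openssl 1.1.1 or newer on PATH; all names, subjects and paths are made up.

```shell
#!/bin/sh
# Added example: root CA -> sub CA -> server chain with openssl, plus pathlen checks.
# Assumes openssl 1.1.1+. Every name and path below is constructed for this demo.
set -e
PKI=$(mktemp -d)
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = req\n' > "$PKI/req.cnf"
# newcert NAME SUBJECT EXTENSIONS ISSUER: make key + CSR, then sign with -extfile.
# ISSUER is "self" for a self-signed root, otherwise the NAME of the signing CA.
newcert() {
  name=$1; subj=$2; ext=$3; issuer=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI/req.cnf" \
    -subj "$subj" -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  printf '%b' "$ext" > "$PKI/$name.ext"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" -days 3650 \
      -sha256 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.crt" -CAkey "$PKI/$issuer.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
  fi
}
build_chain() {
  # Root CA: self-signed; pathlen:1 allows exactly one level of sub CA below it.
  newcert rootca "/CN=Example Root CA" \
    'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' self
  # Sub CA: signed by the root; pathlen:0 means it may sign server certificates only.
  newcert subca "/CN=Example Sub CA" \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' rootca
  # Server: signed by the sub CA; CA:FALSE and the hostname in a SAN (what browsers check).
  newcert server "/CN=www.example.test" \
    'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' subca
}
# Returns 0 when server.crt chains to the trusted root through the sub CA and its hostname matches.
verify_server_cert() {
  openssl verify -CAfile "$PKI/rootca.crt" -untrusted "$PKI/subca.crt" \
    -verify_hostname www.example.test "$PKI/server.crt" >/dev/null 2>&1
}
# Returns 0 when a leaf issued below an unauthorised sub-sub CA is rejected: the sub CA's
# pathlen:0 (and the root's pathlen:1) forbid another CA in the chain.
pathlen_is_enforced() {
  newcert rogueca "/CN=Rogue Sub-Sub CA" 'basicConstraints=critical,CA:TRUE\n' subca
  newcert rogue "/CN=deep.example.test" 'basicConstraints=CA:FALSE\n' rogueca
  cat "$PKI/subca.crt" "$PKI/rogueca.crt" > "$PKI/chain.pem"
  ! openssl verify -CAfile "$PKI/rootca.crt" -untrusted "$PKI/chain.pem" "$PKI/rogue.crt" >/dev/null 2>&1
}
build_chain
verify_server_cert && echo "server.crt verifies against the root CA"
pathlen_is_enforced && echo "chain deeper than pathlen allows is rejected"
```

The same -CAfile/-untrusted pair is what curl needs (as --cacert plus the sub CA in the server's chain) when it checks the httpd certificate later in this article.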
Now let’s create a dummy server and check our server.
openssl s_server -accept 443 -www -key private/server.key -cert server.crt -CAfile /pki/subca/certs/subca.crt
In Linux, all certificates are stored in /etc/pki/tls/certs. Now append the root CA
Now check:-
but using the -k option with curl means don't verify the certificate, just get the public
By default httpd doesn't support SSL; to enable it we need the mod_ssl software.
Go to ssl.conf and change some settings in this file.
Check that port 443 is active. Now you can access the web server with https also.
Working fantastic. To do the same thing in Windows, you have to configure local DNS. But this works only when you upload the root certificate in Windows also.
also.
Working fine.
So this is how you can set up the whole PKI and enable HTTPS in Apache httpd.