Setup Entire PKI

Infrastructure and Access

web server (HTTPD) via
HTTPS (Part 1)
https://medium.com/@prashantsde/setup-entire-pki-infrastructure-and-access-web-server-httpd-via-
https-part-1-2c57f9ff60f8

In this article, we are going to discuss how to do the following things: -

 Basics of cryptography, Encryption, Decryption, Plain, and Cipher

text.

 Symmetric key, Asymmetric key real use case.

  client-server model.

 Working behind clients and servers on how to request and

respond.

 What is CA and why do we need it?

 Create own CA, sub ca, and chaining.

 What is PKI and Why do we need PKI setup?

 What is SSL/TLS Handshaking?

 Set up your own PKI (Public key infrastructure).

 Set up Web server Apache Httpd and access via HTTPS safe

protocol.

So, before we jump to the practical part, we need to discuss first some things so that we

come to know why we need PKI set up. So, let’s start with some basics.

What is Cryptography?

The word cryptography comes with two words, Crypto and graphy, Crypto means

hidden/secure and graphy means writing. The whole meaning is secure writing. So,

cryptography is a way through which we can secure the communication between client
and server. Through cryptography, we can do authentication also, and cryptography is

also known as cryptology or cryptosystem.

What is Plain and cipher text?

The data you write or comes from the network which is readable and easily

understandable is known as plain text. If you convert your data in some other format that

is not understood this data is known as cipher text.

Note:- The data which comes/go over the network is known as Data in transit, and data

stored on a Hard disk that is not currently used is called Data at rest.

What are Encryption and Decryption?

If you convert/lock your plain/precise text data in some other format with the help of

some keys, then this process is known as encryption. After encryption, if you want to

read, and analyze data then you again need to convert data cipher text to normal plain

text with help of a key this process is known as decryption.

One question can come to your mind: -

What is the difference between encryption and

encoding?

Encryption and encoding both have the same moto to convert data in some other format,

but in encryption we use keys and in encoding, we convert data in some other format

without keys. same difference in decryption and decoding.

What is a client-server model and how do they

communicate?
client first sends a request to the server to get some data, then according to the client's

request, the server serves something to the client. the whole conclusion is data is

transferred but if we use HTTP protocol then the data go via a network in a clear text that

is understandable. but if you use HTTPS then your data via the network with the

encrypted format.

How?

Before we discuss this further, let’s discuss something about keys.

What is a Symmetric key?

To lock/unlock your data with the help of keys is known as encryption, here the key we

can use is a symmetric or asymmetric key. In a symmetric key we use one key only for

encryption and decryption

What is an Asymmetric key?

In asymmetric key, we have 2 keys one is the public key, and one is the private key, the
public key we mostly used for encryption and the private key always use for decryption.

We can use the asymmetric key for encryption and decryption. But this is not the actual

use case of the asymmetric key.

How do clients and servers

communicate/transfer data securely?
This process has some steps: -

 The first server generates a private key, then from the private key one public

key is also generated, now the server has 2 keys Spub, and Spriv (Asymmetric

key encryption).

 The client first sends a request to the server. then the server sends its Spub

key to the client, then the client generates a symmetric key that is locked by

the Spub key and transfers over the network to the server, now both client and

server have the symmetric key, so they start communicating and data also is

in an encrypted format. and this process follows per session wise (per data

transfer between client and server).

 So actually, the Symmetric key and asymmetric key work together, both we

can use for encryption and decryption, but the real purpose of the

asymmetric key is to transfer the client's symmetric key to the server.

asymmetric key not meant for encryption and decryption purposes.

This is actually, client and server communication goes behind the scenes with the help of

keys.

And in encryption and decryption, there are some algorithms used behind scenes DSA,

RSA, etc.

Challenge in the above client and server

communication is: -

In this process, If the client requests the server, then the server sends its public key to the

client and in the middle hacker does some attacks like IP spoofing and MITM(Men in the

middle) attack and gets the server's public key or get client’s symmetric key then they can

break all communication.

The challenge here is:-

 How the client comes to know and verify that the key comes from the real

server or from the hacker system?

 How to transfer the symmetric key of the client to the real server.

What are CA, CSR, and CRT?

Here we have to take help and trust from some third-party companies
called CA(Certificate authority); nowadays we have a total of 10–12 CA
companies worldwide. They can help you to share the public keys with
clients. How? What these companies say:-
  The server creates 1 document(put some information like
company name, Country, Organization name,
state, Hostname(Important), and server public key. this
document is known as a certificate, and then the server sends
this document to CA and asks to sign/stamp this certificate.
this document we send a request to CA to sign is known as CSR(certificate

signing request)

 Now, this request comes to CA and CA check this document and sign this
certificate (CSR) to convert it into one certificate CRT (Same document with

some signature/stamp by CA company).

One more Challenge is: - We have only 10–12 ca companies but nowadays we have

millions of websites, so how do they sign these many certificates?

The solution is Chaining.

What are Chaining, Sub CA, and Root CA?

Here CA has one more capability they can make other CA by signing their certificate, so
these other ca’s can sign the server’s certificates, These CAs signed by CA are known as

Sub CA, and the top-level CA who make these Sub CA is known as root CA. And We can
create multiple Sub-CA's how now these Sub CA make others to make

Sub CA. This process of making Sub CA is known as Chaining.

What is PKI, Working, and why do we need it?

  As the client sends a request to the server, Instead server replies with its

public key, which give the entire CA, Here in client-side To send the request to

the server, the client needs some program(software) here is a browser, after

CA comes to browser, They auto check company info and signature of the

certificate.

How Browser check certificate comes from the server?

You don’t need to get all certificates from other sources or from another network, Your

browser has these certificates pre-installed.

How to Check?

Go to browser -> settings -> Search security -> Manage certificates ->
Checklist.
  Now the browser checks the certificate in their internal databases if matches

then This is the actual certificate the same communication goes.

This entire infrastructure we set up for transferring the server public key to the client is

known as PKI(Public key Infrastructure). And why we need this because this setup solves

the above challenge. Send server public key client, and the client can also verify that this

is a real server.

Now if a hacker tries to create a fake CA, and asks the CA company to sign, the first CA

company checks in their CA, Is this certificate we already signed How? By checking the

Hostname(Unique in the world) in the certificate. If they check that record exists already

then they deny the request.

What is SSL/TLS Handshaking?

In the above setup, we use the certificate to authenticate the client and server this

certificate is equal to the SSL certificate. And this process of using the public, and private

keys to send the client’s symmetric key to the server, this step/process is called SSL/TLS

handshaking. Nowadays we use the word TLS(newer) and SSL(older). SSL/TLS

handshaking means how the client sends the symmetric key to the server.

Asymmetric real purpose:-

 Securely transfer the client's symmetric key to the server.

 Data validation (Sign and verify)

How to Set up your own PKI (Public key

infrastructure)
Now we have to perform the following steps to setup PKI:-

 Create the certificate for the root CA.

 Sign the root CA certificate on your own called the Self-signed certificate.

 Create the certificate for the Sub CA which is signed by the root CA.

 Set up and configure the Apache httpd web server.

 Create a certificate for the server which is signed by SubCA.

 Make Apache httpd support HTTPS(Secure Communication).

I think this article go much longer, So discuss this live hands-on practical in our next

article.

Highly recommend it, Please read this article carefully before jumping directly to

practical.

Thanks for reading this article, I hope this information might helpful to you.
Setup Entire PKI
Infrastructure and Access
web server (HTTPD) via
HTTPS (Part 2)
https://medium.com/@prashantsde/setup-entire-pki-infrastructure-and-access-web-server-httpd-via-
https-part-2-326e1a8fb5c1

In the previous article Part 1, We discussed some basics of cryptography, what is CA,

SubCA, Chaining, PKI, Why we need and much more things.

Now today let’s jump to the practical part.

So We need to follow some steps:-

  Create a private key, and create the CSR certificate for the root CA.

 Sign the root CA certificate on your own called the Self-signed

certificate.

 Create the certificate for the Sub CA which is signed by the root CA.

 Set up and configure the Apache httpd web server.

 Create a certificate for the server which is signed by SubCA.

 Make Apache httpd support HTTPS(Secure Communication).

In my case, I am using Redhat 8.4 Linux for this practical.

Step 1:- Create a private key, and create the CSR certificate for the
root CA.

 Create a separate folder for some purposes.

Here we create a separate folder for the whole pki setup where we put all things, then

create a separate folder for root ca where we keep all info of root ca.

Now we need the OpenSSL command, Install first.

  we create a private key first for the root ca.

openssl genrsa -aes256 -out rootca.key 4096

Create 4096 bytes with aes256(Key algorithm) and store the output in roots.key file Then

gives some password and remember them.

 Now you need to create CSR first, You need to use some configuration file of

CA.

Root ca duty is to sign other SubCA certificates, But they can sign server certificates also.
  Now, whenever any certificate is signed by CA, they store it in some folder so

let’s create one workspace.

 And root CA keeps its own certificate in a folder, So create a workspace.

 Now open the configuration file and update the folder's path.

Now save and exit via Press esc -> :wq

Some certificates may be stolen/Hacked, so root CA has the authority to make CA

revoked, They put in $dir/crl path. You can see it in the configuration file.
  Whenever root CA signs the sub-CA or any server certificate, To make a

record you need to create a database file.

 Whenever you signed the final certificate this will store in the certs folder, So

give the full path with the file name.

 And when any certificate creates or signed, every certificate has a unique

number for verification called a serial number. So create one temporary file

and store temporary value.

Step 2:- Now create the CSR certificate, OR here we can directly
create the certificate and get signed, So no meaning in creating CSR.
So create CRT direct.

openssl req -config openssl.cnf -key private/rootca.key -new -days 3650 -sha256 -x509

-extensions v3_ca -out certs/rootca.crt

Here we use configuration file openssl.cnf to tell path and other info, certificate validity is

1 year, we use sha256 algo, And to tell This request to convert your CSR to CRT and for

self-signing also, We use extension v3_ca.

 Now give some information about the company name, country, and
hostname(Important).

 Now check the certificate created in the certs folder.

 To decode the certificate.

openssl x509 -in certs/rootca.crt -text

Note:- About extensions.

v3_ca — This means you become sub-CA.

v3_req — The server can’t sign any certificate.

Here you can see also CA: True means you have the power to sign the certificate and

make other servers a Sub CA.

By extensions, We can verify the power of Certificates.

Step 3:- Create the certificate for the Sub CA which is signed by the
root CA.

 Now create a separate folder for sub ca, but first, come out to the root ca

folder first.
 Same way, first create a private key and give the password, but first create one

folder also.

 Now create CSR for sub-CA.

  To check the certificate, You can encode and check.

 Root CA decides, how long you can create the chain, this is decided by length

is called path length. By default path length: 0

Path length: 1 — Root CA says, that you can make 1 sub-CA, then signed certificate only,

and Can’t create more than 1 CA. We can control the chain.

 Now go to /pki/rootca/ open the configuration file, And create a custom

extension for custom CA.

In this extension we create a root CA sign sub-CSR to make a Sub CA. Update key file

also in root CA openssl.cnf file.

All settings of the root ca configuration file is:-

  Now Sign and make Sub CA.

openssl ca -config openssl.cnf -extensions v3_intermediate_ca -in /pki/subca/subca.csr

-out /pki/subca/subca.crt -days 3650

check :-
check the Serial file updated to 02.

 And Signed certificate information is stored in index.txt

 When CA signs any certificate, the copy of the certificate into the newcerts

folder.

 Check the signed sub crt in /pki/subca folder.

Here issuer means this certificate issued/Signed by root CA.

Subject:- This certificate belongs to whom(SubCA).

How Become CA.

CA: True — You become CA.

Pathlen:0 — Chaining stops, You can’t create more subCA but you can sign server

certificates.

Now Copy the configuration file for subca also and update some entries according to the

path.
  Save and create some files like serial, index.txt, etc.

Step 4:- Set up and configure the Apache httpd web server.

 Install web server apache httpd, Put some pages in /var/www/html directory,

and start the services.

Check web server working perfectly fine.

Step 5:- Create a certificate for the server which is signed by SubCA.

 Go to /pki/ create a separate folder for the server and create a private key,

CSR for the server.

The below information gives a hostname that is very important, which will be the website

host name.

 Check the certificate by decoding.

  Right now there is no issuer.

 Now this server certificate will be signed by sub-CA.

v3_req extension is used to create the certificate only for the server.

 Now create the CSR certificate for the server.

openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in /pki/server/server.csr

-out /pki/server/server.crt
Check certificate is signed and the database and serial file are updated.

Now check the certificate by decoding it.

Now you can see the difference, Here

The issuer is the sub-CA who signed the server certificate.

And Subject is the server whose certificate is signed by Sub CA.

Note:- The certificate contains a Public key of the server, Company information, The

Validity of the server certificate, and most important is the hostname(Unique in the

world).

Sometimes folder looks confusing which file is in which folder, So to check the entire
structure of the folder in Linux use the tree command.
 Now let’s create a dummy server and check our server.
openssl s_server -accept 443 -www -key private/server.key -cert server.crt -CAfile

/pki/subca/certs/subca.crt

Now let’s check out the web servers with HTTPS.

Obviously, it fails, Because we have to give a certificate to the system also.

In Linux, all certificates are stored in /etc/pki/tls/certs, Now append the root CA

certificate also in the file.

Now Check:-

To solve this situation you have to configure local DNS also.

Now working very fine.

but trying to use -k option with curl means don’t verify the certificate, Just get the public

key from the server.

At least we get something.

Step 6:- Make Apache httpd support HTTPS(Secure Communication).

By, default httpd doesn’t support SSL, To enable we need mod_ssl software.
Go to ssl. conf and change something in this file.

Now Stop this dummy server.

Stop linux advanced security called SELinux temporarily.

Check permissive means stopped.

Now Restart the apache web server and check the port number.

Check port number 443 is active. Now you can access the web server with https also.

Working fantastic. To do the same thing in windows. You have to configure local DNS.

Go to windows:- Open CMD by Run as Admin

Get linux System Ip and update there also.

Now open the windows browser and check web server.

But this works when you upload the root certificate in windows also.

 Copy certificate from linux to windows by WinSCP. I already copied it.

Now go to browser -> settings -> Search security -> Manage certificates and import 1st

root crt in Trusted

Click Yes -> and Your certificate imported in the browser, the Same way import subca

also.

Now try to access the web server in windows.

Disable the firewall first.

Now check with the https local domain.

Working fine.

So this is how you can set up the whole PKI setup and enable https in apache httpd.