Certificate Management with OpenSSL
Shu-Te University (樹德科技大學), Department of Computer Science and Information Engineering (資訊工程系), Assistant Professor 林峻立
Certificate Hierarchy
Root CA: ca.key.pem, ca.cert.pem
Intermediate CA: intermediate.key.pem, intermediate.cert.pem
client: client.key.pem, client.cert.pem, client.pfx
Procedure
Create a key pair
–Private key
–Public key
Create a certificate signing request (CSR)
–Only the public key goes into the CSR
–The CSR is signed with the requester's private key (proof that the requester holds it)
Send the CSR to a CA
The CA signs a certificate for the public key in the CSR
–Only the public key is in the certificate
–The certificate is signed with the CA's private key
Create the root key
Create the root certificate
Create the intermediate key
Create the intermediate certificate signing request (CSR)
Create the intermediate certificate
Create the certificate chain file
Create a server key
Create a server certificate signing request (CSR)
Create a server certificate
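The nine steps above carried out end to end, as an added example (this is not the deck's own command set, which drives `openssl ca` with an openssl.cnf, index.txt and serial file under /root/ca). Here `openssl x509 -req` signs directly so the script runs in an empty directory; the working directory, the CA names and the hostname www.example.com are assumptions. Besides building the root, intermediate and server certificates and the chain file, it checks that the chain file is ordered issuing CA first and root last (the order the SSLCertificateChainFile slide requires) by matching each certificate's issuer hash against the next certificate's subject hash:

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> server certificate.
# Signing is done with "openssl x509 -req", so no openssl.cnf/index.txt/serial
# are needed. The directory, CA names and www.example.com are assumptions.
set -eu

build_ca_hierarchy() (   # $1 = working directory (created if missing)
    mkdir -p "$1" && cd "$1"
    # Extension profiles. pathlen:0 stops the intermediate from issuing
    # further CAs; the server profile carries serverAuth and a SAN.
    # The [req]/[req_dn] stub lets "openssl req -subj" run without the
    # system openssl.cnf.
    cat > ca.ext <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ intermediate_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Root key and self-signed root certificate
    openssl genrsa -out ca.key.pem 4096 2>/dev/null
    openssl req -new -key ca.key.pem -config ca.ext -subj "/CN=Example Root CA" -out ca.csr.pem
    openssl x509 -req -in ca.csr.pem -signkey ca.key.pem -days 3650 -sha256 \
        -extfile ca.ext -extensions root_ca -out ca.cert.pem 2>/dev/null
    # Intermediate key, CSR and certificate signed by the root
    openssl genrsa -out intermediate.key.pem 2048 2>/dev/null
    openssl req -new -key intermediate.key.pem -config ca.ext \
        -subj "/CN=Example Intermediate CA" -out intermediate.csr.pem
    openssl x509 -req -in intermediate.csr.pem -CA ca.cert.pem -CAkey ca.key.pem \
        -CAcreateserial -days 1825 -sha256 -extfile ca.ext -extensions intermediate_ca \
        -out intermediate.cert.pem 2>/dev/null
    # Chain file: issuing CA first, root last
    cat intermediate.cert.pem ca.cert.pem > ca-chain.cert.pem
    # Server key, CSR and certificate signed by the intermediate
    openssl genrsa -out server.key.pem 2048 2>/dev/null
    openssl req -new -key server.key.pem -config ca.ext -subj "/CN=www.example.com" -out server.csr.pem
    openssl x509 -req -in server.csr.pem -CA intermediate.cert.pem -CAkey intermediate.key.pem \
        -CAcreateserial -days 375 -sha256 -extfile ca.ext -extensions server_cert \
        -out server.cert.pem 2>/dev/null
)

# Returns 0 when the chain file is ordered leaf-issuer first and root last:
# each certificate's issuer hash must equal the next certificate's subject hash.
check_chain_order() {   # $1 = leaf certificate, $2 = PEM chain file
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$2"
    expect=$(openssl x509 -in "$1" -noout -issuer_hash)
    ok=0
    for c in "$tmp"/cert*.pem; do
        [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$expect" ] || { ok=1; break; }
        expect=$(openssl x509 -in "$c" -noout -issuer_hash)
    done
    rm -rf "$tmp"
    return $ok
}

DEMO_DIR=$(mktemp -d)
build_ca_hierarchy "$DEMO_DIR"
# Verify the server certificate with the root as trust anchor and the
# intermediate supplied as an untrusted chain certificate (what a client does).
openssl verify -CAfile "$DEMO_DIR/ca.cert.pem" -untrusted "$DEMO_DIR/intermediate.cert.pem" "$DEMO_DIR/server.cert.pem"
check_chain_order "$DEMO_DIR/server.cert.pem" "$DEMO_DIR/ca-chain.cert.pem" && echo "chain order OK"
```

The keys are written unencrypted so the script runs unattended; the deck's `-aes128` keys would need `-passin`/`-passout` on each step. Verifying against the root alone fails, because the client is only given the intermediate through the chain file, which is exactly why its order matters.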
Config Apache SSL
/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/
SSLCertificateKeyFile /etc/pki/tls/private/
Restart httpd
–Provide the private key passphrase if the key file is encrypted
Config Apache SSL Certificate Chain
Starts with the issuing CA certificate of the server certificate and goes up to the root CA certificate
/etc/httpd/conf.d/ssl.conf
SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.cert.pem
–Since Apache 2.4.8 SSLCertificateChainFile is deprecated; the chain certificates may instead be appended to the file named by SSLCertificateFile, after the server certificate
Config Apache SSL Trust Root Certificate
–Import ca.cert.pem into the client's trust store; the chain the server sends ends at this root, and without it the client cannot complete verification
Create a client key
cd /root/ca
openssl genrsa -aes128 -out intermediate/private/client.key.pem 2048
chmod 400 intermediate/private/client.key.pem
–Use at least 2048 bits; 1024-bit RSA keys are below current minimums and are rejected by modern TLS implementations
Create a client certificate signing request (CSR)
Create a client certificate
Create a client PKCS#12 file
PKCS #12 is commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of CAs, in one password-protected file.
Authenticate Client
Import the client PKCS#12 file into the client (browser or OS key store)
In the server's /etc/httpd/conf.d/ssl.conf:
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/pki/tls/certs/ca-chain.cert.pem
–SSLVerifyDepth 2 allows one intermediate CA between the client certificate and the root; with SSLVerifyClient require, a handshake without a valid client certificate is refused
Certificate revocation lists (CRL)
A certificate revocation list (CRL) is a CA-signed list of certificates that have been revoked before their expiry.
–A client application, such as a web browser, can use a CRL to check whether a server's certificate has been revoked.
–A server application, such as Apache or OpenVPN, can use a CRL to deny access to clients that are no longer trusted.
Certificate revocation lists (CRL)
For client certificates
Revoke a client certificate
Create the CRL
Config ssl.conf
Certificate revocation lists (CRL) Revoke a client certificate
Certificate revocation lists (CRL) Create the CRL
openssl ca -config intermediate/openssl.cnf -gencrl -out /etc/pki/tls/crl/intermediate.crl.pem
openssl crl -in /etc/pki/tls/crl/intermediate.crl.pem -noout -text
–The CRL carries a nextUpdate date (default_crl_days in openssl.cnf); regenerate and redeploy it before that date, since verifiers reject an expired CRL
Certificate revocation lists (CRL) Server-side use of the CRL
For client certificates, it is typically a server-side application (e.g. Apache) that does the verification.
In the server's /etc/httpd/conf.d/ssl.conf:
SSLCARevocationFile /etc/pki/tls/crl/intermediate.crl.pem
–In Apache 2.4 the CRL is only consulted when SSLCARevocationCheck is set to chain or leaf; its default is none, so SSLCARevocationFile alone does not reject revoked clients
–mod_ssl reads the CRL at startup, so reload httpd after every regeneration
Online Certificate Status Protocol (OCSP)
For server certificates
Prepare the configuration file
Create a server certificate
Revoke the server certificate
Start the OCSP responder
Online Certificate Status Protocol (OCSP) Prepare the configuration file
[ usr_cert ]
crlDistributionPoints = URI:
authorityInfoAccess = OCSP;URI:
–These extensions are copied into each certificate at issuance, so only certificates issued after the change carry the CRL and OCSP URLs; existing certificates must be reissued
Online Certificate Status Protocol (OCSP) Create a server certificate
Online Certificate Status Protocol (OCSP) Revoke the server certificate
Online Certificate Status Protocol (OCSP) Start the OCSP responder
openssl ocsp -index intermediate/index.txt \
    -CA intermediate/certs/ca-chain.cert.pem \
    -rkey intermediate/private/intermediate.key.pem \
    -rsigner intermediate/certs/intermediate.cert.pem \
    -port 2560
–The responder answers from index.txt, so a certificate revoked with openssl ca -revoke is reported as revoked immediately, without regenerating the CRL
–Responses are signed here with the intermediate CA's own key, which places that key on an always-online host; a dedicated OCSP signing certificate (extendedKeyUsage = OCSPSigning) issued by the intermediate is the usual alternative
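One self-contained run of the client-certificate, PKCS#12, CRL and OCSP steps from the last three sections, added here as an example (it is not the deck's own command set). A single CA driven by `openssl ca` stands in for the deck's root/intermediate pair so that `-revoke`, `-gencrl` and the OCSP responder all read the same index.txt; the CA name, the client name alice, the export password changeit and the local ca.cnf are assumptions. Instead of binding the responder to a port as the slide does, the OCSP request and response are passed through files (`-reqout`/`-reqin`/`-respout`/`-respin`), so the same revocation can be observed first through the CRL (`openssl verify -crl_check`) and then through OCSP:

```shell
#!/bin/sh
# Added example: one CA driven by "openssl ca" (index.txt, serial, newcerts/),
# so that client issuance, PKCS#12 export, revocation, CRL generation and an
# OCSP responder all work from the same database. Directory, names, the
# ca.cnf below and the export password "changeit" are assumptions.
set -eu

setup_ca() (   # $1 = CA directory (created); leaves an empty CRL behind
    mkdir -p "$1/newcerts" && cd "$1"
    touch index.txt && echo 1000 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.cert.pem
private_key = $dir/ca.key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl genrsa -out ca.key.pem 2048 2>/dev/null
    openssl req -new -x509 -key ca.key.pem -config ca.cnf -extensions v3_ca \
        -subj "/CN=Demo CA" -days 3650 -out ca.cert.pem
    openssl ca -config ca.cnf -gencrl -out ca.crl.pem 2>/dev/null
)

issue_client() (   # $1 = CA directory, $2 = client name -> key, cert, PKCS#12
    cd "$1"
    openssl genrsa -out "$2.key.pem" 2048 2>/dev/null
    openssl req -new -key "$2.key.pem" -config ca.cnf -subj "/CN=$2" -out "$2.csr.pem"
    openssl ca -batch -notext -config ca.cnf -extensions client_cert \
        -in "$2.csr.pem" -out "$2.cert.pem" 2>/dev/null
    # PKCS#12: private key + certificate + issuing CA, for import into a browser
    openssl pkcs12 -export -inkey "$2.key.pem" -in "$2.cert.pem" -certfile ca.cert.pem \
        -name "$2" -passout pass:changeit -out "$2.pfx"
)

revoke_client() (   # $1 = CA directory, $2 = client name; marks R in index.txt, rebuilds CRL
    cd "$1"
    openssl ca -config ca.cnf -revoke "$2.cert.pem" -crl_reason keyCompromise 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl.pem 2>/dev/null
)

crl_status() (   # prints good|revoked according to the CRL (what mod_ssl consults)
    cd "$1"
    if openssl verify -crl_check -CAfile ca.cert.pem -CRLfile ca.crl.pem "$2.cert.pem" >/dev/null 2>&1
    then echo good; else echo revoked; fi
)

ocsp_status() (   # prints good|revoked from an OCSP request/response round trip via files
    cd "$1"
    # client: build a request for the certificate's serial under its issuer
    openssl ocsp -issuer ca.cert.pem -cert "$2.cert.pem" -no_nonce -reqout "$2.ocsp.req" >/dev/null 2>&1
    # responder: answer from index.txt, signing with the CA key (as the slide's -rkey/-rsigner do)
    openssl ocsp -index index.txt -CA ca.cert.pem -rsigner ca.cert.pem -rkey ca.key.pem -rmd sha256 \
        -CAfile ca.cert.pem -reqin "$2.ocsp.req" -respout "$2.ocsp.resp" >/dev/null 2>&1
    # client: verify the signed response against the trusted CA and read the status line
    openssl ocsp -respin "$2.ocsp.resp" -CAfile ca.cert.pem -issuer ca.cert.pem \
        -cert "$2.cert.pem" -no_nonce 2>/dev/null | sed -n "s/^$2\.cert\.pem: //p"
)

CA_DIR=$(mktemp -d)
setup_ca "$CA_DIR"
issue_client "$CA_DIR" alice
echo "before revocation: crl=$(crl_status "$CA_DIR" alice) ocsp=$(ocsp_status "$CA_DIR" alice)"
revoke_client "$CA_DIR" alice
echo "after revocation:  crl=$(crl_status "$CA_DIR" alice) ocsp=$(ocsp_status "$CA_DIR" alice)"
```

Both status functions report good before `revoke_client` and revoked after it. The difference in operation is what the two slides above describe: the CRL is a file that must be regenerated and redeployed (and reloaded by Apache) after each revocation, whereas the responder answers from index.txt as soon as the R entry is written.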