CIS5930 Internet Computing
Internet Security - Part 2
Prof. Robert van Engelen
OpenSSL

Get a copy of "Network Security with OpenSSL" from O'Reilly.
Download the code examples, version 1.3, from http://www.opensslbook.com/code.html and unpack them.
Download the scripts from http://www.cs.fsu.edu/~engelen/sslscripts.tar.gz, create a new 'CA' directory somewhere and unpack the files into it.

11/13/2018 CIS 5930 Fall 2006 COP4020 Fall 2006
Creating a Self-Signed Root CA Certificate

After unpacking sslscripts.tar.gz in 'CA', modify the openssl.cnf file in the [req_distinguished_name] section for the following items:

  countryName_default = US
  stateOrProvinceName_default = Your-State
  localityName_default = Your-City
  0.organizationName_default = Your-Company-Name
  emailAddress_default = your-email@address

If you are going to use only one configuration file, point OpenSSL at it with:

  setenv OPENSSL_CONF $HOME/…/CA/openssl.cnf

(setenv is csh syntax; sh and bash users set the same OPENSSL_CONF variable with export.)
Creating a Self-Signed Root CA Certificate

Run the root.sh script. When prompted, enter a passphrase to lock the private key of the CA. Keep root.pem (it contains the CA private key) and the passphrase in a safe place. You can distribute the cacert.pem CA certificate; it holds only the public key.

The script executes the following commands:

Create an RSA key and a certificate signing request for the RSA key:
  openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

Sign the public key with the private key to create a self-signed certificate:
  openssl x509 -req -in rootreq.pem -sha1 -extfile openssl.cnf -extensions v3_ca -signkey rootkey.pem -out cacert.pem -days 1095

Keep the certificate and the private key in one file (root.pem):
  cat cacert.pem rootkey.pem > root.pem

Display the X509 certificate subject, issuer, and dates:
  openssl x509 -subject -issuer -dates -noout -in root.pem

To display the entire X509 certificate:
  openssl x509 -text -in root.pem
Using the CA Private Key to Sign Certificates

Recall that the CA is the trusted third party, which means:
  The CA private key is used to sign certificates
  The CA public key (in the CA certificate) is used to verify certificates

To create a new private/public key pair and sign the public key with the CA to create a certificate, run:
  cert.sh name

Enter a password when prompted, and enter the host name (or "localhost") of the domain of the networked application as the "common name".
The password is used to lock the private key (it will be needed by your application to unlock the private key to establish secure communications).
Use the root CA's passphrase when prompted to sign the certificate.
Using the CA Private Key to Sign Certificates

The cert.sh script executes the following commands on its command-line argument name (e.g. use "server" for name to create server.pem):

Create new keys and a certificate signing request:
  openssl req -newkey rsa:1024 -sha1 -keyout namekey.pem -out namereq.pem

Sign the certificate with the root CA key:
  openssl x509 -req -in namereq.pem -sha1 -extfile openssl.cnf -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out namecert.pem -days 365

Put everything into one PEM file (including the CA certificate):
  cat namecert.pem namekey.pem cacert.pem > name.pem

Display the certificate subject, issuer, and dates:
  openssl x509 -subject -issuer -dates -noout -in name.pem

To display the entire X509 certificate:
  openssl x509 -text -in name.pem
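The openssl.cnf edit, the root.sh steps and the cert.sh steps above, carried through end to end as an added example (this is not code from the slides, the sslscripts tarball or the NSwO book): the script writes its own minimal openssl.cnf with the [req_distinguished_name] defaults and the v3_ca and usr_cert extension sections the commands reference, creates the root CA, signs a leaf certificate for "localhost", and then performs the check the slides leave implicit, that the leaf really chains to cacert.pem and is not itself a CA. The key size (2048), digest (-sha256), passphrase values, -subj arguments and the contents of the extension sections are choices made for this example, not values from the slides (which use rsa:1024, -sha1 and interactive prompts); it assumes OpenSSL 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not code from the slides or the NSwO-1.3 book: a self-contained
# re-creation of what root.sh and cert.sh do, driven by a throw-away openssl.cnf
# that the script writes itself. Assumptions: OpenSSL 1.1+ on PATH; the key
# size, digest, passphrases and extension contents below are this example's
# choices (the slides use rsa:1024, -sha1 and interactive passphrase prompts).
set -eu

CA_PASS="${CA_PASS:-root-ca-passphrase-placeholder}"    # locks rootkey.pem
KEY_PASS="${KEY_PASS:-leaf-key-passphrase-placeholder}" # locks <name>key.pem

# Minimal openssl.cnf: the [req_distinguished_name] defaults the slides ask you
# to edit, plus the v3_ca and usr_cert sections that `-extensions` refers to.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Your-State
localityName = Locality Name
localityName_default = Your-City
0.organizationName = Organization Name
0.organizationName_default = Your-Company-Name
commonName = Common Name (host name of the server)
emailAddress = Email Address
emailAddress_default = your-email@address

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# root.sh equivalent: key + CSR, self-sign with v3_ca, bundle into root.pem.
make_ca() {
  dir="$1"
  mkdir -p "$dir" && write_config "$dir"
  openssl req -newkey rsa:2048 -sha256 -config "$dir/openssl.cnf" \
    -subj "/C=US/O=Your-Company-Name/CN=Example Root CA" \
    -keyout "$dir/rootkey.pem" -passout "pass:$CA_PASS" -out "$dir/rootreq.pem"
  openssl x509 -req -in "$dir/rootreq.pem" -sha256 -extfile "$dir/openssl.cnf" \
    -extensions v3_ca -signkey "$dir/rootkey.pem" -passin "pass:$CA_PASS" \
    -out "$dir/cacert.pem" -days 1095
  cat "$dir/cacert.pem" "$dir/rootkey.pem" > "$dir/root.pem"
}

# cert.sh equivalent: key + CSR for <name>, sign it with the CA key held in
# root.pem using usr_cert, then bundle cert + key + CA cert into <name>.pem.
make_cert() {
  dir="$1"; name="$2"; cn="${3:-localhost}"
  openssl req -newkey rsa:2048 -sha256 -config "$dir/openssl.cnf" \
    -subj "/C=US/O=Your-Company-Name/CN=$cn" \
    -keyout "$dir/${name}key.pem" -passout "pass:$KEY_PASS" -out "$dir/${name}req.pem"
  openssl x509 -req -in "$dir/${name}req.pem" -sha256 -extfile "$dir/openssl.cnf" \
    -extensions usr_cert -CA "$dir/root.pem" -CAkey "$dir/root.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial -out "$dir/${name}cert.pem" -days 365
  cat "$dir/${name}cert.pem" "$dir/${name}key.pem" "$dir/cacert.pem" > "$dir/$name.pem"
}

# The check the slides leave implicit: does the new certificate chain to
# cacert.pem, and is it *not* itself a CA?  Returns non-zero on either failure.
check_cert() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/cacert.pem" "$dir/${name}cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -noout -text -in "$dir/${name}cert.pem" | grep -q 'CA:FALSE'
}

# Usage: sh ca-demo.sh /path/to/CA   (creates the CA and a "server" certificate)
if [ "$#" -gt 0 ]; then
  make_ca "$1"
  make_cert "$1" server localhost
  check_cert "$1" server && echo "servercert.pem chains to cacert.pem"
  openssl x509 -subject -issuer -dates -noout -in "$1/server.pem"
fi
```

Run it as `sh ca-demo.sh ./CA`. The point of check_cert is that `openssl x509 -req` will happily emit a certificate whichever extensions section you name, so a leaf accidentally signed with v3_ca would be a fully functional sub-CA; verifying basicConstraints on every certificate you hand out, not just that it parses, is the habit to keep.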
Client and Server Examples

We will review the NSwO-1.3/ssl examples:
  The BIO objects and functions
  The SSL objects and functions
  The CRYPTO functions
  The ERR functions

Use man pages and Web resources when necessary.