Certificate Management with OpenSSL. Shu-Te University (樹德科技大學), Department of Computer Science and Information Engineering, 林峻立, Assistant Professor.


1 Certificate Management with OpenSSL
Shu-Te University (樹德科技大學), Department of Computer Science and Information Engineering, 林峻立, Assistant Professor

2 Certificate Hierarchy
Root CA: ca.key.pem, ca.cert.pem
  Intermediate CA: intermediate.key.pem, intermediate.cert.pem
    www.example.com (server): www.example.com.key.pem, www.example.com.cert.pem
    client: client.key.pem, client.cert.pem, client.pfx

3 Procedure
1. Create a key pair (a private key and a public key).
2. Create a certificate signing request (CSR): only the public key goes into the CSR, and the CSR is signed with the private key, which proves that the requester holds it.
3. Send the CSR to a CA.
4. The CA signs a certificate for the public key in the CSR: only the public key appears in the certificate, and the certificate is signed with the CA's private key.

4 Create the root key

5 Create the root certificate

6 Create the intermediate key

7 Create the intermediate certificate signing request (CSR)

8 Create the intermediate certificate

9 Create the certificate chain file

10 Create a server key

11 Create a server certificate signing request (CSR)

12 Create a server certificate

13 Config Apache SSL
/etc/httpd/conf.d/ssl.conf:
  SSLCertificateFile /etc/pki/tls/certs/www.example.com.cert.pem
  SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key.pem
Restart httpd; enter the passphrase protecting the private key if the key is encrypted.

14 Config Apache SSL

15 Config Apache SSL: Certificate Chain
The chain file starts with the issuing CA certificate of the server certificate and continues up to the root CA certificate.
/etc/httpd/conf.d/ssl.conf:
  SSLCertificateChainFile /etc/pki/tls/certs/ca-chain.cert.pem

16 Config Apache SSL: Certificate Chain

17 Config Apache SSL: Trust Root Certificate

18 Create a client key
  cd /root/ca
  openssl genrsa -aes128 -out intermediate/private/client.key.pem 1024
  chmod 400 intermediate/private/client.key.pem

19 Create a client certificate signing request (CSR)

20 Create a client certificate

21 Create a client PKCS#12 certificate
PKCS #12 is commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of CAs.

22 Authenticate Client
Import the client PKCS#12 certificate into the client.
On the server, in /etc/httpd/conf.d/ssl.conf:
  SSLVerifyClient require
  SSLVerifyDepth 2
  SSLCACertificateFile /etc/pki/tls/certs/ca-chain.cert.pem

23 Authenticate Client

24 Certificate revocation lists (CRL)
A certificate revocation list (CRL) provides a list of certificates that have been revoked.
- A client application, such as a web browser, can use a CRL to check a server's authenticity.
- A server application, such as Apache or OpenVPN, can use a CRL to deny access to clients that are no longer trusted.

25 Certificate revocation lists (CRL): for client certificates
1. Revoke a client certificate
2. Create the CRL
3. Config ssl.conf

26 Certificate revocation lists (CRL): Revoke a client certificate

27 Certificate revocation lists (CRL): Create the CRL
  openssl ca -config intermediate/openssl.cnf -gencrl -out /etc/pki/tls/crl/intermediate.crl.pem
  openssl crl -in /etc/pki/tls/crl/intermediate.crl.pem -noout -text

28 Certificate revocation lists (CRL): Server-side use of the CRL
For client certificates, it is typically a server-side application (e.g., Apache) that does the verification.
On the server, in /etc/httpd/conf.d/ssl.conf:
  SSLCARevocationFile /etc/pki/tls/crl/intermediate.crl.pem

29 Online Certificate Status Protocol (OCSP): for server certificates
1. Prepare the configuration file
2. Create a client certificate
3. Revoke the server certificate
4. Start the OCSP responder

30 Online Certificate Status Protocol (OCSP): Prepare the configuration file
  [ usr_cert ]
  crlDistributionPoints = URI:http://ca.example.com/intermediate.crl.pem
  authorityInfoAccess = OCSP;URI:http://ocsp.example.com

31 Online Certificate Status Protocol (OCSP): Create a client certificate

32 Online Certificate Status Protocol (OCSP): Revoke the server certificate

33 Online Certificate Status Protocol (OCSP): Start the OCSP responder
  openssl ocsp -index intermediate/index.txt -CA intermediate/certs/ca-chain.cert.pem -rkey intermediate/private/intermediate.key.pem -rsigner intermediate/certs/intermediate.cert.pem -port 2560
