
1 Customizing X.509 Certificate Fields
  Charles D. Short
  CS526 – S2008, University of Colorado, Colorado Springs
  Dr. C. Edward Chow
  5/5/2008 CDS - UCCS CS526 - S2008

2 Discussion
  Project Goal
  Background
  OpenSSL
  OpenSSL commands
  openssl.cnf File
  Project .cnf Files
  Certificate Process
  Install Server Certificate
  Install Client Certificate
  Client Certificate
  Certificate challenge
  Server Acknowledgement
  Server Response
  Lessons Learned
  Future Research

3 Project Goal
  Determine and detail how to insert custom field information into an X.509 certificate.

4 Background
  An X.509 certificate can be used for authentication between a client and a server to ensure client identity, but it does not provide any additional fields for information that may be useful to custom applications running on the server.
  This project details how to insert additional information into the client certificate so that a server-based application can use it to provide services based upon that information.

5 Test Environment

6 OpenSSL
  Open source project
  Based on the SSLeay library developed by Eric A. Young and Tim J. Hudson
  Provides a cryptographic toolkit
    – Secure Sockets Layer (SSL)
    – Transport Layer Security (TLS)
    – General purpose cryptography library
  http://www.openssl.org/

7 OpenSSL Commands
  ca – Certificate Authority
    – Sign certificate requests
    – Generate Certificate Revocation List (CRL)
    – Maintain issued certificate database
  req – Create and process certificate requests
    – Certificate request creation
    – Certificate signing
    – Certificate display
  x509 – Multi purpose certificate utility
    – Display certificate information
    – Convert certificates to various forms
    – Sign certificate requests
    – Edit certificate trust settings

8 openssl.cnf File
  Divided into sections that begin with bracketed identifiers such as [ ca ]
  Sections correspond to the openssl commands ca, req, x509
  Directives consist of name = value pairs
    – Provide field values
    – Provide field defaults
    – Provide field attributes
    – Provide user prompts

9 openssl.cnf File (cont)
  CA Section
    – [ ca ]
    – [ CA_default ]
    – [ policy_match ]
    – [ policy_anything ]
  REQ Section
    – [ req ]
    – [ req_distinguished_name ]
    – [ req_attributes ]
  X.509 EXTENSION DIRECTIVES
    – [ usr_cert ]
    – [ v3_req ]
    – [ v3_ca ]
    – [ crl_ext ]
  http://www.technoids.org/openssl.cnf.html

10 Project .cnf Files
  Certificate Authority
    – http://cs.uccs.edu/~cdshort/cs526/certreq.txt
  Server
    – http://cs.uccs.edu/~cdshort/cs526/serverreq.txt
  Client
    – http://cs.uccs.edu/~cdshort/cs526/clientreq.txt

11 Certificate Creation Process
  Create certificate authority
    openssl req -config certreq.cnf -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem
  Create server certificate request
    openssl req -config serverreq.cnf -newkey rsa:1024 -keyout servertempkey.pem -out serverreq.pem
  Sign server certificate
    openssl ca -config certreq.cnf -in serverreq.pem -out servercrt.pem
  Create client certificate request
    openssl req -config clientreq.cnf -newkey rsa:1024 -out clientreq.pem -keyout clientkey.pem
  Sign client certificate
    openssl ca -config certreq.cnf -in clientreq.pem -out clientcrt.pem
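The deck links its .cnf files but does not show them, so here is a constructed openssl.cnf fragment (added example, not one of the project's files) showing the mechanism the req and ca commands above rely on: a custom subject attribute is registered in an oid_section and then used like any built-in DN field. The short name serviceTier and the OID 1.3.6.1.4.1.99999.1.1 are placeholders; the CA config must carry the same new_oids entries and list the attribute in its policy, or `openssl ca` silently deletes it from the signed certificate.

```ini
# --- clientreq.cnf (constructed example, not the deck's own file) ---
# oid_section must sit in the default section, before the first [ header ].
oid_section = new_oids

[ new_oids ]
# Placeholder OID under a private enterprise arc; use an arc you control.
serviceTier = 1.3.6.1.4.1.99999.1.1

[ req ]
distinguished_name = req_distinguished_name
prompt = yes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Colorado
organizationName = Organization Name
organizationName_default = UCCS
commonName = Common Name (client workstation or user)
commonName_max = 64
# The custom field: _default and _max work for it exactly as for built-ins,
# and its value becomes one more attribute in the certificate's subject DN.
serviceTier = Service tier (gold, silver or bronze)
serviceTier_default = bronze
serviceTier_max = 16

# --- certreq.cnf (CA side) additions ---
# Repeat the same oid_section / [ new_oids ] lines there, then name the
# attribute in the policy; fields absent from the policy are dropped by
# `openssl ca` unless -preserveDN is given.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
serviceTier = optional
```

Hosts whose OpenSSL does not load a config with this new_oids section (including the Apache server) will display the attribute by its dotted OID rather than by the short name.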

12 Install Server Certificate
  Move Certificates and Keys
    – sudo cp servercrt.pem /etc/ssl/certs
    – sudo cp serverkey.pem /etc/ssl/private
    – sudo cp cacert.pem /etc/ssl/certs
  Edit /etc/apache2/sites-available/default
    – SSLEngine on
    – SSLCertificateFile /etc/ssl/certs/servercrt.pem
    – SSLCertificateKeyFile
  Edit /etc/apache2/ports.conf
    – Listen 443
  Edit /etc/apache2/httpd.conf
    – SSLVerifyClient require
    – SSLVerifyDepth 1
    – SSLCACertificateFile /etc/ssl/certs/cacert.pem   (the directive takes the CA certificate file copied above, not the directory)
  Enable SSL
    – sudo a2enmod ssl
  Restart Web Server
    – sudo /etc/init.d/apache2 restart

13 Install Client Certificate
  Combine client certificate and key
    – cat clientkey.pem clientcrt.pem > clientcrtandkey.pem
  Convert PEM to PFX
    – openssl pkcs12 -export -out clientcert.pfx -in clientcrtandkey.pem -name "UbuntuWS1 Client certificate"
  Import using Internet Explorer
    – Tools / Internet Options / Content / Certificates / Import

14 Client Certificate

15 Certificate Challenge

16 Server Acknowledgment

17 Server Response

18 Server PHP Code
  Client Certificate Subject Distinguished Name Field:
    Client Certificate Subject Distinguished Name:
    <?php
      // mod_ssl exports the verified client subject DN as SSL_CLIENT_S_DN;
      // escape it before echoing it into the HTML response.
      print("ClientSDN: " . htmlspecialchars($_SERVER['SSL_CLIENT_S_DN']));
    ?>
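The PHP above only echoes the DN; the project goal is for the server application to act on the custom field. The following added example (not the deck's code) parses the legacy oneline DN format mod_ssl exported in this deck's era and authorizes on a placeholder attribute serviceTier / OID 1.3.6.1.4.1.99999.1.1, accepting either spelling because the server's OpenSSL usually does not know the custom short name.

```python
"""Consume a custom X.509 subject attribute from mod_ssl variables (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Placeholder OID / short name for the custom attribute (hypothetical values).
SERVICE_TIER_OID = "1.3.6.1.4.1.99999.1.1"
SERVICE_TIER_NAMES = {"serviceTier", SERVICE_TIER_OID}
ALLOWED_TIERS = {"gold", "silver", "bronze"}

# A new component starts at '/' followed by 'name=' or a dotted OID and '='.
# Splitting on every '/' would break values such as 'OU=Dept/Sub'.
_COMPONENT_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9]*=|\d+(?:\.\d+)+=)")


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse mod_ssl's legacy oneline DN ('/C=US/O=UCCS/CN=...') into ordered pairs.
    Newer Apache emits RFC 2253 form unless LegacyDNStringFormat is set."""
    if not dn.startswith("/"):
        raise ValueError("not a oneline DN")
    pairs = []
    for comp in _COMPONENT_BOUNDARY.split(dn[1:]):
        if "=" not in comp:
            raise ValueError(f"malformed component {comp!r}")
        name, value = comp.split("=", 1)
        pairs.append((name, value))
    return pairs


def service_tier(pairs: List[Tuple[str, str]]) -> Optional[str]:
    """Return the custom attribute, by short name or dotted OID; reject duplicates."""
    found = [v for k, v in pairs if k in SERVICE_TIER_NAMES]
    if len(found) > 1:
        raise ValueError("serviceTier present more than once")
    return found[0] if found else None


def authorize(environ: Dict[str, str]) -> Tuple[bool, str]:
    """Decide access from the CGI variables mod_ssl sets; trust the DN only
    when mod_ssl verified the chain (SSL_CLIENT_VERIFY == SUCCESS)."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "client certificate not verified"
    try:
        tier = service_tier(parse_oneline_dn(environ.get("SSL_CLIENT_S_DN", "")))
    except ValueError as exc:
        return False, f"bad DN: {exc}"
    if tier not in ALLOWED_TIERS:
        return False, "no recognised serviceTier in subject"
    return True, tier


# Constructed sample environment modelled on what mod_ssl would export.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/ST=Colorado/O=UCCS/OU=CS526/CN=UbuntuWS1/"
                       + SERVICE_TIER_OID + "=gold",
}
```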

19 Lessons Learned
  Documentation is scarce
  Documentation is confusing
  Certificate fields are obscure
  Flexibility is limited

20 Future Research
  Explore the addition of fields outside of the Distinguished Name (DN) section.
  Explore the creation of a different certificate format.
  Modify mod_ssl code to process new certificate contents.
  Modify the client browser to process new certificate contents.

21 References
  http://www.openssl.org/
  http://www.openssl.org/docs/apps/ca.html
  http://www.openssl.org/docs/apps/req.html
  http://www.openssl.org/docs/apps/x509.html
  http://www.technoids.org/openssl.cnf.html
  http://www.oid-info.com/standards.htm
  http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysql-and-cgi-bin/
  http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
  https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html
  http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6

22 Questions?
