Customizing X.509 Certificate Fields
Charles D. Short
CS526 – S2008
University of Colorado, Colorado Springs
Dr. C. Edward Chow
5/5/2008 CDS - UCCS CS526 - S2008
Discussion
– Project Goal
– Background
– OpenSSL
– OpenSSL commands
– openssl.cnf File
– Project.cnf Files
– Certificate Process
– Install Server Certificate
– Install Client Certificate
– Client Certificate
– Certificate challenge
– Server Acknowledgement
– Server Response
– Lessons Learned
– Future Research
Project Goal
Determine and detail how to insert custom field information into an X.509 certificate.
Background
An X.509 certificate can be used for authentication between a client and server to ensure client identity, but it does not provide any additional fields for information that may be useful to custom applications running on the server. This project details how to insert additional information into the client certificate, which a server-based application may then use to provide services based upon that information.
Test Environment
OpenSSL
– Open source project
– Based on the SSLeay library developed by Eric A. Young and Tim J. Hudson
– Provides a cryptographic toolkit
  – Secure Sockets Layer (SSL)
  – Transport Layer Security (TLS)
  – General purpose cryptography library
– http://www.openssl.org/
OpenSSL Commands
– ca: Certificate Authority
  – Sign certificate requests
  – Generate Certificate Revocation List (CRL)
  – Maintain issued certificate database
– req: Create and process certificate requests
  – Certificate request creation
  – Certificate signing
  – Certificate display
– x509: Multi-purpose certificate utility
  – Display certificate information
  – Convert certificates to various forms
  – Sign certificate requests
  – Edit certificate trust settings
openssl.cnf File
– Divided into sections that begin with bracketed identifiers such as [ ca ]
– Sections correspond to the openssl commands ca, req, x509
– Directives consist of name = value pairs
  – Provide field values
  – Provide field defaults
  – Provide field attributes
  – Provide user prompts
openssl.cnf File (cont)
– CA Section
  – [ ca ]
  – [ CA_default ]
  – [ policy_match ]
  – [ policy_anything ]
– REQ Section
  – [ req ]
  – [ req_distinguished_name ]
  – [ req_attributes ]
– X.509 EXTENSION DIRECTIVES
  – [ usr_cert ]
  – [ v3_req ]
  – [ v3_ca ]
  – [ crl_ext ]
– http://www.technoids.org/openssl.cnf.html
Project.cnf Files
– Certificate Authority: http://cs.uccs.edu/~cdshort/cs526/certreq.txt
– Server: http://cs.uccs.edu/~cdshort/cs526/serverreq.txt
– Client: http://cs.uccs.edu/~cdshort/cs526/clientreq.txt
Certificate Creation Process
– Create certificate authority
  openssl req -config certreq.cnf -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem
– Create server certificate request
  openssl req -config serverreq.cnf -newkey rsa:1024 -keyout servertempkey.pem -out serverreq.pem
– Sign server certificate
  openssl ca -config certreq.cnf -in serverreq.pem -out servercrt.pem
– Create client certificate request
  openssl req -config clientreq.cnf -newkey rsa:1024 -out clientreq.pem -keyout clientkey.pem
– Sign client certificate
  openssl ca -config certreq.cnf -in clientreq.pem -out clientcrt.pem
Install Server Certificate
– Move certificates and keys
  – sudo cp servercrt.pem /etc/ssl/certs
  – sudo cp serverkey.pem /etc/ssl/private
  – sudo cp cacert.pem /etc/ssl/certs
– Edit /etc/apache2/sites-available/default
  – SSLEngine on
  – SSLCertificateFile /etc/ssl/certs/servercrt.pem
  – SSLCertificateKeyFile
– Edit /etc/apache2/ports.conf
  – Listen 443
– Edit /etc/apache2/httpd.conf
  – SSLVerifyClient require
  – SSLVerifyDepth 1
  – SSLCACertificateFile /etc/ssl/certs
– Enable SSL
  – sudo a2enmod ssl
– Restart web server
  – sudo /etc/init.d/apache2 restart
Install Client Certificate
– Combine client certificate and key
  – cat clientkey.pem clientcrt.pem > clientcrtandkey.pem
– Convert PEM to PFX
  – openssl pkcs12 -export -out clientcert.pfx -in clientcrtandkey.pem -name "UbuntuWS1 Client certificate"
– Import using Internet Explorer
  – Tools / Internet Options / Content / Certificates / Import
Client Certificate
Certificate Challenge
Server Acknowledgment
Server Response
Server PHP Code
Client Certificate Subject Distinguished Name Field:
Client Certificate Subject Distinguished Name:
<?php print("ClientSDN: $_SERVER[SSL_CLIENT_S_DN] "); ?>
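The PHP slide above only echoes SSL_CLIENT_S_DN; the server-side application still has to pull the custom subject field out of that string before it can grant services on it. The following added example (not from the slides) does that in Python for the one-line DN format mod_ssl produced in the Apache 2.2 setup described here (newer Apache emits the comma-separated RFC 2253 form unless SSLOptions +LegacyDNStringFormat is set). The OID 1.3.6.1.4.1.99999.1 and the "role" meaning attached to it are constructed placeholders for whatever custom attribute the clientreq.cnf defines.

```python
"""Consume a custom subject field from mod_ssl's SSL_CLIENT_S_DN.

OpenSSL's one-line DN format renders the subject as /C=US/ST=Colorado/...
An attribute whose OID has no registered short name is printed as the
dotted OID itself, which is how a custom field added via openssl.cnf
shows up to the server application.
"""
import re

# Constructed placeholder for the custom attribute's OID; substitute the
# OID defined in your own clientreq.cnf.
ROLE_OID = "1.3.6.1.4.1.99999.1"


def parse_oneline_dn(dn: str) -> dict:
    """Parse an OpenSSL one-line DN such as '/C=US/O=UCCS/CN=Alice'.

    A literal '/' inside a value is escaped as '\\/' in this format, so the
    string is split only on slashes not preceded by a backslash.
    Malformed components raise rather than being silently dropped.
    """
    if not dn.startswith("/"):
        raise ValueError("expected OpenSSL one-line DN beginning with '/'")
    attrs = {}
    for part in re.split(r"(?<!\\)/", dn[1:]):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {part!r}")
        attrs[key] = value.replace("\\/", "/")
    return attrs


def authorize(dn: str, allowed_roles: set) -> bool:
    """Grant access only if the custom role attribute is present and permitted.

    A missing attribute is a deny: a certificate issued without the custom
    field (for example by a stock openssl.cnf) must not pass by accident.
    """
    role = parse_oneline_dn(dn).get(ROLE_OID)
    return role is not None and role in allowed_roles
```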
Lessons Learned
– Documentation is scarce
– Documentation is confusing
– Certificate fields are obscure
– Flexibility is limited
Future Research
– Explore the addition of fields outside of the Distinguished Name (DN) section.
– Explore the creation of a different certificate format.
– Modify MOD_SSL code to process new certificate contents.
– Modify the client browser to process new certificate contents.
References
– http://www.openssl.org/
– http://www.openssl.org/docs/apps/ca.html
– http://www.openssl.org/docs/apps/req.html
– http://www.openssl.org/docs/apps/x509.html
– http://www.technoids.org/openssl.cnf.html
– http://www.oid-info.com/standards.htm
– http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysql-and-cgi-bin/
– http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
– https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html
– http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
Questions?