Presentation is loading. Please wait.

Presentation is loading. Please wait.

Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526."— Presentation transcript:

1 Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526 - S20081

2 Discussion Project Goal Background OpenSSL OpenSSL commands openssl.cnf File Project.cnf Files Certificate Process Install Server Certificate Install Client Certificate Client Certificate Certificate challenge Server Acknowledgement Server Response Lessons Learned Future Research 5/5/2008CDS - UCCS CS526 - S20082

3 Project Goal Determine and detail how to insert custom field information into an X.509 certificate. 5/5/2008CDS - UCCS CS526 - S20083

4 Background An X.509 certificate can be used for authentication between a client and server to insure client identity but does not provide any additional fields for information which may be useful to custom applications running on the server. This project will detail how to insert additional information into the client certificate which may then be used by a server based application to provide services based upon this information. 5/5/2008CDS - UCCS CS526 - S20084

5 Test Environment 5/5/2008CDS - UCCS CS526 - S20085

6 OpenSSL Open source project Based on SSLeay library developed by Eric A. Young and Tim J. Hudson Provides cryptographic toolkit – Secure Sockets Layer (SSL) – Transport Layer Security (TLS) – General purpose cryptography library http://www.openssl.org/ 5/5/2008CDS - UCCS CS526 - S20086

7 OpenSSL Commands – ca Certificate Authority – Sign certificate requests – Generate Certificate Revocation List (CRL) – Maintain issued certificate database – req Create and process certificate requests – Certificate request creation – Certificate signing – Certificate display – x509 Multi purpose certificate utility – Display certificate information – Convert certificates to various forms – Sign certificate requests – Edit certificate trust settings 5/5/2008CDS - UCCS CS526 - S20087

8 openssl.cnf File Divided into sections that begin with bracketed identifiers such as [ ca ] Sections correspond to openssl commands ca, req, x509 Directives consist of = Provides field values Provides field defaults Provides field attributes Provides user prompts 5/5/2008CDS - UCCS CS526 - S20088

9 openssl.cnf File (cont) CA Section – [ ca ] – [ CA_default ] – [ policy_match ] – [ policy_anything ] REQ Section – [ req ] – [ req_distinguished_name ] – [ req_attributes ] X.509 EXTENSION DIRECTIVES – [ usr_cert ] – [ v3_req ] – [ v3_ca ] – [ crl_ext ] http://www.technoids.org/openssl.cnf.html 5/5/2008CDS - UCCS CS526 - S20089

10 Project.cnf Files Certificate Authority – http://cs.uccs.edu/~cdshort/cs526/certreq.txt http://cs.uccs.edu/~cdshort/cs526/certreq.txt Server – http://cs.uccs.edu/~cdshort/cs526/serverreq.txt http://cs.uccs.edu/~cdshort/cs526/serverreq.txt Client – http://cs.uccs.edu/~cdshort/cs526/clientreq.txt http://cs.uccs.edu/~cdshort/cs526/clientreq.txt 5/5/2008CDS - UCCS CS526 - S200810

11 Certificate Creation Process Create certificate authority openssl req -config certreq.cnf -x509 -newkey rsa:2048 –keyout cakey.pem -out cacert.pem Create server certificate request openssl req -config serverreq.cnf -newkey rsa:1024 –keyout servertempkey.pem –out serverreq.pem Sign server certificate openssl ca -config certreq.cnf -in serverreq.pem -out servercrt.pem Create client certificate openssl req -config clientreq.cnf -newkey rsa:1024 -out clientreq.pem -keyout clientkey.pem Sign client certificate openssl ca -config certreq.cnf -in clientreq.pem -out clientcrt.pem 5/5/2008CDS - UCCS CS526 - S200811

12 Install Server Certificate Move Certificates and Keys – sudo cp servercrt.pem /etc/ssl/certs – sudo cp serverkey.pem /etc/ssl/private – sudo cp cacert.pem /etc/ssl/certs Edit /etc/apache2/sites-available/default – SSLEngine on – SSLCertificateFile /etc/ssl/certs/servercrt.pem – SSLCertificateKeyFile Edit /etc/apache2/ports.conf – Listen 443 Edit /etc/apache2/httpd.conf – SSLVerifyClient require – SSLVerifyDepth 1 – SSLCACertificateFile /etc/ssl/certs Enable SSL – sudo a2enmod ssl Restart Web Server – sudo /etc/init.d/apache2 restart 5/5/2008CDS - UCCS CS526 - S200812

13 Install Client Certificate Combine client certificate and key – cat clientkey.pem clientcrt.pem > clientcrtandkey.pem Convert PEM to PFX – openssl pkcs12 -export -out clientcert.pfx -in clientcrtandkey.pem -name "UbuntuWS1 Client certificate” Import using Internet Explorer – tools/internet options/content/certificates/import 5/5/2008CDS - UCCS CS526 - S200813

14 Client Certificate 5/5/2008CDS - UCCS CS526 - S200814

15 Certificate Challenge 5/5/2008CDS - UCCS CS526 - S200815

16 Server Acknowlegment 5/5/2008CDS - UCCS CS526 - S200816

17 Server Response 5/5/2008CDS - UCCS CS526 - S200817

18 Server PHP Code Client Certificate Subject Distinguished Name Field: Client Certificate Subject Distinguished Name: <?php print("ClientSDN: $_SERVER[SSL_CLIENT_S_DN] "); ?> 5/5/2008CDS - UCCS CS526 - S200818

19 Lessons Learned Documentation is scarce Documentation is confusing Certificate fields are obscure Flexibility is limited 5/5/2008CDS - UCCS CS526 - S200819

20 Future Research Explore the addition of fields outside of the Distinguished Name (DN) section. Explore the creation of a different certificate format. Modify MOD_SSL code to process new certificate contents. Modify Client browser to process new certificate contents. 5/5/2008CDS - UCCS CS526 - S200820

21 References http://www.openssl.org/ http://www.openssl.org/docs/apps/ca.html http://www.openssl.org/docs/apps/req.html http://www.openssl.org/docs/apps/x509.html http://www.technoids.org/openssl.cnf.html http://www.oid-info.com/standards.htm http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysql- and-cgi-bin/ http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysql- and-cgi-bin/ http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6 5/5/2008CDS - UCCS CS526 - S200821

22 Questions? 5/5/2008CDS - UCCS CS526 - S200822

Download ppt "Customizing X.509 Certificate Fields Charles D. Short CS526 – S2008 University of Colorado, Colorado Springs Dr. C. Edward Chow 5/5/2008CDS - UCCS CS526."

Similar presentations

CP3397 ECommerce.

CP3397 ECommerce.
HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.

HTTPS/SSL Oleh: Idris Winarno. Persiapan Pastikan repository debian # vim /etc/apt/sources.list deb etch main contrib non-freehttp://kebo.vlsm.org/debian.
Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.

Apache2 HTTPS. 1. Install webserver Apache # apt-get install apache2 2. Buat direktori untuk menyimpan file https # mkdir /var/www/secure 3. Instalasi.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
Introduction to OpenSSL Jing Dalhousie University.

Introduction to OpenSSL Jing Dalhousie University.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Secure Information Sharing Using Attribute Certificates and Role Based Access Control Ganesh Godavari, C. Edward Chow 06/22/2005 University of Colorado.

Secure Information Sharing Using Attribute Certificates and Role Based Access Control Ganesh Godavari, C. Edward Chow 06/22/2005 University of Colorado.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
12/2/2003chow1 Network and System Support for Multi-Level Security C. Edward Chow Department of Computer Science University of Colorado At Colorado Springs.

12/2/2003chow1 Network and System Support for Multi-Level Security C. Edward Chow Department of Computer Science University of Colorado At Colorado Springs.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Apache Web Server Quick and Dirty Steve Gibbard for SANOG 16 (Originally by Joel Jaeggli for AfNOG 2007) ‏

Apache Web Server Quick and Dirty Steve Gibbard for SANOG 16 (Originally by Joel Jaeggli for AfNOG 2007) ‏
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Similar presentations

Ads by Google