The easiest way to build a very basic Public Key Infrastructure (PKI) using OpenSSL.
Building Basic Public Key Infrastructure
This work is done by ISMAIL RACHDAOUI
Generating a digital certificate for a user using OpenSSL:
The first step in every certificate system is to create the Root certificate. It will be
self-signed; we will then use this Root certificate to sign the other certificates we
generate.
1- Generate the Root certificate:
As mentioned in the introduction, the Root certificate will be self-signed; here is
the OpenSSL command line to generate it:
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 356
In this example, the root certificate uses RSA as its public-key algorithm with a
2048-bit key length. This command generates 2 files:
ca.key: the private key of the root certificate
ca.crt: the self-signed root certificate, which carries the corresponding public key
The -x509 option is used for a self-signed certificate, and the parameter -days
means that it will be valid for 356 days.
Here are the screenshots:
Once we run the command, OpenSSL asks us to enter a passphrase; it is used to
encrypt the private key ca.key, so it must be supplied whenever ca.key is used. Then we continue.
The next step is to enter the Distinguished Name (DN) for the certificate. The
information given is used to build the certificate's subject; you can leave some
fields empty but not the Common Name (CN). The CN may be, for example, your
hostname, in this case Ubuntu.
That's all! Our Root certificate is created; we can display ca.key and ca.crt using
the Linux cat command.
2- Generate a user certificate:
The creation of a user certificate is done in the following steps.
Step 1: create the private key of the user certificate:
The command is
openssl genrsa -out user.key 4096
4096 is the key length in bits.
Step 2: Creating a certificate request
To create a certificate, you need to start with a certificate request. A certificate request can be signed using the self-signed certificate created before.
To generate the certificate request we use the following command: openssl req -new -key user.key -out user.csr
Then openssl will ask us to fill in some information about the user, as below:
This command produces the file user.csr (csr stands for Certificate Signing Request).
Step 3: Sign the CSR file with the Root certificate
The final step is to get user.csr signed using the Root certificate, so that it is valid in the certificate chain. The command line is
openssl x509 -req -days 730 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
In this command we have to provide the path of the CSR, the path of the Root certificate and the path of the Root certificate's private key; the generated certificate is user.crt, valid for 730 days. -set_serial 01 fixes the certificate's serial number: serial numbers must be unique per issuer, so give each certificate you sign with this CA a different value (or use -CAcreateserial, which keeps a counter in ca.srl).
That's all! The screenshot proves that the CSR is successfully signed and the user certificate user.crt is created.
To use user.key for Authenticode signatures with Microsoft's signtool, you'll have to package the key and certificates in a PKCS12 file using the command line:
More about the PKCS12 format: http://en.wikipedia.org/wiki/PKCS_12
openssl pkcs12 -export -out user.p12 -inkey user.key -in user.crt -chain -CAfile ca.crt
The program asks for an export password; choose one and remember it, since you will
need it to import the file on any Windows machine.
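The whole procedure above (root certificate, user key, CSR, signing, PKCS12 export), written as a script so it runs unattended and checks its own result. This is an added example, not the author's commands: the working directory, the subject names and the export password are constructed placeholders; -subj and -nodes replace the interactive DN and passphrase prompts described above; -CAcreateserial replaces -set_serial 01 so repeated runs do not reuse a serial; and -certfile ca.crt replaces -chain -CAfile ca.crt, which gives the same bundle when the root is the only CA.

```shell
#!/bin/sh
# Added example (not from the original document): the basic PKI procedure,
# run non-interactively and verified at the end.
# Assumptions (constructed): the work directory, the subject names and the
# export password below are placeholders; replace them for real use.
set -eu

PKI_DIR="${PKI_DIR:-./basic-pki}"     # where ca.*, user.* and user.p12 are written
ROOT_DAYS=356                         # as in the document
USER_DAYS=730
P12_PASS="${P12_PASS:-changeit}"      # placeholder export password

# 1- Root certificate (self-signed). -subj replaces the interactive DN prompts.
# -nodes leaves ca.key unencrypted so the script runs unattended; omit it to get
# the passphrase prompt the document describes and keep ca.key encrypted.
build_root_ca() {
    mkdir -p "$PKI_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$ROOT_DAYS" \
        -subj "/CN=Example Root CA" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# 2- User certificate: private key, CSR, then signature by the root.
issue_user_cert() {
    openssl genrsa -out "$PKI_DIR/user.key" 4096 2>/dev/null
    openssl req -new -key "$PKI_DIR/user.key" \
        -subj "/CN=user.example.test" -out "$PKI_DIR/user.csr"
    # -CAcreateserial keeps a counter in ca.srl, so every certificate this CA
    # signs gets a distinct serial number (a hard-coded -set_serial 01 would
    # give every certificate the same serial).
    openssl x509 -req -days "$USER_DAYS" -in "$PKI_DIR/user.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -out "$PKI_DIR/user.crt" 2>/dev/null
}

# PKCS12 bundle: user key + user cert + root cert, protected by the export password.
export_pkcs12() {
    openssl pkcs12 -export -out "$PKI_DIR/user.p12" \
        -inkey "$PKI_DIR/user.key" -in "$PKI_DIR/user.crt" \
        -certfile "$PKI_DIR/ca.crt" -passout "pass:$P12_PASS"
}

# Check: does user.crt chain to ca.crt? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/user.crt" >/dev/null 2>&1
}

# Check: number of certificates inside the .p12 (expected 2: user + root).
p12_cert_count() {
    openssl pkcs12 -in "$PKI_DIR/user.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    build_root_ca
    issue_user_cert
    export_pkcs12
    if verify_chain; then
        echo "user.crt verifies against ca.crt"
    else
        echo "chain verification FAILED" >&2
        exit 1
    fi
    echo "certificates in user.p12: $(p12_cert_count)"
    openssl x509 -in "$PKI_DIR/user.crt" -noout -subject -issuer -serial
}

main "$@"
```

Run it as `sh build_pki.sh` (or `PKI_DIR=/some/dir P12_PASS=... sh build_pki.sh`); it prints the subject, issuer and serial of user.crt, and exits non-zero if user.crt does not verify against ca.crt. The verify step is the part worth keeping in any real setup: it is the check that the signing actually produced a certificate the root trusts.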