Public Key Infrastructure (PKI) Certifiactes using OpenSSL. Documentation: ttp://

Transcription

1 Public Key Infrastructure (PKI) Certifiactes using OpenSSL Documentation: ttp:// Certificate Requests Commands: To generate a certificate request and sign it from CA. In the following: replace wahab with your <login name> % mkdir wahab_cert_request % cd wahab_cert_request % cp /home/cs472/public_html/pki/openssl/shells/students/*. This copies all the shell scripts and files needed. % gencertreq.sh wahab That will create two files: wahab_certreq.pem & wahab_privatekey.pem % printcertreq.sh wahab This prints wahab_certreq.pem % submit cs472 Submit file: wahab_certreq.pem % cp /home/cs472/public_html/pki/openssl/signed_requests/wahab_c ert.pem. Do this after the CA has signed your certificate and notifies you via . To renew a certificate and re-sign it from CA. % certoreq.sh wahab This generates wahab_certreq.pem using the your original public/private keys. Submit this request for the CA to sign as you did for the original request. Certificate Authority (CA) Commands To setup the necessary environment to create CA keys and root certificate, and to sign and resign the students certificate requests.

2 To create CA keys and root certificate % cp /home/cs472/public_html/pki/openssl/shells/ca/*. Copy the ca shell scripts in any directory you choose. Edit file myopenssl.cnf to replace cs472 with your <login name> % setup.sh Create the needed files and directories. % genca.sh Create CA keys (ca_key.pem) & certificate (ca_cert.pem). % printcert.sh ca_cert print certificate ca_cert.pem To sign certificate requests % issuecert.sh wahab This signs a request from student whose login is wahab under submitted_requests/wahab_cerreq.pem and produces signed_requests/wahab_cert.pem & issued_certs/xx.pem where xx is serial number of cert. % printcert.sh signed_requests/wahab_cert % printcert.sh issued_certs/xx print wahab_cert.pem & xx.pem To re-sign certificate requests % resign.sh wahab Application of PKI Secure Multipurpose Internet Mail Exchange (SMIME) use Mail to send and read your mail. In reading mail a message: write the message to a file (e.g., w file)

3 encrypted mail Send: % sendencmail.sh wahab file The sender should have wahab_cert.pem Read: % readencmail.sh wahab file The reciepient should have wahab_privatekey.pem signed mail Send: % sendsignmail.sh wahab file cs472 The sender should have cs472_cert.pem & cs472_privatekey.pem Read: % readsignmail.sh file The reciepient should have ca_cert.pem signed encrypted mail Send: % sendsign_encmail.sh wahab file cs472 The sender should have: wahab_cert.pem, cs472_cert.pem & cs472_privatekey.pem Read: % readsign_encmail.sh wahab file The reciepient should have: wahab_cert.pem, wahab_privatekey.pem & ca_cert.pem Shell Scripts for OpenSSl PKI for students gencerreq.sh: openssl req -newkey rsa:1024 -keyout $1_privatekey.pem -keyform PEM -out $1_certreq.pem -outform PEM certoreq.sh: openssl x509 -x509toreq -in $1_cert.pem -out $1_certreq.pem -signkey $1_privatekey.pem printcert.sh:

4 openssl x509 -in $1.pem -text -noout printcertreq.sh: openssl req -in $1_certreq.pem -text -noout setup.sh: genca.sh: for CA cp /home/cs472/randomfile. cp /home/cs472/randomfile /home/cs472/.rnd mkdir issued_certs ca_private_key mkdir submitted_requests signed_requests chmod og-rwx ca_private_key echo "01" > serial touch index.txt openssl req -x509 -newkey rsa -out ca_cert.pem -outform PEM issuecert.sh: openssl ca -in submitted_requests/$1_certreq.pem -out signed_requests/$1_cert.pem -notext resign.sh: openssl x509 -req -in $1_certreq.pem -out $1_cert.pem -signkey ca_privatekey.pem -days 365 myopenssl.cnf: [ ca ] default_ca = wahabca [ wahabca ] dir =/home/cs472/public_html/pki/openssl certificate = $dir/ca_cert.pem

5 database = $dir/index.txt new_certs_dir = $dir/issued_certs private_key = $dir/ca_private_key/ca_key.pem serial = $dir/serial RANDFILE = $dir/randomfile default_days = 365 default_crl_days = 7 default_md = md5 policy = wahabca_policy x509_extensions = certificate_extensions [ wahabca_policy ] commonname = supplied stateorprovincename = supplied countryname = supplied address = optional organizationname = supplied organizationalunitname = optional [ certificate_extensions ] basicconstraints = CA:true [ req ] default_bits = 1024 default_keyfile = /home/cs472/public_html/pki/openssl/ca_private_key/ca_key.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonname = Dr. Wahab stateorprovincename = Virginia countryname = US address = wahab@cs.odu.edu organizationname = Old Dominion University [ root_ca_extensions ] basicconstraints = CA:true smime

6 sendencmail.sh: # syntax: sendencmail.sh <receipient-login> <file> openssl smime -encrypt -in $2 -des3 -out $2.enc $1_cert.pem Mail $1 < $2.enc readencmail.sh: # syntax: readencmail.sh <receipient-login> <file> openssl smime -decrypt -out $2.txt -des3 -in $2 -recip $1_cert.pem -inkey $1_privatekey.pem more $2.txt sendsignmail.sh: # syntax: sendsignmail.sh <receipient-login> <file> <sender_login> openssl smime -sign -in $2 -out $2.sig -signer $3_cert.pem -inkey $3_privatekey.pem Mail $1 < $2.sig readsignmail.sh: # syntax: readsignmail.sh <file> openssl smime -CAfile ca_cert.pem -verify -in $1 -out $1.txt -signer file.pem openssl x509 -in file.pem -text -noout grep Subject: more $1.txt sendsign_encmail.sh: # syntax: sendsign_encmail.sh <receipient-login> <file> <sender_login> openssl smime -sign -in $2 -out $2.sig -signer $3_cert.pem -inkey $3_privatekey.pem openssl smime -encrypt -in $2.sig -des3 -out $2.enc $1_cert.pem Mail $1 < $2.enc readsign_encmail.sh: # syntax: readsign_encmail.sh <receipient-login> <file> openssl smime -decrypt -out $2.sig -des3 -in $2 -recip $1_cert.pem - inkey $1_privatekey.pem

7 openssl smime -CAfile ca_cert.pem -verify -in $2.sig -out $2.txt signer file.pem openssl x509 -in file.pem -text -noout grep Subject: more $2.txt