Securing Web Access with a Private Certificate Authority



Similar documents
Creation and Management of Certificates


X.509 and SSL. A look into the complex world of X.509 and SSL UUASC 07/05/07. Phil Dibowitz

Working with Certificate and Key Files in MatrixSSL

Technical specification

SSL Peach Pit User Guide. Peach Fuzzer, LLC. Version

Replacing vcenter Server 4.0 Certificates VMware vsphere 4.0

Generating and Installing SSL Certificates on the Cisco ISA500

Securing Your Condor Pool With SSL. Zach Miller Condor Project Computer Sciences Department University of Wisconsin-Madison

Virtual Private Network with OpenVPN

Secure Systems and Networks OpenSSL. Tomasz Surmacz, PhD 25 listopada 2014

DoD Public Key Enablement (PKE) Quick Reference Guide. Securing Apache HTTP with mod_ssl for Linux

The OPC UA Security Model For Administrators. Whitepaper Version 1.00

Implementing HTTPS in CONTENTdm 6 September 5, 2012

Information Systems Security Management

e-cert (Server) User Guide For Apache Web Server

How to generate SSL certificates for use with a KVM box & XViewer with XCA v0.9.3

Yealink Technical White Paper. Contents. About VPN Types of VPN Access VPN Technology... 3 Example Use of a VPN Tunnel...

Installing an SSL certificate on the InfoVaultz Cloud Appliance

SSL Certificates HOWTO

Replacing VirtualCenter Server Certificates VMware Infrastructure 3

SSL Certificates in IPBrick

Crypto Lab Public-Key Cryptography and PKI

About VPN Yealink IP Phones Compatible with VPN Installing the OpenVPN Server Configuring the OpenVPN Feature on IP Phones...

Cisco Expressway Certificate Creation and Use

Installing Apache as an HTTP Proxy to the local port of the Secure Agent s Process Server

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

Encrypted Connections

LoadMaster SSL Certificate Quickstart Guide

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

mod_ssl Cryptographic Techniques

Cisco TelePresence VCS Certificate Creation and Use

SSL Certificates HOWTO

SBClient SSL. Ehab AbuShmais

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Do Web Browsers Obey Best Practices When Validating Digital Certificates?

Websense Content Gateway HTTPS Configuration

This section describes how to use SSL Certificates with SOA Gateway running on Linux.

Cisco Expressway Certificate Creation and Use

Chapter 7 Managing Users, Authentication, and Certificates

Apache Security with SSL Using Linux

CentOS. Apache. 1 de 8. Pricing Features Customers Help & Community. Sign Up Login Help & Community. Articles & Tutorials. Questions. Chat.

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Cisco TelePresence VCS Certificate Creation and Use

Server Certificate: Apache + mod_ssl + OpenSSL

Certificate technology on Pulse Secure Access

Apache Security with SSL Using Ubuntu

Certificate technology on Junos Pulse Secure Access

Displaying SSL Certificate and Key Pair Information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Implementing Secure Sockets Layer on iseries

>copy openssl.cfg openssl.conf (use the example configuration to create a new configuration)

Apache, SSL and Digital Signatures Using FreeBSD

Laboratory Exercises VI: SSL/TLS - Configuring Apache Server

Configuration (X87) SAP Mobile Secure: SAP Afaria 7 SP5 September 2014 English. Building Block Configuration Guide

Virtual Private Network (VPN) Lab

Activating HTTPS using wildcard certificate in Horizon Application Manager 1.5

Creating Certificate Authorities and self-signed SSL certificates

SSL Interception on Proxy SG

IEA Software, Inc x/EAP Authentication Guide RadiusNT/X V5.1

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

unigui Developer's Manual 2014 FMSoft Co. Ltd.

HP OpenView Adapter for SSL Using Radia

To enable https for appliance

By default, STRM provides an untrusted SSL certificate. You can replace the untrusted SSL certificate with a self-signed or trusted certificate.

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Apache 2.2 and mod_proxy_balancer

CHAPTER 7 SSL CONFIGURATION AND TESTING

Factory Application Certificates and Keys Products: SB700EX, SB70LC

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Displaying SSL Certificate and Key Pair Information

HOST LINKS SSL G&R. Using SSL for security with G&R products.

Configuring Digital Certificates

Securing Your Apache Web Server With a Thawte Digital Certificate

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Junio SSL WebLogic Oracle. Guía de Instalación. Junio, SSL WebLogic Oracle Guía de Instalación CONFIDENCIAL Página 1 de 19

jodbc Service and SQL Catalog

Understanding digital certificates

A STEP- BY-STEP GUIDE

Grid Computing - X.509

Secure Communications with OpenEdge and SSL PAUL KOUFALIS PRESIDENT PROGRESSWIZ CONSULTING

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Security Digital Certificate Manager

Clearswift Information Governance

Security Digital Certificate Manager

Djigzo S/MIME setup guide

COMP 3704 Computer Security

SSL/TLS Hands-on Thomas Herlea

NetApp Storage Encryption: Preinstallation Requirements and Procedures for SafeNet KeySecure

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

SolarWinds Technical Reference

Mise en pratique : installation d'openvpn sur OpenWRT

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

X.509 Certificate Generator User Manual

Presented by Mark Bixby Solution Symposium 2002

Generate CSR for Third Party Certificates and Download Unchained Certificates to the WLC

Implementing Secure Sockets Layer (SSL) on i

Integrated SSL Scanning

Transcription:

Securing Web Access with a Private Certificate Authority Presented by Paul Weinstein, Waubonsie Consulting, <pdw@waubonsie.com> ApacheCon US 2002 November 20, 2002 Paul Weinstein - <pdw@waubonsie.com> - 1

Hello World Introduction The Basics: Review of Digital Certificates A Private Certificate Authority in Action The Nit and Gritty Creating a Private Certificate Authority Publishing the Private Certificate Authority Using Our Private Certificate Authority Paul Weinstein - <pdw@waubonsie.com> - 2

Notice Persons attempting to find a motive in this narrative will be prosecuted; persons attempting to find a moral will be banished; persons attempting to find a plot will be shot. - Preface for The Adventures of Huck Finn By Mark Twain Paul Weinstein - <pdw@waubonsie.com> - 3

The Basics Digital Certificates and Certificate Authorities Paul Weinstein - <pdw@waubonsie.com> - 4

Digital Certificates SSL Protocol Encryption Authentication Digital Certificates A Serial Number Identifying Information Individual and/or Group Name Location/Contact Information Subject s Public Key Name Of Issuing Certificate Authority A Signature Of Issuing Certificate Authority Type Of Digital Certificates Root Certificate Server Certificate Client Certificate Paul Weinstein - <pdw@waubonsie.com> - 5

Certificate Authorities Public Certificate Authority; Verisign, Thawte, GeoTrust; recognized by default by most web browsers and web servers; used when no other relation exists between two parties. Private Certificate Authority; by default not recognized; used when a relationship already exists between two parties. Paul Weinstein - <pdw@waubonsie.com> - 6

A PCA in Action Secure valuable data in transit between employees/departments Intranet Employee Workstations Department Servers Paul Weinstein - <pdw@waubonsie.com> - 7

A PCA in Action Secure valuable data in transit between business/departments Extranet Public Server Paul Weinstein - <pdw@waubonsie.com> - 8 Business Partner s Workstations

The Nit and Gritty Creating, Publishing and Using a Private Certificate Authority Paul Weinstein - <pdw@waubonsie.com> - 9

Creating a Private Certificate Authority A self-signed Root Certificate: [pca]$ openssl req -new -x509 -keyout private/ca.key -out certs/ca.cert -config openssl.cnf Using configuration from openssl.cnf Generating a 1024 bit RSA private key...++++++...++++++ writing new private key to 'private/ca.key' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []:Richmond Organization Name (eg, company) [Internet Widgits Pty Ltd]:Waubonsie Consulting Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:Paul Weinstein Email Address []:pdw@waubonsie.com Paul Weinstein - <pdw@waubonsie.com> - 10

Creating a Private Certificate Configuring OpenSSL: Authority [ CA_default ] dir = /usr/local/pca # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/certs # default place for new certs. certificate = $dir/certs/ca.cert # The CA certificate serial = $dir/serial # The current serial number crl = $dir/crl.pem # The current CRL private_key = $dir/private/ca.key # The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert Paul Weinstein - <pdw@waubonsie.com> - 11

Creating a Private Certificate Configuring OpenSSL: policy = policy_match Authority # For the CA policy [ policy_match ] countryname = match stateorprovincename = match organizationname = match organizationalunitname = optional commonname = supplied emailaddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryname = optional stateorprovincename = optional localityname = optional organizationname = optional organizationalunitname = optional commonname = supplied emailaddress = optional Paul Weinstein - <pdw@waubonsie.com> - 12

Publishing the Private Certificate Authority Setting MIME-type in Apache: # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert.crt Paul Weinstein - <pdw@waubonsie.com> - 13

Using Our Private Certificate Authority: Server Certificate Creating a Certificate Signing Request: [pca]$ openssl req -new -keyout private/server.key -out certs/server.csr -days 365 -config openssl.cnf Using configuration from openssl.cnf Generating a 1024 bit RSA private key..++++++...++++++ writing new private key to 'private/server.key' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California Locality Name (eg, city) []:Richmond Organization Name (eg, company) [Internet Widgits Pty Ltd]:Waubonsie Consulting Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.waubonsie.com Email Address []:webmaster@waubonsie.com Paul Weinstein - <pdw@waubonsie.com> - 14

Using Our Private Certificate Authority: Server Certificate Signing the Certificate Signing Request: [pca]$ openssl ca -out certs/server.cert -config openssl.cnf -infiles certs/server.csr Using configuration from openssl.cnf Enter PEM pass phrase: Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryname :PRINTABLE:'US' stateorprovincename :PRINTABLE:'California' localityname :PRINTABLE:'Richmond' organizationname :PRINTABLE:'Waubonsie Consulting' commonname :PRINTABLE:'www.waubonsie.com' emailaddress :IA5STRING:'webmaster@waubonsie.com' Certificate is to be certified until Oct 7 04:16:40 2003 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Paul Weinstein - <pdw@waubonsie.com> - 15

Using Our Private Certificate Configuring Apache: Authority: Server Certificate # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A test # certificate can be generated with `make certificate' under # built time. Keep in mind that if you've both a RSA and a DSA # certificate you can configure both in parallel (to also allow # the use of DSA ciphers, etc.) SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.cert # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key Paul Weinstein - <pdw@waubonsie.com> - 16

Using Our Private Certificate Authority: Client Certificate Creating a Certificate Signing Request: Paul Weinstein - <pdw@waubonsie.com> - 17

Using Our Private Certificate Authority: Client Certificate Signing the Certificate Signing Request: [pca]$ openssl ca spkac certs/client.csr out certs/client.cert days 365 -config openssl.cnf Using configuration from openssl.cnf Enter PEM pass phrase: Check that the SPKAC request matches the signature Signature ok The Subjects Distinguished Name is as follows CommonName :PRINTABLE:'Employee Certificate for Paul Weinstein' emailaddress :IA5STRING:'pdw@waubonsie.com' organizationname :PRINTABLE:'Waubonsie Consulting' organizationalunitname:printable:'' stateorprovincename :PRINTABLE:'California' localityname :PRINTABLE:'Richmond' countryname :PRINTABLE:'US' Certificate is to be certified until Oct 7 04:16:40 2003 GMT (365 days) Write out database with 1 new entries Data Base Updated Paul Weinstein - <pdw@waubonsie.com> - 18

Using Our Private Certificate Configuring Apache: Authority: Client Certificate # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. SSLCACertificatePath /usr/local/apache/conf/ssl.crt/ca.cert # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. SSLVerifyClient require SSLVerifyDepth 10 Paul Weinstein - <pdw@waubonsie.com> - 19

Using Our Private Certificate Authority: Certificate Revocation List Revoking an Existing Digital Certificate: [pca]$ openssl ca -revoke certs/client.cert -config openssl.cnf Using configuration from openssl.cnf Enter PEM pass phrase: Revoking Certificate 10. Data Base Updated [pca]$ openssl ca -gencrl -out ca.crl -config openssl.cnf Using configuration from openssl.cnf Enter PEM pass phrase: Paul Weinstein - <pdw@waubonsie.com> - 20

Publishing the Private Certificate Authority Setting MIME-type in Apache: # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert.crt AddType application/x-pkcs7-crl.crl Paul Weinstein - <pdw@waubonsie.com> - 21

Using Our Private Certificate Authority: Certificate Revocation List Configuring Apache: # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. SSLCARevocationFile /usr/local/apache/conf/ssl/ssl.crl/ca.crl #SSLCARevocationPath /usr/local/apache/conf/ssl/ssl.crl Paul Weinstein - <pdw@waubonsie.com> - 22

Review The Basics: Review of Digital Certificates A Private Certificate Authority in Action The Nit and Gritty Creating a Private Certificate Authority Publishing the Private Certificate Authority Using Our Private Certificate Authority Paul Weinstein - <pdw@waubonsie.com> - 23

Citation Hirsch, Frederick Introducing SSL and Certificates using SSLeay. 8 Oct 2002 <http://www.pseudonym.org/ssl/wwwjindex.html>. Engelschall, Ralf User Manual mod_ssl Version 2.8 9 Oct. 2002 <http://www.modssl.org/docs/2.8/> Paul Weinstein - <pdw@waubonsie.com> - 24

Resources This Presentation: <http://www.weinstein.org/work/presentations/apacheco nus02/pca/> (HTML) <http://www.weinstein.org/work/presentations/apacheco nus02/pca.pdf> (PDF) CD-ROM Whitepaper Handout Upcoming Publication: Mobily, Tony, Paul Weinstein, Mark Wilcox, Debashish Bhattacharjee, Sandip Bhattacharya, Brian Rickabaught. Apache Security. Birmingham: Wrox Press, 2003. Paul Weinstein - <pdw@waubonsie.com> - 25

Resources Apache HTTP Server Project <http://httpd.apache.org> Apache Week <http://www.apacheweek.com> Paul Weinstein - <pdw@waubonsie.com> - 26

Resources mod_ssl Project, <http://www.modssl.org> Mailing Lists, List Archives: <modssl-announce@modssl.org> <modssl-users@modssl.org> <http://marc.theaimsgroup.com/?l=apache-modssl> OpenSSL Project, <http://www.openssl.org> Mailing Lists, List Archives: <openssl-announce@openssl.org> <http://marc.theaimsgroup.com/?l=apache-modssl > <openssl-cvs@openssl.org> <http://marc.theaimsgroup.com/?l=openssl-cvs> <openssl-dev@openssl.org> <http://marc.theaimsgroup.com/?l=openssl-dev> <openssl-users@openssl.org> <http://marc.theaimsgroup.com/?l=openssl-users> Paul Weinstein - <pdw@waubonsie.com> - 27

Any Questions? Paul Weinstein - <pdw@waubonsie.com> - 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information