The focus of this tutorial is working of Public Key Infrastructure (PKI) and OpenSSL based Certificate Authority. Different concept related to PKI will be explained first and later a test bed using Ubuntu 14.04 LTS will be prepared to apply PKI knowledge. In this article, detailed explanation will be given on the generation of certification authority (CA), server and user keys/certificates. In the end, generated keys/certificates will be used in different scenarios.
About Public Key Infrastructure (PKI)
It is used to establish trust and security in computer networking. The purpose of PKI is to bind public keys with attributes which are used in various applications and protocols for following security features.
- digital signature,
- non repudiation
PKI consist of key pairs which has private and public keys. As name indicates, Private Key (Pr) should always be kept secure and Public key (Pu) is distributed to all participants for trusted communication. Both keys can be used for encryption and decryption however their usage in application is different.
- Public key is used for encryption, then associated private key is used for decryption.
- Private key is used for encryption, then associated public key is used for decryption. (S/MIME)
RSA (Rivest Shamir Adleman) is the most well-known algorithm used for PKI and it supports different sizes of key length (512,1024,2048 etc). RSA keys are composed of 2 prime numbers which should be very large otherwise it will decrease the security of algorithm.
In the PKI system, digital certificate is the main component which binds the public key to a user/web site with extra details. Basically ownership of public key is proved using digital certificates because it include information about the generated key, owner's identity and allowed operation (like digital signature, non-repudiation & server authentication etc ). There are two parts of digital certificates
- Data part
- Signature part
The name of an entity (user or web site), generated public key for the entity, other useful information (e.g., Common Name, Organizational Unit, validity period for the public key etc) are included in the Data part. The digital signature generated by CA over the data part is known as signature part
A PKI system includes following components.
- CA’s --> Responsible for issuing and revoking digital certificates to the users or subscribers.
- Registration Authorities (RA’s) --> verify the binding between identities of their holders and public keys.
- Digital certificate holders --> Computers, people, network devices that have been issued with certificates.
- End Clients --> These validate digital signatures and the certificates of the communicating parties.
Installation and Configuration
In this article, Uuntu 14.04 LTS is installed on the VM and following required packages are installed.
Install apache web server using following command
apt-get install apache2
Install OpenSSL package using following command
apt-get install openssl.
Key is generated for CA using following command.
openssl genrsa -out myCA_key.pem 2048
A custom configuration file ( my_ca.cfg) is created for CA.
[ ext ] keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash [ req ] distinguished_name = req_distinguished_name
[ req_distinguished_name ] CN = Common Name
policy = policy_supplied [ policy_supplied ] CN = supplied
Run following command to create self signed certificate for CA.
openssl req -config my_ca.cfg -extensions ext -days 180 -new -x509 -key myCA_key.pem -out myCA_cert.crt -set_serial 11 -batch -text
Generated CA certificate is shown in following snapshots.
Now, generate keys and certificates for Apache server.
openssl genrsa -out apache_server.key 2048
A Certificate Signing Request (CSR) will be generated for the Apache server then it will be signed using our CA.
openssl req -out apache_server.csr -key apache_server.key -new -batch
CSR request is shown in following snapshot
Signing apache server certificate using following command.
openssl x509 -req -extensions req_ext -in apache_server.csr -CA myCA_cert.crt -CAkey myCA_key.pem -out apache_server.crt -days 720 -set_serial 10 -text
Now, Apache server will be configured to use above generated keys and certificate. Currently it is running on http (port 80).
Copy CA certificate, server certificate and server key under "/etc/apache2/certificates" directory.
Change ssl configuration file "default-ssl.conf" exists under /etc/apache2/sites-available path with newly generated certificates and key. For testing, add following in the ssl configuration file and restart the apache server.
SSLProtocol All -SSLv2 -SSLv3
Before restarting Apache web server, make sure "ssl" module is enabled. Use following command to enable ssl module of Apache.
Enable ssl web site using following command.
Add CA certificate on client browser like shown below.
Finally, Apache web server is configured to listen on port 443 (https).
PKI is the critical component in the IT world and it is integrated with many applications. It provides the authenticity of entity and encrypted channel for secure communication.