The focus of this tutorial is the working of Public Key Infrastructure (PKI) and OpenSSL based Certificate Authority. The different concept related to PKI will be explained first and later a test bed using Ubuntu 14.04 LTS will be prepared to apply PKI knowledge.
In this article, a detailed explanation will be given on the generation of certification authority (CA), server and user keys/certificates. In the end, generated keys/certificates will be used in different scenarios.
About Public Key Infrastructure (PKI)
It is used to establish trust and security in computer networking. The purpose of PKI is to bind public keys with attributes that are used in various applications and protocols for following security features.
- digital signature,
- authentication,
- non repudiation
- S/MIME.
PKI consists of key pairs which has private and public keys. As the name indicates, Private Key (Pr) should always be kept secure and Public key (Pu) is distributed to all participants for trusted communication. Both keys can be used for encryption and decryption however their usage in the application is different.
- Public key is used for encryption, then the associated private key is used for decryption.
- Private key is used for encryption, then associated public key is used for decryption. (S/MIME)
RSA (Rivest Shamir Adleman) is the most well-known algorithm used for PKI and it supports different sizes of key length (512,1024,2048 etc). RSA keys are composed of 2 prime numbers which should be very large otherwise it will decrease the security of algorithm.
In the PKI system, digital certificate is the main component that binds the public key to a user/website with extra details. Basically, ownership of public key is proved using digital certificates because it includes information about the generated key, owner's identity and allowed operation (like digital signature, non-repudiation & server authentication etc ). There are two parts of digital certificates
- Data part
- Signature part
The name of an entity (user or web site), generated public key for the entity, other useful information (e.g., Common Name, Organizational Unit, validity period for the public key etc) are included in the Data part. The digital signature generated by CA over the data part is known as signature part
Data part
Signature part
A PKI system includes the following components.
- CA’s --> Responsible for issuing and revoking digital certificates to the users or subscribers.
- Registration Authorities (RA’s) --> verify the binding between identities of their holders and public keys.
- Digital certificate holders --> Computers, people, network devices that have been issued with certificates.
- End Clients --> These validate digital signatures and the certificates of the communicating parties.
Installation and Configuration
In this article, Ubuntu 14.04 LTS is installed on the VM and the following required packages are installed.
Install apache web server using the following command
apt-get install apache2
Install OpenSSL package using the following command
apt-get install openssl.
Key is generated for CA using the following command.
openssl genrsa -out myCA_key.pem 2048
A custom configuration file ( my_ca.cfg) is created for CA.
[ ext ] keyUsage = critical, cRLSign, keyCertSign basicConstraints = critical,CA:true subjectKeyIdentifier = hash [ req ] distinguished_name = req_distinguished_name [ req_distinguished_name ] CN = Common Name CN_default="My CA" policy = policy_supplied [ policy_supplied ] CN = supplied
Run the following command to create self-signed certificate for CA.
openssl req -config my_ca.cfg -extensions ext -days 180 -new -x509 -key myCA_key.pem -out myCA_cert.crt -set_serial 11 -batch -text
Generated CA certificate is shown in the following snapshots.
Now, generate keys and certificates for Apache server.
openssl genrsa -out apache_server.key 2048
A Certificate Signing Request (CSR) will be generated for the Apache server then it will be signed using our CA.
openssl req -out apache_server.csr -key apache_server.key -new -batch
CSR request is shown in the following snapshot
Signing apache server certificate using the following command.
openssl x509 -req -extensions req_ext -in apache_server.csr -CA myCA_cert.crt -CAkey myCA_key.pem -out apache_server.crt -days 720 -set_serial 10 -text
Now, Apache server will be configured to use above generated keys and certificate. Currently, it is running on http (port 80).
Create directory "certificates" under /etc/apache2 path using the following command.
mkdir /etc/apache2/certificates cd /etc/apache2/certificates
Copy CA certificate, server certificate and server key under "/etc/apache2/certificates" directory.
Change SSL configuration file "default-ssl.conf" exists under /etc/apache2/sites-available path with newly generated certificates and key. For testing, add the following in the SSL configuration file and restart the apache server.
NameVirtualHost 0.0.0.0:80 NameVirtualHost 0.0.0.0:443 <VirtualHost 0.0.0.0:80> DocumentRoot /var/www/html/ ServerName test VirtualHost> <VirtualHost 0.0.0.0:443> DocumentRoot /var/www/html/ ServerName test SSLEngine on SSLProtocol All -SSLv2 -SSLv3 SSLCertificateFile /etc/apache2/certificates/apache_server.crt SSLCertificateKeyFile /etc/apache2/certificates/apache_server.key SSLCACertificateFile /etc/apache2/certificates/myCA_cert.crt </VirtualHost>
Before restarting Apache web server, make sure "ssl" module is enabled. Use the following command to enable SSL module of Apache.
a2enmod ssl
Enable ssl web site using following command.
a2ensite default-ssl
Add CA certificate on client browser like shown below.
Finally, the Apache web server is configured to listen on port 443 (https).
Conclusion
PKI is a critical component in the IT world and it is integrated with many applications. It provides the authenticity of the entity and encrypted channel for secure communication.