
CIS5930 Internet Computing


Presentation Transcript


  1. CIS5930 Internet Computing: Internet Security - Part 2, Prof. Robert van Engelen

  2. OpenSSL
  • Get a copy of “Network Security with OpenSSL” from O’Reilly
  • Download code examples version 1.3 from http://www.opensslbook.com/code.html and unpack
  • Download scripts from http://www.cs.fsu.edu/~engelen/sslscripts.tar.gz, create a new ‘CA’ dir somewhere and unpack the files into it
  CIS 5930 Fall 2006

  3. Creating a Self-Signed Root CA Certificate
  • After unpacking sslscripts.tar.gz in ‘CA’, modify the openssl.cnf file in the [req_distinguished_name] section for the following items:
    countryName_default = US
    stateOrProvinceName_default = Your-State
    localityName_default = Your-City
    0.organizationName_default = Your-Company-Name
    emailAddress_default = your-email@address
  • If you are going to use only one configuration file, use:
    setenv OPENSSL_CONF $HOME/…/CA/openssl.cnf

  4. Creating a Self-Signed Root CA Certificate
  • Run the root.sh script
  • When prompted, enter a passphrase to lock the private key of the CA
  • Keep the root.pem key and the passphrase in a safe place
  • You can distribute the cacert.pem CA certificate
  • The script executes the following commands:
    • Create an RSA key and a certificate signing request for the RSA key:
      openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
    • Sign the public key with the private key to create a self-signed certificate:
      openssl x509 -req -in rootreq.pem -sha1 -extfile openssl.cnf -extensions v3_ca -signkey rootkey.pem -out cacert.pem -days 1095
    • Keep the certificate and the private key in one file (root.pem):
      cat cacert.pem rootkey.pem > root.pem
    • Display the X509 certificate subject, issuer, and dates:
      openssl x509 -subject -issuer -dates -noout -in root.pem
    • To display the entire X509 certificate:
      openssl x509 -text -in root.pem

  5. Using the CA Private Key to Sign Certificates
  • Recall that the CA is the trusted third party, which means:
    • The CA private key is used to sign certificates
    • The CA public key (in the CA certificate) is used to verify certificates
  • To create a new private/public key pair and sign the public key with the CA to create a certificate, run: cert.sh name
  • Enter a password when prompted, and enter the host name of the networked application’s domain (or “localhost”) as the “common name”
  • The password is used to lock the private key (your application will need it to unlock the private key and establish secure communications)
  • Use the root CA’s passphrase when prompted to sign the certificate

  6. Using the CA Private Key to Sign Certificates
  • The cert.sh script executes the following commands on command-line argument name (e.g. use “server” for name to create server.pem):
    • Create new keys and a certificate signing request:
      openssl req -newkey rsa:1024 -sha1 -keyout namekey.pem -out namereq.pem
    • Sign the certificate with the root CA key:
      openssl x509 -req -in namereq.pem -sha1 -extfile openssl.cnf -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial -out namecert.pem -days 365
    • Put everything into one PEM file (including the CA certificate):
      cat namecert.pem namekey.pem cacert.pem > name.pem
    • Display the certificate subject, issuer, and dates:
      openssl x509 -subject -issuer -dates -noout -in name.pem
    • To display the entire X509 certificate:
      openssl x509 -text -in name.pem
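The slides describe what root.sh and cert.sh do but not the scripts themselves. The script below is an added example, not the course's scripts or the book's code, that runs the whole procedure of slides 3 to 6 non-interactively: it writes a minimal openssl.cnf (with the [req_distinguished_name] defaults from slide 3 and the v3_ca and usr_cert sections the commands reference), creates the self-signed root, issues and bundles a server certificate, then runs the checks the slides imply but the scripts do not: openssl verify against cacert.pem, that the passphrase actually left the key files encrypted, and that cacert.pem (the file you distribute) carries no private key while root.pem (the file you keep safe) does. It deviates from the 2006 command lines in using rsa:2048 and -sha256 instead of rsa:1024 and -sha1, which are no longer acceptable for certificate signatures and which current OpenSSL builds may refuse. The working directory, passphrases and distinguished-name values are constructed for the demo; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not the course's root.sh/cert.sh): non-interactive version of the
# CA and certificate procedure from slides 3-6, with rsa:2048/-sha256 in place of
# the slides' 2006-era rsa:1024/-sha1. Requires only the openssl CLI.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"                  # assumption: any empty directory
CA_PASS="${CA_PASS:-constructed-ca-passphrase}"   # constructed passphrase for the CA key
SAN_DNS="${SAN_DNS:-localhost}"                   # default SAN; overridden per cert below
export SAN_DNS                                    # openssl.cnf reads it via ${ENV::SAN_DNS}

# Minimal openssl.cnf: the [req_distinguished_name] defaults from slide 3 plus the
# v3_ca and usr_cert extension sections that the x509 -extensions options refer to.
write_config() {
  cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ req ]
default_md          = sha256
distinguished_name  = req_distinguished_name
[ req_distinguished_name ]
countryName_default             = US
stateOrProvinceName_default     = Your-State
localityName_default            = Your-City
0.organizationName_default      = Your-Company-Name
emailAddress_default            = your-email@address
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ usr_cert ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
subjectAltName          = DNS:${ENV::SAN_DNS}
EOF
}

# Slide 4 (root.sh): key + CSR, self-sign with v3_ca, bundle cert and locked key.
make_root_ca() {
  openssl req -newkey rsa:2048 -sha256 -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/rootkey.pem" -out "$CA_DIR/rootreq.pem" \
    -passout "pass:$CA_PASS" \
    -subj "/C=US/ST=Your-State/L=Your-City/O=Your-Company-Name/CN=Example Root CA"
  openssl x509 -req -in "$CA_DIR/rootreq.pem" -sha256 \
    -extfile "$CA_DIR/openssl.cnf" -extensions v3_ca \
    -signkey "$CA_DIR/rootkey.pem" -passin "pass:$CA_PASS" \
    -out "$CA_DIR/cacert.pem" -days 1095
  cat "$CA_DIR/cacert.pem" "$CA_DIR/rootkey.pem" > "$CA_DIR/root.pem"
}

# Slide 6 (cert.sh): $1 = name, $2 = common name (host or localhost),
# $3 = passphrase that locks the new private key.
issue_cert() {
  name=$1 cn=$2 pass=$3
  openssl req -newkey rsa:2048 -sha256 -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/${name}key.pem" -out "$CA_DIR/${name}req.pem" \
    -passout "pass:$pass" -subj "/C=US/O=Your-Company-Name/CN=$cn"
  SAN_DNS="$cn" openssl x509 -req -in "$CA_DIR/${name}req.pem" -sha256 \
    -extfile "$CA_DIR/openssl.cnf" -extensions usr_cert \
    -CA "$CA_DIR/root.pem" -CAkey "$CA_DIR/root.pem" -passin "pass:$CA_PASS" \
    -CAcreateserial -out "$CA_DIR/${name}cert.pem" -days 365
  # one PEM file for the application: its cert, its locked key, the CA cert
  cat "$CA_DIR/${name}cert.pem" "$CA_DIR/${name}key.pem" "$CA_DIR/cacert.pem" \
    > "$CA_DIR/$name.pem"
}

# Checks the slides imply but the scripts never run.
verify_cert() {        # does the distributed CA certificate validate the issued cert?
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/${1}cert.pem"
}
key_is_encrypted() {   # was the passphrase applied? (legacy and PKCS#8 PEM both say ENCRYPTED)
  grep -q 'ENCRYPTED' "$1"
}
holds_private_key() {  # true for root.pem and name.pem (keep safe); must be false for cacert.pem
  grep -q 'PRIVATE KEY' "$1"
}

write_config
make_root_ca
issue_cert server localhost constructed-server-passphrase
verify_cert server
openssl x509 -subject -issuer -dates -noout -in "$CA_DIR/server.pem"
```

Run it as `sh ca-demo.sh`, optionally with `CA_DIR=/path/to/CA` to keep the output. The `pass:` form of `-passout` and `-passin` is used only so the demo runs unattended; it exposes the passphrase in the process list and shell history, which is exactly what the interactive prompting in root.sh and cert.sh avoids, so keep the prompts for a real CA. `holds_private_key` is the check to run on anything you are about to hand out: cacert.pem must fail it, root.pem and server.pem must pass it.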

  7. Client and Server Examples
  • We will review the NSwO-1.3/ssl examples
    • The BIO objects and functions
    • The SSL objects and functions
    • The CRYPTO functions
    • The ERR functions
  • Use man pages and Web resources when necessary
