1. "PKI demystified"

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for

Creation of RSA, DH and DSA key parameters
Creation of X.509 certificates, CSRs and CRLs
Calculation of Message Digests
Encryption and Decryption with Ciphers
SSL/TLS Client and Server Tests
Handling of S/MIME signed or encrypted mail

2. Exercice

How to setup a PKI in 10 minutes

or in 5 steps:

generation of CA key-pair
self-sign root CA certificate
generation of a user key-pair
creation of a CSR (certification signing request)
signing of the CSR by the CA to produce a fully fetched certificate

2.1. Generate the RSA key-pair for the CA

Use this command to generate the RSA key-pair:

  $ openssl genrsa -aes128 -out ca.key 2048

genrsa: the openssl component to generate an RSA key-pair
-aes128: the symmetric algorithm to encrypt the key-pair
-out ca.key: the filename to store the key-pair
2048: size of RSA modulus in bits

2.2. Create a self-signed CA Certificate

  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

req: the openssl component to generate a certificate request,
-new: this is a new certificate
-x509: generate an X.509 certificate
-days 365: the time in days that the certificate will be valid, counting from now
-key ca.key: the key-pair file to be used
-out ca.crt: the filename that the new certificate will be written onto

2.2.1. Visualize the created certificate

  $ openssl x509 -text -in ca.crt

x509: certificate display and signing utility
-text: human readable (text) output of certificate
-in: specifies the input filename to read

2.3. Generate the RSA key-pair for a user/server

Use this command to generate the RSA key pair

  $ openssl genrsa -aes128 -out user.key 1024

genrsa: the openssl component to generate an RSA key-pair
-aes128: the symmetric algorithm to encrypt the key-pair
-out user.key: the filename to store the key-pair
1024: size of RSA modulus in bits

2.4. Generate a certificate request

The user generates a certificate request (in PKCS#10 format) with this command. The CSR is sent to the CA for signing. The CA returns the signed certificate.

  $ openssl req -new -key user.key -out user.csr

req: the openssl component to generate a certificate request
-new: this is a new certificate
-key user.key: the key-pair file to be used
-out user.csr: the filename that the new certificate request will be written onto

2.4.1. Visualize the CSR

try by yourselves ;)

2.5. CA signs the CSR and produces usable certificate

The CA signs the CSR and produces the X.509 certificate to issue.

  $ openssl x509 -req -in user.csr -extensions v3_usr -CA ca.crt \
  		-CAkey ca.key -CAcreateserial -out user.crt

x509: certificate display and signing utility
-req: a certificate request is expected on input
-in: specifies the input filename to read
-extensions: the section to add certificate extensions
-CA: specifies the CA certificate to be used for signing
-CAkey: sets the CA private key to sign a certificate with
-CAcreateserial: the CA serial number file is created if it does not exist, it will contain the serial number of the certificate being signed
-out user.crt: the filename that the new certificate will be written onto

PKI applications (C2)

openssl exercice

Pascal Steichen (MSSI-uni.lu) - 25/01/2008