Root Certificates - Doc

Added on - 18 Sep 2019

Project 1: Public Key, Root CA, Certificates, Hash, MAC and SSL VPNs

1 Lab Preparation ........ 2
2 Performance Comparison: RSA versus AES ........ 2
3 Become a root CA and sign a Certificate ........ 3
3.1 Create a new CA ........ 3
3.2 Generate a new certificate request ........ 4
3.3 Sign the certificate request ........ 4
4 Configure SSL certificates on the Apache server ........ 5
4.1 Modify the Apache server configuration ........ 5
4.2 Test an SSL/TLS connection ........ 5
5 Install the CA root certificate as a Trusted Root Certificate ........ 6
5.1 Install the root CA for Firefox on the Linux server ........ 6
5.2 Install the root CA for Firefox on a Linux client ........ 7
5.3 Install the root CA for IE on Windows ........ 7
5.4 Install the root CA for Firefox on Windows ........ 7
6 One-Way Hash Function and MAC ........ 7
6.1 One-way Hash Functions ........ 7
6.2 Keyed Hash and HMAC ........ 8
7 Setting SSL based VPNs for Linux ........ 8
7.1 Build Certificate Authority (CA) ........ 8
7.2 Certificate and key generation ........ 9
7.3 Server configuration ........ 10
7.4 Client configuration ........ 11
8 Configure client certificates for authentication (optional) ........ 11

Goal: In this lab we will exercise the idea that digital certificates are verified using a chain of trust. The trust anchor for the digital certificates is the Root Certificate Authority (CA). In addition, we will practice using command-line procedures for setting up SSL/TLS certificates. First, we will generate a root certificate (to become the root CA) and other certificates. Then, we will sign the certificates with the root certificate. Next, we will place these certificates on an Apache web server. When the web server is visited by a client's browser with the root CA installed, the server will be trusted automatically due to the chain of trust.

Page | 1
Major Reference for this lab: http://www.reppep.com/~pepper/writing/tidbits/ssl-article/ssl2.text
How to use virtualbox: http://www.makeuseof.com/tag/how-to-use-virtualbox/
How to use vmware: https://www.vmware.com/pdf/ws80-using.pdf
Fedora live image: I used Fedora-18-x86_64-Live-Desktop.iso.
http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/
You can also download the new version: https://getfedora.org/en/workstation/download/
Windows: I used IE8 on Win7 virtual machines. You can download free virtual machines from this webpage: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

1 Lab Preparation (2 points)

On your FC Linux server, as root, type the following commands to update your openssl and httpd utilities (needs Internet access):

    yum -y install openssl
    yum -y install openssl-*
    yum -y install httpd-*
    yum -y install mod_ssl

2 Performance Comparison: RSA versus AES

In this task, we will study the performance of public-key algorithms. Please prepare a file (message.txt) that contains a 16-byte message. Please also generate a 1024-bit RSA public/private key pair by using the following command:

    openssl genrsa -out private.pem 1024

This command creates a key file called private.pem that uses 1024 bits. This file actually has both the private and public keys, so you should extract the public one from this file:

    openssl rsa -in private.pem -out public.pem -outform PEM -pubout

The commands for encryption and decryption using the public key look like the following:

    openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl
    openssl rsautl -decrypt -inkey private.pem -in file.ssl -out decrypted.txt

The commands for encryption and decryption using AES look like the following:
    openssl enc -aes-128-cbc -in file.txt -out file.enc
    openssl enc -d -aes-128-cbc -in file.enc -out file.txt

Next, do the following:
1. Encrypt message.txt using the public key; save the output in message_enc.ssl. (2 points)
2. Decrypt message_enc.ssl using the private key. (2 points)
3. Encrypt message.txt using a 128-bit AES key. (2 points)

2.1.1 Compare the time spent on each of the above operations, and describe your observations. If an operation is too fast, you may want to repeat it many times and then take an average. (5 points)

After you finish the above exercise, you can now use the openssl speed command to do such a benchmarking. The following commands show examples of using speed to benchmark RSA and AES:

    openssl speed rsa
    openssl speed aes

2.1.2 Please describe whether your observations are similar to those from the outputs of the speed command. (2 points)

3 Become a root CA and sign a Certificate

Go to the /etc/pki/tls/misc/ directory. There is a file named CA.pl. We will use this file to create a root certificate and other certificates.

3.1 Create a new CA

    ./CA.pl -newca
    A certificate filename (or enter to create) <enter>
    Making CA certificate ...
    Using configuration from openssl.cnf
    Generating a 1024 bit RSA private key
    ............++++++
    ......................++++++
    writing new private key to '/etc/pki/CA/private/cakey.pem'
    Enter PEM pass phrase: <secret passphrase here>   (write it down for future reference, mine is CMSC622y)
    Verifying password - Enter PEM pass phrase: <secret passphrase again>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: VA
    Locality Name (eg, city) []: Richmond
    Organization Name (eg, company) []: VCU
    Organizational Unit Name (eg, section) []: CS
    Common Name (eg, YOUR name) []: WeiCheng
    Email Address []: yourname@vcu.edu

I put WeiCheng here as the example common name. A more general practice is to put your server's DNS name. No need to add a challenge password. You will be asked to input your PEM key again at the end (before the certificate creation completes).

This creates a new root certificate in the directory /etc/pki/CA. The new root certificate file is named cacert.pem. (3 points)

3.2 Generate a new certificate request

    ./CA.pl -newreq
    Using configuration from openssl.cnf
    Generating a 1024 bit RSA private key
    ..........++++++
    ..............++++++
    writing new private key to 'newreq.pem'
    Enter PEM pass phrase: <another secret passphrase here>   (mine is 622req)
    Verifying password - Enter PEM pass phrase: <another secret passphrase again>
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: VA
    Locality Name (eg, city) []: Richmond
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: VCU
    Organizational Unit Name (eg, section) []: CStest
    Common Name (eg, YOUR name) []: 192.168.56.101
    Email Address []: yourname@vcu.edu
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: <enter>
    An optional company name []: <enter>
    Request is in newreq.pem, private key is in newkey.pem

The common name 192.168.56.101 is the http server's IP address. You can use your FC Linux server's IP (i.e., the IP of the virtual machine). If the http server has a DNS name, please use the DNS name.
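The root CA, request and signing steps of section 3, followed by the chain-of-trust check from the Goal, as an added example that is not part of the handout: it drives plain openssl non-interactively instead of CA.pl, and the CA names plus the second, unrelated CA are constructed for the check.

```shell
#!/bin/sh
# Added example (not from the handout): root CA -> request -> signed certificate, as CA.pl
# -newca / -newreq / -sign do, then a verify against the right root and against a wrong one.
# DN values mirror section 3.1/3.2; the CA common names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root CA: self-signed certificate; its private key never leaves the CA (cacert.pem / cakey.pem).
make_ca() {   # $1 = CA directory, $2 = CA common name
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/ST=VA/L=Richmond/O=VCU/OU=CS/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Server request: CN is the web server's IP (or DNS name), as in section 3.2.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=VA/L=Richmond/O=VCU/OU=CStest/CN=192.168.56.101" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
}

# Sign the request with a CA's key (what CA.pl -sign does through 'openssl ca').
sign_request() {   # $1 = CA directory
    openssl x509 -req -in "$WORK/newreq.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 365 -out "$WORK/newcert.pem" 2>/dev/null
}

# Prints "trusted" if newcert.pem chains to the given root, "untrusted" otherwise.
verify_against() {   # $1 = CA directory used as trust anchor
    if openssl verify -CAfile "$1/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The same server certificate is accepted only by a client holding OUR root, which is
# why section 5 installs cacert.pem into the browser's trusted root store.
chain_check() {
    make_ca "$WORK/ca" "CMSC622 Root CA"
    make_ca "$WORK/other" "Unrelated Root CA"
    make_request
    sign_request "$WORK/ca"
    echo "$(verify_against "$WORK/ca") $(verify_against "$WORK/other")"
}
chain_check
```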
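Going back to the RSA-versus-AES comparison in section 2: the script below is an added example, not part of the handout, that wraps the section's rsautl and enc commands in a timing loop as task 2.1.1 suggests; the 16-byte message text and the AES passphrase are constructed, and the AES commands add -pbkdf2 (OpenSSL 1.1.1+), which the handout's bare command does not use.

```shell
#!/bin/sh
# Added example (not from the handout): task 2.1.1 scripted. One RSA or AES operation on a
# 16-byte message is too fast to time, so each command runs ITER times and the average is
# reported. The message and the AES passphrase below are constructed for this example.
set -eu
ITER="${ITER:-50}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

setup_keys() {
    printf 'Hello, CMSC 622!' > "$WORK/message.txt"   # exactly 16 bytes
    openssl genrsa -out "$WORK/private.pem" 1024 2>/dev/null
    openssl rsa -in "$WORK/private.pem" -out "$WORK/public.pem" -outform PEM -pubout 2>/dev/null
    printf 'lab-aes-passphrase' > "$WORK/aes.pass"    # the handout's 'openssl enc' prompts for this
}

rsa_encrypt() { openssl rsautl -encrypt -inkey "$WORK/public.pem" -pubin -in "$WORK/message.txt" -out "$WORK/message_enc.ssl" 2>/dev/null; }
rsa_decrypt() { openssl rsautl -decrypt -inkey "$WORK/private.pem" -in "$WORK/message_enc.ssl" -out "$WORK/rsa_dec.txt" 2>/dev/null; }
# -pbkdf2 (OpenSSL 1.1.1+) replaces the weak legacy key derivation the bare handout command uses.
aes_encrypt() { openssl enc -aes-128-cbc -pbkdf2 -pass "file:$WORK/aes.pass" -in "$WORK/message.txt" -out "$WORK/message.enc" 2>/dev/null; }
aes_decrypt() { openssl enc -d -aes-128-cbc -pbkdf2 -pass "file:$WORK/aes.pass" -in "$WORK/message.enc" -out "$WORK/aes_dec.txt" 2>/dev/null; }

# Average wall-clock time of one invocation of "$@", in microseconds (GNU date for %N).
avg_us() {
    start=$(date +%s%N)
    i=0
    while [ "$i" -lt "$ITER" ]; do "$@"; i=$((i + 1)); done
    end=$(date +%s%N)
    echo $(( (end - start) / ITER / 1000 ))
}

# Self-check: both ciphertexts must decrypt back to the original message; prints ok or FAIL.
roundtrip_ok() {
    rsa_encrypt && rsa_decrypt && aes_encrypt && aes_decrypt
    if [ "$(cat "$WORK/rsa_dec.txt")" = "$(cat "$WORK/message.txt")" ] &&
       [ "$(cat "$WORK/aes_dec.txt")" = "$(cat "$WORK/message.txt")" ]; then echo ok; else echo FAIL; fi
}

main() {
    setup_keys
    echo "roundtrip: $(roundtrip_ok)"
    printf 'RSA-1024 encrypt (public key):  %6s us/op\n' "$(avg_us rsa_encrypt)"
    printf 'RSA-1024 decrypt (private key): %6s us/op\n' "$(avg_us rsa_decrypt)"
    printf 'AES-128-CBC encrypt:            %6s us/op\n' "$(avg_us aes_encrypt)"
    printf 'AES-128-CBC decrypt:            %6s us/op\n' "$(avg_us aes_decrypt)"
}
main
```

Most of each per-op figure is process start-up, so compare the figures with each other and with openssl speed, which times the primitives in-process.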