A Detailed Report on Generating Digital Certificates Using OpenSSL
VerifiedAdded on 2024/06/04
|20
|4422
|319
Report
AI Summary
This report provides a comprehensive overview of generating digital certificates using OpenSSL. It begins by explaining the fundamentals of digital certificates, including their basis in asymmetric cryptography and the standard X.509 format. The report details the process of generating and validating digital certificates, highlighting the importance of certification authorities and the steps involved in ensuring trustworthiness. It then delves into OpenSSL, describing its architecture, its role in implementing SSL/TLS protocols, and its applications in securing communications. The report further explains how to use OpenSSL to create a personal certification authority for signing digital certificates used for internal organizational communications. The report concludes by emphasizing the importance of secure website configuration using SSL and HTTPS protocols. The document is available on Desklib, a platform offering a wide array of study resources for students.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Assignment 3
Using OpenSSL to generate Digital Certificates
1
Using OpenSSL to generate Digital Certificates
1
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Table of Contents
Executive Summary.....................................................................................................................................3
Introduction.................................................................................................................................................4
Basis of Digital Certificate............................................................................................................................5
Use of Asymmetric Cryptography............................................................................................................5
Digital Certificate Format.........................................................................................................................7
Generation of Digital Certificate..............................................................................................................8
Validation of Digital Certificate................................................................................................................9
OpenSSL Fundamentals.............................................................................................................................10
OpenSSL Architecture............................................................................................................................10
SSL and TLS protocols in OpenSSL.........................................................................................................11
OpenSSL applications for implementing SSL/TLS...................................................................................13
Generation of Digital Certificates..............................................................................................................14
Conclusion.................................................................................................................................................16
References.................................................................................................................................................17
Table of Figures
Figure 1 Public key and Private Key Concept...............................................................................................6
Figure 2 Digital certificate Format...............................................................................................................7
Figure 3 Generation of Digital Certificate....................................................................................................8
Figure 4 OpenSSL Architecture..................................................................................................................10
Figure 5 SSL and TLS protocol layer in OpenSSL........................................................................................11
2
Executive Summary.....................................................................................................................................3
Introduction.................................................................................................................................................4
Basis of Digital Certificate............................................................................................................................5
Use of Asymmetric Cryptography............................................................................................................5
Digital Certificate Format.........................................................................................................................7
Generation of Digital Certificate..............................................................................................................8
Validation of Digital Certificate................................................................................................................9
OpenSSL Fundamentals.............................................................................................................................10
OpenSSL Architecture............................................................................................................................10
SSL and TLS protocols in OpenSSL.........................................................................................................11
OpenSSL applications for implementing SSL/TLS...................................................................................13
Generation of Digital Certificates..............................................................................................................14
Conclusion.................................................................................................................................................16
References.................................................................................................................................................17
Table of Figures
Figure 1 Public key and Private Key Concept...............................................................................................6
Figure 2 Digital certificate Format...............................................................................................................7
Figure 3 Generation of Digital Certificate....................................................................................................8
Figure 4 OpenSSL Architecture..................................................................................................................10
Figure 5 SSL and TLS protocol layer in OpenSSL........................................................................................11
2
Executive Summary
Digital Certificates have become an important part of Internet Security. Digital certificates have
provided the authentication for private key in networking entities. It is an electronic document that
has been used to verify that a user has been assigned a public key and a corresponding private key
which he can use for transmitting data under his name. This digital certificate is being signed by a
Certification Authority. This paper deals with the creation of digital certificates and how these
certificates are issued and what all it contains.
This paper also deals with the problems associated with the management of certificates and a
different approach has been adopted in this to create digital certificates by using a command line
script. OpenSSL tool has been used for building a governmental certification authority that can be
used to sign digital certificates that can be used by an individual for internal communications inside
an organization. It has also discussed the challenges faced in adopting this new approach and
writing scripts as per command line scripting language for the creation of X 509 certificates.
The process and methodologies involved in the process of creation of an individual’s very own
certification authority and digital certificates have been reviewed in this paper. The need to create
own certificates using OpenSSL tool has also been reviewed and its necessity been discussed and
understood, the solution has been adopted and new solutions and approaches are also been
discovered to get the better results. Configuring a website with SSL layer also allows it to work more
securely over the internet and can adopt the protocol HTTPS over HTTP (Cross, 2015).
3
Digital Certificates have become an important part of Internet Security. Digital certificates have
provided the authentication for private key in networking entities. It is an electronic document that
has been used to verify that a user has been assigned a public key and a corresponding private key
which he can use for transmitting data under his name. This digital certificate is being signed by a
Certification Authority. This paper deals with the creation of digital certificates and how these
certificates are issued and what all it contains.
This paper also deals with the problems associated with the management of certificates and a
different approach has been adopted in this to create digital certificates by using a command line
script. OpenSSL tool has been used for building a governmental certification authority that can be
used to sign digital certificates that can be used by an individual for internal communications inside
an organization. It has also discussed the challenges faced in adopting this new approach and
writing scripts as per command line scripting language for the creation of X 509 certificates.
The process and methodologies involved in the process of creation of an individual’s very own
certification authority and digital certificates have been reviewed in this paper. The need to create
own certificates using OpenSSL tool has also been reviewed and its necessity been discussed and
understood, the solution has been adopted and new solutions and approaches are also been
discovered to get the better results. Configuring a website with SSL layer also allows it to work more
securely over the internet and can adopt the protocol HTTPS over HTTP (Cross, 2015).
3
Introduction
The increasing number of people and businesses over the internet has made access faster and
cheaper which makes people communicate more over the internet to provide a bigger and better
platform for their businesses to grow and get a new boost in its economy. The Internet has always
been an open platform for communication without any security protocols which criminals thought as
a great opportunity to exploit this era changing technology to get fraudulent gains. Only after this
increasing rate of crimes, it became a necessity to include security protocols so that communication
over the Internet becomes secure and resistant to the threats and security attacks that were
booming by the criminals. Public Key Infrastructure (PKI) is one of the architectures by which all
security properties can be achieved within a communication. A digital certificate is a means to use all
the applications of PKI. OpenSSL and Digital certificate concept has also been discussed here along
with the results of some research papers. OpenSSL helps in creating our own Digital certificate
signed by own certification authority.
4
The increasing number of people and businesses over the internet has made access faster and
cheaper which makes people communicate more over the internet to provide a bigger and better
platform for their businesses to grow and get a new boost in its economy. The Internet has always
been an open platform for communication without any security protocols which criminals thought as
a great opportunity to exploit this era changing technology to get fraudulent gains. Only after this
increasing rate of crimes, it became a necessity to include security protocols so that communication
over the Internet becomes secure and resistant to the threats and security attacks that were
booming by the criminals. Public Key Infrastructure (PKI) is one of the architectures by which all
security properties can be achieved within a communication. A digital certificate is a means to use all
the applications of PKI. OpenSSL and Digital certificate concept has also been discussed here along
with the results of some research papers. OpenSSL helps in creating our own Digital certificate
signed by own certification authority.
4
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Basics of Digital Certificate
A digital certificate is a way to get the knowledge of which key has been assigned to a user for their
involvement in the communication process and transmission of data over the network to other
parties. The receiving party can get to know the sender of the message by using the attached digital
certificate along with the message. Both the sender and receiver is required to attach their
certificates along with the messages to authenticate themselves so that no unauthorized user can
use the false identity of a person while sending any illegal or questionable messages over the
internet (Cross, 2015).
Use of Asymmetric Cryptography
In the creation of digital certificates, asymmetric cryptography has been used where a sender
encrypts the data or message with his public key and sends the encrypted message to the receiver
and he decrypts the data with the help of his own private key. Here in this scenario, the keys used
for both encryption and decryption are different and hence it makes asymmetric cryptography. This
situation can also be viewed as the sender signed or sealed the confidential message with his digital
authentication proof or digital signature by attaching his digital certificate to it.
The concept of Public and Private Key
There are two types of keys that are used in the process of encryption and decryption. A person
owns both public and private key if he is involved in any sort of communication. The public key of
the owner is known to every person involved in the communication processor it can be said that it is
open to everyone. This key is used for encrypting a data and never used for decrypting any type of
data as every person has the access to the public key. The private key owned by a person is known
to only that person and no other person has access to it. In other terms, it is a secret key that is used
for decryption of a data such that only the person that owns the particular private key can decrypt a
data and get access to it. Digital certificates have been issued to a user with the mention of their
public key in it so that it can be used as a proof that they are the authorized owner of a particular
public key and no other person use it without presenting a properly authorized digital certificate
(Cross, 2015).
5
A digital certificate is a way to get the knowledge of which key has been assigned to a user for their
involvement in the communication process and transmission of data over the network to other
parties. The receiving party can get to know the sender of the message by using the attached digital
certificate along with the message. Both the sender and receiver is required to attach their
certificates along with the messages to authenticate themselves so that no unauthorized user can
use the false identity of a person while sending any illegal or questionable messages over the
internet (Cross, 2015).
Use of Asymmetric Cryptography
In the creation of digital certificates, asymmetric cryptography has been used where a sender
encrypts the data or message with his public key and sends the encrypted message to the receiver
and he decrypts the data with the help of his own private key. Here in this scenario, the keys used
for both encryption and decryption are different and hence it makes asymmetric cryptography. This
situation can also be viewed as the sender signed or sealed the confidential message with his digital
authentication proof or digital signature by attaching his digital certificate to it.
The concept of Public and Private Key
There are two types of keys that are used in the process of encryption and decryption. A person
owns both public and private key if he is involved in any sort of communication. The public key of
the owner is known to every person involved in the communication processor it can be said that it is
open to everyone. This key is used for encrypting a data and never used for decrypting any type of
data as every person has the access to the public key. The private key owned by a person is known
to only that person and no other person has access to it. In other terms, it is a secret key that is used
for decryption of a data such that only the person that owns the particular private key can decrypt a
data and get access to it. Digital certificates have been issued to a user with the mention of their
public key in it so that it can be used as a proof that they are the authorized owner of a particular
public key and no other person use it without presenting a properly authorized digital certificate
(Cross, 2015).
5
Figure 1 Public key and Private Key Concept
6
6
Digital Certificate Format
Digital certificates are issued by Certification Authority (CA) and they need to be in a particular
format, a standard structured way so that the information in can be understood easily. The standard
X 509 digital certificate has been followed and it has the following format-
Figure 2 Digital certificate Format
The X 509 standard comprises version number of the standard, serial number of the certificate,
signature algorithm ID that tells about the tells about the algorithm used for signing the certificate
by the CA, name of the issuer, its validity period, name of the person to whom it is issued, public key
that is being issued to the person and its related algorithm, unique id allotted to the issuer and the
person, and CA’s digital signature for signing the certificate. These are the common properties that
are contained in both versions of X 509. There is a block of extension in version 3 that contains
information like alternate name, CRL distribution points, Authority Information Access (AIA),
Enhanced Key Usage (EKU) and others (Beringer, 2016).
7
Digital certificates are issued by Certification Authority (CA) and they need to be in a particular
format, a standard structured way so that the information in can be understood easily. The standard
X 509 digital certificate has been followed and it has the following format-
Figure 2 Digital certificate Format
The X 509 standard comprises version number of the standard, serial number of the certificate,
signature algorithm ID that tells about the tells about the algorithm used for signing the certificate
by the CA, name of the issuer, its validity period, name of the person to whom it is issued, public key
that is being issued to the person and its related algorithm, unique id allotted to the issuer and the
person, and CA’s digital signature for signing the certificate. These are the common properties that
are contained in both versions of X 509. There is a block of extension in version 3 that contains
information like alternate name, CRL distribution points, Authority Information Access (AIA),
Enhanced Key Usage (EKU) and others (Beringer, 2016).
7
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Generation of Digital Certificate
There are a set of steps that need to be followed to request and get digital certificates. Firstly a
person needs to request for the generation of a pair of public and private key from an authorized
company. Then the person needs to gather and submit all the required documents and information
for his identification like fingerprints, email address, etc. Then he can request for issuing of a
certificate for his pair of keys, for which all of his documents are verified and validated and then
after confirmation the certification authority signs the digital certificate and issue it to the person
(Zhu, 2016).
Figure 3 Generation of Digital Certificate
8
There are a set of steps that need to be followed to request and get digital certificates. Firstly a
person needs to request for the generation of a pair of public and private key from an authorized
company. Then the person needs to gather and submit all the required documents and information
for his identification like fingerprints, email address, etc. Then he can request for issuing of a
certificate for his pair of keys, for which all of his documents are verified and validated and then
after confirmation the certification authority signs the digital certificate and issue it to the person
(Zhu, 2016).
Figure 3 Generation of Digital Certificate
8
Validation of Digital Certificate
After acquiring the certificate, Windows perform a set of steps for validating the trustworthiness of
the certificate before it can be used in further communication. For this, firstly the origin of certificate
issuing is obtained and the verification of CAs is done. Then the validation of issuer’s certificate and
the digital signature is verified. After the chain building process that is done to check the authenticity
of the certificate, revocation process is done to check no certificate is revoked. This validation
process ensures that the certificates are fully tested and can be trusted. It authenticates the user at
both sending and receiving point to ensure the integrity of the messages. And any irregularity in the
creation of digital certificate can prove to be very dangerous and can create troubles in the
communication network. Hence it is important that each and every digital certificate is verified
before release with all steps to ensure complete surety in securing system (Zhu, 2016).
9
After acquiring the certificate, Windows perform a set of steps for validating the trustworthiness of
the certificate before it can be used in further communication. For this, firstly the origin of certificate
issuing is obtained and the verification of CAs is done. Then the validation of issuer’s certificate and
the digital signature is verified. After the chain building process that is done to check the authenticity
of the certificate, revocation process is done to check no certificate is revoked. This validation
process ensures that the certificates are fully tested and can be trusted. It authenticates the user at
both sending and receiving point to ensure the integrity of the messages. And any irregularity in the
creation of digital certificate can prove to be very dangerous and can create troubles in the
communication network. Hence it is important that each and every digital certificate is verified
before release with all steps to ensure complete surety in securing system (Zhu, 2016).
9
OpenSSL Fundamentals
OpenSSL is a command line scripting tool that has been used to simplify the tasks of Public key
Infrastructure (PKI) and HTTPS or SSL layer over HTTP. It is a software application library that is used
for securing communication and provide authentication of the person present at the receiving end.
It is widely used in web server to provide security to a large number of websites. OpenSSL has been
used to create an individual’s own digital certificate inside an organization and to acquire more
security while browsing a website by using HTTPS protocol. It has been provided with a number of
encryption algorithms and ciphers to protect the network and data. OpenSSL has been provided with
a pre-built form but a newer version can also be created by rebuilding the open source code and
making slight changes in it. It is a software application library that is used for securing
communication and provide authentication of the person present at the receiving end. It is widely
used in web server to provide security to a large number of websites (Wong, 2015).
OpenSSL Architecture
OpenSSL is a kit providing cryptographic tools that are used for free implementation of security
protocol layers such as Secure Socket Layer (SSL) and Transport Layer Security (TLS). It is also used in
implementing tasks for PKI cryptographic commands. The OpenSSL tool includes configuration file
and command lines along with the predefined source code, header files, and executable libraries.
Apart from creating digital certificates, it has also been used in creating a message digest, SSL and
TLS testing programs, RSA key parameters, and ciphers for encrypting and decryption processes. It
contains an EVP interface that changes the ciphers for different algorithms without changing the
source code. The architecture of OpenSSL has been described below (Beringer, 2016).
10
OpenSSL is a command line scripting tool that has been used to simplify the tasks of Public key
Infrastructure (PKI) and HTTPS or SSL layer over HTTP. It is a software application library that is used
for securing communication and provide authentication of the person present at the receiving end.
It is widely used in web server to provide security to a large number of websites. OpenSSL has been
used to create an individual’s own digital certificate inside an organization and to acquire more
security while browsing a website by using HTTPS protocol. It has been provided with a number of
encryption algorithms and ciphers to protect the network and data. OpenSSL has been provided with
a pre-built form but a newer version can also be created by rebuilding the open source code and
making slight changes in it. It is a software application library that is used for securing
communication and provide authentication of the person present at the receiving end. It is widely
used in web server to provide security to a large number of websites (Wong, 2015).
OpenSSL Architecture
OpenSSL is a kit providing cryptographic tools that are used for free implementation of security
protocol layers such as Secure Socket Layer (SSL) and Transport Layer Security (TLS). It is also used in
implementing tasks for PKI cryptographic commands. The OpenSSL tool includes configuration file
and command lines along with the predefined source code, header files, and executable libraries.
Apart from creating digital certificates, it has also been used in creating a message digest, SSL and
TLS testing programs, RSA key parameters, and ciphers for encrypting and decryption processes. It
contains an EVP interface that changes the ciphers for different algorithms without changing the
source code. The architecture of OpenSSL has been described below (Beringer, 2016).
10
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Figure 4 OpenSSL Architecture
To use OpenSSL, first, it is required to download its source code. The source code of OpenSSL
contains various commands to perform various functions. For example, there is a different source
code file for each function like for including SSL/TLS protocols, including headers, for generation of C
code, for testing, etc.( Oppliger, 2016)
11
To use OpenSSL, first, it is required to download its source code. The source code of OpenSSL
contains various commands to perform various functions. For example, there is a different source
code file for each function like for including SSL/TLS protocols, including headers, for generation of C
code, for testing, etc.( Oppliger, 2016)
11
SSL and TLS protocols in OpenSSL
SSL protocols are used to provide security in the communication between two hosts by utilizing
cryptographic fundamentals to provide confidentiality, authentication of user and integrity of
messages. SSL has been started using with HTTP to protect the secure e-commerce transactions. TLS
protocols add some modifications to various versions of SSL. Currently, TLS has been used in the
practical implementation. However, TLS also provide the functionality to rollback to SSL in case TLS is
not supported by an OS as TLS can’t work with SSL3.0 version due to compatibility issues. The
SSL/TLS protocol layer has been inserted in between the application and transport layer. It has
various components involved in securing the data and communication network (Wong, 2015).
Figure 5 SSL and TLS protocol layer in OpenSSL
This protocol layer begins with a client who initiates the communication by handshaking or sending a
message that contains protocol version and session id along with a randomly generated number.
Then the server also sends the hello message with including details like cipher suite to complete the
initiation or handshaking procedure. The the server sends its digital certificate for its authentication.
The client sends the key exchange message and encrypts it with the public key of the server. The
server receives the key exchange request and decrypts it using the keys and verifies the bytes of a
master secret that has been sent by the client along with the message (Alkazimi, 2016). The client
version and the server version of the bytes should be same in handshake protocol. Using the random
numbers that have been sent earlier the communication move forward, and these random numbers
12
SSL protocols are used to provide security in the communication between two hosts by utilizing
cryptographic fundamentals to provide confidentiality, authentication of user and integrity of
messages. SSL has been started using with HTTP to protect the secure e-commerce transactions. TLS
protocols add some modifications to various versions of SSL. Currently, TLS has been used in the
practical implementation. However, TLS also provide the functionality to rollback to SSL in case TLS is
not supported by an OS as TLS can’t work with SSL3.0 version due to compatibility issues. The
SSL/TLS protocol layer has been inserted in between the application and transport layer. It has
various components involved in securing the data and communication network (Wong, 2015).
Figure 5 SSL and TLS protocol layer in OpenSSL
This protocol layer begins with a client who initiates the communication by handshaking or sending a
message that contains protocol version and session id along with a randomly generated number.
Then the server also sends the hello message with including details like cipher suite to complete the
initiation or handshaking procedure. The the server sends its digital certificate for its authentication.
The client sends the key exchange message and encrypts it with the public key of the server. The
server receives the key exchange request and decrypts it using the keys and verifies the bytes of a
master secret that has been sent by the client along with the message (Alkazimi, 2016). The client
version and the server version of the bytes should be same in handshake protocol. Using the random
numbers that have been sent earlier the communication move forward, and these random numbers
12
have been generated using a random number generator function and will be used for MAC,
encryption key, and initialization of encryption algorithm. When both the server and the client are
done with sending the messages then they quit the connection and the session id is destroyed. For
starting another communication between the same server and client, they need to follow the same
steps as above as their old connection is destroyed and it can’t be accessed again.
The SSL record protocol is responsible for breaking application data into fixed length blocks,
compressing the data, adding MAC (message authentication code) that is generated using the
integrity key, packet encryption, and adding SSL headers in the packets for security purposes.
The SSL alert message protocol has been applied after completion of handshake protocol and
checking the integrity of message using record protocol. The alert message protocol is used to
inform the receiving party of any problem in delivering the message and any caught irregularity.
The most important task of OpenSSL is to secure private key of the server. Hence the private key is
generated in a secure manner using a strong cryptographic generator that has a random number
generator and both these functions work in coordination to get a secure private key for the server.
The private key needs to be protected and should not be shared with others. When the work of
private key is finished, it needs to be destroyed so that no other person can misuse it for illegal
communications (Chandrasekar, 2017).
13
encryption key, and initialization of encryption algorithm. When both the server and the client are
done with sending the messages then they quit the connection and the session id is destroyed. For
starting another communication between the same server and client, they need to follow the same
steps as above as their old connection is destroyed and it can’t be accessed again.
The SSL record protocol is responsible for breaking application data into fixed length blocks,
compressing the data, adding MAC (message authentication code) that is generated using the
integrity key, packet encryption, and adding SSL headers in the packets for security purposes.
The SSL alert message protocol has been applied after completion of handshake protocol and
checking the integrity of message using record protocol. The alert message protocol is used to
inform the receiving party of any problem in delivering the message and any caught irregularity.
The most important task of OpenSSL is to secure private key of the server. Hence the private key is
generated in a secure manner using a strong cryptographic generator that has a random number
generator and both these functions work in coordination to get a secure private key for the server.
The private key needs to be protected and should not be shared with others. When the work of
private key is finished, it needs to be destroyed so that no other person can misuse it for illegal
communications (Chandrasekar, 2017).
13
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
OpenSSL applications for implementing SSL/TLS
The various libraries that are present in OpenSSL toolkit are being used for implementing the TLS and
SSL protocol layers. The OpenSSL source code is published under Apache and is a free and open
source which can be downloaded, uploaded, rebuild as required without any costing. The command
for requesting OpenSSL to run is as follows-
openssl req -new key RSA:1024 -x509 -nodes -key out test_key.pm -new -out test_cert.pem
After this, the OpenSSL kit has been installed by using the command-
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
$ make install
14
The various libraries that are present in OpenSSL toolkit are being used for implementing the TLS and
SSL protocol layers. The OpenSSL source code is published under Apache and is a free and open
source which can be downloaded, uploaded, rebuild as required without any costing. The command
for requesting OpenSSL to run is as follows-
openssl req -new key RSA:1024 -x509 -nodes -key out test_key.pm -new -out test_cert.pem
After this, the OpenSSL kit has been installed by using the command-
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
$ make install
14
Generation of Digital Certificates
There are various methods by which digital certificates are generated using the OpenSSL. Here is
presented some methods which include the following steps:
1. Generation of new RSA private key and Certification Signing Request(CSR)
There are various methods for the generation of private key and certificates, highest
encryption standards have been chosen for the same. OpenSSL config file is used for this
step to submit the desired options. Existing openssl.config file can be located by using the
command- openssl version –d while a new openssl.config file can be created adding it in
configuration folder using the command- -config ./openssl.cnf. After this, openSSL is
initialized as $ openssl. Then openssl commands have been issued to generate the private
key and CSR all at once. User friendly messaged is viewed on screen as the commands are
entered to get information according to the request. The example of requesting a digital
certificate (Chandrasekar, 2017)-
OpenSSL> req -config ./openssl.cnf -new -out ca.req -new key RSA:2048
-key out privkey.pm -nodes
Configure from ./openssl.cnf
A 2048 bit private key is generated
After this information about the user will be asked that will be incorporated in digital certificate.
Here is a sample of the information that will be asked after this stage as per asked to me during
my experiment (Gallagher¸2016):
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [North Carolina]:
Locality Name (city) [Cary]:
Organization Name (company) [Proton Inc.]:
Organizational Unit Name (department) [IDB]:
Common Name (YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes to be sent with
your certificate request
A challenge password []:
An optional company name []:
OpenSSL>
2. Generate a public key Certificate from Existing Certificate
15
There are various methods by which digital certificates are generated using the OpenSSL. Here is
presented some methods which include the following steps:
1. Generation of new RSA private key and Certification Signing Request(CSR)
There are various methods for the generation of private key and certificates, highest
encryption standards have been chosen for the same. OpenSSL config file is used for this
step to submit the desired options. Existing openssl.config file can be located by using the
command- openssl version –d while a new openssl.config file can be created adding it in
configuration folder using the command- -config ./openssl.cnf. After this, openSSL is
initialized as $ openssl. Then openssl commands have been issued to generate the private
key and CSR all at once. User friendly messaged is viewed on screen as the commands are
entered to get information according to the request. The example of requesting a digital
certificate (Chandrasekar, 2017)-
OpenSSL> req -config ./openssl.cnf -new -out ca.req -new key RSA:2048
-key out privkey.pm -nodes
Configure from ./openssl.cnf
A 2048 bit private key is generated
After this information about the user will be asked that will be incorporated in digital certificate.
Here is a sample of the information that will be asked after this stage as per asked to me during
my experiment (Gallagher¸2016):
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [North Carolina]:
Locality Name (city) [Cary]:
Organization Name (company) [Proton Inc.]:
Organizational Unit Name (department) [IDB]:
Common Name (YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes to be sent with
your certificate request
A challenge password []:
An optional company name []:
OpenSSL>
2. Generate a public key Certificate from Existing Certificate
15
This step is optional. A public certificate is generated using commands from existing signing
request. The commands used are x509 -req -in ca.csr -signkey cakey.pem -out ca.pem -
sha256 for generating self-signed certificate, ca -config ./openssl.cnf -in server.csr -out
server.pem -md sha256 for generating server certificates signed by CA, ca -config
./openssl.cnf -in client.csr -out client.pem -md sha256 for generating client certificates
signed by CA. After this informational messages are prompted on screen to enter password
and creating a certificate. This is the example of what informational messages will be
displayed to the user after this stage-
Configure from ./openssl.cnf
Enter PEM pass phrase: password
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:
stateOrProvinceName :PRINTABLE:
localityName :PRINTABLE:
organizationName :PRINTABLE:
organizationalUnitName:PRINTABLE:
commonName :PRINTABLE:
Certificate is to be certified until Oct 16 17:48:27 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Data Base Updated
3. Securing Private key files
The access to the private key is confined to the person to whom it belongs. To secure its
access, a password is used to restrict the usage of files inside private keys. The password can
be provided while the generation of the private key or it can be given later. To add a
password later in private keys files we need to write the command- openssl RSA -aes256 -
in /tmp/cakey.pem -out /tmp/enccakey.pem. This will open a prompt box which will ask for
password and it can be entered and saved successfully (Hu, 2016).
4. Checking of Digital certificate using OpenSSL
For checking a digital certificate that has been generated, we need to use the following
command- openssl> x509 -text -in filename.pem. A digital certificate comprises of all the
information that has been used in the generation of its timestamps, and digital signatures.
The generated digital certificate is in PEM format and encoded and hence it is unreadable.
5. Creating Certificate Chain
16
request. The commands used are x509 -req -in ca.csr -signkey cakey.pem -out ca.pem -
sha256 for generating self-signed certificate, ca -config ./openssl.cnf -in server.csr -out
server.pem -md sha256 for generating server certificates signed by CA, ca -config
./openssl.cnf -in client.csr -out client.pem -md sha256 for generating client certificates
signed by CA. After this informational messages are prompted on screen to enter password
and creating a certificate. This is the example of what informational messages will be
displayed to the user after this stage-
Configure from ./openssl.cnf
Enter PEM pass phrase: password
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:
stateOrProvinceName :PRINTABLE:
localityName :PRINTABLE:
organizationName :PRINTABLE:
organizationalUnitName:PRINTABLE:
commonName :PRINTABLE:
Certificate is to be certified until Oct 16 17:48:27 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Data Base Updated
3. Securing Private key files
The access to the private key is confined to the person to whom it belongs. To secure its
access, a password is used to restrict the usage of files inside private keys. The password can
be provided while the generation of the private key or it can be given later. To add a
password later in private keys files we need to write the command- openssl RSA -aes256 -
in /tmp/cakey.pem -out /tmp/enccakey.pem. This will open a prompt box which will ask for
password and it can be entered and saved successfully (Hu, 2016).
4. Checking of Digital certificate using OpenSSL
For checking a digital certificate that has been generated, we need to use the following
command- openssl> x509 -text -in filename.pem. A digital certificate comprises of all the
information that has been used in the generation of its timestamps, and digital signatures.
The generated digital certificate is in PEM format and encoded and hence it is unreadable.
5. Creating Certificate Chain
16
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
After the generation of digital certificates for all CAs, servers, and clients, it is required to
produce a list of one or more CAs that can be trusted for a particular OpenSSL client
application. This list is called a chair of trustees. The digital certificates of the trustees CAs
comprise files that have information and name of other trusted CAs and this file are copied
and pasted to all trusted CAs digital certificate. The trusted CAs can be categorized into
primary, intermediate, and root. The details of root CA sends to application’s trust store.
Root CA is not stored in the server chain of trust.
The following command can be used to generate a trust list-
(Your Server Certificate - ssl.crt)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Intermediate CA Certificate(s))
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Root CA Certificate)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
The content of digital certificate has been encoded and presented as <PEM encoded
certificate> and all text outside the delimiters are ignored by the processor. The root CA
certificate, server certificate, and client certificate can be concatenated in a sing file using
commands-
cat server.pem > certchain.pem
cat intermediateCA.pem >> certchain.pem
cat rootCA.pem >> certchain.pem
As the digital certificates are encoded, the content of digital certificate is unreadable. To
view the complete contents of Digital certificates the following command can be used-
openssl x509 -in the cert.pem -text –noout
openssl x509 -in cert.cer -text –noout
openssl x509 -in cert.crt -text –noout
6. Verifying Certificates
17
produce a list of one or more CAs that can be trusted for a particular OpenSSL client
application. This list is called a chair of trustees. The digital certificates of the trustees CAs
comprise files that have information and name of other trusted CAs and this file are copied
and pasted to all trusted CAs digital certificate. The trusted CAs can be categorized into
primary, intermediate, and root. The details of root CA sends to application’s trust store.
Root CA is not stored in the server chain of trust.
The following command can be used to generate a trust list-
(Your Server Certificate - ssl.crt)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Intermediate CA Certificate(s))
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Root CA Certificate)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
The content of digital certificate has been encoded and presented as <PEM encoded
certificate> and all text outside the delimiters are ignored by the processor. The root CA
certificate, server certificate, and client certificate can be concatenated in a sing file using
commands-
cat server.pem > certchain.pem
cat intermediateCA.pem >> certchain.pem
cat rootCA.pem >> certchain.pem
As the digital certificates are encoded, the content of digital certificate is unreadable. To
view the complete contents of Digital certificates the following command can be used-
openssl x509 -in the cert.pem -text –noout
openssl x509 -in cert.cer -text –noout
openssl x509 -in cert.crt -text –noout
6. Verifying Certificates
17
Servers and clients exchange their digital certificate in the first stage before starting an
actual communication and start sending messages only after verifying and authenticating
each other’s digital certificates. The validation process of the server certificate is performed
by the CAs who are a part of trust chain. All the CAs in the chain of trust has to be available
to verify a certificate. All the certificates can either be validated individually by putting them
in individual files and sending the location to the CAs as pointed by SSLCACERTDIR
environment variable or it can also be combined into a single file and can be located by
pointing to the SSLCALISTLOC= option.
7. End OpenSSL the OpenSSL application can be ended by typing quit in the prompt or
command box (Le Saint, 2016).
18
actual communication and start sending messages only after verifying and authenticating
each other’s digital certificates. The validation process of the server certificate is performed
by the CAs who are a part of trust chain. All the CAs in the chain of trust has to be available
to verify a certificate. All the certificates can either be validated individually by putting them
in individual files and sending the location to the CAs as pointed by SSLCACERTDIR
environment variable or it can also be combined into a single file and can be located by
pointing to the SSLCALISTLOC= option.
7. End OpenSSL the OpenSSL application can be ended by typing quit in the prompt or
command box (Le Saint, 2016).
18
Conclusion
The basic concepts of digital certificates and their architecture have been studied in this paper and
the need of using them to provide confidentiality; authentication and integrity have also been
discussed. The basics of OpenSSl including its use in the implementation of SSL and TLS protocol
layer have also been studied to get a better insight while studying the procedure to generate the
digital certificates using OpenSSL application. The OpenSSL generated digital certificates are in PEM
format and encoded and the steps followed to decode the content of digital certificates have also
been mentioned in this work. The digital certificates play an important role in authentication of a
user as it contains the person’s digital signature and has been approved by a trusted certification
authority. It has also provided the details of securing digital certificates and the private key files by
providing passwords and other security measures to keep those files accessible to only one
authenticated person. The OpenSSL libraries and source code have also been taken into account and
various commands of OpenSSL application tool have been reviewed and their usage and purpose
have been discussed in detail.
19
The basic concepts of digital certificates and their architecture have been studied in this paper and
the need of using them to provide confidentiality; authentication and integrity have also been
discussed. The basics of OpenSSl including its use in the implementation of SSL and TLS protocol
layer have also been studied to get a better insight while studying the procedure to generate the
digital certificates using OpenSSL application. The OpenSSL generated digital certificates are in PEM
format and encoded and the steps followed to decode the content of digital certificates have also
been mentioned in this work. The digital certificates play an important role in authentication of a
user as it contains the person’s digital signature and has been approved by a trusted certification
authority. It has also provided the details of securing digital certificates and the private key files by
providing passwords and other security measures to keep those files accessible to only one
authenticated person. The OpenSSL libraries and source code have also been taken into account and
various commands of OpenSSL application tool have been reviewed and their usage and purpose
have been discussed in detail.
19
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
References
Le Saint, E.F., Assa Abloy AB, 2016. Trusted and unsupervised digital certificate generation
using a security token. U.S. Patent 9,331,990.
Hu, Y., Tie, M., Tong, W., Zhang, B., Huang, Z., Jian, L. and Yuan, P., China Iwncomm Co Ltd,
2016. Digital certificate automatic application method, device, and system. U.S. Patent
9,397,840.
Gallagher, S.J., Red Hat Inc, 2017. Creating a digital certificate for a service using a local
certificate authority. U.S. Patent Application 15/275,102.
Cross, T.J., Dewey, D.B. and Takahashi, T., International Business Machines Corp, 2015. Using
the information in a digital certificate to authenticate a network of a wireless access point.
U.S. Patent 9,197,420.
Beringer, L., Petcher, A., Katherine, Q.Y. and Appel, A.W., 2015, August. Verified Correctness
and Security of OpenSSL HMAC. In USENIX Security Symposium (pp. 207-221).
Wong, A., Liu, V., Caelli, W. and Sahama, T., 2015, May. An architecture for trustworthy open
data services. In IFIP International Conference on Trust Management (pp. 149-162). Springer,
Cham.
Oppliger, R., 2016. SSL and TLS: Theory and Practice. Artech House.
Alkazimi, A. and Fernandez, E.B., 2016, October. Heartbleed: a misuse pattern for the
OpenSSL implementation of the SSL/TLS protocol. In Proceedings of the 23rd Conference on
Pattern Languages of Programs (p. 6). The Hillside Group.
Zhu, W.T., and Lin, J., 2016. Generating Correlated Digital Certificates: Framework and
Applications. IEEE Transactions on Information Forensics and Security, 11(6), pp.1117-1127.
Chandrasekar, B., Ramesh, B., Prabhu, V., Sajeev, S., Mohanty, P.K. and Shobha, G., 2017,
March. Development of Intelligent Digital Certificate Fuzzer Tool. In Proceedings of the 2017
International Conference on Cryptography, Security and Privacy (pp. 126-130). ACM.
20
Le Saint, E.F., Assa Abloy AB, 2016. Trusted and unsupervised digital certificate generation
using a security token. U.S. Patent 9,331,990.
Hu, Y., Tie, M., Tong, W., Zhang, B., Huang, Z., Jian, L. and Yuan, P., China Iwncomm Co Ltd,
2016. Digital certificate automatic application method, device, and system. U.S. Patent
9,397,840.
Gallagher, S.J., Red Hat Inc, 2017. Creating a digital certificate for a service using a local
certificate authority. U.S. Patent Application 15/275,102.
Cross, T.J., Dewey, D.B. and Takahashi, T., International Business Machines Corp, 2015. Using
the information in a digital certificate to authenticate a network of a wireless access point.
U.S. Patent 9,197,420.
Beringer, L., Petcher, A., Katherine, Q.Y. and Appel, A.W., 2015, August. Verified Correctness
and Security of OpenSSL HMAC. In USENIX Security Symposium (pp. 207-221).
Wong, A., Liu, V., Caelli, W. and Sahama, T., 2015, May. An architecture for trustworthy open
data services. In IFIP International Conference on Trust Management (pp. 149-162). Springer,
Cham.
Oppliger, R., 2016. SSL and TLS: Theory and Practice. Artech House.
Alkazimi, A. and Fernandez, E.B., 2016, October. Heartbleed: a misuse pattern for the
OpenSSL implementation of the SSL/TLS protocol. In Proceedings of the 23rd Conference on
Pattern Languages of Programs (p. 6). The Hillside Group.
Zhu, W.T., and Lin, J., 2016. Generating Correlated Digital Certificates: Framework and
Applications. IEEE Transactions on Information Forensics and Security, 11(6), pp.1117-1127.
Chandrasekar, B., Ramesh, B., Prabhu, V., Sajeev, S., Mohanty, P.K. and Shobha, G., 2017,
March. Development of Intelligent Digital Certificate Fuzzer Tool. In Proceedings of the 2017
International Conference on Cryptography, Security and Privacy (pp. 126-130). ACM.
20
1 out of 20
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.