第1页 / 共23页
第2页 / 共23页
第3页 / 共23页
第4页 / 共23页
第5页 / 共23页
第6页 / 共23页
第7页 / 共23页
第8页 / 共23页
CA Certificate.pdf
Certificate Management
Security in Networked Computer Systems
Certificate Management with OpenSSL
Certification Authority
● A main problem in asymmetric cryptography is to be sure that a certain
subject uses a certain cryptographic quantity.
● For example, be sure that the server reachable at a certain domain
“www.server.com” uses a certain public key.
● Only sending the public key over Internet is not safe, because a man in the
middle could change it.
● We need a trusted third entity called certification authority (CA).
● Everyone trusts the CA.
● Everyone knows the CA's public key.
● The CA releases signed certificates, which bind a given subject to a given
cryptographic quantity.
● The most common type of certificates are public key certificates, which bind
a given subject (usually an Internet domain or a company) to a given public
key.
Security in Networked Computer Systems
Certificate Management with OpenSSL
Certification Authority
● Before releasing the certificate, the CA makes sure that the subject really
exists and really owns that cryptographic quantity (validation process).
● Two main types of validation:
● Domain validation
The CA makes sure that the subject controls a particular Internet domain.
Firefox/Chrome:
Internet Explorer:
● Extended validation (EV certificate)
In addition to domain validation, the CA also makes sure that the subject
physically exists, and is really who is meant to be.
Firefox/Chrome:
Internet Explorer:
There are two types of certificates: certificates with domain validation and
certificates with extended validation (EV certificates). With domain validation, the
CA only assures that the requesting subject owns a particular Internet domain.
Usually it is done by sending a challenge email to an email server running on that
domain. The subject proves to own the domain by responding to the email. This
type of certificates costs 369€ (1 year) by Symante c, but far less with cheaper CA's.
With extended validation, the CA assures the physical existence and the identity
of the requesting subject. In particular, three checks must be performed: (i) legal
existence; (ii) physical existence; (iii) operational existence (that is, the subject is a
still-operating company). The extended validation requires a face-to-face
identification with a CA's employee, a notary, or a lawyer. An EV certificate costs
849€ (1 year) by Symantec. Not all CA's are permitt ed to issue EV certificates. Web
browsers usually signals the presence of an EV certificate with green colors (a green
lock in Firefox/Chrome, a green address bar in Internet Explorer).
Security in Networked Computer Systems
Certificate Management with OpenSSL
OpenSSL CA
● OpenSSL includes a basic CA software
openssl ca
● The OpenSSL CA software is not meant to be a professional application.
●
It is very user-hostile and error-prone.
● You should use more advanced, GUI-based CA software in the real life:
– xca → Front-end of OpenSSL CA, runs on Linux, Windows, Mac OS, open-source.
– EJBCA (Enterprise Java Bean CerƟficate Authority) → Java-based, open-source.
– Windows Server → Can be configured to act as a CA, closed-source.
– SimpleAuthority → Free up to 4 users, runs on Linux, Windows, Mac OS, closed-
source.
OpenSSL provides for an extremely basic, command-line certification authority
software. The OpenSSL CA is good for teaching, but it is not meant to be used for
professional activity, because it is very user-hostile and error-prone. Other, more
advanced CA software exists,
like xca, EJBCA, Windows Server CA,
SimpleAuthority, etc.
Security in Networked Computer Systems
Certificate Management with OpenSSL
OpenSSL CA Set Up
● Create the CA's directory (e.g. '~/my_ca/') with two subdirectories:
● /newcerts → For the issued cerƟficates.
● /private → For the CA's private key.
●
Inside the CA's directory, create an empty certificate database:
touch index.txt
● … and initialize to 1 the certificate serial counter and the CRL serial counter:
echo '01' > serial
echo '01' > crlnumber
● Make a copy of the OpenSSL CA default configuration file in your CA's
directory.
● You will find the OpenSSL CA default configuration file in '/etc/ssl/openssl.cnf'
for Ubuntu, or in '/usr/ssl/openssl.cnf' for Cygwin.
● Tell to OpenSSL to read your configuration file by setting the environment
variable 'OPENSSL_CONF':
export OPENSSL_CONF=/openssl.cnf
Follow these instructions in order to set up the OpenSSL CA. In a professional
setting, the directory holding the CA's private key should be accessible only to the
CA user (i.e. the one issuing certificates).
Security in Networked Computer Systems
Certificate Management with OpenSSL
OpenSSL CA Set Up
● The OpenSSL configuration file (openssl.cnf) is organized in sections.
● Each section has a case-sensitive name in square brackets:
[section_name]
● Each section contains a set of case-sensitive keys with an associated value:
key_name = value
● Comments are preceded by '#' character:
# This is a comment
Security in Networked Computer Systems
Certificate Management with OpenSSL
OpenSSL CA Set Up
● Edit your openssl.cnf file.
●
Inside the [CA_default] section, you should change:
● dir =
To set up the OpenSSL CA's directory.
● certificate = $dir/ca_cert.pem
To let OpenSSL CA find its own root certificate.
● private_key = $dir/private/ca_prvkey.pem
To let OpenSSL CA find its own private key.
● policy = policy_anything
Otherwise, OpenSSL CA will refuse to certify subjects belonging to
organizations different from the CA itself.
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
