| Table of Contents | Previous Next |
20.4 Secure Sockets Layer (SSL) and OpenSSL20.4.1 What is SSL and how does it work?SSL is a communications protocol layer which may be placed between your TCP/IP and HTTP suites. In effect, it can intercept your Web traffic and provide security between the browser and server. The encryption or cryptography used in SSL guarantees secure communications in an insecure environment. More importantly, all security operations are transparent to both ends. The first practical SSL protocol known as SSL v2.0 was implemented by Netscape and supported by the NS 1.x/2.x and IE 3.x browsers. This version of SSL is mainly vendor specific and with limited features. Although not a standard, the next version of SSL (SSL v3.0) attracted much more attention and is widely supported by the Web community. Perhaps not many ordinary Web users notice that most browsers and browser families including IE, NS, and Opera support security in a strong cryptography sense. For example, they all support 128-bit encryption (RSA key exchange) for SSL v1.0/v2.0, and the successor Transport Layer Security (TLS v1.0) from the IETF. All of them also extend the cryptographic support to a wider area beyond HTTP (Web) covering NNTP (news), POP, and SMTP (email). They provide security by means of encryption/decryption, generating private/public keys and responding to certificate (in the SSL sense) requests. In addition to gaining support from browsers, more importantly, an open source implementation called OpenSSL is freely available from the Open Source Initiative (OSI). This software package can be integrated into server software such as Apache with little effort. Therefore, secure Web servers or add-on transmission packages are no longer costly proprietary products. In fact, the latest implementation of OpenSSL matches almost all cryptography standards including both SSL v2.0/v3.0 and TLS v1.0. Now, we can say that SSL is there, free, and widely available to us all. In fact, OpenSSL is a cryptography toolkit. More precisely, it is a collection of functions organized in a library structure controlled by a command-line program called openssl. The package implements the SSL v2.0/v3.0 and TLS v1.0 network protocols and many other related cryptography standards required by them. At a minimum level, it can be used to generate a certificate (in the SSL sense) identifying yourself. This certificate can then be imported into your favorite browser such as IE, NS, or Opera. We will show you how to install OpenSSL and how to use it for security purposes later in section 20.4.2. In section 20.5, we will show you how to set up a secure Web site that people can surf with HTTPS. Examples related to SSL will have the extension .ssl in this chapter. Before the engineering work, let's consider how SSL works to provide a secure environment for Web communication. Basically, SSL establishes mutual trust between browser and server. This mutual trust is controlled by the SSL Record Protocol with handshake sequences. The handshake contains the following three layers:
These sequences are used to establish an SSL session. When this session is identified and established, secure connection and transmission take place. In normal circumstances, there will be some certificate exchange and an agreed cipher suite will be used for the transmission. This means that both the client and server will have the chance to identify themselves and request authentication of each other via certificate requests. When this initial handshake is established, an agreed cipher (encryption) is used to protect the privacy of the transmission. If something goes wrong during the entire connection or SSL session, the SSL Alert Protocol is used to convey SSL error messages between client and server. A typical SSL session is shown in Fig. 20.9. Figure 20.9. A typical SSL session between browser and server
To make this work, the key is the certificate administration. A certificate in SSL is a special piece of information associated with a public key and the real identity of the object concerned, which includes the individual, server, or other entity. Any SSL implementation should be able to generate certificates for you and/or your applications. The public key can be used to decrypt the message you send to the receiver. In order to increase the credibility of the certificate, the certificate should be signed by a trusted organization known as a Certification Authority (CA). Once the certificate is signed, it can be imported into your favorite browser to identify you as the client. A signed certificate can also be installed into a Web server for authentication purposes. We will show you how to generate these certificates by examples later in this section. Once the Web server is equipped with SSL security and changed into a secure server, the secure Web server can be surfed by https such as:
or using the following URL with anchor element: <a href="https://www.pwt-ex.com"> This is a secure link</a> When your browser enters the secure mode with SSL, you will see an alert window. The alert windows for IE, NS, and Opera are shown in Figs 20.1020.12. Figure 20.10. IE6.x "Seucurity Alert" window
Figure 20.12. Opera security alert
Figure 20.11. NS6.x alert window
Before you can activate OpenSSL and make it work for you, it is necessary to install the package on your system first. 20.4.2 Installation of OpenSSLOpenSSL is a software package from the Open Source Initiative (OSI), which means that you can use it for commercial or non-commercial purposes. You can download a copy of the software from the official site www.openssl.org. The version and tar that we are using is openssl-0.9.6c.tar.gz Unlike many other software packages, this file contains everything you need to install OpenSSL for the following platforms:
The OpenSSL software team has done a very good job in encapsulating all these environments into one distribution. If you are using UNIX/LINUX, you can use the following commands to extract the files and subdirectories into your machine: gzip d openssl-0.9.6c.tar.gz tar xvf openssl-0.9.6c.tar These two commands will extract all the files and associated subdirectories into a directory called openssl-0.9.6c. Sometimes, you can use one process command tar -zxvf openssl-0.9.6c.tar.gz to do the job. For Windows users, you can use WinZip to extract all files to the destination directory in one process. In order to build the package, you will also need the following additional packages up and running:
Suppose you are using a UNIX/LINUX system and you are already inside the OpenSSL file directory (e.g., openssl-0.9.6c). You can use the following two commands to build and install the package on your system temporarily: $./config $make This will build the OpenSSL libraries libcrypto.a and libssl.a and the OpenSSL command-line program openssl. The command-line program is stored in the subdirectory called apps. When the package is built, you should test it before installing it on your system permanently. You can test the libraries by $make test OpenSSL is a complicated software package; even the testing printout is well over two full pages. Basically, the test is to see whether the built libraries can generate RSA keys and perform clientserver authentication. If everything is in working order, you will see "passed all tests" at the end of the screen output. In this case, you can perform the following command to install the package: $make install Among other things, this will create the following subdirectories under the target directory openssl-0.9.6c:
For most users, the command-line program openssl and the certificates are the essential tools to make SSL work. For programmers, the header files in the include/openssl directory and the libraries are important components for building SSL applications. If you are using Windows systems, a default subdirectory or folder called ms under the folder openssl-0.9.6c is available for you to build OpenSSL there. To compile OpenSSL under Windows, a Perl package for Win32 is required. Such a package is available from (www.activestate.com/ActivePerl). Also, you may need at least one of the following compilers:
We will describe how to compile OpenSSL using Visual C++ only. First, run the Perl program to configure OpenSSL for VC++: perl Configure VC-WIN32 The next step is to build the makefile dedicated for Visual C++ by the following command: ms\do_ms This command runs the batch file do_ms.bat under the ms directory and subsequently builds all make files for Visual C++. Now you can compile the software using nmake as nmake f ms\ntdll.mak Again, we assume all commands were typed under the openssl-0.9.6c directory. If all goes well it will build all Dynamic Linked Libraries (DLLs) and executables in the out32dll directory. Now, you can run OpenSSL inside out32dll or put this directory into your path. For example, you can test the libraries and software by cd out32dll ..\ms\test Let's consider some examples of how to use OpenSSL for security purposes. The first application of OpenSSL is to generate some digital keys and certificates. 20.4.3 Generating digital keys and certificatesIf you install OpenSSL correctly, most SSL applications can be performed by the command-line program openssl. This program is a command-line tool for using the various cryptography functions of OpenSSL's crypto libraries from a console window. Even at a basic level, it can be used for
We will go through some major functionalities with you step by step. In particular, we will concentrate on the creation and application of certificates. Once certificates are created and signed by a CA, they can be imported into browsers such as IE and NS so that user authentication can be performed. Certificates can also put into a Web server so that secure HTTP (or HTTPS) can be established. The openssl program offers well over 100 commands and options. Many of them are characterized into three categories:
Each category contains a rich set of operational commands. Some of them are complicated with a large number of arguments and options. There is a help utility in openssl, though. If the program openssl doesn't understand a command or statement, a command summary is displayed to provide help. A session of the command summary is shown in ex20-11.ssl below:
Example: ex20-11.ssl - The Command Summary Of OpenSSL
1: [openssl-0.9.6c]$ openssl help
2:
3: Standard commands
4: asn1parse ca ciphers crl crl2pkcs7
5: dgst dh dhparam dsa dsaparam
6: enc errstr gendh gendsa genrsa
7: nseq passwd pkcs12 pkcs7 pkcs8
8: rand req rsa rsautl s_client
9: s_server s_time sess_id smime speed
10: spkac verify version x509
11:
12: Message Digest commands (see the `dgst' command for more details)
13: md2 md4 md5 mdc2 rmd160
14: sha sha1
15:
16: Cipher commands (see the `enc' command for more details)
17: base64 bf bf-cbc bf-cfb bf-ecb
18: bf-ofb cast cast-cbc cast5-cbc cast5-cfb
19: cast5-ecb cast5-ofb des des-cbc des-cfb
20: des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
21: des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb
22: des3 desx idea idea-cbc idea-cfb
23: idea-ecb idea-ofb rc2 rc2-40-cbc rc264-cbc
24: rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4
25: rc440 rc5 rc5-cbc rc5-cfb rc5-ecb
26: rc5-ofb
As for many cryptography studies, a natural starting point is the MD string. From example ex20-11.ssl, you can see a rich set of MD functions under the dgst (digest string) command. The general calling syntax for this dgst command is
openssl dgst
[-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1]
[-c] [-d] [-hex] [-binary] [-out filename] [-sign filename]
[-verify filename] [-prverify filename] [-signature filename]
[file...]
One of the best ways to show you how to use it is by examples. Like most openssl commands, this dgst command is designed to work with files. If you have a file called johnsmith.txt that contains only one word, johnsmith, you can obtain the MD string (e.g., md5) of johnsmith by openssl dgst md5 johnsmith.txt This statement will digest the contents of the file johnsmith.txt and output the md5 string to the screen. To output the md5 string to a file, you can use openssl dgst out out.txt md5 johnsmith.txt Also, if openssl cannot understand the arguments or options, it will display a help screen to display a summary on the arguments and options. A session on how to use dgst is shown in the next example. Example: ex20-12.ssl - Using Message Digest With OpenSSL 1: [openssl-0.9.6c]$ openssl dgst -md5 johnsmith.txt 2: MD5(johnsmith.txt)= cd4388c0c62e65ac8b99e3ec49fd9409 3: 4: openssl-0.9.6c>openssl dgst -h 5: unknown option '-h' 6: options are 7: -c to output the digest with separating colons 8: -d to output debug info 9: -hex output as hex dump 10: -binary output in binary form 11: -sign file sign digest using private key in file 12: -verify file verify a signature using public key in file 13: -prverify file verify a signature using private key in file 14: -signature file signature to verify 15: -binary output in binary form 16: -md5 to use the md5 message digest algorithm (default) 17: -md4 to use the md4 message digest algorithm 18: -md2 to use the md2 message digest algorithm 19: -sha1 to use the sha1 message digest algorithm 20: -sha to use the sha message digest algorithm 21: -mdc2 to use the mdc2 message digest algorithm 22: -ripemd160 to use the ripemd160 message digest algorithm If you have a private key, you can use it to sign your message together with the MD with the sign option in line 11. Also, before you can generate certificates, you need to generate private keys. Let's consider how to generate private keys using openssl. You can generate private keys using openssl genrsa or openssl gendsa depending on what kind of keys you want to use. For example, if you want to generate an RSA private key, you can use the following command: openssl genrsa -des3 -out johnsmith.key 1024 The option des3 (see line 22 of ex20-11.ssl) specifies the encryption method used for the private key. It means that the generated private key is encrypted by the des3 method with a passphrase. The program openssl will ask you to input the passphrase. Once the passphrase has been input, the private key is output to the file johnsmith.key. A dialog session to see this command in action is shown in ex20-13.ssl. Example: ex20-13.ssl - Generate RSA Private Key Using OpenSSL 1: [openssl-0.9.6c]$ openssl genrsa -des3 -out johnsmith.key 1024 2: Loading 'screen' into random state - done 3: warning, not much extra random data, consider using the -rand option 4: Generating RSA private key, 1024 bit long modulus 5: .....++++++ 6: ..............................++++++ 7: e is 65537 (0x10001) 8: Enter PEM pass phrase: johnsmith <--------------------- (Will Not Display) 9: Verifying password - Enter PEM pass phrase: johnsmith <-(Will Not Display) 10: 11: [openssl-0.9.6c]$ more johnsmith.key 12: -----BEGIN RSA PRIVATE KEY----- 13: Proc-Type: 4,ENCRYPTED 14: DEK-Info: DES-EDE3-CBC,929A7CE14A2FF8E5 15: 16: IQ/sgRGNgg1MDqiUh3aour+rxnphWcbGVkTgana0BPzAa38p88QYZdHT1tccr29p 17: 2joCWOEYobe7TQrnUcBHfJQDctEy9Wn6sosnyI0tfow1nhVo3pzJNcPByf5KSI7X 18: ax6RrBD11jU04bzli2P4WlfbdpvFoLfX+4f8X3U5nbOVF3nAI/gso18BNs0WaIwt 19: tdzoQgolFbO8FhYteZh8pjXwpTzGGdwb2rDvHOHWzUzD5BU5K9Gma3jPBqdPSp4O 20: TxQ5yT4RxCGGSKSvNNdwQjLstRFW8YZLgYtYUYMdP+wi5ObyGN/kNxwCr1SKfsdk 21: X4md+FXJPGu3zzit+ksX1LI5YGG8NdIL/OWxEeHSRqx63xTjlsv3Jn2AJJXsh0OY 22: DenhjhWHpCPh4xwWBm4r0UmDXIkDJmU1YlgYqO7S6Py1mXUqriUNu7gp8QnmDQ55 23: 9vcm/Y8p5icxypwLhLlIBJoHh0czZoBBrhr7NvZ+ktrQ+KbGjgOYnLIy1m5GdR9E 24: 5iMOgp/xWqc59KbtcXSrSpaG5cO1NltHMeFny2Pb37qyxDnl4XqVQG21AZB5Wtzr 25: zit/jQ+8LVrA1Mv5Ct4kQy4+EDjFu9EpSNXGFayLtxyRnNUoUgZdDKJo/xy9bi27 26: Br7T/z2V16AwZv9dQUoMSpOQHA51mETeFyMWrysSFI9VJLH0zr+L7J3oFpFk/LM1 27: DcEhGOmkRMeGBrDPqhxZ0jQ0/ihgxxoTG5Ccpjn1VVU7lXBfsiI7CKwAbXXAfLig 28: 6nlPzd6L1AY0CVzvwNE/kaqgjZKRKzfqeiQ9wjNSH2ZmQvlprHVosw== 29: -----END RSA PRIVATE KEY----- 30: The more command in line 11 is a general system command of UNIX/LINUX to display the contents of a file. Lines 1314 indicate that the key is protected by the DES-EDE3-CBC (des3) encryption method with a passphrase. You can see the details of your private key by Openssl rsa noout text in johnsmith.key This statement displays a detailed report about the private key johnsmith.key on the screen. If you just want to store the unprotected private key, you can issue the command openssl rsa -in johnsmith.key -out johnsmith.unprotected After asking for the passphrase of johnsmith.key, the unprotected private key is output into the file johnsmith.unprotected. To generate a certificate, you need to go through the following two processes:
The CSR is, basically, a digital form to identify you. Usually, you generate a CSR with your private key. For example, johnsmith can use his private key johnsmith.key to generate a CSR form using the following command: openssl req -new -key johnsmith.key -out johnsmith.csr This command generates a new CSR form in the local directory using the default configuration file openssl.cnf and its location. If the OpenSSL configuration file openssl.cnf is in another directory, you should include the config option such as: openssl req -new -key johnsmith.key -out johnsmith.csr config ./openssl.cnf This statement uses the OpenSSL configuration file openssl.cnf in the local directory. In order to identify yourself, the openssl program will ask you a series of questions. You can answer most of them just by hitting the return key. A typical session dialog is shown in ex20-14.ssl. Example: ex20-14.ssl - Generate A Certificate Signing Request 1: [openssl-0.9.6c]$ openssl req -new -key johnsmith.key 2: -out johnsmith.csr -config ./openssl.cnf 3: Using configuration from ./openssl.cnf 4: Enter PEM pass phrase: johnsmith <------------------- (Will Not Display) 5: You are about to be asked to enter information that will be incorporated 6: into your certificate request. 7: What you are about to enter is what is called a Distinguished 8: Name or a DN. 9: 10: There are quite a few fields but you can leave some blank 11: For some fields there will be a default value, 12: If you enter '.', the field will be left blank. 13: ----- 14: Country Name (2 letter code) [AU]:UK 15: State or Province Name (full name) [Some-State]: (Just Press Return) 16: Locality Name (eg, city) []:(Just Press Return) 17: Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC 18: Organizational Unit Name (eg, section) []:www.pwt-ex.com 19: Common Name (eg, YOUR name) []:johnsmith 20: Email Address []:johnsmith@pwt-ex.com 21: 22: Please enter the following 'extra' attributes 23: to be sent with your certificate request 24: A challenge password []:johnsmith 25: An optional company name []: (Just Press Return) 26: 27: [openssl-0.9.6c]$ Now, you have a CSR in your system. The next step is to send this CSR file johnsmith.csr to a CA for signing. The result is then a real certificate that can be used for applications or imported to your browser. There are a number of commercial CAs on the Internet ready to sign your CSR. Two popular ones are:
Usually, you may need to fill in a form on their Web site and post your CSR. They will digitally sign your CSR and return a signed certificate to you. The signed certificate is normally a file with a file extension .crt such as johnsmith.crt. For testing or very lightweight applications, you can sign the CSR yourself. For example, you can sign the CSR form johnsmith.csr by using your own private key as follows:
openssl x509 -req -in johnsmith.csr -out johnsmith.crt
-signkey johnsmith.key -days 365
This command signs this CSR file using the signing key johnsmith.key and outputs the signed certificate using the X509 standard format. The final certificate is output to a file called johnsmith.crt. The certificate itself is an encrypted file similar to the key file johnsmith.key listed in ex20-13.ssl. To convert the file into meaningful text, you can use the command openssl x509 -noout -text -in johnsmith.crt A dialog session to use the two statements above is shown in ex20-15.ssl. Example: ex20-15.ssl - Signing CSR With Your Own Private Key 1: [openssl-0.9.6c]$ openssl x509 -req -in johnsmith.csr 2: -out johnsmith.crt 3: -signkey johnsmith.key -days 365 4: Loading 'screen' into random state - done 5: Signature ok 6: subject=/C=UK/ST=Some-State/O=ABC/OU=www.pwt-ex.com/CN=johnsmith/ 7: Email=johnsmith@pwt-ex.com 8: Getting Private key 9: Enter PEM pass phrase: johnsmith <----------------- (Will Not Display) 10: 11: [openssl-0.9.6c]$ openssl x509 -noout -text -in johnsmith.crt 12: Certificate: 13: Data: 14: Version: 1 (0x0) 15: Serial Number: 0 (0x0) 16: Signature Algorithm: md5WithRSAEncryption 17: Issuer: C=UK, ST=Some-State, O=ABC, OU=www.pwt-ex.com, 18: CN=johnsmith/Email=johnsmith@pwt-ex.com 19: Validity 20: Not Before: Feb 20 05:28:39 2002 GMT 21: Not After : Feb 20 05:28:39 2003 GMT 22: Subject: C=UK, ST=Some-State, O=ABC, OU=www.pwt-ex.com, 23: CN=johnsmith/Email=johnsmith@pwt-ex.com 24: Subject Public Key Info: 25: Public Key Algorithm: rsaEncryption 26: RSA Public Key: (1024 bit) 27: Modulus (1024 bit): 28: 00:c8:70:e5:e4:a8:1b:fc:27:37:22:2c:55:0f:8d: 29: 70:f4:ec:30:10:c5:03:79:e7:8c:fe:35:a5:29:30: 30: c4:ce:3b:a8:23:27:da:56:83:51:96:8f:f7:3a:8d: 31: c5:32:7c:9e:5e:dc:3f:15:09:da:13:c3:e4:26:4d: 32: 83:8e:87:a7:d1:9e:b2:e2:06:b1:d0:f5:d3:e1:10: 33: d0:c2:45:d7:7b:68:9f:a9:fd:46:3d:d8:3a:db:c2: 34: 26:9d:d6:99:e6:df:51:19:01:a0:82:38:28:e8:2f: 35: be:cf:30:af:aa:8a:30:76:1e:6f:4a:d7:b5:09:1b: 36: 25:b9:d3:f1:08:ac:b1:14:2f 37: Exponent: 65537 (0x10001) 38: Signature Algorithm: md5WithRSAEncryption 39: 3d:31:21:bd:66:a4:f3:80:28:68:06:d5:94:95:31:4a:c7:db: 40: 2a:b7:f3:fd:c7:e0:d0:67:dd:02:b4:da:c7:c6:65:5a:f8:3c: 41: 10:a7:b1:64:ca:40:88:07:db:10:43:18:60:18:1e:ac:9f:b5: 42: c5:b8:93:cf:64:27:66:25:12:a0:bc:a2:41:57:8d:42:48:56: 43: f0:7c:e2:dd:33:f9:0c:ee:26:79:ba:96:bb:b7:d2:fb:39:dc: 44: 06:a0:6f:39:ae:cb:e3:4f:c7:0d:f3:49:be:e3:b6:b6:53:2e: 45: a1:0f:e8:e8:03:60:14:ea:24:cb:d1:d4:10:9f:52:d3:83:8c: 46: 7a:8b The command in lines 13 is used to generate the signed certificate johnsmith.crt. In order to get the private key, the openssl program will ask you to input the passphrase in line 9. The command in line 11 is used to generate meaningful text output from the certificate. From this example, you can see that a certificate contains the following sections:
The information above is vital for any secure communications using certificate exchange. For some real applications, the certificate must be signed by a CA. With OpenSSL, we can create our own CA and sign certificates. 20.4.4 Signing certificates as a CA with OpenSSLTo manipulate the CA, you may need to deal with the command openssl ca ... This command is one of the most complicated commands in OpenSSL. The full syntax and options are listed below: openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-subj arg] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-key arg] [-passin arg] [-cert file] [-in file] [-out file] [-notext] [-outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions section] [-extfile section] Together with some strange arrangement of the configuration file openssl, it doesn't allow one to use this "openssl ca" easily. For this reason, the distribution of OpenSSL includes a Perl script file called CA.pl in the apps directory to help. Basically, this Perl script is to create the right environment so that using the command "openssl ca" is a lot easier. In its simplest form, the following command will create a CA certificate and private key: CA.pl newca The CA's signed certificate (cacert.pem) and private key (cakey.pem) are stored in the directories apps/demoCA and apps/demoCA/private respectively. A dialog session is shown in ex20-16.ssl. Example: ex20-16.ssl - Generating CA's Certificate And Private Key 1: [openssl-0.9.6c/apps]$ CA.pl -newca 2: CA certificate filename (or enter to create) (Just Press Return) 3: 4: Making CA certificate ... 5: Using configuration from ./openssl.cnf 6: Loading 'screen' into random state done 7: Generating a 1024 bit RSA private key 8: ................................++++++ 9: ...............++++++ 10: writing new private key to './demoCA/private/cakey.pem' 11: Enter PEM pass phrase: myca <------------------------ (Will Not Display) 12: Verifying password - Enter PEM pass phrase: myca <--- (Will Not Display) 13: ----- 14: There are quite a few fields but you can leave some blank 15: For some fields there will be a default value, 16: If you enter '.', the field will be left blank. 17: ----- 18: Country Name (2 letter code) [AU]:UK 19: State or Province Name (full name) [Some-State]: <--- (Just Press Return) 20: Locality Name (eg, city) []:<------------------------ (Just Press Return) 21: Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCA 22: Organizational Unit Name (eg, section) []:<---------- (Just Press Return) 23: Common Name (eg, YOUR name) []:<--------------------- (Just Press Return) 24: Email Address []:<----------------------------------- (Just Press Return) 25: If you are using a PC with Microsoft systems, you may need to use the following command in line 1: C:\openssl-0.9.6c\out32dll>perl ..\apps\CA.pl -newca Note that you may also need to delete the existing cacert.pem and cakey.pem files to make this example work. Now, you can use this new CA's certificate and private key to sign the CSR form. One of the simplest ways to do this is to rename the johnsmith.csr file as newreq.pem and then call the CA.pl script as CA.pl sign This command will sign the CSR file newreq.pem using the default CA created in ex20-16.ssl. The signed certificate is called newcert.pem. This file can be renamed to johnsmith.crt later as a real certificate. A dialog session is shown in example ex20-17.ssl. Example: ex20-17.ssl - Signing Certificate With Your Own CA 1: [openssl-0.9.6c/apps]$ mv johnsmith.csr newreq.pem 2: 3: [openssl-0.9.6c/apps]$ CA.pl -sign 4: Using configuration from ./openssl.cnf 5: Loading 'screen' into random state - done 6: Enter PEM pass phrase: myca <------------------------ (Will Not Display) 7: Check that the request matches the signature 8: Signature ok 9: The Subjects Distinguished Name is as follows 10: countryName :PRINTABLE:'UK' 11: stateOrProvinceName :PRINTABLE:'Some-State' 12: organizationName :PRINTABLE:'ABC' 13: organizationalUnitName :PRINTABLE:'www.pwt-ex.com' 14: commonName :PRINTABLE:'johnsmith' 15: emailAddress :IA5STRING:'johnsmith@pwt-ex.com' 16: Certificate is to be certified until Oct 2 05:40:44 2004 GMT (365 days) 17: Sign the certificate? [y/n]:y 18: 19: 1 out of 1 certificate requests certified, commit? [y/n]y 20: Write out database with 1 new entries 21: Data Base Updated 22: Signed certificate is in newcert.pem Now let's see how certificates can be imported into browsers. 20.4.5 Importing certificates into browsersBy installing a certificate in a browser, you have given your favorite browser the capability to identify you. This is important when your browser communicates with a Web server in secure mode. Your browser can respond to the request of the server by sending the certificate over. This process is called client authentication. Together with server authentication, mutual trust can be built and security serves its purposes. By default the structure of the certificate used in OpenSSL is called X509. This is an authentication certificate scheme recommended by the International Telecommunication Union (ITU-T) and supported by the SSL/TLS standard. The default format for X509 certificates used by OpenSSL is the base 64 Privacy Enhanced Mail (PEM) encoding. This is why a number of authors and articles use the file extension .pem for certificates generated by OpenSSL. Unfortunately, this PEM format is not very popular (at least not in this form) among browsers. For example, PEM is not accepted by both IE and NS as an import or export certificate. Some browsers such as IE do support the PEM format in a binary form known as DER. Another widely accepted standard format for certificates is called PKCS#12. It is a structure to store private keys and certificates securely. Some advantages of this format are:
With OpenSSL, to generate a PKCS#12 file from the standard PEM files is not difficult. For example, you can generate the PKCS#12 file johnsmith.p12 corresponding to the johnsmith.key and johnsmith.crt by the following command:
openssl pkcs12 -export -in johnsmith.crt -inkey johnsmith.key
-certfile cacert.pem -name "johnsmith" -out johnsmith.p12
This command takes johnsmith.crt, johnsmith.key, and cacert.pem as the input argument. The output file is johnsmith.p12 in PKCS#12 format. A dialog session of this process is shown in ex20-18.ssl. Example: ex20-18.ssl - Creating PKCS#12 Certificates 1: openssl-0.9.6c\apps>openssl pkcs12 -export -in johnsmith.crt 2: -inkey johnsmith.key -certfile newcert.pem 3: -name "johnsmith" -out johnsmith.p12 4: 5: Loading 'screen' into random state - done 6: Enter PEM pass phrase:johnsmith <--------------------- (Will Not Display) 7: Enter Export Password: anything <--------------------- (Will Not Display) 8: Verifying password - Enter Export Password: anything <-(Will Not Display) 9: Now you have a certificate in PKCS#12 format and ready to be imported into the IE browser. If you are using IE5.x or IE6.x, you can use the following step-by-step procedure to import the certificate johnsmith.p12 into the browser:
If you are using NS6.x, you can use the following steps to import the certificate johnsmith.p12:
For other browsers, client certificates can be handled in a similar manner. Now let's consider how to set up a secure Web server or a secure site. |
| Table of Contents | Previous Next |
