Certificate Authority Lab Class Activity - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Lab Information:
For this lab, you are going to configure a Certificate Authority using OpenSSL. You will then request a certificate from a separate web server - and use your CA to issue that certificate.
The basic commands are included below. Pay attention to the file paths, as your OS has specific default locations it uses for PKI-related files.
Decode the OpenSSL commands and describe the command arguments:
- Create a functioning CA and issue a certificate for a web server. This uses 2 VMs in total: one Web Server (make sure it is on the default port 80) and one Certificate Authority.
Create the Certificate Authority
Using the kali VM
Choose a directory to store all keys and certificates:
```
mkdir /root/ca
cd /root/ca
```
Create the directories `certs`, `crl`, `newcerts` and `private`, plus the two bookkeeping files:
```
mkdir certs crl newcerts private
touch index.txt
echo 1000 > serial
```
(`index.txt` is the file the CA uses to keep track of issued certs; `serial` is used to assign serial numbers to certs)
```
nano /usr/lib/ssl/openssl.cnf
```
(The default configuration file for openssl in kali) GET RID OF THE PERIOD IN FRONT
Create your CA's private key
```
openssl genrsa -des3 -out private/cakey.pem 2048
```
This command generates a 2048-bit RSA private key and encrypts it using the Triple DES algorithm. The private key is saved in a file named `cakey.pem` located in the `private` directory.
- `openssl` - This is the command-line tool for OpenSSL, which is an open-source implementation of the SSL and TLS protocols. OpenSSL provides cryptographic functions and utilities, including the generation of certificates and keys.
- `genrsa` - Used for generating RSA private keys.
- `-des3` - Specifies that the private key should be encrypted using the Triple DES algorithm.
- `-out private/cakey.pem` - The path where the output file of the private key will be saved.
- `2048` - Specifies the length of the RSA key to be generated in bits, i.e. a 2048-bit RSA key will be generated.
pw: FurkanLilDude26
Create your CA certificate
```
openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem
```
This command generates a self-signed X.509 certificate with a validity period of 365 days using the private key located at `private/cakey.pem`, and saves the generated certificate in a file named `cacert.pem`.
- `openssl` - This is the command-line tool for OpenSSL, which is an open-source implementation of the SSL and TLS protocols. OpenSSL provides cryptographic functions and utilities, including the generation of certificates and keys.
- `req` - Subcommand of OpenSSL used for generating certificate requests and self-signed certificates; it stands for request.
- `-new` - This option specifies that a new certificate should be generated.
- `-x509` - Tells OpenSSL to create a self-signed certificate rather than a certificate signing request (CSR). X.509 is the standard that defines the format of public key certificates.
- `-days 365` - Validity period, in days, of the certificate being generated; this one will be valid for 365 days.
- `-key private/cakey.pem` - Specifies the path to the private key file `cakey.pem`.
- `-out cacert.pem` - Where the output file will be saved, i.e. it will be saved to `cacert.pem`.
Fill out the prompts + record your entries
Make sure to use Joyce310 as organization name, org unit name, and common name when prompted
Create the certificate request on your web server
Using the Rocky VM
Generate a private key for the web server and a certificate request file:
```
openssl req -newkey rsa:2048 -keyout websrv.key -out websrv.csr
```
- Do not need the 'extra' attributes
- Pw: FurkanLilDude26
This command generates a new RSA key pair with a key length of 2048 bits. The private key is saved in a file named `websrv.key` and a corresponding certificate signing request (CSR) is saved in a file named `websrv.csr`.
- `openssl` - This is the command-line tool for OpenSSL, which is an open-source implementation of the SSL and TLS protocols. OpenSSL provides cryptographic functions and utilities, including the generation of certificates and keys.
- `req` - Subcommand of OpenSSL used for generating certificate requests and self-signed certificates; it stands for request.
- `-newkey rsa:2048` - Specifies that a new key pair should be generated with the RSA algorithm with a key length of 2048 bits.
- `-keyout websrv.key` - Specifies the path to the output file where the generated private key will be saved. In this case it will be saved to the file `websrv.key`.
- `-out websrv.csr` - Specifies the path to the output file where the generated certificate signing request will be saved.
SCP the CSR file to the Certificate Authority
Secure Copy (SCP): `scp` allows files to be copied to, from or between different hosts. It uses `ssh` for data transfer and provides the same authentication and the same level of security as `ssh`.
```
scp websrv.csr <user>@<CA address>:/
```
- once the file is copied to kali, move it to the `/ca` directory
Sign the certificate on the Certificate Authority
On the Certificate Authority Server
```
openssl ca -out websrv.crt -infiles websrv.csr
```
This command tells OpenSSL's `ca` subcommand to sign the certificate signing request (CSR) contained in the file `websrv.csr` and save the resulting signed certificate in a file named `websrv.crt`.
- `openssl` - Command-line tool for OpenSSL.
- `ca` - OpenSSL uses this subcommand for performing CA operations.
- `-out websrv.crt` - Specifies the path the signed certificate will be saved to.
- `-infiles websrv.csr` - Specifies the path to the input file containing the certificate signing request (CSR) that needs to be signed.