SEC260 Certificate Authority Lab - eitan-j/tech-journal GitHub Wiki

Setup VMs

  • Create 2 CentOS VMs
  • In both:
    • dhclient
    • yum install open-vm-tools

Create CA

  • Open CA VM
  • cd /etc/pki/CA
  • touch index.txt
    • Empty database of issued certificates; openssl ca appends one line per signed cert and refuses to run if the file is missing
  • echo 1000 > serial
    • Starting serial number (read as hex); openssl ca stamps it into the next certificate and then increments it
    • These paths match the dir = /etc/pki/CA section of the default CentOS openssl.cnf, which is why nothing else needs configuring
  • openssl genrsa -des3 -out private/cakey.pem 2048
    • genrsa creates RSA private keys
      • Note that it is superseded by genpkey, which can generate private keys with various algorithms
    • -des3 means the key will be encrypted using triple DES encryption
      • This means it will need a password
    • -out private/cakey.pem means that it will output the key as cakey.pem in the private folder in the current directory
    • 2048 is the size of the key in bits
      • 2048 is already the default in current OpenSSL builds (older releases defaulted to 1024), so the argument changes nothing here but makes the key size explicit
  • Enter new password
  • openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem
    • req creates certificates and certificate requests
    • -new generates a new request from the supplied key, prompting for the subject fields
    • -x509 makes it create a self signed certificate and not a request
    • -days 365 makes the certificate valid for a year
    • -key private/cakey.pem means that the private key used is cakey.pem in the private folder in the current directory
    • -out cacert.pem means that the certificate will be outputted to cacert.pem in the current folder
      • /etc/pki/CA/cacert.pem and /etc/pki/CA/private/cakey.pem are the certificate and private_key paths in the default CentOS openssl.cnf, so openssl ca later finds them without extra options
  • Enter password
  • Subject prompts: US (Country), Vermont (State), Burlington (Locality), then Skiff101 for Organization, Organizational Unit and Common Name; <ENTER> leaves the Email Address blank

Make and send CR

  • Switch to WS VM
  • openssl req -newkey rsa:2048 -keyout websrv.key -out websrv.csr
    • req creates certificates and certificate requests
    • -newkey creates a new private key and a new certificate request at the same time
      • rsa:2048 means that a 2048 bit RSA key will be created
    • -keyout websrv.key means that the private key will be outputted to websrv.key in the current folder
    • -out websrv.csr means that the certificate request will be outputted to websrv.csr in the current folder
  • Enter a passphrase for the new private key
    • req encrypts the key unless -nodes is given; a web server loading websrv.key will have to supply this passphrase, so decide now whether that is acceptable
  • Enter same data as before
    • This is required, not just convenient: the default CA policy (policy_match) refuses to sign a request whose Country, State or Organization differs from the CA certificate
    • Outside the lab the Common Name would be the hostname clients use to reach the web server (modern clients actually check the subjectAltName extension)
  • Skip the 'extra' attributes (challenge password, optional company name) with <ENTER>
  • scp websrv.csr [email protected]:/tmp

Create cert

  • Switch to CA VM
  • mv /tmp/websrv.csr /etc/pki/CA/
  • openssl ca -out websrv.crt -infiles websrv.csr
    • ca is used to sign and maintain certificates
    • -out websrv.crt means that the signed certificate will be outputted to websrv.crt in the current folder
    • -infiles websrv.csr means that the file websrv.csr in the current folder is the certificate request; -infiles must be the last option because everything after it is treated as a request file
  • Enter the CA key password, then answer y to "Sign the certificate?" and y to "commit?"
    • On commit the cert is written to websrv.crt, a copy lands in newcerts/, index.txt gains a line for it and serial is incremented
  • scp websrv.crt [email protected]:/home/eitanws
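The three sections above (create the CA, make the request, sign it) run end to end as the following script. This is an added example, not the wiki's own commands: it mirrors the lab's OpenSSL invocations but uses a throwaway directory with its own minimal openssl.cnf instead of /etc/pki/CA, passes the passphrases with -passin/-passout instead of typing them, and answers the two y prompts with -batch. The lab directory ./ca-lab, the server name websrv.example.test, the CA subject fields and the passphrases labpass/websrvpass are constructed for the example. It also goes one step past the lab: after signing it verifies the new cert against the CA, and it shows what policy_match does to a request whose State differs from the CA's.

```sh
#!/bin/sh
# Added example, not the wiki's own commands: the lab's OpenSSL flow run
# non-interactively in a throwaway dir with its own minimal openssl.cnf.
# Constructed values: ./ca-lab, websrv.example.test, labpass/websrvpass.

LAB="${LAB:-./ca-lab}"
CA_PASS="labpass"
CA_SUBJ="/C=US/ST=Vermont/L=Burlington/O=Skiff101"

# Stand-in for /etc/pki/CA: index.txt, serial, newcerts/, private/, plus a config.
ca_init() {
    rm -rf "$LAB"
    mkdir -p "$LAB/private" "$LAB/newcerts"
    chmod 700 "$LAB/private"
    touch "$LAB/index.txt"
    echo 1000 > "$LAB/serial"   # first serial number, read as hex
    cat > "$LAB/openssl.cnf" <<EOF
[ ca ]
default_ca      = lab_ca

[ lab_ca ]
dir             = $LAB
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_ext

# Same rule as the stock CentOS config: C, ST and O must match the CA cert.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# "Create CA": encrypted RSA key, then a self-signed root. The lab uses -des3;
# -aes256 takes the same passphrase and is the current recommendation.
ca_make_root() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$LAB/private/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -sha256 -config "$LAB/openssl.cnf" \
        -key "$LAB/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "$CA_SUBJ/CN=Skiff101 Lab CA" -out "$LAB/cacert.pem"
}

# "Make and send CR": key + CSR in one step ($1 = file prefix, $2 = subject).
# Key stays passphrase-protected as in the lab; use -nodes for an unattended server.
make_csr() {
    openssl req -newkey rsa:2048 -config "$LAB/openssl.cnf" \
        -keyout "$LAB/$1.key" -passout "pass:websrvpass" \
        -subj "$2" -out "$LAB/$1.csr" 2>/dev/null
}

# "Create cert": -batch answers the two y prompts; -infiles must come last.
# Exits non-zero when the CSR violates policy_match.
ca_sign() {
    openssl ca -batch -notext -config "$LAB/openssl.cnf" -passin "pass:$CA_PASS" \
        -out "$LAB/$1.crt" -infiles "$LAB/$1.csr"
}

# Whole lab end to end; 0 when the signed server cert chains to the CA.
run_lab() {
    ca_init && ca_make_root &&
    make_csr websrv "$CA_SUBJ/CN=websrv.example.test" &&
    ca_sign websrv &&
    openssl verify -CAfile "$LAB/cacert.pem" "$LAB/websrv.crt"
}

# 0 when the CA rejects a CSR whose ST differs from the CA's (call after run_lab).
demo_policy_mismatch() {
    make_csr badsrv "/C=US/ST=Maine/L=Burlington/O=Skiff101/CN=badsrv.example.test" &&
    ! ca_sign badsrv
}
run_lab && echo "OK: $LAB/websrv.crt verifies against $LAB/cacert.pem"
```

Run it from any directory with openssl on the PATH; afterwards ./ca-lab/index.txt holds one V line for the server cert and ./ca-lab/serial reads 1001. Calling demo_policy_mismatch next prints the "stateOrProvinceName field is different" error from openssl ca and returns 0, which is the rejection the "enter same data as before" step is avoiding.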