Posts tagged PKI

OpenSSL: Create a TLS certificate

posted on 2015-07-18 01:13:32

This posting is solely about handling certificates, no cryptographic background or deeper technical digging.

background and grey theory

Basically creating a certificate can be done via two ways:

  • create a private key and a certificate from it
  • create a private key, a certificate signing-request out of it, and with another certificate-authority private-key and certificate-authority certificate create an own certificate

The first approach is to be done for CA's (certificate authorities), and their (CA) certificates are shipped with the common browsers.

Website (or whatever type of service uses SSL/TLS) let their domain be secured with an own certificate, which the certificate authority created from a certificate signing request the owner sent them using their private key and certificate.

The user using the browser to access the secured domain gets the ca cert and the site owner's cert, and can check if the site owner's cert can be validated against the root CA cert.

So these are the artifacts in play: (CA = certificate authority, SRV = server owner)

  • CA privkey (CA_PK)
  • CA cert (CA_C)
  • SRV privkey (SRV_PK)
  • SRV cert (SRV_C)

installing them server-side

In this order they are created and installed:

         SRV                                         CA
        -----                                       ----
          |                                          |
          |                                     1. create CA_PK
          |                                     2. create CA_C
          |                                          |
    3. create SRV_PK                                 |
    4. create SRV_CSR                                |
          |                                          |
    5.    |--------------- email SRV_CSR ----------->|
          |                                          |
          |                                     6. create SRV_C
          |                                     (from CA_PK,CA_C,SRV_CSR)
          |                                          |
    7.    |<--------------  email SRV_C  ------------|
          |                                          |
    8. configure server (web,ftp,...)                |
       (to provide CA_C,SRV_PK,SRV_C)                |
          |                                          |

This is all which is needed to set TLS encryption up.

Note: CA_C and SRV_C differ in having the CA flag set to TRUE or not. Besides that, they are the same.

using them client-wise

To keep it simple, clients negotiate the connection with the server, and use the th SRV_C of aforementioned artefacts from the server. The CA_C is already part of the web browser.

practice and its complexities

To prevent some misunderstandings, even more basics:

  • CA's are just companies printing money, as these certificates tend to be very expensive but are not saver than ones you create on your own and validate these against a self-created self-signed one (With you being basically your own CA.). The only difference is, the CA's get their certificates shipped with every browser, whereas you do not get that luxury.
  • CA_PK and SRV_PK do not differ in how they were created.
  • self-signed certificate = no higher-level cert is needed for validation (for CA's)
  • messing up which one is which is the third biggest source of problems revolving around certificates
  • the second biggest problem is the unwieldiness of the tools to handle these things
  • the biggest source of FAIL when dealing with certificates is the amount of different ones being in different formats (single file or container 'containing' several 'files') and encodings (ascii/base64 vs. binary) and simple copy-paste errors when creating some of them

This sounds complexer than it really is. Haha, I know.

You can import the self-created self-signed CA cert into your browser by hand, so you don't get the warning about visiting unsecure sites anymore, but the rest of the world will still get the error. Plus your google ranking for your website should be lower, as far as I can remember.

a script for automating things

When having to have to create certificates from time to time, this may come handy:

openssl genrsa 2048 > ca-key.pem && \
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem && \
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem && \
openssl rsa -in server-key.pem -out server-key.pem && \
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

For automated generation, the openssl tool is way more nicer than certtool from GnuTLS. For checking contents or creating a .p12 / pkcs #12 container, the latter is better:

# check contents
certtool --certificate-info --infile C.pem

# create .p12
certtool --to-p12 --load-ca-certificate CA_C.pem --load-privkey PK.key --load-certificate C.pem --outfile CONTAINER.p12 --outder

show certificate information

certtool --certificate-info --infile C.pem

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, applet, arcconf, arch, architecture, areca, arping, asa, asdm, autoconf, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blockdev, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, configuration management, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factory_reset, factoryreset, fail2ban, fbsd, fdisk, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, global, gnutls, gradle, grep, grml, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, innodb, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kemp, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, livedisk, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pct, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plasma, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, powershell, preview, profiling, prompt, proxmox, ps, puppet, pv, pveam, pvecm, pvesm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, quickshare, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scite, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x11vnc, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh

Unless otherwise credited all material Creative Commons License by sjas