Crypto lab publickey cryptography and pki


Questions to answer¶

CA is a depended on entity to problem digital certificate. The digital certificate certifies the ownership of a public key by way of the named subject of the certificates. Root CAs are some of trusted commercial CAs. (VeriSign is one in every of the biggest) However, we are not obligate to the commercial world, we’re free to become a root CA, after which use this root CA to problem certificates to others. Remember that the root CAs are self-signed. root CA’s certificates are pre-loaded into most OS, browsers, and different software program that the usage of PKI. Root CA’s certificates are unconditionally trusted.

To create a root CA, we use the following openssl command to generate a self-signed certificates for the choices CA.

The Configure File openssl.conf is used by 3 OpenSSL command: ca, req, and x509. To get a glimpse of it’s purporse, right here is partial of the choices openssl.conf (from [CA_Default phase).

0x2 Create a Certificate for PKILabServer.com¶

When one becomes a certificates autority(CA), he/she is prepared to sign virtual certificate for his/her clients. PKILabServer.com is a enterprise that attempts to get a digital certificate from a CA. He wishes to do the subsequent steps:

This step may be finished the usage of OpenSSL command line tool like this:

The generated keys can be saved within the report server.key. This record is encrypted as indicated via the choice -ase128, because of this using AES-128 encrytpion algorithm. The effect of that is you need to input a password while executing the above command. To see the choices plan text content material of the server.key record, you can run the following command:

The password you entered works like a key to decrypt the choices ciphertext within the report.

To request a certificates, the organisation want to include its public key in a certificates signing request (CSR) and send the CSR to the certificates authority. The command to generate the choices CSR the usage of OpenSSL is:

Note that this command is pretty just like the only we used in developing a self-signed certificates for the certificate authority previously. The handiest difference is the choices -x509 option.

The CSR document needs to have the choices CA’s signature to form a certificate. When obtained the choices CSR document, CA will first affirm the identity information within the CSR. In fact, CA might contact the corporation thru physical channel to do the choices verification. For instance, thru traditional mails or letters. For this experiment, we will expect we are the CA and could generate the certificate for the choices agency. The following command turns the choices certificates signing request (server.csr) into an X509 certificate (server.crt), using the CA’s ca.crt and ca.key:

If OpenSSL refuses to generate certificate, it’s miles very probable that the choices names for your requests do no longer healthy with those of CA. (sure, reflect onconsideration on you are developing a root CA in your organisation, and use it to sign certificates for unique departments.) The matching policies are designated inside the configuration report (at the [policy match] section). You can alternate the names of your requests to comply with the choices policy, or you could change the choices policy. The configuration file also includes any other policy (referred to as policy_anything), which is less restrictive. You can select that coverage by way of changing the following line: “policy = policy_match” alternate to “coverage = policy_anything”.

0x3 Use PKI for Web Sites¶

Following the lab guide didn’t work out. While adding the choices ca.crt to Firefox, I run into the following error that the format isn’t always supported by Firefox.

Find this stackoverflow put up. We have to use the subsequent command to mix the server.crt with the ca.crt.

Finally, we will import PKILabServerFirefox.pfx to Firefox and right click the certificate and pick “Edit Trust->this certificates can pick out web sites”

0x4 Test the choices certificate¶

start a openssl simple webserver:

Now navigate to https://www.pkilabserver.com:6666, the safety verification is handed and display the choices openssl internet server default web page.

half RSA and AES encryption performace¶

We use the following instructions to assess RSA encryption and decryption:

Commands for AES encrytption and decryption