# CySec19/20 - Security Architectures - TP4 We create the directories and file arborescence to be used: ```bash mkdir CA cd CA mkdir newcerts private ``` We create the database for storage of signed certificates: ```bash echo '01' > serial touch index.txt ``` We copy the existing default configuration file in CA directory: ```bash cp /etc/ssl/openssl.cnf opensslCA.cnf ``` We change the `dir` variable in `opensslCA.cnf` to the current directory. We create the CA: ```bash openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./opensslCA.cnf ``` We can check the value of the created certificate: ```bash openssl x509 -in cacert.pem -noout -text ``` We get the following output: ``` Certificate: Data: Version: 3 (0x2) Serial Number: d6:5a:ff:e5:24:52:63:de Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=France, L=Grenoble, O=MILIOTISS, CN=MILIOTISS Validity Not Before: Dec 18 15:29:49 2019 GMT Not After : Dec 15 15:29:49 2029 GMT Subject: C=FR, ST=France, L=Grenoble, O=MILIOTISS, CN=MILIOTISS Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b5:16:09:0d:5b:c0:d8:d9:a6:5d:89:5b:7e:1e: 1f:b1:c4:0e:f1:11:60:b6:b1:26:c5:f1:1e:cd:e3: 1f:2b:03:56:60:80:b9:9a:10:9c:ab:6d:21:12:a8: fe:4e:7f:8e:56:51:3d:26:2b:81:61:0f:2d:fd:b5: d0:8f:89:80:78:74:bc:c3:e6:7a:55:0b:6a:4c:39: c1:4a:db:91:38:60:0f:03:cc:c7:f8:00:57:69:47: 1a:07:5b:32:91:f5:75:c7:37:d6:f6:b5:10:b9:b5: eb:c4:8e:ac:8b:6e:43:89:39:46:77:8e:1f:70:da: d7:35:aa:43:73:ca:b7:08:23:12:5b:77:82:33:e4: 1e:03:df:57:58:b6:14:79:c4:31:ff:ce:4d:dc:ee: 4d:02:9b:e6:6d:e4:07:21:0e:b9:b9:47:86:84:0c: ce:f9:3e:8e:b3:20:08:c2:4d:01:a1:2e:22:cd:73: 8d:c1:f0:83:b7:6b:66:10:f1:9e:b6:f9:8f:88:7f: be:17:62:96:fc:2a:aa:bf:f4:a0:62:33:37:99:22: 1d:93:b8:83:b8:9e:e0:37:41:4e:ba:d0:a4:9b:ba: 1c:5e:53:ee:b9:ad:99:37:7d:af:2f:87:87:bb:ba: 48:a1:cf:63:f4:7c:4a:ba:5d:45:a9:26:24:00:a7: bc:3d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: FC:A1:F8:C6:FB:00:E6:C4:62:61:58:0A:5B:F0:EA:09:4E:64:F8:89 X509v3 Authority Key Identifier: keyid:FC:A1:F8:C6:FB:00:E6:C4:62:61:58:0A:5B:F0:EA:09:4E:64:F8:89 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 14:69:24:f9:d4:f3:fb:d9:40:36:32:63:74:94:5e:7c:26:6a: 62:28:a1:b4:81:88:c1:70:d1:25:b1:49:55:b7:1a:de:dd:5b: 9e:08:9f:87:6b:c8:ff:cf:19:ee:5b:74:09:ca:1d:eb:91:11: 55:1a:1d:ab:e1:6d:06:95:04:b0:d4:ee:2b:e6:b6:f5:b8:ad: e0:24:d2:97:ed:20:b3:dc:ad:b0:7e:17:26:4b:17:c5:77:bc: b6:9f:7c:cc:a9:3d:4c:a8:4b:8d:31:fb:57:c9:92:ac:6f:a6: 3b:4f:e7:cb:da:d5:12:0a:55:91:d2:0e:4d:f0:76:f2:3a:1a: 50:64:35:9d:c4:15:82:c8:ce:0d:28:e1:c7:54:43:94:0c:97: 5a:b0:d3:b9:29:e3:24:b9:40:4d:06:b7:bd:46:8d:78:e8:10: ed:d0:21:d6:aa:bb:21:34:cd:1f:d1:8a:45:1c:15:b9:1e:69: e5:7f:fa:d6:33:cf:bc:63:71:ae:02:68:19:72:54:4f:91:58: bb:1e:fc:43:3a:30:bc:b9:13:50:49:f9:89:2a:b0:57:d4:f8: 13:e0:b0:a0:64:bf:d6:35:14:57:78:dc:53:5a:51:7e:28:af: 72:9f:89:30:7b:5a:17:c1:95:52:05:de:14:3f:41:36:53:44: ea:25:d4:4c ``` Then we create a certificate (that will be used for our web server - TP1), and we signe it with our CA. We create the file `opensslCerti.cnf`, then we execute: ```bash openssl req -new -nodes -out req.pem -config ./opensslCerti.cnf ``` We can check the content of the signing request: ```bash openssl req -in req.pem -text -verify -noout ``` We get the following output: ``` verify OK Certificate Request: Data: Version: 0 (0x0) Subject: C=FR, ST=France, L=Grenoble, O=MILIOTISS, CN=192.168.142.76 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e0:9b:50:9b:e7:b8:a3:19:e7:f7:40:b6:10:2d: 05:bd:43:6f:f0:bd:13:06:98:82:78:74:92:9a:40: 15:18:46:a5:a2:46:94:08:44:97:95:33:67:eb:f4: e0:73:4d:68:c7:d6:44:5d:2d:06:38:5e:7f:82:bb: 30:d0:c1:9c:4b:c6:25:32:c5:bb:d3:63:24:f7:c7: f6:64:fe:1e:ff:7e:bb:2e:0f:ae:c3:b1:d8:da:4a: f5:0a:b3:f5:12:c6:49:0e:c7:2c:d4:58:25:55:a4: cb:81:92:3b:92:08:ec:53:4e:19:55:52:f1:e2:70: 9c:b6:c1:47:f0:77:57:e5:94:90:09:31:e4:01:e0: e5:37:df:8c:a4:02:af:d8:3c:3b:0b:63:7b:ce:7f: 7a:1f:5c:6f:1e:b6:6a:03:89:e0:e3:1a:a2:76:68: 39:71:d7:41:d8:4d:c8:a8:6a:31:fc:57:22:94:54: af:dd:44:33:c1:73:29:94:29:b5:0b:8f:66:63:3b: 0d:d8:fe:a5:12:c9:ac:6c:73:31:25:59:87:5f:ce: bd:2f:0e:40:7c:51:5f:68:8d:31:47:32:cf:62:ca: c1:7e:4f:7a:3c:2d:ed:67:86:2e:4a:b3:9c:85:e8: 2b:1c:82:79:1e:30:03:8b:98:37:c9:08:22:4f:5d: ec:ad Exponent: 65537 (0x10001) Attributes: challengePassword :unable to print attribute Signature Algorithm: sha256WithRSAEncryption 8a:3c:64:38:2e:d8:9b:4b:01:13:33:01:2d:31:97:e5:ae:f9: 43:6a:b5:cd:90:de:f1:dd:8b:39:02:03:36:26:f4:5f:6a:0d: 69:31:e3:73:78:29:c6:3c:bd:bc:5e:7f:2f:32:21:f5:11:e3: 98:2f:cd:0a:dd:6f:47:62:46:b0:d4:21:e9:ad:6b:ca:7e:fc: c0:cf:b7:1f:02:a1:6f:03:16:82:e1:04:34:28:f8:bf:6f:c0: cf:d1:33:f3:c2:3f:fb:22:bf:44:be:24:47:6a:3c:ff:50:b2: 27:d3:0d:90:d4:ac:10:60:62:f6:35:9f:85:08:7e:70:0d:3f: de:0c:1d:33:cc:e4:05:f3:bf:d6:33:db:32:10:59:8f:59:26: c6:47:59:b8:1a:58:b1:ec:f2:ed:72:19:1a:e7:20:e0:06:b6: 5f:49:ef:c4:94:25:a4:84:3b:1c:af:92:62:06:14:59:f4:37: c2:0a:03:33:60:18:59:02:38:ba:ad:30:14:2f:ac:2d:cd:d6: 11:44:b2:98:e7:77:c2:31:7b:25:59:f8:f1:5a:c5:a5:33:b6: b3:b2:78:b2:91:83:3a:ae:6b:09:87:ec:a7:c2:a9:c2:65:c2: a5:3e:69:86:f6:e0:4d:f3:8d:56:62:b2:c2:70:48:f3:52:af: 14:e8:88:ae ``` Now we make the CA sign the certificate: ```bash openssl ca -out cert.pem -config ./opensslCA.cnf -infiles req.pem ``` We can check the content of the certificate: ```bash openssl x509 -in cert.pem -noout -text -purpose ``` We get the following output: ``` Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=France, L=Grenoble, O=MILIOTISS, CN=MILIOTISS Validity Not Before: Dec 18 15:31:20 2019 GMT Not After : Dec 17 15:31:20 2020 GMT Subject: C=FR, ST=France, O=MILIOTISS, CN=192.168.142.76 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e0:9b:50:9b:e7:b8:a3:19:e7:f7:40:b6:10:2d: 05:bd:43:6f:f0:bd:13:06:98:82:78:74:92:9a:40: 15:18:46:a5:a2:46:94:08:44:97:95:33:67:eb:f4: e0:73:4d:68:c7:d6:44:5d:2d:06:38:5e:7f:82:bb: 30:d0:c1:9c:4b:c6:25:32:c5:bb:d3:63:24:f7:c7: f6:64:fe:1e:ff:7e:bb:2e:0f:ae:c3:b1:d8:da:4a: f5:0a:b3:f5:12:c6:49:0e:c7:2c:d4:58:25:55:a4: cb:81:92:3b:92:08:ec:53:4e:19:55:52:f1:e2:70: 9c:b6:c1:47:f0:77:57:e5:94:90:09:31:e4:01:e0: e5:37:df:8c:a4:02:af:d8:3c:3b:0b:63:7b:ce:7f: 7a:1f:5c:6f:1e:b6:6a:03:89:e0:e3:1a:a2:76:68: 39:71:d7:41:d8:4d:c8:a8:6a:31:fc:57:22:94:54: af:dd:44:33:c1:73:29:94:29:b5:0b:8f:66:63:3b: 0d:d8:fe:a5:12:c9:ac:6c:73:31:25:59:87:5f:ce: bd:2f:0e:40:7c:51:5f:68:8d:31:47:32:cf:62:ca: c1:7e:4f:7a:3c:2d:ed:67:86:2e:4a:b3:9c:85:e8: 2b:1c:82:79:1e:30:03:8b:98:37:c9:08:22:4f:5d: ec:ad Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 12:DE:5C:A5:FF:25:1D:FA:BD:09:AF:36:0F:E0:F4:83:05:A3:F6:34 X509v3 Authority Key Identifier: keyid:FC:A1:F8:C6:FB:00:E6:C4:62:61:58:0A:5B:F0:EA:09:4E:64:F8:89 Signature Algorithm: sha256WithRSAEncryption 30:ef:bc:c1:84:ab:77:de:87:6a:e3:9a:30:dc:21:86:81:91: 2b:40:20:26:96:76:51:92:36:1c:6b:ab:78:e8:67:93:e0:17: ea:2c:f9:a7:59:31:ba:55:ae:99:73:e3:5f:88:cc:8c:cf:84: 8f:14:34:6d:a5:1d:1f:f5:33:05:b2:54:28:d4:a0:b1:f4:ac: 08:fb:83:75:c9:d2:fc:0f:b3:8d:ca:1a:a4:cd:d3:74:0b:94: 84:8b:dc:78:94:1a:6b:89:5c:09:95:c1:9e:68:c1:2c:d5:d1: 54:f7:43:46:f8:12:64:36:fb:e9:12:6d:62:ad:08:40:df:f8: d6:f0:68:d0:7d:06:51:1d:9f:09:2e:80:04:99:c6:f8:9e:24: 92:14:5a:53:71:85:cf:9f:2a:db:84:44:dd:65:b1:23:9c:75: 97:16:9a:54:eb:e1:8c:28:34:9d:b6:f5:fc:d6:85:8e:64:22: 64:67:cf:d6:d2:94:de:c8:33:c8:5c:2d:e4:db:7b:b1:09:6a: 62:4f:63:02:59:db:3b:af:b6:d7:72:56:f2:88:8b:30:f1:eb: 92:19:06:22:b9:94:d9:bc:81:95:35:cd:2f:38:62:ec:af:d9: 89:f3:37:e5:ca:ad:80:51:e3:c9:f3:86:c6:3e:73:0c:7e:03: 64:a1:b5:ef Certificate purposes: SSL client : Yes SSL client CA : No SSL server : Yes SSL server CA : No Netscape SSL server : Yes Netscape SSL server CA : No S/MIME signing : Yes S/MIME signing CA : No S/MIME encryption : Yes S/MIME encryption CA : No CRL signing : Yes CRL signing CA : No Any Purpose : Yes Any Purpose CA : Yes OCSP helper : Yes OCSP helper CA : No Time Stamp signing : No Time Stamp signing CA : No ``` Then we distribute the CA certificate. We can check that a given certificate has been signed by the CA: ```bash openssl verify -CAfile cacert.pem cert.pem ``` We get the following output: ``` cert.pem: OK ``` If needed, we can also renew a certificate, revoke a certificate or create a CRL.