Assignments of day 5 in week #1

Building Your PKI

Last Updated : Monday, 03-Jun-2002 11:08:46 HKT

  1. Build an SSL-aware Apache web server
    1. Get the latest Apache, mod_ssl and OpenSSL from
      http://httpd.apache.org/dist/
      http://www.modssl.org/source/
      http://www.openssl.org/source/
      respectively.

    2. Extract the distributions

      e.g. tar zxvf xxxx.tar.gz

    3. Build and install the SSL-aware Apache accordingly
      e.g.
      csh> cd mod_ssl-xxxxxx
      csh> ./configure --with-apache=../apache_xxxxx --with-ssl=../openssl-xxxxx
      csh> cd ../apache_xxxxx
      csh> make certificate TYPE=dummy
      csh> make install
      
      
    4. Start and test your SSL-aware Apache server

      1. Edit httpd.conf accordingly. You may keep the "Listen 80" directive if you want this Apache server to replace the original one on your host; otherwise comment it out. Make sure "Listen 443" is set in httpd.conf; 443 is the https port.

      2. Start the web server with apachectl startssl and check error.log if there is any problem.

      3. Set the security proxy of your browser to ntec-fw.hkntec.net:80 or ntec-fw.hkntec.net:8012

      4. Then access your host's web page via https://

  2. Create a Certificate Signing Request (CSR)

    1. Generate your server key pair first, e.g.
      openssl genrsa -des -out user.key 2048

    2. Generate the certificate request, e.g.
      openssl req -new -key user.key -out user.csr
      Using configuration from /usr/local/ssl/openssl.cnf
      Enter PEM pass phrase:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [AU]:HK
      State or Province Name (full name) [Some-State]:Hong Kong
      Locality Name (eg, city) []:Hong Kong
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:CUHK
      Organizational Unit Name (eg, section) []:NTEC
      Common Name (eg, YOUR name) []:xxxx.wsh.hkntec.net
      Email Address []:root@xxxx.wsh.hkntec.net
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:

      You have now generated the CSR. Normally, you would submit your CSR to a popular, well-trusted CA for signing (e.g. Verisign and the other CAs you will find built into your Netscape and IE browser). In this exercise you will also act as the CA, so you will sign your CSR yourself in the next steps.

  3. Build your CA server
    1. Download the CA scripts ssl.ca-0.1.tar.gz from http://www.openssl.org/contrib/ and extract it

    2. Create the self-signed Root CA key with the new-root-ca.sh script, e.g.
      ./new-root-ca.sh
      Enter PEM pass phrase:
      Verifying password - Enter PEM pass phrase:
      
      Self-sign the root CA...
      Using configuration from root-ca.conf
      Enter PEM pass phrase:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [MY]:HK
      State or Province Name (full name) [Perak]:Hong Kong
      Locality Name (eg, city) [Sitiawan]:Shatin
      Organization Name (eg, company) [My Directory Sdn Bhd]:CUHK
      Organizational Unit Name (eg, section) [Certification Services Division]:ntec
      Common Name (eg, MD Root CA) []:ntec CA
      Email Address []:root@hkntec.net
      
      

    3. After the creation, you should have the following two files:
      • ca.cert (CA self-signed cert)
      • ca.key (CA private key)

      Sign the server certificate request you generated before, e.g.
      ./sign-server-cert.sh user

      After signing, you should have a user.crt file, which is the server certificate signed by your CA.

    4. Remove the passphrase protection from your server private key, e.g.
      openssl rsa -in user.key -out user2.key

    5. Copy your user2.key and user.crt to the certs directory

    6. Edit httpd.conf accordingly, e.g.:
      ServerAdmin root@xxx.hkntec.net
      ServerName xxxx.xxx.hkntec.net
      SSLCertificateFile /usr/local/apache/certs/user.crt
      SSLCertificateKeyFile /usr/local/apache/certs/user2.key
      
    7. Restart the httpd server
      • apachectl stop then apachectl startssl
      • check the log files in the logs directory for debugging
      • Check your newly signed certificate using your browser (by clicking the lock icon of your browser)

  4. Act as a CA to sign a user CSR

    1. Create a user cert, e.g.
      ./new-user-cert.sh user@xxxx.hkntec.net

    2. Sign the user cert, e.g.
      ./sign-user-cert.sh user@xxxx.hkntec.net

      After signing, you should have three files:

      • user@xxxx.hkntec.net.crt (the user cert, signed by your CA)
      • user@xxxx.hkntec.net.csr (the user CSR)
      • user@xxxx.hkntec.net.key (the user private key)

    3. Collect the user cert into a PKCS#12 file, e.g.
      ./p12.sh user@xxxx.hkntec.net
      You need to supply an export password when you create the PKCS#12 file. FTP the "user@xxxx.hkntec.net.p12" file to your PC/workstation and then import this user cert into your browser (i.e. click the lock icon at the lower left of Netscape to pop up the Security Info window; click Yours under Certificates; then click the Import Certificate button in the right-hand window).

  5. Try the Client Authentication and Access Control of your https servers

    1. Create another user cert named "user2" following the procedure in step 4 above.

    2. Create two directories, secure and secure/user2, under the htdocs directory

    3. Edit the httpd.conf to configure the access control for the above two directories. E.g.

      SSLVerifyClient none
      SSLCACertificateFile /usr/local/apache/certs/ca.crt

      <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
      </Location>

      <Directory /usr/local/apache/htdocs/secure/user2>
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user2"
      </Directory>

    4. Restart your Apache web server and delete all user certs from your browser. You will find that your browser can access neither the "secure" nor the "secure/user2" web page.

    5. Now import only the user cert named "user". You can access "secure" but not "secure/user2".

    6. Now import the user2 cert as well. You can access both "secure" and "secure/user2".
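The procedure of sections 2 to 5 collapsed into one non-interactive script, as an added example that is not part of this handout and not the ssl.ca scripts: it builds the ntec root CA, issues the server cert and a "user2" client cert, and checks what mod_ssl's SSLVerifyClient require and the SSLRequire CN rule in section 5 would accept or reject. It assumes openssl is on PATH; the "rogue" CA, the file names and the DN values are constructed for the example.

```shell
# Added example, not part of the course handout: a non-interactive version of
# steps 2-4 (self-signed root CA, server CSR, CA-signed certs) plus checks that
# mirror what section 5's SSLVerifyClient and SSLRequire directives enforce.
# Assumes openssl is on PATH; file names follow the handout, key passphrases are
# omitted (lab use only), and the "rogue" CA is constructed for the negative case.
set -eu
# new_ca DIR NAME CN : self-signed root CA written to DIR/NAME.key and DIR/NAME.crt
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/O=CUHK/OU=ntec/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME SUBJECT : key + CSR for NAME, then sign the CSR with CA
# (the result sign-server-cert.sh / sign-user-cert.sh produce with the ssl.ca scripts)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$4" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 365 -out "$1/$3.crt" 2>/dev/null
}

# build_pki DIR : the ntec CA, server cert "user", client cert "user2", and a
# cert with the same CN from an unrelated CA that the server must reject
build_pki() {
  mkdir -p "$1"
  new_ca "$1" ca    "ntec CA"
  new_ca "$1" rogue "Rogue CA"
  issue_cert "$1" ca    user   "/C=HK/O=CUHK/OU=NTEC/CN=xxxx.wsh.hkntec.net"
  issue_cert "$1" ca    user2  "/C=HK/O=CUHK/OU=NTEC/CN=user2"
  issue_cert "$1" rogue rogue1 "/C=HK/O=CUHK/OU=NTEC/CN=user2"
}

# verify_chain CAFILE CERT : "ok" if CERT chains to CAFILE, which is the check
# SSLVerifyClient require performs against SSLCACertificateFile; else "fail"
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# cert_cn CERT : subject CN, the value mod_ssl exposes as SSL_CLIENT_S_DN_CN
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# allow_user2 CAFILE CERT : the /secure/user2 rule, a valid chain AND
# SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user2"; prints allow or deny
allow_user2() {
  [ "$(verify_chain "$1" "$2")" = ok ] && [ "$(cert_cn "$2")" = user2 ] && echo allow || echo deny
}
```

Run build_pki on an empty directory, then allow_user2 with ca.crt against user2.crt, user.crt and rogue1.crt to see the three outcomes of step 5.4 to 5.6 (a CN match alone is not enough; the rogue1 cert is denied because it does not chain to the CA in SSLCACertificateFile).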
