Weinstein.org > Digital World > Work > Red Hat > Presentations

> > > > >

mar 14 010

Digital World

O'Reilly Open Source Convention: Apache Track: Web Security for Business: Creating and Implementing a Private Certificate Authority with OpenSSL and mod_ssl, San Diego, July 27th 2001.

What You Should Know (Slide Two)

How SSL/TLS works
Maintain and Run Apache, Apache Modules
CGI Interface works, know Perl
How to get around in Un*x shell

What We're Going to Talk About (Slide Three)

The Basics:
- How to create a private certificate authority (CA).
- How to sign server certificate request with pricate CA.
- How to sign and distribute client certificate request with private CA.
The Nit and Gritty:
- OpenSSL Configuration FIle.
- Some HTML and Perl Code.
- How to publish private CA within a limited environment.
- Configuring mod_ssl to authenticate access based on client certificates issued by private CA.
- Certificate Revocation and Revocation Lists.

Disclaimer (Slide Four)

This presentation does not cover all of the security issues involved in maintaining a certificate authority (CA) or the data that is being protected by the CA.
Nor does this presentation cover all the issues involved in securing a networked based machine and its contents, but only covers issues involved in securing and authenticating data transmitted between machines.

Quick Review (Slide Five)

Digital Certificates
Certificate Authorities

Digital Certificates (Slide Six)

Type of Digital Certificates
- Server Certificate
- Client Cerificate
X509 Format, Issued by Certifcate Authorities
- A Serial Number
- Name of Issuing Certifcate Authority
- Identifying Information, such as; Name, Street, Address and/or Email Address
- Subject's Public Key
- A "Signature" of Issuing Certifcate Authority

Certificate Authorities (Slide Seven)

Public Certificate Authority; Verisign, Thawte, Equifax; recognized by default by most web browsers and servers; used when no other relation exists between two parties.
Private Certificate Authorityl by default not recognized; used when a relationship already exists between two parties.

The Basics: OpenSSL (Slide Eight)

Creating our private certificate authority
Creating a Server Certificate Request
Signing a Server Certificate Request
Signing a CLient Certificate Request

Creating a Private Certificate Authority (Slide Nine)

Creating a self-sign (root) certificate for private CA

Creating a Certificate Signing Request (CSR) for Server (Slide Ten)

Since Apache uses OpenSSL via mod_ssl for SSL we'll use it to create a CSR for Apache

Signing Our Server CSR (Slide Eleven)

Now we'll sign this CSR using OpenSSL and our Private Certificate Authority

The Wonderful World of Web Browsers (Slide Twelve)

Different Web Browsers Support Different Methods For Creating Client Certificates.
The General Procedure:
- User Access a Web Page with Their Favorite Client (web browser)
- User Enters Identification Information Into Web Page Form.
- Submit Form, which:
  - Has client genertate a public and private key.
  - CGI script adds public key to a identification information being submitted, which creates a client certificate signing request

Signing Our Client CSR (Slide Thirteen)

After a little magic we can sign this client CSR.

The Nit and Gritty (Slide Fourteen)

What's in opnessl.cnf file
HTML code for submit form
Perl scripts for creating client certificate signing request and installing client certificate into browser
Publishing private CA within a limited environment
Configuring mod_ssl to authenticate access based on client certificates issued by private CA.
Certificate Revocation and Revocation Lists

openssl.cnf (Slide Fifteen)

Our Self-Signed Certificate and Private Key

openssl.cnf (Slide Sixteen)

openssl.cnf (Slide Seventeen)

Defining a policy of necessary information in our certificates

HTML Form (Slide Eighteen)

HTML Form (Slide Nineteen)

CGI & Perl (Slide Twenty)

Setup our environment

CGI & Perl (Slide Twenty One)

Save the submit data and create a client CSR file.

CGI & Perl (Slide Twenty Two)

Getting a signed certificate to client.

Apahce and mod_ssl (Slide Twenty Three)

Setup Apache so clients can download CA's root certificate.

Apahce and mod_ssl (Slide Twenty Four)

Configuring our server certificate for Apache

Apahce and mod_ssl (Slide Twenty Five)

Adding our CA to Apache and using it to authenticate clients

Certificate Revocation (Slide Twenty Six)

Revoking a certificate before it expires and creating a certificate revocation list.

Certificate Revocation (Slide Twenty Seven)

Making sure our Apache server doesn't accept the revoked certificate.

Citation (Slide Twenty Eight)

Engelschall, Ralf User Manual mod_ssl Version 2.8 Jan. 2001 <http://www.modssl.org/docs/2.8>
Hirsch, Frederick Introducting SSL and Certificates using SSLeay Summer 1997 <http://www.ultranet.com/~fhirsch/Papers/wwwj/article.html>
Leach, Mike and Tim Starr Using Certificate Revocation Lists 12 Dec. 2000 <http://www.apacheweek.com/issues/00-12-22>

Acknowledgments & Suggested References (Slide Twenty Nine)

Red Hat's Stronghold Team
This Presentation:
- <http://www.weinstein.org/redhat/presentations/oscon01/intro_to_private_ca> (HTML)
- <http://www.weinstein.org/redhat/presentations/oscon01/intro_to_private_ca.pdf> (PDF)
Apache Project, <http://www.apache.org>
Apache Week, <http://www.apacheweek.com>

Acknowledgments & Suggested References (Slide Thirty)

mod_ssl Project, <http://www.modssl.org>
Mailing Lists, List Archives:
OpenSSL Project, <http://www.openssl.org>
Mailing Lists, List Archives:

The most beautiful thing we can experience is the mysterious. It is the source of all true art and all science. He to whom this emotion is a stranger, who can no longer pause to wonder and stand rapt in awe, is as good as dead: his eyes are closed.

-A. Einstein