Building Basic Public Key Infrastructure
This work is done by ISMAIL RACHDAOUI
Generating a digital certificate for a user using OpenSSL:
The first step in every certificate system is to create the Root certificate. It will be
a self-signed one; we will then use this certificate (Root) to sign the other generated
certificates.
1- Generate Root certificate:
As mentioned in the introduction, the Root certificate will be self-signed; here is
the OpenSSL command line to generate it:
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 356
In this example, the root certificate will use RSA as the public-key algorithm
with a key length of 2048 bits. This command will generate 2 files:
• ca.key: the private key of the root certificate
• ca.crt: the root certificate, which carries its public key
The -x509 option is used for a self-signed certificate, and the -days parameter
means that it will be valid for 356 days.
Here are the screenshots:
Once we confirm the given command, OpenSSL will ask us to enter a passphrase for the
certificate … Then we continue.
The next step is to enter the Distinguished Name (DN) for the certificate. The
given information is used to build the certificate; you can leave
some fields empty, but not the Common Name (CN). The CN may be, for example, your
hostname, in this case Ubuntu.
That's all! Our Root certificate is created; we can display ca.key and ca.pem using
the Linux cat command.
2- Generate a user certificate:
The creation of a user certificate is done in two steps.
• Step 1: Create the private key of the user certificate:
The command is:
openssl genrsa -out user.key 4096
4096 is the key length in bits.
• Step 2: Create a certificate request
To create a certificate, you need to start with a certificate request. A certificate
request can be signed using the self-signed certificate created before.
To generate a certificate request we use the following command:
openssl req -new -key user.key -out user.csr
OpenSSL will then ask you to fill in some information about the user, as below:
This command produces the user.csr file (CSR stands for Certificate Signing Request).
• Step 3: Sign the CSR file with the Root certificate
The final step is to get user.csr signed using the Root certificate, so that it will be valid in
the certificate chain.
The command line is:
openssl x509 -req -days 730 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
In this command we have to provide the path of the CSR, the path of the Root certificate
and the path of the Root certificate's private key; the generated certificate is user.crt, valid
for 730 days.
That's all! The screenshot proves that the CSR is successfully signed and the user
certificate user.crt is created.
To use user.key for Authenticode signatures with Microsoft's signtool, you'll have
to package the keys and certs in a PKCS12 file using the command line:
openssl pkcs12 -export -out user.p12 -inkey user.key -in user.crt -chain -CAfile ca.crt
• More about the PKCS12 format: http://en.wikipedia.org/wiki/PKCS_12
The program asks for an export password; give one and remember it, so that you can use
the file on any Windows machine.
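The procedure above, rerun non-interactively and followed by checks on the signed certificate, as an added example that is not part of the original slides. The function names build_demo_pki and check_user_cert, the DEMO_PASS value and the two subject names are assumptions made for the demonstration; the openssl options are the ones used above plus -subj, -passout and -passin to avoid the prompts.

```shell
#!/bin/sh
# Added example: reruns the page's commands in a scratch directory, then
# checks the result. Subjects and passphrase are constructed demo values.
# In real use let openssl prompt for the passphrase: a pass: argument is
# visible in the process list.
DEMO_PASS='pass:constructed-demo-passphrase'

# build_demo_pki DIR [USER_KEY_BITS]: root CA, user key, CSR, signed user cert.
build_demo_pki() {
    d=$1; bits=${2:-4096}
    openssl req -x509 -newkey rsa:2048 -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 356 -subj '/CN=Example Root CA' -passout "$DEMO_PASS" \
        2>/dev/null || return 1
    openssl genrsa -out "$d/user.key" "$bits" 2>/dev/null || return 1
    # The user subject must differ from the root's: an identical DN makes the
    # certificate look self-issued and chain building fails.
    openssl req -new -key "$d/user.key" -out "$d/user.csr" \
        -subj '/CN=example-user' 2>/dev/null || return 1
    openssl x509 -req -days 730 -in "$d/user.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -passin "$DEMO_PASS" -set_serial 01 \
        -out "$d/user.crt" 2>/dev/null || return 1
}

# check_user_cert CA_CERT USER_CERT USER_KEY
# Returns 0 if every check passes, otherwise the number of the failed check.
check_user_cert() {
    ca=$1; crt=$2; key=$3
    # 1. The signature chains to the given root.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' || return 1
    # 2. The certificate carries the public half of the user's private key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2
    # 3. Valid now, and expired 731 days from now (it was signed with -days 730).
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || return 3
    if openssl x509 -in "$crt" -noout -checkend $((731 * 86400)) >/dev/null 2>&1
    then return 3; fi
    return 0
}

# Usage:
#   d=$(mktemp -d); build_demo_pki "$d" &&
#   check_user_cert "$d/ca.crt" "$d/user.crt" "$d/user.key"; echo "result: $?"
```

Running check_user_cert before the PKCS12 export catches a certificate signed by the wrong root or paired with the wrong private key while the files are still separate and easy to inspect.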
