O'Reilly Open Source Convention: Apache Track: Web Security for Business: Creating and Implementing a Private Certificate Authority with OpenSSL and mod_ssl, San Diego, July 27th 2001.
What You Should Know (Slide Two)
- How SSL/TLS works
- How to maintain and run Apache and Apache modules
- How the CGI interface works; some Perl
- How to get around in a Un*x shell
What We're Going to Talk About (Slide Three)
- The Basics:
  - How to create a private certificate authority (CA).
  - How to sign a server certificate request with the private CA.
  - How to sign and distribute a client certificate request with the private CA.
- The Nit and Gritty:
  - The OpenSSL configuration file.
  - Some HTML and Perl code.
  - How to publish the private CA within a limited environment.
  - Configuring mod_ssl to authenticate access based on client certificates issued by the private CA.
  - Certificate revocation and revocation lists.
Disclaimer (Slide Four)
- This presentation does not cover all of the security issues involved in maintaining a certificate authority (CA) or the data that is being protected by the CA.
- Nor does this presentation cover all the issues involved in securing a networked machine and its contents; it covers only the issues involved in securing and authenticating data transmitted between machines.
Quick Review (Slide Five)
- Digital Certificates
- Certificate Authorities
Digital Certificates (Slide Six)
- Types of digital certificates:
  - Server certificate
  - Client certificate
- X.509 format, issued by certificate authorities; each certificate carries:
  - A serial number
  - The name of the issuing certificate authority
  - Identifying information, such as name, street address and/or email address
  - The subject's public key
  - A "signature" by the issuing certificate authority
Certificate Authorities (Slide Seven)
- Public certificate authority (Verisign, Thawte, Equifax): recognized by default by most web browsers and servers; used when no other relationship exists between the two parties.
- Private certificate authority: not recognized by default; used when a relationship already exists between the two parties.
The Basics: OpenSSL (Slide Eight)
- Creating our private certificate authority
- Creating a server certificate request
- Signing a server certificate request
- Signing a client certificate request
Creating a Private Certificate Authority (Slide Nine)
- Creating a self-signed (root) certificate for the private CA
Creating a Certificate Signing Request (CSR) for the Server (Slide Ten)
- Since Apache uses OpenSSL (via mod_ssl) for SSL, we'll use OpenSSL to create a CSR for Apache.
Signing Our Server CSR (Slide Eleven)
- Now we'll sign this CSR using OpenSSL and our Private Certificate Authority
The Wonderful World of Web Browsers (Slide Twelve)
- Different web browsers support different methods for creating client certificates.
- The general procedure:
  - The user accesses a web page with their favorite client (web browser).
  - The user enters identification information into the web page form.
  - The user submits the form, which:
    - Has the client generate a public and private key pair.
    - Has a CGI script add the public key to the identification information being submitted, which creates a client certificate signing request.
Signing Our Client CSR (Slide Thirteen)
- After a little magic we can sign this client CSR.
The Nit and Gritty (Slide Fourteen)
- What's in the openssl.cnf file
- HTML code for submit form
- Perl scripts for creating client certificate signing request and installing client certificate into browser
- Publishing private CA within a limited environment
- Configuring mod_ssl to authenticate access based on client certificates issued by private CA.
- Certificate Revocation and Revocation Lists
openssl.cnf (Slide Fifteen)
- Our Self-Signed Certificate and Private Key
openssl.cnf (Slide Sixteen)
openssl.cnf (Slide Seventeen)
- Defining a policy of necessary information in our certificates
HTML Form (Slide Eighteen)
HTML Form (Slide Nineteen)
CGI & Perl (Slide Twenty)
CGI & Perl (Slide Twenty One)
- Save the submitted data and create a client CSR file.
CGI & Perl (Slide Twenty Two)
- Getting a signed certificate to client.
Apache and mod_ssl (Slide Twenty Three)
- Setting up Apache so clients can download the CA's root certificate.
Apache and mod_ssl (Slide Twenty Four)
- Configuring our server certificate for Apache
Apache and mod_ssl (Slide Twenty Five)
- Adding our CA to Apache and using it to authenticate clients
Certificate Revocation (Slide Twenty Six)
- Revoking a certificate before it expires and creating a certificate revocation list.
Certificate Revocation (Slide Twenty Seven)
- Making sure our Apache server doesn't accept the revoked certificate.
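The lifecycle the slides walk through, from creating the CA (Slide Nine) through signing a server CSR (Slides Ten and Eleven) to revoking a certificate and publishing a CRL (Slides Twenty Six and Twenty Seven), as one runnable script. This is an added example and not code from the talk; it needs only the openssl command-line tool, and every path, distinguished name and hostname in it is constructed for the demo. The embedded openssl.cnf is a deliberately minimal version of the file Slides Fifteen to Seventeen discuss: a [ca] section telling `openssl ca` where its database, serial file and key live, and a policy that requires a commonName in every request.

```shell
#!/bin/sh
# Added example, not code from the OSCON talk: a throwaway private CA that
# walks the slides' procedure end to end with the openssl command-line tool.
# Every path, DN and hostname here is constructed for the demo.
set -eu
# make_ca DIR: CA directory layout and minimal openssl.cnf (Slides Fifteen to
# Seventeen), then the self-signed root certificate and key (Slide Nine).
make_ca() {
    ca=$1
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"        # certificate database, empty to start
    echo 01 > "$ca/serial"     # next serial number to issue
    echo 01 > "$ca/crlnumber"  # next CRL number
    # $ca is expanded by the shell now; \$dir is left for openssl to expand.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = usr_cert
unique_subject   = no
# Policy: a request must carry a commonName; nothing else is required.
[ demo_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = Demo Private CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$ca/openssl.cnf" -keyout "$ca/cakey.pem" \
        -out "$ca/cacert.pem" >/dev/null 2>&1
}

# issue_cert CADIR BASE CN: key and CSR for CN (Slide Ten), then sign the CSR
# with the CA (Slide Eleven). Writes BASE.key/.csr/.crt; prints the cert path.
issue_cert() {
    ca=$1; base=$2; cn=$3
    openssl req -new -newkey rsa:2048 -nodes -config "$ca/openssl.cnf" \
        -subj "/CN=$cn" -keyout "$base.key" -out "$base.csr" >/dev/null 2>&1
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$base.csr" -out "$base.crt" >/dev/null 2>&1
    echo "$base.crt"
}

# cert_ok CADIR CERT: succeed if CERT chains to the root and, once a CRL has
# been published, is not listed on it (what mod_ssl checks against its CRL).
cert_ok() {
    ca=$1; cert=$2
    if [ -f "$ca/crl.pem" ]; then
        openssl verify -crl_check -CAfile "$ca/cacert.pem" \
            -CRLfile "$ca/crl.pem" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca/cacert.pem" "$cert" >/dev/null 2>&1
    fi
}

# revoke_cert CADIR CERT: mark CERT revoked in the database and publish a
# fresh CRL (Slide Twenty Six); a server enforces it only after reloading it.
revoke_cert() {
    ca=$1; cert=$2
    openssl ca -batch -config "$ca/openssl.cnf" -revoke "$cert" >/dev/null 2>&1
    openssl ca -batch -config "$ca/openssl.cnf" -gencrl -out "$ca/crl.pem" >/dev/null 2>&1
}

# revoked_serials CADIR: serials flagged R in index.txt, whose tab-separated
# columns are status, expiry, revocation date, serial, file name, subject.
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1/index.txt"
}
# Run the whole lifecycle in a scratch directory.
demo() {
    work=$(mktemp -d)
    make_ca "$work/ca"
    cert=$(issue_cert "$work/ca" "$work/www" www.example.test)
    cert_ok "$work/ca" "$cert" && echo "issued certificate verifies against the CA"
    revoke_cert "$work/ca" "$cert"
    cert_ok "$work/ca" "$cert" || echo "revoked certificate is rejected by the CRL check"
    echo "revoked serials: $(revoked_serials "$work/ca")"
    rm -rf "$work"
}
demo
```

On the Apache side (Slides Twenty Three to Twenty Seven) the same files are what mod_ssl consumes: cacert.pem goes into SSLCACertificateFile, client authentication is switched on with SSLVerifyClient require, and crl.pem is named by SSLCARevocationFile. A browser-generated client request (Slides Twelve and Thirteen) is signed with the same `openssl ca` call; a Netscape-style KEYGEN submission arrives as a SPKAC rather than a PEM CSR and is passed with `-spkac` instead of `-in`. The `revoked_serials` check on index.txt is a cheap way to confirm, before regenerating the CRL, that the revocation actually landed in the CA database.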
Citation (Slide Twenty Eight)
Acknowledgments & Suggested References (Slide Twenty Nine)
Acknowledgments & Suggested References (Slide Thirty)
The isolation of every human soul and the necessity of self-dependence must give each individual the right to choose his own surroundings. The strongest reason for giving woman all the opportunities for higher education, for the full development of her faculties, forces of mind and body; for giving her the most enlarged freedom of thought and action; a complete emancipation from all forms of bondage, of custom, dependence, superstition; from all the crippling influences of fear, is the solitude and personal responsibility of her own individual life. The strongest reason why we ask for woman a voice in the government under which she lives; in the religion she is asked to believe; equality in social life, where she is the chief factor; a place in the trades and professions, where she may earn her bread, is because of her birthright to self-sovereignty; because, as an individual, she must rely on herself. No matter how much women prefer to lean, to be protected and supported, nor how much men desire to have them do so, they must make the voyage of life alone, and for safety in an emergency they must know something of the laws of navigation. To guide our own craft, we must be captain, pilot, engineer; with chart and compass to stand at the wheel; to match the wind and waves and know when to take in the sail, and to read the signs in the firmament over all. It matters not whether the solitary voyager is man or woman. Nature having endowed them equally, leaves them to their own skill and judgment in the hour of danger, and, if not equal to the occasion, alike they perish. To appreciate the importance of fitting every human soul for independent action, think for a moment of the immeasurable solitude of self.

From: Solitude of Self, Elizabeth Cady Stanton