O'Reilly Open Source Convention: Apache Track: Web Security for Business: Creating and Implementing a Private Certificate Authority with OpenSSL and mod_ssl, San Diego, July 27th 2001.
What You Should Know (Slide Two)
- How SSL/TLS works
- How to maintain and run Apache and Apache modules
- How the CGI interface works; some Perl
- How to get around in a Un*x shell
What We're Going to Talk About (Slide Three)
- The Basics:
  - How to create a private certificate authority (CA).
  - How to sign a server certificate request with the private CA.
  - How to sign and distribute a client certificate request with the private CA.
- The Nit and Gritty:
  - OpenSSL configuration file.
  - Some HTML and Perl code.
  - How to publish the private CA within a limited environment.
  - Configuring mod_ssl to authenticate access based on client certificates issued by the private CA.
  - Certificate revocation and revocation lists.
Disclaimer (Slide Four)
- This presentation does not cover all of the security issues involved in maintaining a certificate authority (CA) or the data that is being protected by the CA.
- Nor does this presentation cover all the issues involved in securing a network-based machine and its contents; it covers only the issues involved in securing and authenticating data transmitted between machines.
Quick Review (Slide Five)
- Digital Certificates
- Certificate Authorities
Digital Certificates (Slide Six)
- Types of digital certificates:
  - Server certificate
  - Client certificate
- X.509 format, issued by certificate authorities; each certificate contains:
  - A serial number
  - Name of the issuing certificate authority
  - Identifying information, such as name, street address and/or email address
  - Subject's public key
  - A "signature" of the issuing certificate authority
Certificate Authorities (Slide Seven)
- Public Certificate Authority: Verisign, Thawte, Equifax; recognized by default by most web browsers and servers; used when no other relationship exists between two parties.
- Private Certificate Authority: by default not recognized; used when a relationship already exists between two parties.
The Basics: OpenSSL (Slide Eight)
- Creating our private certificate authority
- Creating a server certificate request
- Signing a server certificate request
- Signing a client certificate request
Creating a Private Certificate Authority (Slide Nine)
- Creating a self-signed (root) certificate for the private CA
Creating a Certificate Signing Request (CSR) for Server (Slide Ten)
- Since Apache uses OpenSSL via mod_ssl for SSL, we'll use it to create a CSR for Apache
Signing Our Server CSR (Slide Eleven)
- Now we'll sign this CSR using OpenSSL and our Private Certificate Authority
The Wonderful World of Web Browsers (Slide Twelve)
- Different web browsers support different methods for creating client certificates.
- The general procedure:
  - User accesses a web page with their favorite client (web browser).
  - User enters identification information into the web page form.
  - User submits the form, which:
    - Has the client generate a public and private key pair (the private key never leaves the browser).
    - Has a CGI script add the public key to the identification information being submitted, which creates a client certificate signing request.
Signing Our Client CSR (Slide Thirteen)
- After a little magic we can sign this client CSR.
The Nit and Gritty (Slide Fourteen)
- What's in the openssl.cnf file
- HTML code for the submit form
- Perl scripts for creating the client certificate signing request and installing the client certificate into the browser
- Publishing the private CA within a limited environment
- Configuring mod_ssl to authenticate access based on client certificates issued by the private CA
- Certificate revocation and revocation lists
openssl.cnf (Slide Fifteen)
- Our Self-Signed Certificate and Private Key
openssl.cnf (Slide Sixteen)
openssl.cnf (Slide Seventeen)
- Defining a policy of necessary information in our certificates
HTML Form (Slide Eighteen)
HTML Form (Slide Nineteen)
CGI & Perl (Slide Twenty)
CGI & Perl (Slide Twenty One)
- Save the submitted data and create a client CSR file.
CGI & Perl (Slide Twenty Two)
- Getting the signed certificate to the client.
Apache and mod_ssl (Slide Twenty Three)
- Setting up Apache so clients can download the CA's root certificate.
Apache and mod_ssl (Slide Twenty Four)
- Configuring our server certificate for Apache
Apache and mod_ssl (Slide Twenty Five)
- Adding our CA to Apache and using it to authenticate clients
Certificate Revocation (Slide Twenty Six)
- Revoking a certificate before it expires and creating a certificate revocation list.
Certificate Revocation (Slide Twenty Seven)
- Making sure our Apache server doesn't accept the revoked certificate.
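The CA-side steps from slides 9 through 11 and 26 through 27 walked through end to end, as an added example that is not part of the original presentation: a minimal openssl.cnf with a policy section, a self-signed root, a server CSR signed with `openssl ca`, then revocation and a CRL checked the way mod_ssl's SSLCARevocationFile would. The directory, subject names and hostname are constructed for the demo.

```bash
#!/bin/bash
# Added example (not from the OSCON slides). Assumes the openssl CLI is on PATH;
# every path and DN below is a constructed placeholder for a scratch private CA.
set -e
ca_setup() {                 # $1 = scratch dir; all later steps run inside it
    mkdir -p "$1/newcerts" && cd "$1"
    : > index.txt; echo 01 > serial        # empty CA database and first serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
countryName      = match
organizationName = match
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Self-signed root certificate and private key for the private CA
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 730 \
        -subj "/C=US/O=Example Private CA/CN=Demo Root" -config openssl.cnf
}
issue_server_cert() {        # $1 = server hostname: CSR, then sign it with our CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/C=US/O=Example Private CA/CN=$1" -config openssl.cnf
    openssl ca -batch -notext -config openssl.cnf -in "$1.csr" -out "$1.crt"
    openssl verify -CAfile ca.crt "$1.crt"           # chains to our root: OK
}
revoke_and_check() {         # $1 = server hostname: revoke, publish CRL, re-verify
    openssl ca -config openssl.cnf -revoke "$1.crt"
    openssl ca -config openssl.cnf -gencrl -out ca.crl
    # Same check Apache makes with SSLCARevocationFile: verify must now fail
    ! openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt"
}
```

Run the three functions in order with a scratch directory and a hostname; the resulting ca.crt and ca.crl are the files mod_ssl would take as SSLCACertificateFile and SSLCARevocationFile.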
Citation (Slide Twenty Eight)
Acknowledgments & Suggested References (Slide Twenty Nine)
Acknowledgments & Suggested References (Slide Thirty)
It is properly said that the Devil can "quote Scripture to his purpose." The Bible is full of so many stories of contradictory moral purpose that every generation can find scriptural justification for nearly any action it proposes - from incest, slavery, and mass murder to the most refined love, courage, and self-sacrifice. And this moral multiple personality disorder is hardly restricted to Judaism and Christianity. You can find it deep within Islam, the Hindu tradition, indeed nearly all the world's religions. Perhaps then it is ... people who are morally ambiguous.

Scripture is said to be divinely inspired - a phrase with many meanings. But what if it's simply made up by fallible humans? Miracles are attested, but what if they're instead some mix of charlatanry, unfamiliar states of consciousness, misapprehensions of natural phenomena, and mental illness? The fact that so little of the finds of modern science is prefigured in Scripture to my mind casts further doubt on its divine inspiration.

But of course I might be wrong.

- Carl Sagan