Masterclass in openSSL

Description of the video Masterclass in openSSL

In this masterclass video you get one hour of in-depth education in using OpenSSL on Linux. We first look at self-signed OpenSSL certificates and see their limitations. From there we create the full PKI hierarchy: the OpenSSL root CA certificate, an intermediate CA and server keys. We see how we sign the sub CA with the root CA and how the sub CA is then used to sign the server certificates. We see how clients can trust the root CA, and we end the masterclass demonstration by starting an openssl test server before configuring nginx with HTTPS.

00:00 Intro
02:06 SSH Trust and Encryption
03:30 Create the directory structure
07:30 Self Signed Keys
13:30 Private Keys
18:47 Create the Root CA Certificate
26:35 Create the Intermediate CA
36:15 Create the Server Certificate
44:30 Test the PKI Structure

The root-ca conf file follows. You can edit this file to become the sub-ca.conf: change the dir variable and the policy.

[ca]
#/root/ca/root-ca/root-ca.conf
#see man ca
default_ca = CA_default

[CA_default]
dir = /root/ca/root-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand

private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt

crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30

default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the req tool, see man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
# Extensions to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = GB
stateOrProvinceName_default = England
0.organizationName_default = TheUrbanPenguin Ltd

[ v3_ca ]
# Extensions to apply when creating the root CA
# Extensions for a typical CA, see man x509v3_config
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions to apply when creating the intermediate or sub-CA
# Extensions for a typical intermediate CA, same man page as above
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#pathlen:0 ensures no more sub-ca can be created below an intermediate
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
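
The hierarchy described above, as an added example that is not the video's own script: it builds root, intermediate and server certificates with openssl req and openssl x509 (so no ca database or directory structure is needed), reusing the v3_ca, v3_intermediate_ca and server_cert extension sections from the config, then verifies the server certificate against the root alone and confirms that the intermediate's pathlen:0 really stops a further sub-CA from being trusted. It assumes openssl 1.1.1 or later on PATH; the mktemp directory, file names and example.com hostnames are constructed for the demonstration.

```shell
# Added example, not the video's script: root -> intermediate -> server via openssl req/x509, then chain and pathlen:0 checks
set -e
WORK=$(mktemp -d); cd "$WORK"                   # scratch directory (assumed path)
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
SUBJ="/C=GB/O=TheUrbanPenguin Ltd"
issue() {   # issue <name> <issuer> <extension section> <CN>: make a CSR, then sign it
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "$SUBJ/CN=$4" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 365 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}
build_pki() {
    # self-signed root: [ req ] x509_extensions selects the v3_ca section
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config pki.cnf \
        -subj "$SUBJ/CN=Root CA" -keyout root.key -out root.crt 2>/dev/null
    issue sub root v3_intermediate_ca "Intermediate CA"
    issue server sub server_cert "www.example.com"
}
# a client trusting only the root accepts the server cert when the intermediate is supplied as untrusted
chain_ok() { openssl verify -CAfile root.crt -untrusted sub.crt server.crt >/dev/null 2>&1; }
# pathlen:0 check: x509 -req does not enforce the issuer's pathlen, so a CA can be
# created below the intermediate, but a leaf it signs must fail client verification
pathlen_enforced() {
    issue deep sub v3_intermediate_ca "Depth-2 CA"
    issue leaf deep server_cert "leaf.example.com"
    ! openssl verify -CAfile root.crt -untrusted sub.crt -untrusted deep.crt leaf.crt >/dev/null 2>&1
}
build_pki && chain_ok && pathlen_enforced && echo "chain verifies; pathlen:0 enforced"
```

The same verify command with the intermediate omitted fails, which is the usual cause of "unable to get local issuer certificate" when nginx is given only the server certificate instead of the full chain.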
