Creating simple Public Key Infrastructure with OpenSSL

What a hard time for me because as you can read at Indonesian page category (for you that understand of course) i’ve been attack by some strange disease since a day before and feeling so weak until now, but however i just can stop playing with my SlackWorld. and now i’ll give my report after trying to create some simple PKI using installed Openssl in my slackware. i assume that you have a basic knowledge in PKI, if you don’t you can read a cool book called “Network Security with OpenSSL” and the book is look like this :

before i begin to give you my exploration i’ll give the scenario that i’m trying to do. for better undertanding i’ll give it with vizualitation method. ok let see the picture below :

ha3 the left side suppose to be client 1 i’m sory …..

as you can see there will be a Root CA with one CA server below it and there will be 2 client where one of them will be signed by Server CA and another will be directly signed by Root CA. I’m sure you’re not having a problem to understanding the concept do you? good….

okay we’ll do this step by step..

STEP 1: Preparing file and directory needed by openssl for creating CA
root@darkstar:/etc/ssl# mkdir demoCA —–> for Root CA directori
root@darkstar:/etc/ssl# cd demoCA/
root@darkstar:/etc/ssl/demoCA# mkdir newcerts —–> storing the certificate
root@darkstar:/etc/ssl/demoCA# mkdir private —–> storing the root CA key
root@darkstar:/etc/ssl/demoCA# chmod 700 private/
root@darkstar:/etc/ssl/demoCA# echo “01″ > serial —–> setificate index number
root@darkstar:/etc/ssl/demoCA# touch index.txt —–> indexing the saved certificate

no more explanation i think because i’ve write down it there in the right side of each step, for more explanation just read the recommendation book okay….

STEP 2 : Generating key and certificate for Root CA

and now we are going to maka a new key and certificat for CA root
root@darkstar:/etc/ssl# openssl req -x509 -newkey rsa:4096 -out cacert.pem -outform PEM -keyout demoCA/private/cakey.pem

STEP 3 : Generating key and certificate request for client 1

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2408 -keyout key1.pem -out req.pem

STEP 4 : Signing the client 1certificate by Root CA

root@darkstar:/etc/ssl# openssl ca -in req.pem

STEP 5 : Generating key and certificate request for Server CA

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2408 -keyout serverCA.pem -out serverCAreq.pem

STEP 6 : Signing the Server CA certificate by Root CA
root@darkstar:/etc/ssl# openssl ca -in serverCAreq.pem -extensions v3_ca -out serverCAcert.pem

STEP 6 : Generating key and certificate request for client 2

root@darkstar:/etc/ssl# openssl req -new -newkey rsa:2408 -keyout key2.pem -out req2.pem

STEP 7 : Singing the client 2 certificate by Server CA

root@darkstar:/etc/ssl# openssl ca -in req3.pem -keyfile serverCAkey.pem -cert serverCAcert.pem

and it’s finished and the question is “what for all this stuff created?” the anwer is in the next post where we’ll continuing this with making a simple HTTPs connection okay…

Tidak ada komentar

No Spam / Ads or Outside Links