Post on 22-Dec-2015
Customizing X.509 Certificate Fields
Charles D. Short
CS526 – S2008
University of Colorado, Colorado Springs
Dr. C. Edward Chow
5/5/2008 CDS - UCCS CS526 - S2008 1
Discussion
• Project Goal
• Background
• OpenSSL
• OpenSSL commands
• openssl.cnf File
• Project .cnf Files
• Certificate Process
• Install Server Certificate
• Install Client Certificate
• Client Certificate
• Certificate challenge
• Server Acknowledgement
• Server Response
• Lessons Learned
• Future Research
Project Goal
• Determine and detail how to insert custom field information into an X.509 certificate.
Background
• An X.509 certificate can be used for authentication between a client and server to ensure client identity, but it does not provide any additional fields for information that may be useful to custom applications running on the server.
• This project will detail how to insert additional information into the client certificate, which a server-based application may then use to provide services based upon this information.
OpenSSL
• Open source project
• Based on the SSLeay library developed by Eric A. Young and Tim J. Hudson
• Provides a cryptographic toolkit
  – Secure Sockets Layer (SSL)
  – Transport Layer Security (TLS)
  – General purpose cryptography library
• http://www.openssl.org/
OpenSSL Commands
• ca – Certificate Authority
  – Sign certificate requests
  – Generate Certificate Revocation List (CRL)
  – Maintain issued certificate database
• req – Create and process certificate requests
  – Certificate request creation
  – Certificate signing
  – Certificate display
• x509 – Multi purpose certificate utility
  – Display certificate information
  – Convert certificates to various forms
  – Sign certificate requests
  – Edit certificate trust settings
openssl.cnf File
• Divided into sections that begin with bracketed identifiers such as [ ca ]
• Sections correspond to the openssl commands ca, req, x509
• Directives consist of <attribute> = <value>
• Provides field values
• Provides field defaults
• Provides field attributes
• Provides user prompts
openssl.cnf File (cont)
• CA Section
  – [ ca ]
  – [ CA_default ]
  – [ policy_match ]
  – [ policy_anything ]
• REQ Section
  – [ req ]
  – [ req_distinguished_name ]
  – [ req_attributes ]
• X.509 EXTENSION DIRECTIVES
  – [ usr_cert ]
  – [ v3_req ]
  – [ v3_ca ]
  – [ crl_ext ]
• http://www.technoids.org/openssl.cnf.html
Project .cnf Files
• Certificate Authority
  – http://cs.uccs.edu/~cdshort/cs526/certreq.txt
• Server
  – http://cs.uccs.edu/~cdshort/cs526/serverreq.txt
• Client
  – http://cs.uccs.edu/~cdshort/cs526/clientreq.txt
Certificate Creation Process
• Create certificate authority
  openssl req -config certreq.cnf -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem
• Create server certificate request
  openssl req -config serverreq.cnf -newkey rsa:1024 -keyout servertempkey.pem -out serverreq.pem
• Sign server certificate
  openssl ca -config certreq.cnf -in serverreq.pem -out servercrt.pem
• Create client certificate request
  openssl req -config clientreq.cnf -newkey rsa:1024 -out clientreq.pem -keyout clientkey.pem
• Sign client certificate
  openssl ca -config certreq.cnf -in clientreq.pem -out clientcrt.pem
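As an added example (not one of the project's own .cnf files linked above), the openssl.cnf pieces that carry a custom subject-DN field through the request and signing steps described here. The field name serviceLevel and the OID 1.3.6.1.4.1.99999.1 are placeholders; substitute an arc under your organisation's registered OID.

```ini
# Added example, not the project's certreq.cnf/clientreq.cnf.
# oid_section must sit in the default (unnamed) section at the top of the file.
oid_section = new_oids

[ new_oids ]
# Placeholder arc: register the custom attribute so req/ca can use its name.
serviceLevel = 1.3.6.1.4.1.99999.1

[ req ]
distinguished_name = req_distinguished_name
# prompt = no means each line below is "field = value", not a prompt string.
prompt             = no

[ req_distinguished_name ]
C            = US
ST           = Colorado
O            = UCCS
OU           = CS526
CN           = UbuntuWS1
# The custom field becomes one more attribute in the subject DN.
serviceLevel = gold

# CA side: openssl ca copies only policy-listed attributes from the request
# into the issued certificate, so without this entry serviceLevel is
# silently dropped. The [ ca ] section must select this policy.
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
serviceLevel           = optional
```

Because openssl ca reads its own -config file rather than the request's, the oid_section and the policy entry have to be present in the CA configuration (certreq.cnf in this project) as well as in the client request configuration.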
Install Server Certificate
• Move Certificates and Keys
  – sudo cp servercrt.pem /etc/ssl/certs
  – sudo cp serverkey.pem /etc/ssl/private
  – sudo cp cacert.pem /etc/ssl/certs
• Edit /etc/apache2/sites-available/default
  – SSLEngine on
  – SSLCertificateFile /etc/ssl/certs/servercrt.pem
  – SSLCertificateKeyFile /etc/ssl/private/serverkey.pem
• Edit /etc/apache2/ports.conf
  – Listen 443
• Edit /etc/apache2/httpd.conf
  – SSLVerifyClient require
  – SSLVerifyDepth 1
  – SSLCACertificateFile /etc/ssl/certs
• Enable SSL
  – sudo a2enmod ssl
• Restart Web Server
  – sudo /etc/init.d/apache2 restart
Install Client Certificate
• Combine client certificate and key
  – cat clientkey.pem clientcrt.pem > clientcrtandkey.pem
• Convert PEM to PFX
  – openssl pkcs12 -export -out clientcert.pfx -in clientcrtandkey.pem -name "UbuntuWS1 Client certificate"
• Import using Internet Explorer
  – Tools / Internet Options / Content / Certificates / Import
Server PHP Code
<!-- Display Client Certificate Fields -->
<html>
<head>
<title>Client Certificate Subject Distinguished Name Field:</title>
</head>
<body>
<h1><b>Client Certificate Subject Distinguished Name:</b></h1>
<hr>
<?php
// mod_ssl exports the verified client certificate's subject DN as SSL_CLIENT_S_DN
print("ClientSDN: $_SERVER[SSL_CLIENT_S_DN]<br><br>");
?>
</body>
</html>
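As an added example (not code from the slides or the project), a server-side parser for the SSL_CLIENT_S_DN string that the PHP above prints, pulling the custom field out of it for an authorization decision. It assumes the Apache 2.2-era mod_ssl one-line DN format ("/C=US/O=.../CN=...") and that the server's OpenSSL, which does not know the custom OID's short name, renders it as the dotted OID; the OID 1.3.6.1.4.1.99999.1, the env dictionary and the accepted values are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholder OID for the custom DN field (constructed for this example).
SERVICE_LEVEL_OID = "1.3.6.1.4.1.99999.1"

# One attribute in mod_ssl's one-line DN format starts with "/<name>=".
_ATTR_START = re.compile(r"/([A-Za-z0-9.]+)=")


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse "/C=US/O=UCCS/CN=host" into ordered (attribute, value) pairs.

    The one-line format does not escape "/" inside values, so a value runs
    until the next "/<name>=" token; a value that itself contains such a
    token is ambiguous in this format and will be split.
    """
    starts = list(_ATTR_START.finditer(dn))
    if not starts or starts[0].start() != 0:
        raise ValueError("DN is not in mod_ssl one-line format")
    pairs: List[Tuple[str, str]] = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(dn)
        pairs.append((m.group(1), dn[m.end():end]))
    return pairs


def dn_values(pairs: List[Tuple[str, str]], attr: str) -> List[str]:
    """All values of one attribute, in DN order (OU may repeat)."""
    return [v for a, v in pairs if a == attr]


def service_level(env: Dict[str, str]) -> Optional[str]:
    """Service level carried in the client cert, or None if not trustworthy.

    env mimics the subset of $_SERVER that mod_ssl fills in. The DN is only
    used when mod_ssl reports the chain as verified, and exactly one
    custom field with a known value is required; anything else is refused.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    levels = dn_values(parse_oneline_dn(env["SSL_CLIENT_S_DN"]), SERVICE_LEVEL_OID)
    if len(levels) != 1 or levels[0] not in ("basic", "gold"):
        return None
    return levels[0]


# Constructed sample environment, as mod_ssl would hand it to the PHP page.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/ST=Colorado/O=UCCS/OU=CS526/CN=UbuntuWS1/"
                       + SERVICE_LEVEL_OID + "=gold",
}

if __name__ == "__main__":
    print(parse_oneline_dn(SAMPLE_ENV["SSL_CLIENT_S_DN"]))
    print(service_level(SAMPLE_ENV))
```

mod_ssl only exposes per-component variables (SSL_CLIENT_S_DN_CN and friends) for the standard attributes, which is why a custom field has to be read out of the full DN string as done here.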
Lessons Learned
• Documentation is scarce
• Documentation is confusing
• Certificate fields are obscure
• Flexibility is limited
Future Research
• Explore the addition of fields outside of the Distinguished Name (DN) section.
• Explore the creation of a different certificate format.
• Modify mod_ssl code to process new certificate contents.
• Modify the client browser to process new certificate contents.
References
• http://www.openssl.org/
• http://www.openssl.org/docs/apps/ca.html
• http://www.openssl.org/docs/apps/req.html
• http://www.openssl.org/docs/apps/x509.html
• http://www.technoids.org/openssl.cnf.html
• http://www.oid-info.com/standards.htm
• http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysql-and-cgi-bin/
• http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
• https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html
• http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6