Creating a PKI in Ubuntu
A PKI (Public Key Infrastructure) is the solution to a problem called "Man-in-the-Middle Attack". You can learn more about this problem in our post Public Key Infrastructure. In this post, we will see how to easily set up a PKI on Ubuntu.
Configuring a PKI in OpenSSL
The first thing we need to do is find the example configuration file for OpenSSL, which could be located in /etc/ssl/openssl.cnf. To verify the actual location of this configuration file, we can run the following command:
openssl version -a
This command will give a result similar to the following:
OpenSSL 1.1.1 11 Sep 2018
built on: Thu Jun 20 17:36:28 2019 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-cn9tZy/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
The second-to-last line in this case contains the value of OPENSSLDIR, where the configuration file, certificates, and other important files will be located.
The OpenSSL configuration file contains a default configuration. For testing purposes, you should not change anything. However, you should verify that there is a [ ca ] section similar to the following:
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
This file first indicates that the default CA (Certificate Authority) is defined in the CA_default section. In this section, you will see that all files point to ./demoCA, in this case /usr/lib/ssl/demoCA. However, this folder and its subfolders are not created. To do this, you can run the following command to create the directory structure:
mkdir -p demoCA/certs
mkdir demoCA/crl
mkdir demoCA/newcerts
mkdir demoCA/private
You also need to create the certificate database file and the serial file that will keep track of the last signed certificate's serial number:
touch demoCA/index.txt
echo "C001" > demoCA/serial
Once this is done, we can proceed with the creation of the Certificate Authority.
Creating the Certificate Authority
To create the Certificate Authority, we will use the -x509 standard, which defines how the certificate information should be encoded. It all starts with the trusted entity and a root certificate, which we can generate by executing the following command:
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem
This command will create the private key cakey.pem and the self-signed certificate cacert.pem, which includes the public key of the Certificate Authority. Since we are creating a certificate, we will be prompted for some information similar to the following:
Generating a RSA private key
...................+++++
.................................................................................+++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CO
State or Province Name (full name) [Some-State]:Antioquia
Locality Name (eg, city) []:Medellin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pleets
Organizational Unit Name (eg, section) []:Tech Dept.
Common Name (e.g. server FQDN or YOUR name) []:https://pleets.org
Email Address []:example@pleets.org
ChatGPT
The certificate created earlier is the certificate that will be used to sign other certificates (user certificates). It is also possible to create intermediate certificate authorities that will sign user certificates (we won't cover this configuration in this post).
Creating a User Certificate
Before performing this signing, i.e., before the trusted entity issues a certificate to us, each user must create a certificate signing request which can be done with the following command:
openssl req -new -keyout userkey.pem -out usercert-req.pem
This command will create the private key userkey.pem and the associated certificate request usercert-req.pem. Since we are creating a certificate, we will be prompted for the information that a certificate should have:
Generating a RSA private key
..............................+++++
....................................+++++
writing new private key to 'userkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CO
State or Province Name (full name) [Some-State]:Antioquia
Locality Name (eg, city) []:Medellin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pleets
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:Dario Rivera
Email Address []:example@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
It is important to understand the difference between a CSR (Certificate Signing Request) and a certificate itself. What we did earlier was to create a certificate signing request (CSR) that needs to be signed by the CA.
All this information is sent to the trusted entity for certification, in this case, your own CA. Before signing, it is recommended to review the certificate information again to ensure everything is correct. You can do this with the following command:
openssl req -text -in usercert-req.pem -noout
To sign this certificate with the trusted entity, we need to use the following command:
openssl ca -in usercert-req.pem -out usercert.pem
If everything goes well, the output of this command should be similar to the following:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 49153 (0xc001)
Validity
Not Before: Aug 30 05:38:48 2019 GMT
Not After : Aug 29 05:38:48 2020 GMT
Subject:
countryName = CO
stateOrProvinceName = Antioquia
organizationName = Pleets
organizationalUnitName = Tech
commonName = Dario Rivera
emailAddress = fermius.us@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
89:3D:33:63:A9:76:31:9D:0D:47:11:8D:41:A2:74:C4:EE:19:BB:02
X509v3 Authority Key Identifier:
keyid:09:15:1A:A3:42:C4:79:4E:A0:30:F2:47:C6:5A:C5:55:16:5D:CC:0E
Certificate is to be certified until Aug 29 05:38:48 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This indicates that the certificate usercert.pem has been generated correctly. To convert this certificate to an installable format in the browser, you can use the following command:
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem > usercert.p12
Finally, as a test, notice that if we had entered a different organizationName than the initial one (Pleets), we would have received the following response:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The organizationName field is different between
CA certificate (Pleets) and the request (ENCOM)
This indicates that a certificate cannot sign certificates for organizations other than its own. I hope you have learned a lot from this post. Until next time.