Description
Installing OpenSSL. In this lab, we will use openssl commands and libraries. We have already installed the openssl binaries in our VM. It should be noted that if you want to use the openssl libraries in
your programs, you need to install several other things for the programming environment, including the
header files, libraries, manuals, etc. We have already downloaded the necessary files under the directory
/home/seed/openssl-1.0.1. To configure and install the openssl libraries, go to the openssl-1.0.1
folder and run the following commands.
Hint: I attached the demo_openssl_api file for task 4.
Explanation & Answer
I attached the answer in a .odt document and .pdf as well. Let me know if you have any further questions.
Task 1
The Configuration File
1) Log in to the Ubuntu terminal.
2) Copy the openssl.cnf file to ~/openssl using the Linux command:
cp /usr/lib/ssl/openssl.cnf ~/openssl
3) Create relevant directories, subdirectories and files.
Certificate Authority (CA)
1) Execute the command: openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
from the directory where openssl.cnf is located.
2) Give the PEM pass phrase and enter it again to verify. (password = 12qw34er)
3) Provide the necessary information.
4) Files ca.key and ca.crt are created at ~/openssl
Task 2
Step 1
1) Issue the command: openssl genrsa -aes128 -out server.key 1024
2) Enter pass phrase for server.key and again to verify (password = 12qw34er)
3) Run the command: openssl rsa -in server.key -text
To see the contents of the created server.key
sajun@ubuntu:~/openssl$ openssl rsa -in server.key -text
Enter pass phrase for server.key:
Private-Key: (1024 bit)
modulus:
publicExponent: 65537 (0x10001)
privateExponent:
prime1:
prime2:
exponent1:
exponent2:
coefficient:
writing RSA key
Step 2
1) Run the command: openssl req -new -key server.key -out server.csr -config openssl.cnf
From ~/openssl
2) Enter pass phrase for server.key (12qw34er)
3) Provide the necessary information.
4) Enter a challenge password: 12qw34er
sajun@ubuntu:~/openssl$ openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Western
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SSE
Organizational Unit Name (eg, section) []:SSE
Common Name (e.g. server FQDN or YOUR name) []:SSE
Email Address []:SSE@SSE.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12qw34er
An optional company name []:SSE
Step 3
1) Execute the command: openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
-config openssl.cnf
From ~/openssl
2) Enter pass phrase for ca.key (12qw34er)
sajun@ubuntu:~/openssl$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key \
> -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1529225 (0x175589)
Validity
Not Before: Apr 28 12:37:30 2017 GMT
Not After : Apr 28 12:37:30 2018 GMT
Subject:
countryName = AU
stateOrProvinceName = Western
organizationName = SSE
organizationalUnitName = SSE
commonName = SSE
emailAddress = SSE@SSE.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3C:CA:85:CB:E5:0F:E6:5E:B0:91:0B:60:71:F9:2E:6B:8F:97:BA:89
X509v3 Authority Key Identifier:
keyid:E4:E8:45:C4:20:4C:F0:78:12:A0:33:26:84:AB:E7:8B:F8:57:5C:2F
Certificate is to be certified until Apr 28 12:37:30 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: OpenSSL does not refuse to generate certificates, so no policy change is done.
Task 3
1) Get sudo privileges and open the file /etc/hosts using the command:
sudo nano /etc/hosts
(We have to provide the sudo password)
2) Add the following entry
127.0.0.1 PKILabServer.com
3) Save changes (Ctrl+O) and Exit (Ctrl+X)
4) Combine the secret key and certificate into one file
Commands:
cp server.key server.pem
cat server.crt >> server.pem
5) Launch the web server using server.pem
Command:
openssl s_server -cert server.pem -www
Note: We can use -accept option to change the default port 4433.
E.g. openssl s_server -cert server.pem -accept 44330 -www; then we have to access
https://pkilabserver.com:44330/
6) Enter pass phrase for server.pem (12qw34er)
7) Open the browser and access https://pkilabserver.com:4433/
This gives the following error message
8) Fixing the error
(I) Edit -> Preference -> Advanced -> View Certificates > Import > Locate & Select ca.crt
(II) Advanced > Add Exception > Confirm Security Exception
9) Point the browser to https://pkilabserver.com:4433
This gives the response from the openssl s_server internal web...
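As an added example (not part of the lab handout or the posted answer), the script below runs the Task 1 and Task 2 flow non-interactively in a scratch directory: it creates the demoCA layout that step 3 of Task 1 leaves unspecified, replaces the interactive prompts with -subj/-passout/-batch, and ends with the openssl verify check that the browser performs in Task 3 once ca.crt is imported. It assumes openssl is on PATH; the passphrase, the DN values, and the trimmed ca.cnf (a stand-in for the lab's openssl.cnf, including the policy_match section that makes openssl ca reject a CSR whose C/ST/O differ from the CA's) are placeholders.

```shell
#!/bin/sh
# Added example, not the lab's own script. Assumes openssl on PATH.
# Usage: sh pki_lab_demo.sh <scratch-dir> [passphrase]
set -eu

pki_lab_demo() (
  work="$1"; pass="${2:-12qw34er}"        # placeholder passphrase from the walkthrough
  mkdir -p "$work/demoCA/newcerts" && cd "$work"
  touch demoCA/index.txt; echo 01 > demoCA/serial   # the files 'openssl ca' needs
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # Task 1: self-signed CA certificate and encrypted CA key
  openssl req -new -x509 -config ca.cnf -subj "/C=AU/ST=Western/O=SSE/CN=Lab CA" \
    -passout "pass:$pass" -keyout ca.key -out ca.crt 2>/dev/null
  # Task 2, steps 1-2: encrypted server key and a CSR whose C/ST/O match the CA
  openssl genrsa -aes128 -passout "pass:$pass" -out server.key 2048 2>/dev/null
  openssl req -new -config ca.cnf -key server.key -passin "pass:$pass" \
    -subj "/C=AU/ST=Western/O=SSE/CN=PKILabServer.com" -out server.csr
  # Task 2, step 3: the CA signs the CSR; -batch answers the y/n prompts
  openssl ca -batch -config ca.cnf -in server.csr -out server.crt \
    -cert ca.crt -keyfile ca.key -passin "pass:$pass" 2>/dev/null
  # Task 3 equivalent: does server.crt chain to the CA the browser was told to trust?
  openssl verify -CAfile ca.crt server.crt
)

[ $# -eq 0 ] || pki_lab_demo "$1" "${2:-12qw34er}"
```

The final line prints "server.crt: OK" when the chain is valid; server.pem for s_server is then just server.key followed by server.crt, as in Task 3.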