I have two servers. On server A I have OpenSSL installed, and on server B I don't. Now, if I create a key pair and generate a CSR on server A for server B, get it signed by my root authority and place it on server B, how will this work when the private key is still present on server A? I have done everything on server A and just placed the signed certificate on server B. How will server B decrypt the traffic when it doesn't have the private key?
openssl genrsa -out marvels.gq.key 4096
openssl req -new -key marvels.gq.key -out marvels.gq.csr
I simulate a CA on a CentOS 7 host (azcn-gs1-nginx2) and use the CA to sign a certificate for a server (azcn-gs1-nginx1).
Below is what I do:
On the CA azcn-gs1-nginx1, generate the key
cd /etc/pki/CA/private/
openssl genrsa -aes128 -out testCA.key 2048
Generate CA certificate
openssl req -new -x509 -days 1825 -key /etc/pki/CA/private/testCA.key -out /etc/pki/CA/certs/testCA.crt
On the server azcn-gs1-nginx2, generate the private key and the certificate signing request.
openssl genrsa -out /etc/pki/tls/private/newServer.key 1024
openssl req -new -key /etc/pki/tls/private/newServer.key -out /etc/pki/tls/newServer.csr
Copy newServer.csr to the CA host for signing.
scp /etc/pki/tls/newServer.csr root@azcn-gs1-nginx2:~/newServer.csr
On the CA host, sign newServer.csr and copy newServer.crt back to the server azcn-gs1-nginx2.
openssl x509 -req -in ./newServer.csr -CA /etc/pki/CA/certs/testCA.crt -CAkey /etc/pki/CA/private/testCA.key -CAcreateserial -out newServer.crt -days 1461
scp newServer.crt root@azcn-gs1-nginx2:/etc/pki/tls/certs/newServer.crt
Server azcn-gs1-nginx2 is a reverse proxy for a web service. I configure newServer.key and newServer.crt in Nginx for HTTPS.
ssl_certificate /etc/pki/tls/certs/newServer_1.crt;
ssl_certificate_key /etc/pki/tls/private/newServer.key;
I am on another Ubuntu host. I import the CA's certificate testCA.crt into the Ubuntu trust store, as below:
cp testCA.crt /usr/local/share/ca-certificates/
update-ca-certificates
Ubuntu's built-in browser is Firefox. I also import testCA.crt into Firefox's trust store. Please see the attached pic.
I open the Firefox browser and visit the web server over HTTPS. The expected result is that it opens the web page directly without a security warning.
Unfortunately, it gives the warning "Your connection is not secure.....".
And it looks like the certificate only contains the certificate itself. It doesn't contain the CA's certificate.
Why does this happen? How can I get a signed certificate with the CA's certificate in the chain?
Thanks & regards,
Jie
Thanks for your comments.
That's right.
Actually, it is very simple. The two .crt files of the CA and the server can be concatenated into one .crt. Then the certificate chain is whole.
Right, pictures 2 and 3 are other problems.
Thanks,
Jie
From here, I learnt that we need a public key and user identification to create a CSR.
The goal is to establish SSL/TLS connections between two nodes (client & server).
Based on the above diagram, my understanding is that the public key is given as input to create the CSR, but step 4 uses the private key (server-key.pem) to create the CSR (server.csr).
Step 1) Create the certificate authority key (private key)
$ openssl genrsa -aes256 -out ca-key.pem 4096
Step 2) Create the certificate authority (root certificate) with the input (ca-key.pem)
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Step 3) Create a private key for the web server
$ openssl genrsa -out server-key.pem 4096
Step 4) Create the certificate signing request (CSR) by entering user identification. This will create the public key in turn.
$ openssl req -subj "/CN=dockerbuild.harebrained-apps.com" -sha256 -new -key server-key.pem -out server.csr
Step 5) Add the configuration
$ echo subjectAltName = IP:40.xx.xx.164,IP:10.0.0.4,IP:127.0.0.1,DNS:dockerbuildsys.westus.cloudapp.azure.com,DNS:dockerbuild.harebrained-apps.com > extfile.cnf
Step 6) Create the server certificate
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Step 7) Create the client private key
$ openssl genrsa -out key.pem 4096
Step 8) Create the CSR for the client by entering user identification
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Step 9) Certificate extension file for the client
$ echo extendedKeyUsage = clientAuth > extfile.cnf
Step 10) Create the client certificate
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Step 11) Remove the signing requests
$ rm -v client.csr server.csr
Step 12) Remove write permissions on the keys
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
Step 13) Read permissions on the certificates for every user
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
Step 14) Upload to the server side: the certificate authority (ca.pem), server certificate (server-cert.pem) & server key (server-key.pem)
I have a very good understanding of symmetric and asymmetric key encryption.
We use asymmetric keys to solve the key distribution problem (of symmetric keys) between two parties.
I understand that every certificate has a public key + the identity of the owner (that provides the certificate).
Questions:
1) Are ca-key.pem, server-key.pem & key.pem symmetric keys?
2) Why create a certificate authority (ca.pem)? Why do we need a private key (ca-key.pem) to create the certificate authority?
3) Why do we need a private key to create the CSR? Because it contradicts the diagram (above)?
4) Why create a certificate signing request (CSR) before creating a certificate, for both client & server?
5) Why do we need two certificates (server certificate server-cert.pem & client certificate cert.pem)?
6) Does openssl req -subj "/CN=dockerbuild.harebrained-apps.com" -sha256 -new -key server-key.pem -out server.csr create a server.csr that contains a public key + user identification? If yes, how is this public key different from the public key provided by the certificate (server-cert.pem)?
7) If there are no symmetric keys created in the above process, then how do client & server communicate with encryption?
8) How do server-key.pem/server-cert.pem/ca.pem (uploaded on the server) work with key.pem/cert.pem/ca.pem (on the client)?
1) Are ca-key.pem, server-key.pem & key.pem symmetric keys?
These are asymmetric keys. There are no symmetric keys at all involved when creating certificates. Symmetric keys are only involved in the actual encryption in TLS.
2) Why create a certificate authority (ca.pem)? Why do we need a private key (ca-key.pem) to create the certificate authority?
A CA is a trust anchor. The private key of the CA is used to issue (sign) new certificates. The CA certificate containing the public key is trusted by the party that wants to verify the certificate. See SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? to get a better idea of how CA certificates, leaf certificates and signatures (made using the private key) play together.
It is not actually necessary to have a CA, i.e. one could use a self-signed certificate. But in this case each party that wants to verify the connection using the certificate needs to have some previous knowledge of each self-signed certificate it should be able to verify. This does not scale well, i.e. it is easier to explicitly trust a CA and then derive from this trust into the certificates issued by the CA.
3) Why do we need a private key to create the CSR? Because it contradicts the diagram (above)?
The CSR gets signed to prove that you own the private key matching the public key in the CSR (and thus in the future certificate).
4) Why create a certificate signing request (CSR) before creating a certificate, for both client & server?
Usually the CSR is created by a different party than the CA. In this case the CSR is a signed container which provides information about the certificate the party wants to have issued. It is not technically needed to create a certificate, but organizationally.
5) Why do we need two certificates (server certificate server-cert.pem & client certificate cert.pem)?
We don't. Usually only the server certificate is needed to make sure that the client communicates with the correct server. Client certificates are only needed with mutual authentication, where the server wants to authenticate the client too using a certificate.
6) Does server.csr contain a public key + user identification? If yes, how is this public key different from the public key provided by the certificate?
The public key in the CSR is the same as in the certificate. There is user-specific information in the certificate (the domain), but the CA must verify through other means that this information is actually correct (i.e. the user owns the domain) before issuing the certificate.
7) If there are no symmetric keys created in the above process, then how do client & server communicate with encryption?
The TLS handshake contains an authentication part (checking that the server is the expected one based on the certificate) and a key exchange. The latter generates the symmetric keys used for encrypting the application data. See How does SSL/TLS work? for the details.
8) How do server-key.pem/server-cert.pem/ca.pem (uploaded on the server) work with key.pem/cert.pem/ca.pem (on the client)?
The private key of the server certificate is used to sign some challenge inside the TLS handshake in order to prove that the server owns the given certificate. The private key of the client certificate is used in a similar way if mutual authentication is done. The CA certificate is used to verify the certificate (again, see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?).
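To make these answers concrete, here is an added shell example (not code from any of the posts in this thread): it builds a private CA, a server key and CSR, has the CA sign the CSR, then checks that the key file, the CSR and the certificate all carry the same public key (question 6, and the reason a certificate is useless on a host that lacks its key, as in the first question), that the CSR is signed with the private key (question 3), and that a chain file concatenated as in the earlier thread contains both certificates and verifies against the CA. It assumes a local openssl binary; the file and host names (testCA, newServer, newserver.example) are constructed.

```shell
#!/bin/sh
# Added example: private CA, server key/CSR, CA-signed leaf, and the checks
# discussed in the thread. All file names (testCA, newServer) are constructed.
set -eu

# Create the CA and the server artefacts under directory $1.
build_pki() {
    mkdir -p "$1"
    # CA: private key plus self-signed root certificate (-x509 skips the CSR step)
    openssl genrsa -out "$1/testCA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/testCA.key" \
        -subj "/CN=Test Root CA" -out "$1/testCA.crt"
    # Server: private key, then a CSR that is signed with that private key
    openssl genrsa -out "$1/newServer.key" 2048 2>/dev/null
    openssl req -new -key "$1/newServer.key" \
        -subj "/CN=newserver.example" -out "$1/newServer.csr"
    # The CA issues the leaf certificate from the CSR
    openssl x509 -req -days 365 -in "$1/newServer.csr" \
        -CA "$1/testCA.crt" -CAkey "$1/testCA.key" -CAcreateserial \
        -out "$1/newServer.crt" 2>/dev/null
    # nginx wants the leaf first, then the issuing CA certificate, in one file
    cat "$1/newServer.crt" "$1/testCA.crt" > "$1/newServer-chain.crt"
}

# SHA-256 of the public key held in a key file, a CSR or a certificate.
pubkey_digest() {  # $1 = key | req | x509, $2 = file
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        req)  openssl req -in "$2" -pubkey -noout ;;
        x509) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl dgst -sha256 | cut -d' ' -f2
}

# Exit 0 when the CSR's signature verifies under the public key it carries.
csr_signature_ok() { openssl req -in "$1" -verify -noout >/dev/null 2>&1; }
# Number of PEM certificates in a bundle; a chain file holds more than one.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# Exit 0 when certificate $1 chains to the trusted CA file $2.
verify_leaf() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

work=$(mktemp -d)
build_pki "$work"
for kind in key:newServer.key req:newServer.csr x509:newServer.crt; do
    echo "${kind%%:*} pubkey sha256: $(pubkey_digest "${kind%%:*}" "$work/${kind#*:}")"
done
echo "certificates in chain file: $(count_certs "$work/newServer-chain.crt")"
csr_signature_ok "$work/newServer.csr" && echo "CSR signature: OK"
verify_leaf "$work/newServer.crt" "$work/testCA.crt" && echo "leaf verifies against CA: OK"
```

The three digests printed are identical, which is what "the public key in the CSR is the same as in the certificate" means on disk.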
I am trying to understand the relationship between the client and the server in the context of an SSL connection. Am I correct in understanding that the fact that the same certificate authority (me, in the example below) signs both the server and the client certificate is what makes them able to communicate? Thus, that the server only accepts communication when the client authenticates with a client certificate signed by the same CA as the server certificate, and that this is essential to the idea of an SSL connection?
(script underneath comes directly from http://blog.nategood.com/client-side-certificate-authentication-in-ngi)
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# The serial must differ from the server certificate's, since the same CA issues both.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
server {
listen 443;
ssl on;
server_name example.com;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
}
The short answer is No. These are two separate aspects.
Here:
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
You are configuring the server certificate, which needs to be trusted by the client.
And here:
ssl_client_certificate /etc/nginx/certs/ca.crt;
You configure the certification authority to verify your clients' certificates against.
"Must server and client certificate be signed by same CA in SSL"
Short answer is, it can be, but it is not necessary.
To see why, let's break down the steps without too many technical details.
From your point of view when setting up the nginx server, you want to achieve 2 goals.
1) Prove the identity of your server. For this you get a CA to sign your server certificate and present it to a client that connects to your server.
2) Verify the identity of the client connecting to the server. For this, you define the list of CAs that you trust to sign the client's certificate. When a client connects to your server, you check if the client certificate presented is signed by one of the CAs in your list.
That's not the end. Let's look at the client's end.
The client also wants to achieve 2 goals.
1) Prove the client's identity when connecting to your server. For this, the client gets a CA to sign its client certificate and presents it to your server when connecting. Here is the catch: the CA that signs the client certificate must be in your server's list of CAs.
2) Verify the identity of your server. For this, the client has to trust the CA that signs your server's certificate. How is this done? Typically this list is predefined on the system or browser, so it happens transparently. But if you are writing a client, then you may have to define this list of trusted CAs or just let the client know the CA that signs your server certificate.
So, it can happen that the CA signing the server and the client is the same, but it is not necessary. It all depends on the list of CAs defined on both the server and the client.
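As an added example of this point (not the question's script and not nginx's code), the following shell script creates one CA for the server certificate and a separate one for the client certificate, then runs the chain checks that a browser and nginx's ssl_client_certificate directive respectively perform. It assumes a local openssl binary; all names (serverCA, clientCA, alice, example.com) are constructed.

```shell
#!/bin/sh
# Added example: the server certificate and the client certificate come from
# two different CAs. All names (serverCA, clientCA, alice) are constructed.
set -eu

# Self-signed CA named $2 under $1 (writes $1/$2.key and $1/$2.crt).
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.crt"
}

# Leaf certificate $3 with CN=$4 under $1, signed by CA $2, with serial $5.
# A CA must give every certificate it issues a distinct serial number.
issue_cert() {
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
    openssl req -new -key "$1/$3.key" -subj "/CN=$4" -out "$1/$3.csr"
    openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial "$5" -out "$1/$3.crt" 2>/dev/null
}

# Exit 0 when certificate $2 chains to the CA bundle $1 (what a verifier checks).
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build both CAs and one leaf certificate under each.
build_two_ca_setup() {
    mkdir -p "$1"
    make_ca "$1" serverCA
    make_ca "$1" clientCA
    issue_cert "$1" serverCA server example.com 1
    issue_cert "$1" clientCA client alice 1   # same serial as server.crt is fine: different issuer
}

w=$(mktemp -d)
build_two_ca_setup "$w"
# Browser side: server.crt is trusted once serverCA.crt is in the browser's store.
chains_to "$w/serverCA.crt" "$w/server.crt" && echo "server.crt: trusted via serverCA"
# nginx side with:  ssl_client_certificate /path/to/clientCA.crt;
chains_to "$w/clientCA.crt" "$w/client.crt" && echo "client.crt: accepted via clientCA"
# nginx side if ssl_client_certificate pointed at serverCA.crt instead:
chains_to "$w/serverCA.crt" "$w/client.crt" || echo "client.crt: rejected via serverCA"
```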
Server certs and Client certs are used in completely different ways.
The only similarities are:
They both contain the word certificate
They both use public & private keys for encryption
I have Tomcat-Apache set up to serve my application on 443 (Apache).
I configured Apache with the root certificate and key to enable HTTPS access for my application.
On the server I had to install this certificate into the user's personal store for HTTPS access.
The problem is that if a client wants to access it, they need to manually install the certificate first. These are self-signed certificates generated via OpenSSL.
openssl req -new -x509 -days 1024 -key ca.key -out ca.crt -config openssl.cnf
Is there a way to configure Apache, or install certificate in another store for client to trigger auto installation of certificate while accessing the site?
I'm setting up a MySQL server and am trying to have a MySQL client connect to it over SSL. I'm going to be using a self-signed certificate for this. Reading the MySQL documentation on setting up SSL, I see that I have to specify the paths to the following files:
the SSL root CA
the SSL certificate
the SSL private key
In this particular case, should I be setting both the root CA and the certificate to my self signed certificate?
Example of how to properly create a self-signed SSL certificate.
Su to root and create a directory that only the root account has access to.
su -
mkdir certificates
chmod 700 certificates
cd certificates
Use openssl to generate a server key
openssl genrsa -des3 -out server.key 4096
Openssl will request a pass phrase. Type in a sentence that is long and complex but that you can remember (you'll have to type it at least twice). Try to make it at least 40 characters long, with punctuation and capital and lowercase letters. The more different characters you use the better.
Then create the certificate signing request with the server key you created in step 2.
openssl req -new -key server.key -out server.csr
Sign your certificate using OpenSSL.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
You can set your certificate for any number of days, but I recommend 365 so that you remember to update it once a year.
Once you're done, you'll have the following files:
server.crt: The self-signed server certificate
server.csr: Server certificate signing request
server.key: The private server key, does not require a password when starting Apache
Place those files where they are required for your Web server, and turn on HTTPS. (If you don't know how, contact your server administrator.)
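As an added example (not the answer's own commands), this shell script creates a self-signed certificate in one step, with the subjectAltName that browsers require, and then shows what self-signed means in practice: issuer equals subject, the system trust store rejects it, and it verifies only when the same file is supplied as the CA, which is what a setup that uses one self-signed file as both root CA and certificate, as in the MySQL question above, relies on. It assumes OpenSSL 1.1.1 or later (for -addext); the hostname www.example.test is constructed.

```shell
#!/bin/sh
# Added example: one-step self-signed certificate and what "self-signed"
# means for verification. The hostname www.example.test is constructed.
set -eu

# Key + self-signed certificate for hostname $2 under $1 (no passphrase: -nodes).
make_self_signed() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Exit 0 when the certificate's issuer and subject names are identical.
issuer_matches_subject() {
    i=$(openssl x509 -in "$1" -noout -issuer)
    s=$(openssl x509 -in "$1" -noout -subject)
    [ "${i#issuer=}" = "${s#subject=}" ]
}

# Exit 0 when the certificate verifies with the system trust store alone.
verify_system_store() { openssl verify "$1" >/dev/null 2>&1; }
# Exit 0 when certificate $2 verifies with $1 as the trusted CA file.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

w=$(mktemp -d)
make_self_signed "$w" www.example.test
issuer_matches_subject "$w/server.crt" && echo "issuer == subject: self-signed"
verify_system_store "$w/server.crt" || echo "system trust store: rejected"
verify_with "$w/server.crt" "$w/server.crt" && echo "used as its own CA file: verified"
openssl x509 -in "$w/server.crt" -noout -subject -dates -ext subjectAltName
```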