SSL/TLS enabling - openssl - ssl

From here, I learnt that, we need a public key and user identification:
to create CSR
Goal is to establish SSL/TLS connections between two nodes(client & server).
Based on the above diagram, my understanding is, to give public key as input to create CSR but step 4 uses private key(server-key.pem) to create CSR(server.CSR)
Step 1) Create certificate authority key(private key)
$ openssl genrsa -aes256 -out ca-key.pem 4096
Step 2) Create Certificate authority(root certificate) with the input(ca-key.pem)
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Step 3) Create a private key for web server
$ openssl genrsa -out server-key.pem 4096
Step 4) Create Certificate signing request(CSR) by entering user identification. This will create public key in-turn.
$ openssl req -subj "/CN=dockerbuild.harebrained-apps.com" -sha256 -new -key server-key.pem -out server.csr
Step 5) Add the configuration
$ echo subjectAltName = IP:40.xx.xx.164,IP:10.0.0.4,IP:127.0.0.1,DNS:dockerbuildsys.westus.cloudapp.azure.com,DNS:dockerbuild.harebrained-apps.com > extfile.cnf
Step 6) Create server certificate
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Step 7) Create client private key
$ openssl genrsa -out key.pem 4096
Step 8) Create CSR for client by entering user identification
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Step 9) Certificate extension file for client
$ echo extendedKeyUsage = clientAuth > extfile.cnf
Step 10) Create client certificate
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Step 11) Removing signing requests
$ rm -v client.csr server.csr
Step 12) Remove write permissions on keys
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
Step 13) Read permissions to certificate for every user
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
Step 14) Uploaded on server side, Certificate authority(ca.pem), server certificate(server-cert.pem) & server key(server-key.pem)
I have very good understanding on symmetric and asymmetric key encryption.
We use asymmetric keys to solve key distribution problem(symmetric key) between two parties
I understand that, every certificate has public key + Identity of owner(that provides certificate)
Questions:
1) Are ca-key.pem, server-key.pem & key.pem symmetric keys?
2) Why to create Certificate authority(ca.pem)? Why do we need a private key(ca-key.pem) to create Certificate authority?
3) Why do we need a private key to create CSR? Because it contradicts with the diagram(above)?
4) Why to create Certificate Signing Request(CSR) before creating a certificate? both client & server
5) Why do we need two certificates(server certificate server-cert.pem & client certificate cert.pem)?
6) Does openssl req -subj "/CN=dockerbuild.harebrained-apps.com" -sha256 -new -key server-key.pem -out server.csr create server.csr that contain a public key + user identification? If yes, how this public key different from the public key provided by certificate(server-cert.pem)?
7) If there are no symmetric keys created in the above process, then how client & server communicate with encryption?
8) How server-key.pem/server-cert.pem/ca.pem(uploaded on server) work with key.pem/cert.pem/ca.pem(on client)?

1) Are ca-key.pem, server-key.pem & key.pem symmetric keys?
These are asymmetric keys. There are no symmetric keys at all involved when creating certificates. Symmetric keys are only involved for the actual encryption in TLS.
2) Why to create Certificate authority(ca.pem)? Why do we need a private key(ca-key.pem) to create Certificate authority? Because it contradicts with the diagram(above)
A CA is a trust anchor. The private key of the CA is used to issue (sign) new certificates. The CA certificate containing the public key is trusted by the party which likes to verify the certificate. See SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate? to get a better idea how CA certificates and leaf certificates and signatures (done using the private key) play together.
It is not actually necessary to have a CA, i.e. one could use a self-signed certificate. But in this case each party who like to verify the connection using the certificate needs to have some previous knowledge of each self-signed certificate it should be able to verify. This does not scale well, i.e. it is easier to explicitly trust a CA and then derive from this trust into the certificates issues by the CA.
3) Why do we need a private key to create CSR? Because it contradicts with the diagram(above)?
The CSR gets signed to prove that you own the private key matching the public key in the CSR (and thus in the future certificate).
4) Why to create Certificate Signing Request(CSR) before creating a certificate? both client & server
Usually the CSR is created by a different party than the CA. In this case the CSR is a signed container which provides information about the certificate the party likes to have issued. It is not technically needed to create a certificate but organizationally.
5) Why do we need two certificates(server certificate server-cert.pem & client certificate cert.pem)?
We don't. Usually only the server certificate is needed to make sure that the client communicates with the correct server. Client certificates are only needed with mutual authentication where the server likes to authenticate the client too using a certificate.
6) Does server.csr contain a public key + user identification? If yes, how this public key different from the public key provided by certificate?
The public key in CSR is the same as in the certificate. There are user specific information in the certificate (the domain) but the CA must verify through other means that these information are actually correct (i.e. user owns the domain) before issuing the certificate.
7) If there are no symmetric keys created in the above process, then how client & server communicate with encryption?
The TLS handshake contains an authentication part (check that the server is the expected one based on the certificate) and a key exchange. The latter generates symmetric keys used for encrypting the application data. See How does SSL/TLS work? for the details.
8) How server-key.pem/server-cert.pem/ca.pem(uploaded on server) work with key.pem/cert.pem/ca.pem(on client)?
The private key of the server certificate is used to sign some challenge inside the TLS handshake in order to prove that the server owns the given certificate. The private key of the client certificate is used in a similar way if mutual authentication is done. The CA certificate is used to verify the certificate (again, see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?).

Related

how to remove or revoke openssl self signed certificates

Recently i have created self signed ssl certificates with the following commands
STEP 1: Create the server private key
openssl genrsa -out main.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key main.key -out main.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in tls.csr -signkey main.key -out main.crt
i haven't added ssl certificate info, in to my apache default file in : site-enabled config folder
but after an apache restart it took effect and i am able get https connection, but with a warning.
now i want to remove those self signed certificate. is that possible ?
i tried to revoke those certificates with this command - openssl ca -config /root/tls/openssl.cnf -revoke /certs/server-1.crt
but the above command didnt work .
i am currently very new to ssl certificate generation. any help is appreciated.

RSA 2048 self signed certificate not being accepeted by NLB TCP listener

i am trying to create a self signed certificate using openssl following the docs https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-ssl.html
i tried to add the generated private and public pem files to my NLB TCP listener as a self signed certificate and it is failing with the below exception.
Error creating listener The imported certificate's configuration is not compatible and will not appear in the list of available certificates for your listeners. Select or upload a different certificate and try again.
I saw that NLB allows RSA 2048 certs. Not sure why the console is showing the error display.
You need to generate a RSA 1024 or 2028 certificate. check the valid certificates that ACM supports. i used the below commands to generate the self signed certificate
openssl genrsa -out private-key.pem 1024
openssl rsa -in private-key.pem -pubout -out public-key.pem
openssl req -new -x509 -key private-key.pem -out cert.pem -days 3600
mention the country, state and domain name. I initially missed the domain name because of which NLB listener wasn't accepting the certificate.

SSL/TLS certificate management (key, crt, and pem)

I have a question about TLS/SSL (self-signed certificates)
I am trying to open a connection using several tools (ncat, socat) by using TLS/SSL.
Of course first i need to generate certificate. (Key is a KEY, and Cert is a CERT, PEM is an encoded format). I have found 2 different ways.
1) openssl req -new -x509 -keyout test-key.pem -out test-cert.pem.
2) openssl req -newkey rsa:2848 -nodes -keyout test.key -x589 -out test-cert.crt
cat test-key.key test-cert.crt > test-pem.pem
My questions:
Why at the end of the day we combine CERT with KEY? Should not CERT already have KEY inside?
Why on most tutorials, we send(by listener on socat/ncat) key with cert, if cert already have a key?
(Assume we do not verify cert)
Thanks for support.
SOLVED.
Should not CERT already have KEY inside?
The certificate has the public key inside. The key file is the private key. The public key can be visible to others (as does the rest of the certificate), the private key should be kept secret.

Use of CA certificate in Certificate creation

I have read an article on how to create a local SSL certificate. The steps are basically as below:
1. create a key pair
openssl genrsa -des3 -out applicant.key 2048
2. create a certificate signing request
openssl req -new -sha256 -nodes -out applicant.csr -key applicant.key -config someCert.csr.cnf
3. create a cert for the applicant using the ca.key(private key) and cacert.pem (CA certificate)
openssl x509 -req -in applicant.csr -CA cacert.pem -CAkey ca.key -CAcreateserial -out applicant.crt -days 500 -sha256 -extfile localdomain.v3.ext
I got a few question regarding the steps.
a) When we create the key in step 1, is it a key pair or just private key?
b) When creating a certificate signing request in step 2, do we need a public key or private key?
c) When create a cert from CA, why do we need both ca private key and ca certificate? I believe the ca private key is used for digital signature, but what's the purpose of CA certificate?
When we create the key in step 1, is it a key pair or just private key?
applicant.key contains both the public and private elements. You can see them with openssl rsa -text -nout -in applicant.key, or in a more basic form with dumpasn1 or similar.
When creating a certificate signing request in step 2, do we need a public key or private key?
Both. You need the public key as that is going to be certified by the CA. You need the private key as you sign the CSR with this to provide Proof of Possession of the public key.
When create a cert from CA, why do we need both its private key and ca certificate?
Again, both. You need the private key in order to sign the certificate. You also need the CA certificate so that the CA can extract information used during the signing process from it.
As a minimum, this is the Subject field of the CA certificate which is used as the Issuer field of the signed certificate.
Another example is the AuthorityKeyIdentifier extension in the CA certificate, whose value is used as the SubjectKeyIdentfier extension in the applicant's certificate.
However, CAs are at liberty to use whatever they need. For example, Microsoft CAs will check the expiry date on the CA certificate and not issue an applicant a certificate that expires past this date (it truncates the validity of the certificate). In order to do that, it needs access to the CA certificate.

How to get a certificate from a CA?

I need to get a certificate from a certificate authority with .crt extension.
I used openssl commands but it generates a self-signed certificate which is not suitable for my use.
$ openssl genrsa -out client.key 4096
$ openssl req -new -x509 -text -key client.key -out client.cert
How can I obtain a certificate form a CA in Ubuntu 16.04? I need .key and .crt files.
These are the steps you would need to do to get a certificate signed by a CA.
Generate a Asymmetric Key Pair.
openssl genrsa -out localhost.key 2048
Generate a PKCS#10 (Certificate Signing Request) from the Key Pair.
openssl req -new -sha256 -key localhost.key -out localhost.csr
Send the above generated request to the CA (different CA's have different ways of receiving your request).
CA replies with a PKCS#7 (Certificate Chain) or just the signed certificate (you will usually get the entire certificate chain, but if you just got only the peer certificate, you can check with them where you can get the CA certificate chain to construct the chain yourself).
You can convert the above received PKCS#7 to PEM format
openssl pkcs7 -in localhost.p7r -inform DER -out localhost.pem
-print_certs
Associate the above PEM certificate chain to the private key you generated in the step 1.
openssl pkcs12 -export -inkey localhost.key -in localhost.pem -name
sslCertificate -out localhost.pfx
You now have a PKCS#12 keystore that you can use to secure your server.
So to answer you question, this is how you could proceed with step 3.
There are many well known Certificate Authorities out there (GeoTrust, Entrust, Verisign, GoDaddy, Comodo, etc, ...). Each CA could be different on their pricing depending on what kind of certificate you are requesting. You can visit their official web page(s) to know more about what they have to offer. Once you have decided which CA to go with, you use their service to request a certificate to be signed (usually online on their site).