Openssl

From docwiki
Jump to: navigation, search


Motivation

As we know: The traffic on the internet is constantly monitored and there are a lot of bad guys out there who want to hack into your systems. Encrypting the information is thus a must. With openssl we have a general purpose tool that helps you with all tasks regarding SSL encryption.

Here you get a quick overview of how to handle certificate with openssl.

SSL Terminology

When you build a service that is protected with SSL there are 2 options:

  1. Only the server has a certificate and anyone can connect, yet the traffic is encrypted.
  2. The Client also presents a certificate to the server and the server can allow or deny access based on that certificate.

Let's first try to understand the first case:

SSL/TLS works with public key encryption. The server has a public and a private key. When a client connects the public key is sent and that can be used to encrypt the information so that only the server can decypher it with its public key. In reality this is only used to negotiate an additional symmetric key that is only used during the session.

Now this works but there is one major weakness in this: Anyone can generate a pair of key. Even some hacker who diverted the network traffic and intercepts it. So you might think that you are on the website of your bank but in reality you are connected to somewhere else.

So there is a need to be able to decide which public key is legitimate. In SSH this is mainly solved by remembering the finger prints of the keys of your hosts. But that solution does not scale well.

So the public key is distributed with a so called certificate that is signed by a trusted authority.

This certificate contains public key, the name of the server, information about the owner and the period of validity, a reference to a certificate authority that has signed this key and the digital signature of that authority.

So the client can verify which authority has signed that key. The certificates of the authorities are stored and distributed within the common browsers. Usually the certificates of the servers are not signed directly but there are some intermediate instances in between. This is to be able to better protect the original (root) certificates.

When you have a private key you can turn that into a certificate request (CRQ). You send your .crq file to the authority and that will, after verifying your identity sign the request you request and send you a certificagte (CERT) or .crt ).

There are 2 common formats of how to distribute certificate and certificate requests. The one is DER (used in the windows world) and PEM format (used everywhere else).

The DER format is binary while the PEM format is base64 encoded text.

The relevant ISO norm is X509 and so those certificates are often refered to as x509.

Microsoft also sometimes uses .pkcs12 or .p12 files, which contain both private key and certificate.

For testing purposes people sometimes choose not to go through the process of getting their certificate signed by a CA (Certificate Authority) but simply choose to sign it with its own key. This is a so called self signed certificate.

If clients want to establish their identity via certificates as well (see point number 2 above) then the process is the same: You need to generate a key-pair for you and get your certificate signed. While server certificates have the name of the server included, in the case of client certificate, the email address is usually used.

openssl

Here are a few ways to use the openssl tool:

$ openssl req -new -nodes -newkey rsa:4096 -keyout mein.key -out mein.csr

The tool asks you a lot of questions. Important is the name of the server (the subjet or CN (common name)) which should match your server name.

The above creates a new certificate request (mein.csr) and also a new key (mein.key). The key will use RSA public key encryption with a keylength of 4096. The key will not be encrypted with DES.

Now you would be ready to submit the mein.csr file to a certificate authority and wait for them to sign it. Then they would return you a .crt file with your certificate. Now if you only need this for testing you can use a self signed certificate:

We pretend to be our own CA and sign the certificate with its own key:

$ openssl x509 -req -in mein.csr -signkey mein.key -out mein.crt -days 365

So now we have the mein.crt that contains a self signed certificate. All files are in PEM format.

$ cat mein.key
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDQF0GJJrXBDAIm
...
...
GHXwOGgSCRUYpjk/EIUUj4xQSLBGUQ==
-----END PRIVATE KEY-----

$ cat mein.crt
-----BEGIN CERTIFICATE-----
MIIFLzCCAxcCFCo25Ldy4esktmkw79sZxH1x0GCRMA0GCSqGSIb3DQEBCwUAMFQx
...
...
FLs5p2fVO1Xj4cpxuMgguiDFnxr3iWxnbMN9AStoJ2jE/Eo=
-----END CERTIFICATE-----


openssl also allows you to inspect that files to see the technical details. For this use the -text option. E.g.

$  openssl x509 -in mein.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            2a:36:e4:b7:72:e1:eb:24:b6:69:30:ef:db:19:c4:7d:71:d0:60:91
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AT, ST = Some-State, O = Internet Widgits Pty Ltd, CN = test.example.org
        Validity
            Not Before: Apr  1 17:23:29 2020 GMT
            Not After : Apr  1 17:23:29 2021 GMT
        Subject: C = AT, ST = Some-State, O = Internet Widgits Pty Ltd, CN = test.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
.....

SSL in Apache Configuration

Each program has their own way of how you configure the files where it can get the certificate and they key. Here is an example of how to do it in an Apache virtual host:

<VirtualHost 12.34.56.78:443>
SSLEngine on
SSLCertificateFile /opt/cert/mein.crt
SSLCertificateKeyFile /opt/cert/mein.key
ServerName test.example.org
DocumentRoot /var/www-test/
</VirtualHost>

openssl as a client to connect to ssl server ports

If you want to test a sever port and see which certificate they present you can use openssl as a client to connect to server ports. E.g.:

$ openssl s_client -connect www.orf.at:443

You will be presented with a ton of information. You can cut and paste the server certifcate from there and you see the chain of trust: Which CAs have signed that certificate.

Let's Encrypt

Is an NGO that was founded after the Snowden revelations. Since normal CAs would charge you money for the certifcate signing, a lot of smaller sites had no HTTPS connection. In order to provide free certificates for all Let's Encrypt was founded.

Let's encrypt only verifies that you have control over your web server by asking you to put some text file under a certain URL. When you can do this they give you a signed certificate for your server. The whole process can more or less be automated.

Exercises

  • Use openssl to create you own pair of private key and certificate.
  • Use openssl to connect to an https port of a server of your choice and inspect their certificate.