Re: Newbie question - Signing CSR's (picture enclosed)

2003-08-20 Thread Rohan Pinto 
So...

if the CASr has been generated
and the CSR has been sent to the CA (running openssl)
whats the command (in openssl) to sign this CSR ??
anything on the lines of..

./openssl -some parameters- request.CSR -some parameters-
signedCSR.cer ??

Rohan
- Original Message -
From: Charles B Cranston [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 12:50 PM
Subject: Re: Newbie question - Signing CSR's (picture enclosed)


 Sometimes a picture is worth a thousand words:

 The Standard Model of Certificate generation:

 On the server machine: Generate CSR operation


+-+   +-+
| Private Key |   | Certificate Signing Request |
+--+--+   | |
   v  |   ++|
  |   | Public Key ||
  |   ++|
  | |
  |Distinguished Name |
  | |
   Note: hash is signed   |   ++|
   by private key above   |   |Hash||
  |   ++|
  +--+--+
 |
 | Sent to CA for signing
 v
  +-+
 CA can use public key   | Certificate |
 from CSR to check   | |
 signature on hash to|   ++|
 prevent alteration of   |   | Public Key ||
 CSR by adversary|   ++|
  | |
  | Issuer Distinguished Name |
  | |
  | Subject DistinguishedName |
  | |
 Note: hash is signed|   ++|
 by private key of root  |   |Hash||
  |   ++|
  +--+--+
 |
 | Returned to server
 v

 In secure site operation:

 Server presents certificate to client

 Client uses public key of root (obtained from preconfigured root
 certificate) to check hash to ensure certificate has not been forged.

 Client rolls a random number and encrypts it with the public key from
 the server certificate, then returns it to the server.

 Server decrypts this with server private key and both sides use it
 as a symmetric key for conventional (e.g., DES) cryptography.

 Eavesdropper does not have access to private key so cannot decrypt.
 Man-in-the-middle attacker does not have access to private key so
 cannot decrypt.

 --
 Charles B (Ben) Cranston
 mailto: [EMAIL PROTECTED]
 http://www.wam.umd.edu/~zben

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Newbie question - Signing CSR's

2003-08-20 Thread Rohan Pinto 
I keep getting a error when i try this.

i generated privkey.pem by using

./openssl genrsa -out privkey.pem 2048

AND cacert.pem by using
./openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Then I generated a CSR from my webserver (on a different domain/different
box different instalce altogether) named it mev.csr.pem
transfered that file over to the box running openssl.

 ./openssl x509 -req -in mev.csr.pem -CA cacert.pem  -CAkey
rivkey.pem  -days 1024 -out mev.cert.pem
Signature ok
subject=/C=US/ST=California/L=San Jose/O=MEV DEMO LAB
SERVER/OU=RandD/CN=www.mev.com
Getting CA Private Key
Enter PEM pass phrase:
cacert.srl: No such file or directory
2279:error:02001002:system library:fopen:No such file or
directory:bss_file.c:245:fopen('cacert.srl','r')
2279:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

looks like it's looking for a file cacert.srl, but I never specified this
filename,

any insight on this

Rohan
- Original Message -
From: Charles B Cranston [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 12:21 PM
Subject: Re: Newbie question - Signing CSR's


 Rohan Pinto wrote:
  I wrote
 What you need to do is:

 1. create a root certificate
 2. install that root certificate into all your web browsers
 3. create a CSR on the server
 4. use the root to sign that CSR into a server certificate

  This is the part that i would need help on. I have created a root
  certificate, I've imported that into all my web browsers and also on the
  webserver. I have also crested a cSR from the webserver. I dont know how
to
  sign the CSR  If I could get some advise on jow to sign a CSR i
would at
  leats get an understanding of the flow. From what i have understood so
  far... I used the rootCA private key while signing the CSR. The
webservers
  public key is sittign somewhere on the webserver. i would need to use
that
  key to sign the CSR. The question is. how do i get that key?. Also I
am
  confused as i believed that the webservers key would be embedded in the
CSR.

 You are doing fine until you get to signing the CSR with the
 webserver's public key which is sitting somewhere on the webserver.

 Important theoretical points

 1. The CSR IS the webserver's public key, plus some ID info

 2. The CSR is made INTO the Certificate by signing with the
 root's private key (not any server key nor any public key)

 3. The webserver's PRIVATE key is the one sitting somewhere on
 the webserver

 4. The Certificate IS the webserver's public key (as obtained
 from the CSR) and is SIGNED using the root's private key.
 Why?  So the root's public key, which EVERYBODY has access to,
 can be used to VERIFY that the certificate has not been forged.

 So, take the CSR from the webserver machine to the machine where
 you are running OpenSSL.  Sign the CSR into a certificate using
 the private key from the root certificate.  This can be done with
 either the ca tool (or something like CA.PL which calls it) or
 with the x509 tool.  Take the certificate back and install it
 into the webserver.  The way to do this varies from webserver to
 webserver but go to

 http://www.ssl.com/support/installation.jsp

 and look at the menu over on the right hand side.  Find your
 webserver software and see if they have good installation
 documentation.  This is a VERY well done web site.

 5. install the server certificate on the server

  Wish i could get some pointers on the the steps to sign a CSR thats
  generated from a webserver (which resides on abcd.com domain) using
   openssl that resides on (xyz.com)

 on xyz.com:

 ftp abcd.com
 get server.csr.pem
 quit
 openssl x509 -req -in server.csr.pem \
  -CA root.cert.pem -CAkey root.key.pem more options \
  -out server.cert.pem
 ftp abcd.com
 put server.cert.pem

 Under more options there is -CAserial to set a serial number,
 maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the
 certificate lifetime, etc.  Some of these things can be set in the
 OpenSSL configuration file.  I'd look at man x509.

 Alternatively, signing can be done with the ca tool, but I'm
 not so familiar with it.  It requires an infrastructure of a data
 file and a serial number file and directories of various things etc
 and since I based our database on Oracle it seemed too high-level and
 high-maintenance to use.  Unfortunately it seems I need to use it
 for my personal identity and privacy PKIs since x509 doesn't seem
 to know how to process a SPKIX file.

 Sorry about my somewhat fuzzy (and in some places WRONG) answer
 before.  I should REALLY learn not to type anything in before noon.

 --
 Charles B (Ben) Cranston
 mailto: [EMAIL PROTECTED]
 http://www.wam.umd.edu/~zben

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List