Masterclass in openSSL

In this masterclass video you get one hour of in-depth education on using OpenSSL in Linux. We first look at self-signed OpenSSL certificates, but quickly see their limitations. From there we build the full PKI hierarchy: the OpenSSL root CA certificate, an intermediate CA and the server keys. We see how the sub CA is signed with the root CA and how the sub CA is then used to sign the server certificates. We see how clients can be made to trust the root CA, and we end the OpenSSL masterclass demonstration by starting an OpenSSL test server before configuring nginx with HTTPS.

00:00 Intro
02:06 SSH Trust and Encryption
03:30 Create the directory structure
07:30 Self Signed Keys
13:30 Private Keys
18:47 Create the Root CA Certificate
26:35 Create the Intermediate CA
36:15 Create the Server Certificate
44:30 Test the PKI Structure

The root-ca .conf file follows. You can edit this same file to become the sub-ca .conf: change the dir variable and the policy.

[ca]
#see man ca
default_ca = CA_default

[CA_default]
dir = /root/ca/root-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand
# openssl ca needs the CA's own certificate and private key; set them here
# or pass them on the command line with -cert and -keyfile.
# The filenames are assumed to match the ones used in the video; adjust to yours.
certificate = $dir/certs/ca.crt
private_key = $dir/private/ca.key

crlnumber = $dir/crlnumber
crl_extensions = crl_ext
default_crl_days = 30

default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
# organizationName must be prompted for, because policy_strict requires it to match the CA
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = GB
stateOrProvinceName_default = England

[ v3_ca ]
# Extensions to apply when creating the root CA
# Extensions for a typical CA, man x509v3_config
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions to apply when creating intermediate or sub-ca
# Extensions for a typical intermediate CA, same man as above
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#pathlen:0 ensures no more sub-ca can be created below an intermediate
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
# nsCertType and nsComment are legacy Netscape extensions; harmless, but modern clients ignore them
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Referenced by crl_extensions above; openssl ca -gencrl fails without this section
authorityKeyIdentifier = keyid:always
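The full chain as a worked example added here (it is not the video's own script): it builds root, intermediate and server certificates with openssl ca using a trimmed copy of the extension sections above, adds the subjectAltName that current browsers require on the server certificate, and verifies the result. The throwaway directory layout, the CN values and the name www.example.test are assumptions.

```shell
# Added example (not the video's own script): root -> intermediate -> server with the page's
# extension sections via "openssl ca", plus a subjectAltName on the leaf, then a chain check.
# Runs in a throwaway directory; all names and paths are assumed.
set -eu
build_pki() {
  W=$(mktemp -d) && cd "$W" && mkdir newcerts && : > index && echo 1000 > serial
  cat > ca.conf <<'EOF'
[ca]
default_ca = CA_default
[CA_default]
new_certs_dir = newcerts
database = index
serial = serial
default_md = sha256
policy = policy_loose
[policy_loose]
commonName = supplied
[req]
distinguished_name = dn
[dn]
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[v3_intermediate_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[server_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  REQ="openssl req -config ca.conf -nodes -newkey rsa:2048"; CA="openssl ca -config ca.conf -batch -days 365"
  # Root CA: self-signed with v3_ca (the "Create the Root CA Certificate" step)
  $REQ -x509 -extensions v3_ca -subj /CN=Root -days 3650 -keyout root.key -out root.crt 2>/dev/null
  # Intermediate: CSR signed by the root with v3_intermediate_ca; pathlen:0 blocks further sub-CAs
  $REQ -new -subj /CN=Sub -keyout sub.key -out sub.csr 2>/dev/null
  $CA -cert root.crt -keyfile root.key -extensions v3_intermediate_ca -in sub.csr -out sub.crt 2>/dev/null
  # Server: signed by the intermediate; the SAN comes from server_cert, not from the CSR
  $REQ -new -subj /CN=www.example.test -keyout srv.key -out srv.csr 2>/dev/null
  $CA -cert sub.crt -keyfile sub.key -extensions server_cert -in srv.csr -out srv.crt 2>/dev/null
  # The leaf must chain to the root via the intermediate and must carry the SAN
  openssl verify -CAfile root.crt -untrusted sub.crt srv.crt >/dev/null
  openssl x509 -in srv.crt -noout -ext subjectAltName | grep -q 'DNS:www.example.test'
}
```

Call build_pki from a shell that has openssl 1.1.1 or newer on the PATH; it returns non-zero as soon as any step fails.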
Comments

Wow, it's been a long time since I've seen an enjoyable, deep and detailed PKI video presented by somebody who really knows what he is talking about and makes himself crystal clear by explaining every "if" and "why"!

qsyecjb

A million-dollar stuff is now freely available to everyone. Thank you!!!!

sreekanthk

This is an outstanding video. For anyone viewing in 2022, note that browsers now require the subjectAltName extra, so cert signing requests formed without this will not be accepted. This shows as the somewhat unhelpful error

oddlytimbotwillison

Some great little nuggets in this tutorial. I feel like I'm learning a lot more than some of the other courses I've looked at. Still overwhelmed by it.
We'll get there

purplemonkeydishwasher

Can only imagine how offended the fourth horseman is right now :-)

Apart from the above, this is a fantastic little lecture.

kettelman

Well I watched about half of the video and I was so lost that I just stopped... :-)
It was not you, it was me. I have no idea what I would use this for so I did not see the point of finishing...
What I did watch was very well done. I am sure that someone needing this information will be happy as a lark! Lol
Thank you for the video!
LLAP

BrucesWorldofStuff

This is brilliant! Thank you. I didn't know about openssl running a server to test. Learned something new.

arifsali

Thank you! I watch this video for the second time in the last few years, this is my go-to for a refresher in openSSL.

bmircea

48:30 If you are working with a Debian system, you need to do the following to make this work:
as "root", copy your "ca.crt" into the directory
cp ~/ca/root-ca/certs/ca.crt
next you need to update the ca-certificates
dpkg-reconfigure ca-certificates
you can choose either "yes" or "ask" and after the script finishes you see:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in
Adding debian:ca.crt
done.
done.

guidoslomka

Very good tutorial apart from two things: a) Use of CN for the server hostname was deprecated like literally 20 years before this tutorial was created. And Firefox and Chrome stopped allowing it mere months after the tutorial appeared. b) The author should warn people that "openssl ca" is not a command you want to use in a production environment because it's quite buggy and it's very easy to corrupt your index database or similar. Openssl's own documentation admits as much.

ald

Thank you for this. I'm a junior sysadmin and the company I work for recently created a new CA to sign certs for a large number of iOS devices. I didn't undertake the work, but was curious as to how they implemented it. This video has given me much greater insight into how they achieved the task. What's also interesting is the different certificate requirements iOS has between iOS 12/13 and now 14.

danielfulford

If I'm being honest, I'm probably not going to understand it properly until I actually use it in my live env, and my env is just a simple server I want to make on my Raspberry Pi 4. But I know how important security is and will learn it. Thank you for this guide!

tockar

Hello, you are a great teacher and you have a wonderful channel.

albertomel

I mostly use OpenSSL to merge end user certs + intermediate certs + key files to create a PFX for IIS server upload, but this was interesting content as well.

logicawe

This video is absolutely phenomenal. Thank you.

simaphore

This is such a great video! Very nice explanation and demonstration!

josefarid

Wow, this video is gold, amazing explanation, thanks.

diegoramos

Very useful information. Well presented, and quite entertaining.

richardmcatee

Excellent video and tutorial. You made it fun to learn. Kudos!

SupraRyu

Awesome content! It will help me with LPIC 303 exam! Much appreciated!

rapaero