Public Key Infrastructure (PKI) Certificates using OpenSSL

 Documentation: http://www.openssl.org/docs/apps/pkcs8.html
 

Certificate Request Commands:

In the following, replace wahab with your <login name>.

% mkdir wahab_cert_request
% cd   wahab_cert_request
% cp /home/cs472/public_html/PKI/openssl/shells/students/* .
This copies all the shell scripts and files needed.

% gencertreq.sh wahab
This creates two files: wahab_certreq.pem (the certificate request, which carries your public key and is signed with your private key) and wahab_privatekey.pem (your private key; keep it readable only by you).

% printcertreq.sh wahab
This prints wahab_certreq.pem in readable form. Check the subject fields before submitting.

% submit cs472
Submit file: wahab_certreq.pem

% cp /home/cs472/public_html/PKI/openssl/signed_requests/wahab_cert.pem .
Do this after the CA has signed your certificate and notified you by email.

% certoreq.sh wahab
Renewal: this regenerates wahab_certreq.pem from your existing wahab_cert.pem, signed with your original private key, so the key pair does not change. Submit this request for the CA to sign as you did for the original request.

Certificate Authority (CA) Commands

These set up the environment needed to create the CA key and root certificate,
and to sign and re-sign the students' certificate requests.

% cp /home/cs472/public_html/PKI/openssl/shells/ca/*  .
Copy the CA shell scripts into any directory you choose.
Edit myopenssl.cnf to replace cs472 with your <login name>. The CA scripts read this file, so run them from the directory that contains it (or set OPENSSL_CONF to its full path).

% setup.sh
Creates the needed files and directories: issued_certs, ca_private_key (mode 700), submitted_requests, signed_requests, the serial file (starting at 01) and an empty index.txt database.

% genca.sh
Creates the CA key (ca_private_key/ca_key.pem) and the self-signed root certificate (ca_cert.pem).

% printcert.sh ca_cert
Prints certificate ca_cert.pem.

% issuecert.sh  wahab
Signs the request from the student whose login is wahab,
read from submitted_requests/wahab_certreq.pem,
and produces signed_requests/wahab_cert.pem plus a copy issued_certs/xx.pem,
where xx is the serial number of the certificate. The serial file is incremented and index.txt records the issuance.

% printcert.sh  signed_requests/wahab_cert
% printcert.sh  issued_certs/xx
Print wahab_cert.pem or xx.pem respectively.

% resign.sh wahab
Re-signs a renewal request wahab_certreq.pem (made by certoreq.sh) with the CA key for another 365 days, writing wahab_cert.pem in the current directory. Unlike issuecert.sh it bypasses the CA database, so the re-issued certificate is not recorded in index.txt.
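The student and CA procedures above, run end to end in a throw-away directory, as an added example that is not one of the course scripts. It assumes a current OpenSSL (1.1.1 or 3.x) on PATH and writes a minimal stand-in for myopenssl.cnf with a relative dir; the CA name, "Toy University" and the login wahab are placeholders. After issuing, it checks that the student certificate chains to the root and that it is not itself a CA certificate.

```shell
#!/bin/sh
# Added example: CA setup + one student certificate, then verification.
# Assumptions: openssl on PATH; everything lives under <workdir> (placeholder names).
set -eu

# Lay out the CA directory as setup.sh does, create the root as genca.sh does,
# make the student's request as gencertreq.sh does, and issue it as issuecert.sh does.
pki_demo() (  # <workdir> <student-login>
    mkdir -p "$1"; cd "$1"; login=$2
    mkdir -p issued_certs ca_private_key submitted_requests signed_requests
    chmod og-rwx ca_private_key
    echo 01 > serial; : > index.txt
    # Minimal stand-in for myopenssl.cnf (relative dir, sha256, CA:FALSE for students).
    cat > myopenssl.cnf <<'EOF'
[ ca ]
default_ca = toyca
[ toyca ]
dir = .
certificate = $dir/ca_cert.pem
database = $dir/index.txt
new_certs_dir = $dir/issued_certs
private_key = $dir/ca_private_key/ca_key.pem
serial = $dir/serial
default_days = 365
default_md = sha256
policy = toyca_policy
x509_extensions = end_entity_extensions
[ toyca_policy ]
commonName = supplied
organizationName = supplied
countryName = supplied
[ end_entity_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ root_ca_extensions ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # genca.sh: self-signed root; -nodes leaves the key unencrypted for the demo only.
    openssl req -x509 -config myopenssl.cnf -extensions root_ca_extensions \
        -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout ca_private_key/ca_key.pem -out ca_cert.pem \
        -subj "/CN=Toy Course CA/O=Toy University/C=US" 2>/dev/null
    # gencertreq.sh: the student's key pair and request (dropped straight into submitted_requests).
    openssl req -config myopenssl.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout "${login}_privatekey.pem" -out "submitted_requests/${login}_certreq.pem" \
        -subj "/CN=${login}/O=Toy University/C=US" 2>/dev/null
    # issuecert.sh: -batch answers the confirmation prompts; serial and index.txt are updated.
    openssl ca -config myopenssl.cnf -batch -notext \
        -in "submitted_requests/${login}_certreq.pem" \
        -out "signed_requests/${login}_cert.pem" 2>/dev/null
)

# Chain check: the issued certificate must verify against the root.
verify_student() {  # <workdir> <login>
    openssl verify -CAfile "$1/ca_cert.pem" "$1/signed_requests/$2_cert.pem" >/dev/null 2>&1
}

# Prints yes if the certificate carries basicConstraints CA:TRUE, else no.
is_ca_cert() {  # <certfile>
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

work=$(mktemp -d)
pki_demo "$work" wahab
verify_student "$work" wahab && echo "wahab_cert.pem chains to ca_cert.pem"
echo "root is a CA: $(is_ca_cert "$work/ca_cert.pem")"
echo "student cert is a CA: $(is_ca_cert "$work/signed_requests/wahab_cert.pem")"
openssl x509 -in "$work/signed_requests/wahab_cert.pem" -noout -subject -issuer -serial
```

The copy in issued_certs is named after the serial (01.pem here) and the serial file advances to 02; the student certificate's basicConstraints is CA:FALSE because the stand-in config sets it, which is the setting the course's certificate_extensions section should also use.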




Application of PKI
Secure/Multipurpose Internet Mail Extensions (S/MIME)


Use Unix Mail to send and read your mail.
When reading a mail message, write the message to a file (e.g., with the "w file" command) so that the scripts below can process it.


Encrypted mail
Send:    % sendencmail.sh   wahab file
              The sender should have wahab_cert.pem (the recipient's certificate).
Read:    % readencmail.sh   wahab file
              The recipient should have wahab_cert.pem & wahab_privatekey.pem.
Signed mail
Send:    % sendsignmail.sh   wahab file cs472
              The sender should have cs472_cert.pem & cs472_privatekey.pem.
Read:    % readsignmail.sh   file
              The recipient should have ca_cert.pem (to verify the signer's certificate chain).
Signed + Encrypted mail
Send:    % sendsign_encmail.sh   wahab  file  cs472
              The sender should have:
              wahab_cert.pem, cs472_cert.pem & cs472_privatekey.pem
Read:    % readsign_encmail.sh   wahab  file
              The recipient should have:
              wahab_cert.pem, wahab_privatekey.pem & ca_cert.pem
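The signed + encrypted exchange from the table above, as an added example that is not one of the course scripts: it builds a root CA and CA-issued certificates for the sender cs472 and the recipient wahab in a throw-away directory (stand-ins for the course CA), sends a constructed message, reads it back, and then shows that a one-word change to the clear-signed text makes verification fail. It assumes a current OpenSSL on PATH; "Toy University" and the message text are made up for the demo.

```shell
#!/bin/sh
# Added example: S/MIME sign+encrypt and decrypt+verify, plus a tamper check.
# Assumptions: openssl on PATH; all names below are placeholders for the demo.
set -eu

# Root CA and CA-issued certificates for cs472 (sender) and wahab (recipient).
smime_setup() (  # <dir>
    cd "$1"
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout ca_key.pem -out ca_cert.pem \
        -subj "/CN=Toy Course CA/O=Toy University/C=US" 2>/dev/null
    for login in cs472 wahab; do
        openssl req -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
            -keyout "${login}_privatekey.pem" -out "${login}_certreq.pem" \
            -subj "/CN=$login/O=Toy University/C=US" 2>/dev/null
        openssl x509 -req -in "${login}_certreq.pem" -CA ca_cert.pem -CAkey ca_key.pem \
            -CAcreateserial -days 365 -sha256 -extfile demo.cnf -extensions ee_ext \
            -out "${login}_cert.pem" 2>/dev/null
    done
)

# sendsign_encmail.sh: sign as cs472 (clear-signed, signer cert included),
# then encrypt the whole signed message to wahab's certificate.
send_signed_encrypted() (  # <dir> <file>  -> <file>.enc
    cd "$1"
    openssl smime -sign -in "$2" -out "$2.sig" -signer cs472_cert.pem -inkey cs472_privatekey.pem
    openssl smime -encrypt -in "$2.sig" -aes256 -out "$2.enc" wahab_cert.pem
)

# readsign_encmail.sh: decrypt with wahab's key, verify the signature and the
# signer's chain against ca_cert.pem, then print the signer's subject.
# Exits non-zero if decryption or verification fails.
read_signed_encrypted() (  # <dir> <file>.enc  -> <file>.enc.txt
    cd "$1"
    openssl smime -decrypt -in "$2" -out "$2.sig" -recip wahab_cert.pem -inkey wahab_privatekey.pem
    openssl smime -verify -in "$2.sig" -CAfile ca_cert.pem -signer signer.pem -out "$2.txt" 2>/dev/null
    openssl x509 -in signer.pem -noout -subject
)

# Returns 0 when -verify correctly rejects a copy whose body text was edited.
verify_rejects_tampering() (  # <dir> <signed-file> <from-word> <to-word>
    cd "$1"
    sed "s/$3/$4/" "$2" > tampered.sig
    ! openssl smime -verify -in tampered.sig -CAfile ca_cert.pem -out /dev/null 2>/dev/null
)

work=$(mktemp -d)
smime_setup "$work"
printf 'Quiz 3 is on Friday.\n' > "$work/note"    # constructed message
send_signed_encrypted "$work" note
echo "signed by: $(read_signed_encrypted "$work" note.enc)"
cat "$work/note.enc.txt"
verify_rejects_tampering "$work" note.enc.sig Friday Monday && echo "tampered copy rejected"
```

The recipient never needs the sender's certificate file: it travels inside the signed message, and ca_cert.pem is what makes it trustworthy. The verify step also applies OpenSSL's S/MIME purpose check, so a signer certificate without digitalSignature in keyUsage (or with an extendedKeyUsage lacking emailProtection) would be rejected even with a valid chain.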


 

Shell Scripts for OpenSSL PKI

for students

gencertreq.sh:

# syntax: gencertreq.sh <login>
# Generates a new RSA key pair and a PKCS#10 certificate request in one step.
# The private key is written encrypted (you are asked for a pass phrase) and the
# request is self-signed with it, which is how the CA knows you hold the key.
# 2048-bit RSA is the minimum acceptable today (the course originally used 1024).
openssl req -newkey rsa:2048 -keyout $1_privatekey.pem -keyform PEM -out $1_certreq.pem  -outform PEM


certoreq.sh:

# syntax: certoreq.sh <login>
# Renewal: turns the existing certificate back into a request signed with the
# same private key, so the CA can re-issue it without a key change.
openssl x509 -x509toreq -in $1_cert.pem -out $1_certreq.pem -signkey $1_privatekey.pem

printcert.sh:

# syntax: printcert.sh <name>    (prints <name>.pem, e.g. printcert.sh ca_cert)
# Dumps a certificate in readable form: subject, issuer, serial, validity, extensions.
openssl x509 -in $1.pem -text -noout


printcertreq.sh:

# syntax: printcertreq.sh <login>
# Dumps a certificate request; check the subject and public key before submitting.
openssl req -in $1_certreq.pem -text -noout


for CA
setup.sh:
# Creates the CA working directory layout that myopenssl.cnf refers to.
# randomfile seeds OpenSSL's random number generator (RANDFILE); .rnd is
# OpenSSL's default seed file in the home directory.
cp /home/cs472/randomfile .
cp /home/cs472/randomfile    /home/cs472/.rnd
# issued_certs: a copy of every issued certificate, named <serial>.pem
# ca_private_key: holds the CA signing key; nobody but the CA user may read it
mkdir    issued_certs     ca_private_key
mkdir    submitted_requests    signed_requests
chmod    og-rwx ca_private_key
# serial: next serial number in hex; index.txt: the (initially empty) certificate database
echo "01" > serial
touch   index.txt

genca.sh:

# Creates the CA key pair (written to default_keyfile from myopenssl.cnf) and a
# self-signed root certificate whose subject comes from [root_ca_distinguished_name].
# -config is needed: without it openssl reads the system openssl.cnf and prompts
# for the subject instead (alternatively export OPENSSL_CONF pointing at the file).
openssl req -x509 -config myopenssl.cnf -newkey rsa -out ca_cert.pem  -outform PEM


issuecert.sh:

# syntax: issuecert.sh <login>
# Signs the student's request with the CA key using the [ca] section of
# myopenssl.cnf (-config is required; otherwise the system openssl.cnf is used).
# The request is displayed and you are asked to confirm; on signing, the serial
# file and index.txt are updated and a copy lands in issued_certs/<serial>.pem.
openssl ca -config myopenssl.cnf -in submitted_requests/$1_certreq.pem -out signed_requests/$1_cert.pem -notext

 
resign.sh:

# syntax: resign.sh <login>
# Re-signs a renewal request with the CA certificate and key for another 365 days.
# "openssl x509 -req -signkey <key>" alone would make a self-signed certificate
# (issuer = the request's own subject), not one issued by the CA, so the CA
# certificate and key are passed with -CA/-CAkey. The key path must match
# private_key in myopenssl.cnf. -CAcreateserial keeps its own serial file
# (ca_cert.srl); this path does not update index.txt.
openssl x509 -req -in $1_certreq.pem -out $1_cert.pem -CA ca_cert.pem -CAkey ca_private_key/ca_key.pem -CAcreateserial -days 365
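The renewal path (certoreq.sh followed by resign.sh) as an added example, not one of the course scripts. It builds a root CA and one issued certificate in a throw-away directory, converts the certificate back into a request, re-signs it with the CA, and checks two things a practitioner would want to see: the renewed certificate carries the same public key as the original, and the "-signkey only" form produces a certificate whose issuer is the student's own name rather than the CA. It assumes a current OpenSSL on PATH; the CA name, "Toy University" and the login wahab are placeholders.

```shell
#!/bin/sh
# Added example: certificate -> request -> CA re-sign, with the -signkey pitfall shown.
# Assumptions: openssl on PATH; placeholder names throughout.
set -eu

# Root CA plus one CA-issued certificate for <login> (stand-in for issuecert.sh).
renew_setup() (  # <dir> <login>
    cd "$1"
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ee_ext ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 365 -keyout ca_key.pem -out ca_cert.pem \
        -subj "/CN=Toy Course CA/O=Toy University/C=US" 2>/dev/null
    openssl req -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2_privatekey.pem" -out "$2_certreq.pem" \
        -subj "/CN=$2/O=Toy University/C=US" 2>/dev/null
    openssl x509 -req -in "$2_certreq.pem" -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
        -days 365 -sha256 -extfile demo.cnf -extensions ee_ext -out "$2_cert.pem" 2>/dev/null
)

# certoreq.sh: existing certificate -> new request signed with the same private key.
# (The course script overwrites <login>_certreq.pem; here a separate file is used.)
cert_to_request() (  # <dir> <login>
    cd "$1"
    openssl x509 -x509toreq -in "$2_cert.pem" -signkey "$2_privatekey.pem" \
        -out "$2_renew_certreq.pem" 2>/dev/null
    openssl req -in "$2_renew_certreq.pem" -noout -verify >/dev/null 2>&1   # request self-signature check
)

# resign.sh done with -CA/-CAkey: a CA-issued renewal. Prints the new issuer line.
resign_with_ca() (  # <dir> <login>
    cd "$1"
    openssl x509 -req -in "$2_renew_certreq.pem" -CA ca_cert.pem -CAkey ca_key.pem \
        -CAcreateserial -days 365 -sha256 -extfile demo.cnf -extensions ee_ext \
        -out "$2_renewed_cert.pem" 2>/dev/null
    openssl x509 -in "$2_renewed_cert.pem" -noout -issuer
)

# The pitfall: -signkey with the CA key gives issuer == the request's subject.
resign_with_signkey_only() (  # <dir> <login>
    cd "$1"
    openssl x509 -req -in "$2_renew_certreq.pem" -signkey ca_key.pem -days 365 \
        -out "$2_selfsigned.pem" 2>/dev/null
    openssl x509 -in "$2_selfsigned.pem" -noout -issuer
)

# Returns 0 when the public key in <certfile> equals the one in <keyfile>.
same_public_key() (  # <dir> <certfile> <keyfile>
    cd "$1"
    a=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$a" = "$b" ]
)

work=$(mktemp -d)
renew_setup "$work" wahab
cert_to_request "$work" wahab
echo "CA-issued renewal: $(resign_with_ca "$work" wahab)"
echo "-signkey only:     $(resign_with_signkey_only "$work" wahab)"
same_public_key "$work" wahab_renewed_cert.pem wahab_privatekey.pem && echo "key pair unchanged"
```

Because the renewed certificate is signed outside "openssl ca", it appears in neither index.txt nor issued_certs; if the CA needs a complete record (for example to revoke later), feed the renewal request through issuecert.sh instead.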

myopenssl.cnf:
# Read by genca.sh (the [req] part) and issuecert.sh (the [ca] part).
# Replace cs472 in the paths with your login name.
[ ca ]
default_ca   = wahabca

[ wahabca ]
dir    =/home/cs472/public_html/PKI/openssl
# the CA's own certificate
certificate   = $dir/ca_cert.pem
# text database of issued certificates (serial, subject, status)
database   = $dir/index.txt
# a copy of every issued certificate, named <serial>.pem
new_certs_dir   = $dir/issued_certs
# CA signing key; the directory is mode 700 (setup.sh)
private_key   = $dir/ca_private_key/ca_key.pem
# next serial number in hex, incremented on each issue
serial    = $dir/serial
RANDFILE  = $dir/randomfile
default_days     = 365
default_crl_days = 7
# md5 is broken for signatures and rejected by current OpenSSL verification; use sha256
default_md       = sha256
policy    = wahabca_policy
x509_extensions  = certificate_extensions

[ wahabca_policy ]
# supplied: the request must contain the field; optional: copied if present.
# Fields not listed here are dropped from the issued certificate's subject.
commonName   = supplied
stateOrProvinceName  = supplied
countryName   = supplied
emailAddress   = optional
organizationName  = supplied
organizationalUnitName  = optional

[ certificate_extensions ]
# Extensions for the students' (end-entity) certificates. CA:FALSE is essential:
# with CA:true every student certificate could itself sign certificates that
# chain to the course root.
basicConstraints  = CA:FALSE

[ req ]
# 1024-bit RSA is no longer acceptable; 2048 is the minimum
default_bits   = 2048
default_keyfile  = /home/cs472/public_html/PKI/openssl/ca_private_key/ca_key.pem
default_md   = sha256
# take the subject from the section below instead of prompting
prompt = no

distinguished_name  = root_ca_distinguished_name

x509_extensions  = root_ca_extensions

[ root_ca_distinguished_name ]
commonName   = Dr. Wahab
stateOrProvinceName  = Virginia
countryName   = US
emailAddress   = wahab@cs.odu.edu
organizationName  = Old Dominion University

[ root_ca_extensions ]
# the root itself is a CA
basicConstraints  = CA:true
 


smime

sendencmail.sh:

# syntax: sendencmail.sh  <recipient-login>   <file>
# Encrypts <file> to the recipient's certificate (only the matching private key
# can decrypt it) and mails the S/MIME message. -des3 is the course cipher;
# -aes256 is the current choice.
openssl smime -encrypt -in $2 -des3 -out $2.enc $1_cert.pem
Mail $1 < $2.enc

readencmail.sh:

# syntax: readencmail.sh  <recipient-login>   <file>
# (Reconstructed: the page does not show this script's body. It is the decrypt
# step of readsign_encmail.sh applied to the saved message.)
openssl smime -decrypt -in $2 -out $2.txt -recip $1_cert.pem -inkey $1_privatekey.pem
more $2.txt

sendsignmail.sh:

# syntax: sendsignmail.sh  <recipient-login>   <file> <sender-login>
# Signs <file> with the sender's private key; the sender's certificate is
# included in the message so the recipient can verify it against ca_cert.pem.
openssl smime -sign -in $2 -out $2.sig -signer $3_cert.pem -inkey $3_privatekey.pem
Mail $1 < $2.sig

readsignmail.sh:

# syntax: readsignmail.sh  <file>
# Verifies the signature and the signer's certificate chain against ca_cert.pem,
# saving the signer's certificate in file.pem and the verified text in <file>.txt.
# (The verify line is reconstructed from readsign_encmail.sh; the page shows only
# the two lines after it.)
openssl smime -verify -in $1 -CAfile ca_cert.pem -signer file.pem -out $1.txt
openssl x509 -in file.pem -text -noout | grep Subject:
more $1.txt

sendsign_encmail.sh:

# syntax: sendsign_encmail.sh  <recipient-login>   <file>    <sender-login>
# Sign first, then encrypt the signed message, so the signature is hidden from
# anyone who cannot decrypt.
openssl smime -sign -in $2 -out $2.sig -signer $3_cert.pem -inkey $3_privatekey.pem
openssl smime -encrypt -in $2.sig -des3 -out $2.enc $1_cert.pem
Mail $1 < $2.enc

readsign_encmail.sh:

# syntax: readsign_encmail.sh  <recipient-login>   <file>
# Decrypt with the recipient's key (the cipher is read from the message, so no
# -des3 is needed here), then verify the signature; file.pem receives the
# signer's certificate and <file>.txt the verified text.
openssl smime -decrypt -out $2.sig -in $2 -recip $1_cert.pem  -inkey $1_privatekey.pem
openssl smime -CAfile ca_cert.pem -verify  -in $2.sig -out $2.txt -signer file.pem

openssl x509 -in file.pem -text -noout | grep Subject:
more $2.txt