Public Key Infrastructure (PKI) Certifiactes

Using OpenSSL

 

 

Documentation: http://www.openssl.org/docs/apps/pkcs8.html 

 

Certificate Requests Commands:

 

To generate a certificate request and sign it from CA.

 

In the following: replace <student>  with  your  <login name>

 

% mkdir <student>_cert_request
% cd    <student>_cert_request
% cp   /home/cs772/public_html/PKI/shell_scripts/students/* .

 

This copies all the shell scripts and files needed.

 

% gencertreq  <student>


That will create two files:

 <student>_certreq.pem  &   <student>_privatekey.pem

 

To  print  <student>_certreq.pem 

 

% printcertreq  <student>


Submit file <student>_certreq.pem to CA to be signed:

 

% mkdir  submit 

% cp     <student>_certreq.pem  submit

% cd     submit

% submit cs772

 

The  CA will sign your certificate and sends an email  to copy:

 

      <student>_cert.pem  &  ca_cert.pem

 

Then you can print these two certificates using:

 

 % printcert   <student>

% printcert    ca

 

Certificate Authority (CA) Commands

 

To setup the necessary environment to create CA keys and root certificate,  and to sign  the students certificate requests.

 

To create CA keys and root certificate

 

Copy the ca shell scripts in any directory you choose.

% cp /home/cs772/public_html/PKI/shell_scripts/ca/*   .

 

Edit  file myopenssl.cnf  to replace cs772 with  your <login name>

 

Then create the needed files and directories:

% setup

 

 

 Then create CA keys (ca_key.pem)  &  certificate (ca_cert.pem:.

%  genca

 


Print certificate  ca_cert.pem:

% printcert    ca

 

To sign certificate  requests

 

To  sign a request from a single student under:

submitted_requests/<student>_cerreq.pem

 

% issuecert  <student>


This  produces:

signed_requests/<student>_cert.pem

issued_certs/xx.pem  where <xx> is serial number of cert.

 

To sign more than one certificate put the names in a file called: list and then use:

 

% batch_issuecert

 

 

 

Application of PKI:

 

Secure Multipurpose Internet Mail Exchange (SMIME)                     

 

Use unix Mail  to send and read your mail. 
In reading a mail  message: write the message to a file (e.g., w file)


Copy all the shell scripts and files needed.

% cd <student>_cert_request

% cp /home/cs772/public_html/PKI/shell_scripts/securemail/* .

 

Encrypted mail : to send/receive encrypted messages.

Send:   

% sendencmail   <receiver>   <file>

The sender should have:  <receiver>_cert.pem

<file> is the message to be encrypted.

This produce <file>.enc which is encrypted with a secret key.

The secret key is encrypted with the public key in  <receiver>_cert.pem

 

Read: 

First read your mail and save the msg in <file> then use the following command:

% readencmail   <receiver>   <file>

The recipient should have:

<receiver>_cert.pem> &  <receiver>_privatekey.pem

This decrypt mail in  <file> using the supplied certificate and private key.

First, the secret key is decrypted using <receiver>_privatekey.pem       

Then <file> is decrypted with the  secret key.

       

           

Signed mail to send/receive signed  messages

Send:   

% sendsignmail   <receiver>   <file>   <sender>

The sender should have:

 <sender>_cert.pem   &  <sender>_privatekey.pem
To  sign  <file>  using the <sender> certificate and private key.

The signed message as well as  the <sender> certificate are written to the output <file> .sig

 

Read:   

First read your mail and save the msg in <file> then  use the following command:

% readsignmail     <file>

The recipient should have:  ca_cert.pem

This verifies signed <file> using the sender’s certificate and the CA certificate. 

and outputs the sender’s information and the  message content.

 

 

Signed +Encrypted mail  to send/receive signed and encrypted  messages

Send:   

% sendsign_encmail  <receiver>  <file>  <sender>

The sender should have:  <receiver>_cert.pem,

<sender>_cert.pem  &  <sender>_privatekey.pem

This  signs the  <file>  using the <sender> certificate and private key.

The signed file as well as  the <sender> certificate are written to the output <file> .sig which is  then encrypted to   <file>.enc  using a secret key.

The secret key is encrypted with the public key in  <receiver>_cert.pem

 

Read:   

First read your mail and save the msg in <file> then  use the following command:

% readsign_encmail   <receiver>  <file>

The reciepient should have: <receiver>_cert.pem,    <receiver>_privatekey.pem  &  ca_cert.pem

This first decrypts mail in  <file> using the receiver certificate and private key.

The secret key is decrypted using <receiver>_privatekey.pem       

Then <file> is decrypted using the   secret key.

It then verifies the signed <file> using the sender’s and CA certificates.

Finally it outputs the sender’s information and the  message content.

 

 

Sign then Encrypt Versus  Encrypt then Sign?

 

Sign then Encrypt:

·       A wants to send B a message M as signed then encrypted message.

    Sign M as M’ and then encrypt M’ as M” and mail M” to B.

·       B decrypts M” to M’ and verify that M’ was sent as M from A.

·       if  B wants to forwards the message M’ to C,

   B can forwards the signed message M’ to C.

   C can reads the message M and verify that A is the author.

 

Encrypt then Sign:

·       A wants to send B a message M as encrypted then signed message.

   Encrypt M as M’ and then sign M’ as M” and mail M” to B.

·       B verifies M” was signed by A and then M’ decrypted to read M.

·       If B wants to forward the message to C, then he can send M”.

C can verify that M” was signed by A.

However C can NOT decrypt M’ to read the message M since he does not have the private key of B!