Public Key Infrastructure (PKI) Certificates using OpenSSL

 Documentation: ttp://

Certificate Requests Commands:

In the following, replace wahab with your <login name>.

% mkdir wahab_cert_request
% cd   wahab_cert_request
% cp /home/cs472/public_html/PKI/openssl/shells/students/* .
This copies all the shell scripts and files needed.

% wahab
That will create two files: wahab_certreq.pem & wahab_privatekey.pem

% wahab
This prints wahab_certreq.pem

% submit cs472
Submit file: wahab_certreq.pem

% cp /home/cs472/public_html/PKI/openssl/signed_requests/wahab_cert.pem .
Do this after the CA has signed your certificate and notifies you via email.

% wahab
This generates a new wahab_certreq.pem from your original public/private keys. Submit this request for the CA to sign, as you did for the original request.

Certificate Authority (CA) Commands

To set up the environment needed to create the CA keys and root certificate,
and to sign and re-sign the students' certificate requests.

% cp /home/cs472/public_html/PKI/openssl/shells/ca/*  .
Copy the CA shell scripts into any directory you choose.
Edit the file myopenssl.cnf to replace cs472 with your <login name>.

Create the needed files and directories.
Create CA keys (ca_key.pem)  &  certificate (ca_cert.pem).

% ca_cert

print certificate  ca_cert.pem

%  wahab
This signs a request from the student whose login is wahab,
read from submitted_requests/wahab_certreq.pem,
and produces signed_requests/wahab_cert.pem and issued_certs/xx.pem,
where xx is the serial number of the certificate.

%  signed_requests/wahab_cert
%  issued_certs/xx
print wahab_cert.pem and xx.pem
% wahab
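The CA workflow above carried out end to end, as an added example and not one of the course's own scripts: it builds a throwaway CA in a temporary directory from the same pieces the handout lists (serial, index.txt, issued_certs, a [ ca ] config section), issues one student certificate with openssl ca, verifies it against ca_cert.pem, and finally regenerates the request from the issued certificate with -x509toreq, which is what the resign step relies on. The login alice, the section name democa and the file names are assumptions made for this example; it prints OK, or SKIP when openssl is not installed. Two settings differ deliberately from the course config: student certificates carry basicConstraints CA:FALSE, and the digest is sha256, because current OpenSSL rejects MD5 signatures on issued certificates at its default security level.

```shell
#!/bin/sh
# Added worked example (not one of the course's scripts): a throwaway CA,
# one student certificate issued with `openssl ca`, verification against the
# CA certificate, and the request regenerated from the issued certificate.
# Assumptions: login "alice", CA section "democa" and all file names below
# are made up for this example. Prints OK, or SKIP if openssl is missing.
pki_ca_demo() (
    command -v openssl >/dev/null 2>&1 || { echo SKIP; exit 0; }
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    mkdir issued_certs ca_private_key submitted_requests signed_requests
    chmod og-rwx ca_private_key          # the CA key is readable by the CA only
    echo 01 > serial                     # serial number of the next certificate
    : > index.txt                        # empty certificate database

    # Minimal CA config. Student certificates get CA:FALSE and sha256;
    # countryName and organizationName must match the CA's own subject.
    cat > ca.cnf <<EOF
[ ca ]
default_ca = democa

[ democa ]
dir              = $work
certificate      = \$dir/ca_cert.pem
database         = \$dir/index.txt
new_certs_dir    = \$dir/issued_certs
private_key      = \$dir/ca_private_key/ca_key.pem
serial           = \$dir/serial
default_days     = 365
default_md       = sha256
policy           = democa_policy
x509_extensions  = student_extensions

[ democa_policy ]
commonName             = supplied
countryName            = match
organizationName       = match
stateOrProvinceName    = optional
emailAddress           = optional
organizationalUnitName = optional

[ student_extensions ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection

[ ca_extensions ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

    # CA key pair and self-signed root certificate (subject given with -subj)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
        -extensions ca_extensions -keyout ca_private_key/ca_key.pem -out ca_cert.pem \
        -subj "/C=US/ST=Virginia/O=Demo University/CN=Demo CA" 2>/dev/null || exit 1

    # Student side: key pair plus certificate request, "submitted" to the CA
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -keyout alice_privatekey.pem -out submitted_requests/alice_certreq.pem \
        -subj "/C=US/ST=Virginia/O=Demo University/CN=alice" 2>/dev/null || exit 1

    # CA side: issue the certificate; -batch suppresses the interactive prompts
    openssl ca -batch -config ca.cnf -notext \
        -in submitted_requests/alice_certreq.pem \
        -out signed_requests/alice_cert.pem 2>/dev/null || exit 1

    # Checks a relying party (or the CA operator) would make: the chain verifies,
    # the certificate is not a CA, the database recorded it, the serial advanced
    openssl verify -CAfile ca_cert.pem signed_requests/alice_cert.pem >/dev/null 2>&1 || exit 1
    openssl x509 -in signed_requests/alice_cert.pem -noout -text | grep -q 'CA:FALSE' || exit 1
    [ -f issued_certs/01.pem ] || exit 1
    [ "$(cat serial)" = "02" ] || exit 1
    grep -q '^V' index.txt || exit 1

    # The resign step: rebuild a request from the issued certificate and the
    # original private key, then check the request's self-signature
    openssl x509 -x509toreq -in signed_requests/alice_cert.pem \
        -signkey alice_privatekey.pem -out alice_certreq2.pem 2>/dev/null || exit 1
    openssl req -in alice_certreq2.pem -verify -noout 2>/dev/null || exit 1

    cd / && rm -rf "$work"
    echo OK
)

pki_ca_demo
```

The serial file and index.txt are what make openssl ca a real CA rather than a signing oracle: every issued certificate is recorded, and the CA operator can answer "did I issue this?" from index.txt alone, which is also what revocation (openssl ca -revoke, then -gencrl with default_crl_days) builds on.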

Application of PKI
Secure Multipurpose Internet Mail Exchange  (SMIME)

Use unix Mail  to send and read your mail. 
In reading a mail  message: write the message to a file (e.g., w

Encrypted mail
Send:    %   wahab file
         The sender should have wahab_cert.pem
Read:    %   wahab file
         The recipient should have wahab_cert.pem & wahab_privatekey.pem
Signed mail
Read:    %   file
         The recipient should have ca_cert.pem
Signed + Encrypted mail
Send:    %   wahab file cs472
         The sender should have:
         wahab_cert.pem, cs472_cert.pem & cs472_privatekey.pem
Read:    %   wahab file
         The recipient should have:
         wahab_cert.pem, wahab_privatekey.pem & ca_cert.pem
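The signed + encrypted exchange above, both directions in one script, added here as an example and not one of the course's scripts. Two users, alice and bob, get certificates from a throwaway CA issued with openssl x509 -req -CA (the mechanism behind the course's resign script); alice signs with her certificate and key and encrypts to bob's certificate, bob decrypts with his key, verifies against ca_cert.pem and extracts the signer certificate to read its Subject, exactly the files the table above says each side needs. Two negative checks then confirm that a modified message body and an untrusted CA both fail verification. The names, subjects and file names are assumptions made for this example, and -aes256 stands in for the scripts' -des3; it prints OK, or SKIP when openssl is not installed.

```shell
#!/bin/sh
# Added worked example (not one of the course's scripts): S/MIME sign +
# encrypt from alice to bob, decrypt + verify on bob's side, plus two checks
# that verification really fails when it should. The users, the CA subject
# and the file names are made up for this example.
smime_demo() (
    command -v openssl >/dev/null 2>&1 || { echo SKIP; exit 0; }
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    # req config: empty DN section (subjects come from -subj) and CA extensions
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' > req.cnf
    # end-entity extensions: not a CA, usable for S/MIME only
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = emailProtection\n' > ee.ext

    # Throwaway CA (plays the role of ca_cert.pem / ca_key.pem in the handout)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config req.cnf -extensions ca_ext \
        -keyout ca_key.pem -out ca_cert.pem -subj "/O=Demo University/CN=Demo CA" 2>/dev/null || exit 1
    # Key, request and CA-issued certificate for each user
    for u in alice bob; do
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -keyout ${u}_privatekey.pem -out ${u}_certreq.pem \
            -subj "/O=Demo University/CN=$u" 2>/dev/null || exit 1
        openssl x509 -req -in ${u}_certreq.pem -CA ca_cert.pem -CAkey ca_key.pem \
            -CAcreateserial -days 365 -extfile ee.ext -out ${u}_cert.pem 2>/dev/null || exit 1
    done

    printf 'Hello bob, this is alice.\n' > msg.txt

    # Sender (alice) needs alice_cert.pem, alice_privatekey.pem and bob_cert.pem
    openssl smime -sign -text -in msg.txt -out msg.sig \
        -signer alice_cert.pem -inkey alice_privatekey.pem || exit 1
    openssl smime -encrypt -in msg.sig -aes256 -out msg.enc bob_cert.pem || exit 1

    # Recipient (bob) needs bob_cert.pem, bob_privatekey.pem and ca_cert.pem
    openssl smime -decrypt -in msg.enc -recip bob_cert.pem \
        -inkey bob_privatekey.pem -out msg.dec || exit 1
    openssl smime -verify -text -in msg.dec -CAfile ca_cert.pem \
        -signer signer.pem -out msg.out 2>/dev/null || exit 1
    grep -q 'Hello bob, this is alice' msg.out || exit 1
    # Who signed it: the Subject of the extracted signer certificate
    openssl x509 -in signer.pem -noout -subject | grep -q 'alice' || exit 1

    # Negative checks: a modified body, or a CA bob does not trust, must fail
    sed 's/Hello/Hallo/' msg.dec > tampered.dec
    openssl smime -verify -text -in tampered.dec -CAfile ca_cert.pem -out /dev/null 2>/dev/null && exit 1
    openssl smime -verify -text -in msg.dec -CAfile bob_cert.pem -out /dev/null 2>/dev/null && exit 1

    cd / && rm -rf "$work"
    echo OK
)

smime_demo
```

Note that openssl smime -encrypt never checks who the recipient certificate belongs to, and -verify only proves the signer chains to whatever -CAfile names; the trust decision is entirely in which ca_cert.pem the reader keeps, which is why the handout lists it among the files the recipient must have.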


Shell Scripts for OpenSSL PKI

for students

# create a key pair and certificate request.  syntax:  <login>
# (the handout used rsa:1024; 1024-bit RSA is no longer adequate)
openssl req -newkey rsa:2048 -keyout $1_privatekey.pem -keyform PEM -out $1_certreq.pem -outform PEM

# regenerate a request from an existing certificate and the original key.  syntax:  <login>
openssl x509 -x509toreq -in $1_cert.pem -out $1_certreq.pem -signkey $1_privatekey.pem

# print a certificate.  syntax:  <name>   (reads <name>.pem)
openssl x509 -in $1.pem -text -noout

# print a certificate request.  syntax:  <login>
openssl req -in $1_certreq.pem -text -noout

for CA

# one-time setup of the CA directory
cp /home/cs472/randomfile .
cp /home/cs472/randomfile    /home/cs472/.rnd
mkdir    issued_certs     ca_private_key
mkdir    submitted_requests    signed_requests
chmod    og-rwx ca_private_key
echo "01" > serial
touch   index.txt

# create the CA key (default_keyfile in myopenssl.cnf) and the self-signed root certificate
# (-config is added here: the handout does not show how myopenssl.cnf is passed to openssl)
openssl req -config myopenssl.cnf -x509 -newkey rsa -out ca_cert.pem -outform PEM

# sign a student request.  syntax:  <login>
openssl ca -config myopenssl.cnf -in submitted_requests/$1_certreq.pem -out signed_requests/$1_cert.pem -notext

# re-sign a request outside the CA database.  syntax:  <login>
# (the handout used -signkey ca_privatekey.pem, which sets the issuer to the request's own
# subject, so the result does not chain to ca_cert.pem; -CA/-CAkey issue it under the CA)
openssl x509 -req -in $1_certreq.pem -out $1_cert.pem -CA ca_cert.pem -CAkey ca_private_key/ca_key.pem -CAcreateserial -days 365

[ ca ]
default_ca   = wahabca

[ wahabca ]
dir              = /home/cs472/public_html/PKI/openssl
certificate      = $dir/ca_cert.pem
database         = $dir/index.txt
new_certs_dir    = $dir/issued_certs
private_key      = $dir/ca_private_key/ca_key.pem
serial           = $dir/serial
RANDFILE         = $dir/randomfile
default_days     = 365
default_crl_days = 7
# the handout used md5; current OpenSSL rejects MD5-signed certificates
default_md       = sha256
policy           = wahabca_policy
x509_extensions  = certificate_extensions

[ wahabca_policy ]
commonName             = supplied
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = optional
organizationName       = supplied
organizationalUnitName = optional

[ certificate_extensions ]
# student certificates are end-entity certificates, not CAs
# (the handout had CA:true here, which would let every student issue certificates)
basicConstraints = CA:FALSE

[ req ]
# the handout used 1024; 1024-bit RSA is no longer adequate
default_bits     = 2048
default_keyfile  = /home/cs472/public_html/PKI/openssl/ca_private_key/ca_key.pem
default_md       = sha256
prompt           = no

distinguished_name = root_ca_distinguished_name

x509_extensions  = root_ca_extensions

[ root_ca_distinguished_name ]
commonName           = Dr. Wahab
stateOrProvinceName  = Virginia
countryName          = US
# emailAddress: fill in a value or leave it commented out (an empty value is not usable with prompt = no)
# emailAddress       =
organizationName     = Old Dominion University

[ root_ca_extensions ]
basicConstraints  = CA:true


# send encrypted mail.  syntax:  <recipient-login>   <file>
# (-des3 is the handout's cipher choice; -aes256 is the current recommendation)
openssl smime -encrypt -in $2 -des3 -out $2.enc $1_cert.pem
Mail $1 < $2.enc

# send signed mail.  syntax:  <recipient-login>   <file>   <sender-login>
openssl smime -sign -in $2 -out $2.sig -signer $3_cert.pem -inkey $3_privatekey.pem
Mail $1 < $2.sig

# read signed mail.  syntax:  <file>
# (the verify step is missing from the handout; it is reconstructed from the signed + encrypted reader below)
openssl smime -CAfile ca_cert.pem -verify -in $1 -out $1.txt -signer file.pem
openssl x509 -in file.pem -text -noout | grep Subject:
more $1.txt

# send signed + encrypted mail.  syntax:  <recipient-login>   <file>   <sender-login>
openssl smime -sign -in $2 -out $2.sig -signer $3_cert.pem -inkey $3_privatekey.pem
openssl smime -encrypt -in $2.sig -des3 -out $2.enc $1_cert.pem
Mail $1 < $2.enc

# read signed + encrypted mail.  syntax:  <recipient-login>   <file>
openssl smime -decrypt -out $2.sig -in $2 -recip $1_cert.pem -inkey $1_privatekey.pem
openssl smime -CAfile ca_cert.pem -verify -in $2.sig -out $2.txt -signer file.pem
openssl x509 -in file.pem -text -noout | grep Subject:
more $2.txt