, , , ,

What are those?

Private keys, certificate, certificate agents and root certificate enable security between client server communication.  At a typical handshake phase of ssl / tls session, the server provides certificate and corresponding certificate agent list to the client. Certificate of server includes it’s public key and domain with other useful information. With certificate and it’s certificate agent list, it is checked that the server is in fact the identity which he claims to be (authenticity). This process is done with starting checking server certificate with the very immediate low level certificate agent that handled the sign request of server. Then following the certificate agent list, each lower level certificate agent is checked with certificate of higher level, which should at the very end depend to a root certificate that reside in system. After controlling authenticity, client will generate a random symmetric key and encrypt it with servers public key. Server will be able to decrypt it with it’s private key and get the symmetric key that will be used from then on.

Therefore a certificate chain should finalize with a well known root. In order to depend on a well known root, you need to go to one of certificate agents that are already at the very end signed by the root, and make them sign your certificate, which will cost money and time. Other alternative for internal use or testing, generate your own chain and insert this specific root to the trusted root store of the system. Notice that changing trusted root store of a system is generally a bad idea with possible security consequences. Having said this, if you need these for testing purposes, here is how you can generate a root certificate, varying number of certificate agents, and an endpoint key certificate pair.

Create a root

It will be wise to protect already existing configuration and keys in our environment, therefore create a temporary working directory workbench/certificates in my case. We will need a configuration template. openssl.cnf will do the job, find and copy it with name root.cnf.

certificates - finding openssl configuration template

This will be used as configuration of root certificate agent.

certificates - copy openssl cnf as root cnf

In order to be tidy, give a corresponding directory name for root certificate agent, root, in this case.

certificates - directory structure in root configuration

And make signing available by setting basisConstraints=CA:TRUE which defaults to false

certificates - making root a certificate agent

Then we may generate the private key of root as;

certificates - generate root private key and certificate sign request

Before self signing the request, we should prepare environment for outputs and configurations. We should have a ./root and .root/newcerts directory. this will keep the certificates that are signed by root certificate agent.

certificates - create root and newcerts directory

Then we should have a datebase file called index.txt

certificates - create index file

And a counter that is incremented each time a new certificate is issued.

certificates - create root serial

Then we are ready to self sign the certificate request

certificates - create self signed root certificate

Certificate may be checked by

certificates - displaying root certificate

And output will be as;

certificates - root certificate family

Create certificate agent A certificates : CaA

Now we will create security keys of certificate agent A, CaA. Start with creating configuration file CaA.cnf,

certificates - CaA creating environment

and necessary environment.

certificates - CaA directory

Create private key and sign request.

certificates - CaA generate private key and sign request

Generate certificate of CaA with information of root

certificates - CaA generate certificate using root

veryfying certificate of  CaA

certificate - CaA verify certificate of CaA

Notice that database of root contains two entries, one for self signing, and one for signing CaA,

certificates - index db of root after signing CaA certificate

We should have following directory snapshot,

certificates - CaA generated family

Create certificate agent B certificates : CaB

Same steps may be repeated to form certificate agent B, CaB.

sifa@debian:~/workbench/certificates$ cp root.cnf CaB.cnf
sifa@debian:~/workbench/certificates$ mkdir CaB
sifa@debian:~/workbench/certificates$ mkdir CaB/newcerts
sifa@debian:~/workbench/certificates$ touch CaB/index.txt
sifa@debian:~/workbench/certificates$ echo 01 >> CaB/serial
sifa@debian:~/workbench/certificates$ openssl req -new -newkey rsa:1024 -nodes -out CaB.csr -keyout CaB_private.pem -config CaB.cnf
sifa@debian:~/workbench/certificates$ openssl ca -keyfile CaA_private.pem -cert CaA_certificate.pem -out CaB_certificate.pem -in CaB.csr -config CaA.cnf

We may verify that jack.dalton signed certificate of william.dalton;

certificates - CaB certificate verification

Here, we will make a different modification in CaB.cnf (uncomenting copy_extensions=copy), which will make keep alternative names of endpoint,

certificates - CaB configuration

Create endpoint certificates

Endpoint certificate creation will be very similar, except the certificate belong to avarel. As he is not careful, he will add many alternate names with wildcards by modifying endpoint.cnf as;

certificates - endpoint alternate names

certificates - endpoint v3req

The remaining steps are same, except omitting generation of certificate folder, sequence and index database, since endpoint will not generate any certificates.

sifa@debian:~/workbench/certificates$ cp root.cnf endpoint.cnf
sifa@debian:~/workbench/certificates$ openssl req -new -newkey rsa:1024 -nodes -out endpoint.csr -keyout endpoint_private.pem -config endpoint.cnf
sifa@debian:~/workbench/certificates$ openssl ca -keyfile CaB_private.pem -cert CaB_certificate.pem -out endpoint_certificate.pem -in endpoint.csr -config CaB.cnf
sifa@debian:~/workbench/certificates$ openssl x509 -in endpoint_certificate.pem -text -noout

certificates - endpoint certificate verification

After operation we should have whole chain of certificates from endpoint to root, to use in our tests.

certificates - final certificate family