OpenSSL on WINDOWS

This post explains all the steps you need to create your own CA.

Let me summarize what we intend to do here.

First we will create a public cert and a private key for the CA.

Then we'll create a public/private key pair for the server [say WSAS].

The next step is to generate a CSR [Certificate Signing Request] for the server and submit it to the CA.

The CA signs the certificate.

Then we need to convert both the CA's public cert and the server's signed cert from PEM to DER.

After the conversion, the server will import the CA's public cert and the server's signed certificate into its key store.

That's it and we are done.

Let's get started.

First you need to download Visual C++ 2008 Redistributables from here and install it locally.

Then download and install OpenSSL from here.

Also make sure you have added [JAVA_HOME]\bin to the PATH env variable.

Let's create the folder structure for our example.

Make sure you have the following folder structure (index.txt is an empty file; openssl ca uses it as its certificate database).

[SAMPLE]\ca
[SAMPLE]\ca\certs
[SAMPLE]\ca\crl
[SAMPLE]\ca\newcerts
[SAMPLE]\ca\private
[SAMPLE]\ca\index.txt
[SAMPLE]\wsas

Copy [OPENSSL_HOME]\bin\openssl.cfg to [SAMPLE]\.

Copy [OPENSSL_HOME]\bin\PEM\demoCA\serial to [SAMPLE]\ca.

Let's edit [SAMPLE]\openssl.cfg (the copy we just made) - add the following section to the end of the file - make sure you do not violate the existing file structure.

####################################################################
[ WSO2WSAS_CA ]

dir = ./ca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts

certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber

crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand

x509_extensions = usr_cert


default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no

policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Find the following section in [SAMPLE]\openssl.cfg - and edit as below.

####################################################################
[ ca ]
#default_ca = CA_default
default_ca = WSO2WSAS_CA

####################################################################
Let's create the public/private key pair for the CA first. Answer the prompts (passphrase and subject fields) appropriately.

[SAMPLE]\>openssl req -x509 -newkey rsa:1024 -keyout ca\private\cakey.pem -out ca\cacert.pem -config openssl.cfg

Now we can create the public/private key pair for the server and generate the CSR.

[SAMPLE]\>keytool -genkey -alias wso2wsas -keyalg RSA -keystore wsas\wso2wsas.jks

[SAMPLE]\>keytool -certreq -keystore wsas\wso2wsas.jks -alias wso2wsas -file wsas\wso2wsas.cert.req

Next, the CA can sign the server cert.

[SAMPLE]\>openssl ca -config openssl.cfg -out wsas\wso2wsas.pem -infiles wsas\wso2wsas.cert.req

Now we need to convert both the CA's public cert and the server's signed cert from PEM to DER.

[SAMPLE]\>openssl x509 -outform DER -in wsas\wso2wsas.pem -out wsas\wso2wsas.cert

[SAMPLE]\>openssl x509 -outform DER -in ca\cacert.pem -out wsas\wso2wsasca.cert

After the conversion, the server can import the CA's public cert and the server's signed certificate into its key store.

[SAMPLE]\>keytool -import -file wsas\wso2wsasca.cert -alias wso2wsasca -keystore wsas\wso2wsas.jks

[SAMPLE]\>keytool -import -file wsas\wso2wsas.cert -alias wso2wsas -keystore wsas\wso2wsas.jks

That's it and we are done.
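The same flow run end to end as a script, so the result can be checked before anything is imported into a keystore; this is an added example, not code from the original post. It assumes a POSIX shell with an OpenSSL 1.1.1 or 3.x binary, uses openssl in place of keytool for the server key and CSR (so it runs without a JDK), and the passphrase 'demo', the subjects and the temporary SAMPLE directory are assumptions; the distinguished_name entry only has to name an existing section because -subj supplies the names.

```bash
# Added example (not the post's code): the post's CA flow run non-interactively on a POSIX shell,
# checked with 'openssl verify'. keytool is replaced by openssl; 'demo', subjects, SAMPLE are assumptions.
set -eu
SAMPLE="${SAMPLE:-$(mktemp -d)}"

setup_ca() (  # [SAMPLE]\ca layout from the post plus a minimal openssl.cfg
  cd "$SAMPLE"
  mkdir -p ca/certs ca/crl ca/newcerts ca/private wsas
  : > ca/index.txt; openssl rand -hex 8 > ca/serial   # empty DB file + random serial for 'openssl ca'
  cat > openssl.cfg <<'EOF'
[ ca ]
default_ca = WSO2WSAS_CA
[ WSO2WSAS_CA ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
x509_extensions = usr_cert
default_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = policy_anything
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
  # sha256/rsa:2048 rather than the post's sha1/rsa:1024: OpenSSL 3 refuses sha1 signatures when verifying
  openssl req -x509 -newkey rsa:2048 -passout pass:demo -subj "/CN=Demo CA" \
    -keyout ca/private/cakey.pem -out ca/cacert.pem -config openssl.cfg
)

issue_server_cert() (  # CSR via openssl (the post uses keytool), CA signs it, then PEM -> DER
  cd "$SAMPLE"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" -config openssl.cfg \
    -keyout wsas/wso2wsas.key -out wsas/wso2wsas.cert.req
  openssl ca -batch -config openssl.cfg -passin pass:demo -out wsas/wso2wsas.pem -infiles wsas/wso2wsas.cert.req
  openssl x509 -outform DER -in wsas/wso2wsas.pem -out wsas/wso2wsas.cert
  openssl x509 -outform DER -in ca/cacert.pem -out wsas/wso2wsasca.cert
)
verify_chain() (  # the check the post omits: the DER server cert must chain to the CA cert
  cd "$SAMPLE" && openssl x509 -inform DER -in wsas/wso2wsas.cert -out wsas/check.pem &&
  openssl verify -CAfile ca/cacert.pem wsas/check.pem >/dev/null 2>&1 && echo OK
)
```

Run it from any directory; verify_chain prints OK only when the DER server certificate re-parses and validates against ca/cacert.pem, which is the state you want before the keytool -import steps.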