Customizing X.509 Certificate Fields
Charles D. Short
CS526 – S2008
University of Colorado, Colorado Springs
Dr. C. Edward Chow
5/5/2008
CDS - UCCS CS526 - S2008
1
Discussion
• Project Goal
• Background
• OpenSSL
• OpenSSL commands
• openssl.cnf File
• Project .cnf Files
• Certificate Process
• Install Server Certificate
• Install Client Certificate
• Client Certificate
• Certificate challenge
• Server Acknowledgement
• Server Response
• Lessons Learned
• Future Research
Project Goal
• Determine and detail how to insert custom
field information into an X.509 certificate.
Background
• An X.509 certificate can be used for authentication
between a client and server to ensure client identity,
but its standard subject fields carry no
application-specific information that a custom
application running on the server could act on.
• This project details how to insert additional
information into the client certificate so that a
server-based application can provide services based
upon that information.
Test Environment
OpenSSL
• Open source project
• Based on SSLeay library developed by Eric A.
Young and Tim J. Hudson
• Provides cryptographic toolkit
– Secure Sockets Layer (SSL)
– Transport Layer Security (TLS)
– General purpose cryptography library
• http://www.openssl.org/
OpenSSL Commands
– ca
• Certificate Authority
– Sign certificate requests
– Generate Certificate Revocation List (CRL)
– Maintain issued certificate database
– req
• Create and process certificate requests
– Certificate request creation
– Self-signed certificate creation (-x509)
– Certificate display
– x509
• Multi purpose certificate utility
– Display certificate information
– Convert certificates to various forms
– Sign certificate requests
– Edit certificate trust settings
openssl.cnf File
• Divided into sections that begin with bracketed
identifiers such as [ ca ]
• The ca and req commands each read the section named
after them; the x509 command has no section of its own
but can be pointed at an extension section with
-extfile and -extensions
• The [ req ] section names the distinguished_name
section, which is where the DN fields (including any
custom ones) are declared
• Directives consist of <attribute> = <value>
• Provides field values
• Provides field defaults
• Provides field attributes
• Provides user prompts
openssl.cnf File (cont)
• CA Section
– [ ca ]
– [ CA_default ]
– [ policy_match ]
– [ policy_anything ]
• REQ Section
– [ req ]
– [ req_distinguished_name ]
– [ req_attributes ]
• X.509 EXTENSION DIRECTIVES
– [ usr_cert ]
– [ v3_req ]
– [ v3_ca ]
– [ crl_ext ]
• http://www.technoids.org/openssl.cnf.html
Project .cnf Files
• Certificate Authority
– http://cs.uccs.edu/~cdshort/cs526/certreq.txt
• Server
– http://cs.uccs.edu/~cdshort/cs526/serverreq.txt
• Client
– http://cs.uccs.edu/~cdshort/cs526/clientreq.txt
Certificate Creation Process
• Create certificate authority (self-signed, via req -x509)
– openssl req -config certreq.cnf -x509 -newkey rsa:2048 -keyout cakey.pem -out cacert.pem
• Create server certificate request
– openssl req -config serverreq.cnf -newkey rsa:1024 -keyout servertempkey.pem -out serverreq.pem
• Sign server certificate
– openssl ca -config certreq.cnf -in serverreq.pem -out servercrt.pem
• Create client certificate request
– openssl req -config clientreq.cnf -newkey rsa:1024 -out clientreq.pem -keyout clientkey.pem
• Sign client certificate
– openssl ca -config certreq.cnf -in clientreq.pem -out clientcrt.pem
• Notes
– The custom DN fields come from the req_distinguished_name section of the client .cnf; the CA's policy section must list them, otherwise ca silently drops them from the issued subject
– 1024-bit RSA was already marginal in 2008; use 2048 bits or more today
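The whole procedure above, carried through end to end as an added example (not the project's own .cnf files or scripts, which the slides only link to): a scratch CA whose openssl.cnf registers a custom DN attribute, a client request that carries it, CA signing under a policy that requires it, chain verification, and extraction of the attribute value the way a server-side application would read it. The OID 1.3.6.1.4.1.99999.1, the attribute name projectRole, the value auditor and the DN values are invented placeholders (register an arc under your own private enterprise number before using one for real); the script assumes an openssl binary on PATH and uses a temporary directory as its working area.

```shell
#!/bin/sh
# Added example, not the project's .cnf files or scripts: a throwaway CA
# whose openssl.cnf defines a custom DN attribute, a client certificate
# carrying it, and the extraction a server-side application would do.
# Assumed placeholders: OID 1.3.6.1.4.1.99999.1, attribute name
# projectRole, value auditor; WORK is scratch space.
set -eu

WORK=${WORK:-$(mktemp -d)}
CONF="$WORK/demo.cnf"
ROLE_OID=1.3.6.1.4.1.99999.1

write_config() {
    # oid_section gives openssl a short name for the new OID; req and ca
    # then accept it wherever C, O or CN are accepted. The policy matters:
    # ca rebuilds the issued subject from the policy entries, so an
    # attribute missing from policy_custom would be dropped silently.
    cat > "$CONF" <<EOF
oid_section = custom_oids
[ custom_oids ]
projectRole = $ROLE_OID
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
policy = policy_custom
x509_extensions = usr_cert
[ policy_custom ]
countryName = match
organizationName = match
commonName = supplied
projectRole = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = US
O = Demo CA
CN = client1
projectRole = auditor
EOF
}

build_ca() {
    mkdir -p "$WORK/newcerts"; : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
    # -subj overrides the client DN in the config; v3_ca marks a CA cert.
    openssl req -config "$CONF" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/O=Demo CA/CN=Demo Root CA" -extensions v3_ca \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

issue_client() {
    # Request DN (with projectRole=auditor) comes from the config; ca
    # checks it against policy_custom before signing.
    openssl req -config "$CONF" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/clientkey.pem" -out "$WORK/clientreq.pem" 2>/dev/null
    openssl ca -config "$CONF" -batch -in "$WORK/clientreq.pem" \
        -out "$WORK/clientcrt.pem" 2>/dev/null
}

reject_missing_role() {
    # Negative case: a request without projectRole must be refused,
    # because the policy marks that attribute as "supplied".
    openssl req -config "$CONF" -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Demo CA/CN=client2" \
        -keyout "$WORK/client2key.pem" -out "$WORK/client2req.pem" 2>/dev/null
    ! openssl ca -config "$CONF" -batch -in "$WORK/client2req.pem" \
        -out "$WORK/client2crt.pem" 2>/dev/null
}

verify_client() {
    # Chain check plus purpose check (EKU clientAuth, KU digitalSignature).
    openssl verify -CAfile "$WORK/cacert.pem" -purpose sslclient "$1" >/dev/null
}

get_role() {
    # Pull the custom attribute out of the subject. Depending on whether
    # openssl's default config knows the OID it prints the short name or
    # the dotted form; normalise to dotted, then cut out the value.
    openssl x509 -in "$1" -noout -subject \
        | sed -e "s/projectRole/$ROLE_OID/" -e "s/.*$ROLE_OID *= *//" -e 's/[,/].*//'
}

write_config; build_ca; issue_client; reject_missing_role
verify_client "$WORK/clientcrt.pem"
echo "projectRole in issued certificate: $(get_role "$WORK/clientcrt.pem")"
```

Run it as a shell script; it prints the extracted attribute value. The policy_custom section is the part the slides' .cnf files must get right: listing the custom attribute there is what carries it from the request into the issued certificate, and marking it supplied makes ca refuse a request that lacks it, which is the reject_missing_role step.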
Install Server Certificate
• Move Certificates and Keys
– sudo cp servercrt.pem /etc/ssl/certs
– sudo cp serverkey.pem /etc/ssl/private
– sudo cp cacert.pem /etc/ssl/certs
• Edit /etc/apache2/sites-available/default
– SSLEngine on
– SSLCertificateFile /etc/ssl/certs/servercrt.pem
– SSLCertificateKeyFile /etc/ssl/private/serverkey.pem
• Edit /etc/apache2/ports.conf
– Listen 443
• Edit /etc/apache2/httpd.conf
– SSLVerifyClient require
– SSLVerifyDepth 1
– SSLCACertificateFile /etc/ssl/certs/cacert.pem
– SSLOptions +StdEnvVars
• Notes
– SSLCACertificateFile takes a file, not a directory (SSLCACertificatePath is the directory form); with SSLVerifyDepth 1 only certificates signed directly by this CA are accepted
– SSLOptions +StdEnvVars is what exports SSL_CLIENT_S_DN and the other SSL_* variables to the application environment
• Enable SSL
– sudo a2enmod ssl
• Restart Web Server
– sudo /etc/init.d/apache2 restart
Install Client Certificate
• Combine client certificate and key
– cat clientkey.pem clientcrt.pem > clientcrtandkey.pem
• Convert PEM to PFX
– openssl pkcs12 -export -out clientcert.pfx -in clientcrtandkey.pem -name "UbuntuWS1 Client certificate"
• Import using Internet Explorer
– tools/internet options/content/certificates/import
Client Certificate
Certificate Challenge
Server Acknowledgement
Server Response
Server PHP Code
<!-- Display Client Certificate Fields -->
<html>
<head>
<title>Client Certificate Subject Distinguished Name Field:</title>
</head>
<body>
<h1><b>Client Certificate Subject Distinguished Name:</b></h1>
<hr>
<?php
// SSL_CLIENT_S_DN reaches $_SERVER only when mod_ssl has verified the
// client certificate and SSLOptions +StdEnvVars is set for this location.
// The DN is data taken from the certificate, so HTML-escape it on output.
$dn = isset($_SERVER['SSL_CLIENT_S_DN'])
    ? $_SERVER['SSL_CLIENT_S_DN'] : '(no verified client certificate)';
print('ClientSDN: ' . htmlspecialchars($dn, ENT_QUOTES) . "<br><br>");
?>
</body>
</html>
Lessons Learned
• Documentation is scarce
• Documentation is confusing
• Certificate fields are obscure
• Flexibility is limited
Future Research
• Explore the addition of fields outside of the
Distinguished Name (DN) section.
• Explore the creation of a different certificate
format.
• Modify MOD_SSL code to process new
certificate contents.
• Modify Client browser to process new
certificate contents.
References
• http://www.openssl.org/
• http://www.openssl.org/docs/apps/ca.html
• http://www.openssl.org/docs/apps/req.html
• http://www.openssl.org/docs/apps/x509.html
• http://www.technoids.org/openssl.cnf.html
• http://www.oid-info.com/standards.htm
• http://www.zaphu.com/2007/08/21/ubuntu-lamp-server-guide-configure-apache-mysqland-cgi-bin/
• http://cs.uccs.edu/~cs526/secureWebAccess/secureWebAccess.htm
• https://help.ubuntu.com/6.06/ubuntu/serverguide/C/httpd.html
• http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
Questions?