CA means Certificate Authority. In case of gmail, it is thawte consulting Ltd. CAs are commercially available & they charge for their service. Some are free while government agencies & Universities manage their own CAs. You can build your own too.
The real question --> How the whole thing works?
Well, CA issues digital certificates & generates public - private key pair. Digital certificate contains public key & site owner's identity. The private key is kept secret with the CA. So, when you open up a secure https site, the CA is there to confirm its authenticity & it tells you that it is the actual server or spot you are looking for. Its an example of trusted 3rd party. Its like, you send a sms to your girlfriend & your girlfriend checks your signature to confirm that its from you, just a crude example.
***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***
So, how to create your own CA.
There are 2 steps in it -->
1. Generating a Certificate signing request
2. Creating a CA signed certificate
Going through the first step:
-> login as root
>su -i
password :
-> Setting default values for the certificate.
edit the file.
>vi /etc/pki/tls/openssl.cnf
Append some lines under "[CA_default]" in the file as given below.
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certificate = $dir/my_ca.crt # The CA certificate
crl = $dir/my_ca.crl # The current CRL
private_key = $dir/private/my_ca.key # The private key
Similarly under [ req_distinguished_name ], Edit as per your specification.
[ req_distinguished_name ]
countryName_default = IN
stateOrProvinceName_default = Delhi
localityName_default = SouthEx
0.organizationName_default = Some_Company
-> Creating supporting directories
>cd /etc/pki/CA/
> mkdir certs newcerts crl
-> Create empty certificate index & create serial no. file for certificates
>touch /etc/pki/CA/index.txt
>echo 01 > /etc/pki/CA/serial
-> Generate private key.
>cd /etc/pki/CA
>umask 077 // (changing default mask value)
>openssl genrsa -out private/my_ca.key -des3 2048
my_ca.key is the name of key & 2048 is the length of key, rsa is the algo used.
After the command is executed, a pass phrase will be asked, like this one
__________________________________________________ _______________
Generating RSA private key, 2048 bit long modulus
.................................................. .........+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for private/my_ca.key:
Verifying - Enter pass phrase for private/my_ca.key:
__________________________________________________ _______________
Enter pass phrase twice.
Now going into the 2nd step:
-> Create self signed certificate.
>cd /etc/pki/CA
>openssl req -new -x509 -key private/my_ca.key -days 365 > my_ca.crt
After executing this command, it will prompt you for the pass phrase, you typed in the previous step & then you have to enter some general information related to the certificate. As you have changed some default values in the file /etc/pki/tls/openssl.cnf, you don't need to change those.
It appeared like this for me. In the above command 365 days is the expiry date of the certificate.
__________________________________________________ _______________
[root@localhost CA]# openssl req -new -x509 -key private/my_ca.key -days 365 > my_ca.crt
Enter pass phrase for private/my_ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [Delhi]:
Locality Name (eg, city) [SouthEx]:
Organization Name (eg, company) [Some_Company]:
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:VIK
Email Address []:vik@gmail.com
[root@localhost CA]#
__________________________________________________ _______________
Now CA certificate is ready. It should be made available to clients for download. We can use http (Apache) for this job.
-> install httpd & mod_ssl
>yum install httpd* OR >rpm -ivh httpd*
>yum install mod_ssl* OR >rpm -ivh mod_ssl*
Incase of redhat yum resolves dependencies automatically
-> restart http service & put it under chkconfig
>service httpd restart
>chkconfig --level 345 httpd on
-> If firewall is enabled, unblock the traffic through port 80 & 443, mostly the ports are open but just to make sure.
>iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>service iptables save
-> Now, link it to your already configured apache server (& dns). Create a directory /var/www/html/certs/ & copy the self signed certificate there & make sure it is world readable with SElinux type "httpd_sys_content_t". Issue the following commands.
>chmod -R 555 /var/www/html/certs/
>cp /etc/pki/CA/my_ca.crt /var/www/html/certs/
>chcon -t httpd_sys_content_t /var/www/html/certs/
/var/www/html/www.example.com/html/ is your document root of the site & www.example.com is your server name.
Its done! If someone wants, I can write a simple tutorial on configuring apache + dns (with or without chroot & HTTP OR HTTPS).
Now after all these steps, I assume your dns & apache are working properly (dig example.com returns ANSWER:NOERROR), try to browse your server, it will prompt for adding certificate that you created just now. Add the certificate to you browser.
Your browser has an inbuilt list of well known certificates that you can see.
>tools > option (or edit > preferences as per the version of firefox)
>advanced > encryptions > view certificates.
Sometimes when we try to access a random site, mozilla firefox alerts for adding exception.
Its because, your browser can't validate that site & its CA, you can browse that site after adding it as exception & taking the responsibilities of all threats.
***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***---***
Possible threats!
let me generate a situation, assume I run a cyber cafe and I created a fake site of paypal and linked it with a self signed certificate of my own, as I did above. And I added that certificate to the default browsers of all my pcs.
I configured it such that, when you enter the url - www.paypal.com, it directs you to my fake site signed with my own CA.
Ya, I know you don't remember the CA for the genuine paypal site & you are not aware enough to check the name of CA to make sure its genuine.--PERFECT!!
So, when you click login, it sends your username & password to my remote secret database file & the browser directs you to a fake connection timeout page. It makes you believe that there is some problem with the internet connection. After that, when you click try again or try refreshing the page, it will direct you to the actual paypal site. Ahh, the internet connection is back!! & someone succeeded in his bad game!
So, be sure to check the CA, when you access https sites through public computers. Atleast you can remember some CAs of email site that are important to you & bank sites that ask your credit/debit/ATM card credentials.
Check this out.. they are apparently implementing to some extent what I have discussed in this post
I hope it's quite informative.
Thanks for reading it!
Browser concerned in the Article : Mozilla Firefox
OS concerned in the Article : Redhat linux Server Enterprise Edition 5.2 (might work on other linux distribution)
sources of information :
http://en.wikipedia.org/wiki/Certificate_authority
Redhat Security Specialist Study books.
No comments:
Post a Comment