Diploma Thesis - Mirko Richter - Experiences - Openssl

Maven | Professur Rechnernetze

Project Documentation

Experiences: Usage of Openssl

This document describes work items and experiences made when using openssl.

Workitems

Workitem	Description
Create Root-Certificate and Certification Authority	Create ROOT-CA directory structure \| --- diplomCA \| --- certs \| --- crl \| --- newcerts \| --- private The root directory of this structure is later referenced as %CA_HOME% Downloaded openssl 0.9.7e for win generated ROOT-certificate using command: openssl req -new -x509 -keyout cakey.pem -out cacert.pem creating of the file serial in directory %CA_HOME%/diplomCA; filling it with '011E' as initial value creating the empty file index.txt in directory %CA_HOME%/diplomCA copied the private key of the ca (cakey.pem) into the directory %CA_HOME%/diplomCA/private copied the ca-certificate (cacert.pem) into the directory %CA_HOME%/diplomCA copied the file openssl.cnf from the directory %OPENSSL_HOME%\bin as diplomssl.cnf to %CA_HOME% for configuration modified the var dir inside the file diplomssl.cnf to the value ./diplomCA
Create Publisher CA	Create PUBLISHER-CA directory structure \| --- publisherCA \| \| \| --- certs \| \| \| --- crl \| \| \| --- newcerts \| \| \| --- private \| --- trustedCerts The root directory of this structure is later referenced as %PUBLISHER_HOME% generated new certificate-request for my uddi-publisher-certificate openssl req -new -keyout publisher_privkey.pem -out publisher_certreq.pem -days 365 signing the certificate-request with my former created CA (execute command in root dir of CA!) openssl ca -in %PUBLISHER_HOME%/publisher_certreq.pem -out %PUBLISHER_HOME%/publisher_cert.pem -config diplomssl.cnf moved publisher_cert.pem to %PUBLISHER_HOME%/publisherCA moved publisher_privkey.pem to %PUBLISHER_HOME%/publisherCA/private creating of the file serial in directory publisher_1/publisherCA; filling it with '011E' as initial value creating the empty file index.txt in directory %PUBLISHER_HOME%/publisherCA copied the file openssl.cnf from the directory %OPENSSL_HOME%\bin as publisherssl.cnf to %PUBLISHER_HOME% configuration modified the var dir inside the file publisherssl.cnf to the value ./publisherCA modified the var certificate inside the file publisherssl.cnf to the value $dir/publisher_cert.pem modified the var private_key inside the file publisherssl.cnf to the value $dir/private/publisher_privkey.pem copied the certificate of my CA (%CA_HOME%/diplomCA/cacert.pem) to dir %PUBLISHER_HOME%/trustedCerts and renamed it to ae697688.0 (hash of subject) the hash of the certificate's subject can be calcultated as follows: openssl x509 -hash -in %CA_HOME%/diplomCA/cacert.pem Verification of the publisher's certificate openssl verify -CApath %PUBLISHER_HOME%/trustedCerts %PUBLISHER_HOME%/publisherCA/publisher_cert.pem says: %PUBLISHER_HOME%/publisher_cert.pem: OK
Create Certificate for a concrete Webservice	Create WS certificate directory structure \| --- trustedCerts The root directory of this structure is later referenced as %WS_HOME% generated new certificate-request for my uddi-publisher-certificate openssl req -new -keyout %WS_HOME%/ws_privkey.pem -out %WS_HOME%/ws_certreq.pem -days 365 signing the certificate-request with my former created PUBLISHER (execute command in root dir of PUBLISHER-CA!) openssl ca -in %WS_HOME%/ws_certreq.pem -out %WS_HOME%/ws_cert.pem -config publisherssl.cnf copied the certificate of my PUBLISHER-CA (%PUBLISHER_HOME%/publisherCA/publisher_cert.pem) to dir %WS_HOME%/trustedCerts and renamed it to e466422c.0 (hash of subject) the hash of the certificate's subject can be calcultated as follows: openssl x509 -hash -in %PUBLISHER_HOME%/publisherCA/publisher_cert.pem copied the already to its subject-hash renamed CA-certificate (%PUBLISHER_HOME%/trustedCerts/ae697688.0) to %WS_HOME%/trustedCerts Verification of the ws's certificate openssl verify -CApath %WS_HOME%/trustedCerts %WS_HOME%/ws_cert.pem says: %WS_HOME%/ws_cert.pem: OK