|The Open–source PKI Book: A guide to PKIs and Open–source Implementations|
|Prev||Chapter 4. General implementation overview||Next|
The user generates a key pair for a certificate to be used by that user or any entity that needs to be authenticated by the CA. We also show the signing procedure.
Use this command to generate the RSA key pair
User% openssl genrsa –des3 –out user.key 2048
the openssl component to generate an RSA key–pair,
the symmetric algorithm to encrypt the key–pair,
the filename to store the key–pair,
size of RSA modulus in bits.
Execution of the above command presents the user with the following dialogue:
1112 semi-random bytes loaded Generating RSA private key, 2048 bit long modulus .+++++ ........................................................++++++++++++ e is 65537 (0x10001) Enter PEM pass phrase: enter the pass–phrase here Verifying password - Enter PEM pass phrase: re–enter pass–phrase here
This creates an RSA key pair stored in the file user.key. The key pair is encrypted with 3DES with a password supplied by the user during key generation. The N in RSA is 2048 bits long.
The reader should note that this is the same procedure as the generation of the CA key–pair. For sample key–pairs, please see the appendices listed in the Section called Generate the RSA key–pair for the CA.
The user generates a certificate request with this command. The CSR is sent to the CA for signing. The CA returns the the signed certificate.
User% openssl req –new –key user.key –out user.csr
the openssl component to generate a certificate request,
this is a new certificate,
the key–pair file to be used,
the filename that the new certificate request will be written onto
By executing the above command, we are presented with the following dialogue:
Using configuration from /usr/local/ssl/openssl.cnf Enter PEM pass phrase: type the pass–phrase here You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:GB State or Province Name (full name) [Some-State]:Surrey Locality Name (eg, city) :Egham Organization Name (eg, company) [MyCo Ltd]:Arts Building Ltd Organizational Unit Name (eg, section) :Dept. History Common Name (eg, YOUR name) :Simos Xenitellis Email Address :S.Xenitellis@rhbnc.ac.uk Please enter the following 'extra' attributes to be sent with your certificate request A challenge password :. An optional company name :. User%
This command creates a certificate request stored in the file user.csr. In this phase, the user enters the values of the fields for the X.509 Certificate as shown. For a certificate request in PEM format, please see the Section called Sample certificate request in PEM format in Appendix B. For a TXT or human–readable version, please check the Section called Sample certificate request in TXT format in Appendix B.
The CA receives the certificate request, and depending on the policy used, will decide whether to sign the CSR. If it trusts the user, it signs the CSR as follows:
CA_Admin% ./sign.sh user.csr CA signing: user.csr -> user.crt: Using configuration from ca.config Enter PEM pass phrase: enter the pass–phrase Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName :PRINTABLE:'GB' stateOrProvinceName :PRINTABLE:'Surrey' localityName :PRINTABLE:'Egham' organizationName :PRINTABLE:'Arts Building Ltd' organizationalUnitName:PRINTABLE:'Dept. History' commonName :PRINTABLE:'Simos Xenitellis' emailAddress :IA5STRING:'S.Xenitellis@rhbnc.ac.uk' Certificate is to be certified until Feb 6 13:30:41 2001 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated CA verifying: user.crt <-> CA cert user.crt: OK CA_Admin%
This command produces a file called user.crt, the Certificate of the user. The sign.sh script can be found in the modssl package, described above, at the /pkg.contrib/ directory. This script uses openssl as a backend. We use the script and not the manual procedure because with the latter we would have to perform rather several steps and this would be out of the scope of this book. In a future version of this document, we shall revisit this issue.