Creating a Certificate Authority with OpenSSL and ECDSA

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hey everyone in this video I'd like to take a look at using open SSL to create a certificate authority and then using that certificate authority to create a signed host certificate so this can be useful for several situations one of them is just development where you just need a certificate authority and maybe a few host certificates to use for testing but it's also useful for maybe production environments if you want some sort of internal PKI that you don't need to be globally trusted so you don't want to go out and pay for a certificate and you don't need to then having this skill is potentially pretty useful and it doesn't require for instance some Active Directory certificate services you can do it with open SSL for free so let's take a look at how to do this first thing I want to point out is that I have these notes up on our github page so if you want to refer back to them when you're doing these these activities you can do that so I've got a single document here for ECDSA and then a sort of a matching document for RSA depending on which type of asymmetric cryptography you'd like to use in this video we're going to demonstrate ECDSA but I did put both up because people have their preferences so we're going to in this video make a certificate authority and then we will make a single host certificate and sign it using that certificate authority so the first step we have to do when we're using asymmetric crypto or in this case not asymmetric crypto but specifically elliptic curve cryptography is we have to pick which curve we want to use so let me kind of rearrange the screens here like thus and let's let's begin demonstrating this i'm on linux this will work these commands will work exactly the same on Mac OS on Windows there might be a little bit of wonkiness with the command line so you might have to like quote certain things that you wouldn't otherwise have to quote I'm not sure but I have gotten this to work on PowerShell it just requires a little bit more finessing but we're going to demonstrate this on Linux this is just a some virtual machine running in the cloud somewhere so let's let's start this up first thing we want to do when we're creating a certificate authority with elliptic curve cryptography is we want to see what curves we have available to us and the way to do that you can run OpenSSL EC per M and then - list underscore curves and then on UNIX platforms you can actually pipe that into less so it doesn't just spit out this huge list at you at once right so you can actually kind of poke through it so when we do this notice that there are a lot of options here so lots of different curves have been defined but the one that we're interested in see if we can find it here maybe if we go back up is prime 256 v1 yeah right here so prime 256 v1 is what we're going to use it's kind of widely supported across most browsers basically every browser so that's one reason to use it there are plenty of other options but of course you'd have to sort of do your research as to which one applies to you there is absolutely a security versus performance trade-off that you have to make and I think that prime 256 v1 is kind of one of the sort of curves that is in the sweet spot right it's in the middle ground so we are going to use prime 256 v1 and first thing we have to do for our certificate authority is just generate a private key so for an elliptic curve private key we're going to use EC paramah ghin and then we're going to use the flag or yeah flag I guess Gen key to generate key and we have to tell it what elliptic curve we want to use which is prime 256 b1 and then we have to tell it where to output that key to so if we do out CA key it should now be right here in our local directory so CA key and if we print that out using cat here is our elliptic key or elliptic curve key so you can see our EC parameters as well as the private key here all right so that's the first step and now we have to take that key and use it to make a self-signed certificate so I'm going to scroll down here because open SSL one thing about it the command-line syntax can be pretty involved and it's very so I'm definitely going to be referring to my own notes as I go through this but will will try to explain some of these flags as we go through so again open SSL but this time we're going to make a self signed certificate and to do that we say rec but then we say x.509 so the - x.509 here says don't output a certificate signing request actually just output a self signed certificate so in the case of a host we want a CSR a certificate signing request that we'd then give to the CA but because we are making the CA we have no CA to send a CSR to so at some point you know in the PKI heart hierarchy we have to have a self signed certificate some way so that's what we're doing now we're going to make a sort of a request but we're really not outputting a request we're just going to make a self signed certificate for the certificate authority so long story short the - x.509 here just says make a self signed certificate don't make a signing request okay so we say - x.509 and this is going to be new and we can specify a hashing algorithm that we want to use I'm just going to use sha-256 there's plenty of options you can use sha 384 or 512 but we're going to use sha 256 I'm gonna say no des so that means we're not going to encrypt any private keys if applicable maybe not the best option to use in production you probably do want to have those keys encrypted and password protected but for a demo we're just going to leave it unencrypted so no des and then we specify the key that we want to use which is CA key we want to then specify the validity period of the certificate so because this is a CA we can kind of use a longer validity period than we would for hosts because especially with CAS you don't want to be constantly turning over those certificates so 10 years is what we'll do 365 times 10 and then we're going to say output this to see a dot cert and finally if you want to if you just ran that command as is it would start prompting you for like the the country and the state in the locality and so on and so forth alternatively if you want to just get this down in one command you can use the - subject well up subj which means subject and you can specify this in the command line so that's what we'll do and we're gonna say the country is the United States the state in my case is Arizona the locality in my case is going to be Tempe and then like canonical name for the CA we'll just say see a demo when we just double checked I'm getting the syntax right here oh yeah we want to add an organization probably so we could say oh is SW for storm wind I think I've got that syntax right so let's run it could not load root dot that's not that's not promising it's a little ok x.509 keys CA key ok very much not promising so let's do some troubleshooting here otherwise I might have to kind of come back to this video okay okay so let's see if we can do this I wouldn't would it be vide Etsy / open / SSL maybe / open SSL Kampf and let's just delete the RAM file here so what that I think this will work but basically there was some sort of MIS configuration in the the configuration file here on Linux so what I did was I went into the configuration file for openness to sell and deleted it so you can tell this is the first time I've actually used this particular server and hopefully that will work but let's see it does so if you ever run into that random error that I've never seen before you can go into the open SSL configuration file and delete that brand file entry so it's kind of weird I've never seen that before but luckily Google saves the day as usual so back to back to our regular regularly scheduled programming we do an LS here we now have a certificate if we cat out the certificate there's our certificate that's our CA certificate so now we have to actually we've got our CA setup we have to make a host certificate and the steps are kinda similar but they they do differ so we will basically run the same command that we did for the certificate authority to make the private key so it's gonna be open SSL eCPM - gen key - name prime prime 256 v1 and the output will be in this case host key and if we do a cat not a cart for the cat a post key alright we've got our our host key now so we'll clear the screen and now we're going to run a slightly different command so previously when we use this ret command for the certificate authority we use the - x.509 to tell it that we wanted to make a self-signed certificate but for this we don't want to do that we want to make a certificate signing request so we're going to say rec new sha-256 the key is our hosts key so host key we're gonna say no des once again and we want to output it to host dot CSR so the certificate signing request and once again we want to provide it with maybe that subject information instead of having to do it interactively so /c for the country is the US state is Arizona the locality is going to be Tempe the organization will be Stormwind or just SW and then our canonical name will be or common name I guess will be host dot to the demo all right so that's that and if we do an LS it's there if we cat out the certificate signing request notice in the header here it says begins certificate request so that gets us most of the way there but we then have to turn off caps lock clear the screen and then we have to actually take that CSR and feed it into the certificate authority to get a signed certificate out so the way we can do that is open SSL x.509 notice that this is not - x.509 this is just x.509 so this is where open SSL can get kind of weird sometimes a command requires - sometimes it doesn't and that's why I decided to make this video because it can get very confusing and having just a set of notes like this hopefully will be a little helpful but in this case it's x.509 - request we're gonna use sha-256 we could specify the days so for this host certificate maybe two years roughly and the input file is going to be our certificate signing request we have to tell it to our what certificate the certificate authority is using so it's C 8 on cert and then our CA key which is what's going to be used for actually signing the certificate when we make it and one kind of warning capitalization does matter so key is lowercase here and it's just going to be C a key and C a create serial so it will create a serial number and then we want to output this as host dot cert so let's see will this work yeah it looks like it did so let's again cat that out so we'll say host cert and there we go we've got our our certificate for this host that has been signed by a certificate of authority so what you could do is take the certificate authorities certificate and install it on machines that you want to trust these certificates that signs right so if you installed the certificate authority certificate it will sort by default you know trust this particular certificate or any other certificate that is signed by that CA so I can make it that can become nice especially in development environments one last thing that I want to point out though if we scroll down just a bit more if we can't out the the hosts private key this format sometimes isn't going to play well so say you're spinning up a web server so this is something that I ran into recently when I was using he was acting so it's like a rest framework for for web servers I was trying to load the the private key on to a web server but it wasn't taking the private key in this format the the particulars crate that I was using to to implement cryptography didn't like this format so what you can do if you run into any sort of issues with your private key for the host is you can actually convert it into a different format so in this case we're going to use pkcs 8 we're going to say 2 pkcs 8 basically 2pk 8 and we're going to input the host key and we'll output you know host maybe an underscore pkcs 8 that key so this is a private key file still it's just in a different format and we'll say no crypt I'm not sure if it would even prompt us to encrypt it but just to be safe let's just do that now if we do an LS we've now got a host key and a host pkcs a key if we cap those outs yeah we'll do a host yeah we'll just do each of them sequentially host key host piqué piqué CSAP so this is the host key this is the format that this sort of starts with where it's got the EC parameters and then the EC private key but again some servers won't like that private key format so if you run into an issue if it throws an error then you can convert it into PK CSA which is really just taking the elliptic curve private key by itself notice that this is all the same year or looks like it's encoded differently possibly but it's taking that private key and basically chopping off the EC parameters and kind of changing the header here and in doing so it's it maybe more compatible with certain certain bits of software so you may want to do that or at least be aware that that's an option so what we did here we made a CA using elliptic key cryptography using a particular curve then we using that CA and a certificate signing request that we generated separately from that we created this signed certificate for a host you could do this as many times as you want for these host certificates as long as the systems that you're interested in have the CA certificate installed the host certificates that are signed by it will be trusted so it is a little bit in-depth but that's why I basically made these these cheat sheets and I'm going to continue to add to this little open SSL notes repository with items like this as well as with maybe notes on compiling open ssl with less features with only secure options for cryptography things like that but yeah this is the ECDSA md file and alternatively if you want to do RSA encryption you can come to the RSA file and it's just a slightly different syntax very similar just with a few variations so I hope that's helpful hopefully the syntax didn't completely scare you off because open SSL is really great it's the backbone of the internet and Internet Security so it's good to know how to actually interact with it at the command line that said it can be a bit of a bear the syntax can absolutely be a bit difficult and unintuitive and just very verbose so hopefully again hopefully these notes are helpful so thanks for joining me and I will see you in the next video
Info
Channel: StormWind Studios
Views: 3,807
Rating: undefined out of 5
Keywords:
Id: LIlyb_rRnPY
Channel Id: undefined
Length: 17min 48sec (1068 seconds)
Published: Tue Jul 21 2020
Related Videos
"Zero Trust SSH" - Jeremy Stott (LCA 2020)
linux.conf.au
12K
14. SSL and HTTPS
MIT OpenCourseWare
164K
CA Server - OpenSSL
Tech Tutorials - David McKone
589
Special Lecture: F-22 Flight Controls
MIT OpenCourseWare
2.1M
Rust Crash Course | Rustlang
Traversy Media
644K
WiBisode: Create Your Own Root Certificate Authority
Kevin WiBit
6K
FortiGate 60F HA Cluster Build
Fortinet Guru
1.1K
How To Speak by Patrick Winston
MIT OpenCourseWare
5.1M
A First Look at Windows 11
StormWind Studios
185
Digital Certificates Explained - How digital certificates bind owners to their public key
Destination Certification
22K
OpenSSL Certification Authority (CA) on Ubuntu Server
Networklessons.com
71K
Create Your Own Certificate Authority with XCA
InfoSec Tutorials
3.6K
Vitamin D in Israel
Dr. John Campbell
610K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.