Masterclass in openSSL
HTML-код
- Опубликовано: 3 авг 2024
- In this masterclass video you have 1 hour in depth education in using openSSL in Linux. We first look at self-signed openSSL certificates but see their limitation. From there on we go through and create the full PKI hierarchy of the openSSL Root Certificate , an intermediate CA and server keys. We see how we sign the sub CA with the root CA and the sub CA is used to sign the certificates. We see how clients can trust the root CA and we end the masterclass demonstration on openSSL by starting an openSSL test server before configuring nginix with https.
00:00 Intro
02:06 SSH Trust and Encryption
03:30 Create the directory structure
07:30 Self Signed Keys
13:30 Private Keys
18:47 Create the Root CA Certificate
26:35 Create the Intermediate CA
36:15 Create the Server Certificate
44:30 Test the PKI Structure
The root-ca conf file follows. You can edit this file to become the sub-ca .conf. Change the directory variable and the policy
[ca]
#/root/ca/root-ca/root-ca.conf
#see man ca
default_ca = CA_default
[CA_default]
dir = /root/ca/root-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict
[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = GB
stateOrProvinceName_default = England
0.organizationName_default = TheUrbanPenguin Ltd
[ v3_ca ]
Extensions to apply when createing root ca
Extensions for a typical CA, man x509v3_config
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
Extensions to apply when creating intermediate or sub-ca
Extensions for a typical intermediate CA, same man as above
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#pathlen:0 ensures no more sub-ca can be created below an intermediate
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
Wow, it's a long time without seeing an enjoyable, deep and detailed pki video presented by somebody who really knows what he is talking about and making himself crystal clear by explaining every if and why' s!
Thank you
A million-dollar stuff is now freely available to everyone. Thank you!!!!
This is an outstanding video. For anyone viewing in 2022, note that browsers now require the subjectAltName extra, so cert signing requests formed without this will not be accepted. This shows as the somewhat unhelpful error "NET::ERR_CERT_COMMON_NAME_INVALID".
Some great little nuggets in this tutorial. I feel like I'm learning a lot more than some of the other courses I've looked at. Still overwhelmed by it.
We'll get there
Can only imagine how offended the fourth horseman is right now :-)
Apart from the above, this is a fantastic little lecture.
ooops Sorry number 4
Thank you! I watch this video for the second time in the last few years, this is my go-to for a refresher in openSSL.
Tip: do not forget to change $dir, $private_key, $certificate and $crl vars if copy/pasting from the description to the sub-ca config
(messed up my root-ca and sub-ca db/serial here when signing the certificate for the server... solution: used 'openssl ca -revoke /root/ca/root-ca/newcerts/###.pem -config /root/ca/sub-ca/sub-ca.conf' to revoke the signed cert and signed the server cert again with the correct vars for the sub-ca)
great tutorial and wonderful channel, 🐧
This is brilliant! Thank you. I didn't know about openssl running a server to test. Learned something new.
This video is absolutely phenomenal. Thank you.
Thank you. It is not complete. I could have added more but I am glad you liked it
Awesome content! It will help me with LPIC 303 exam! Much appreciated!
Excellent video and tutorial. You made it fun to learn. Kudos!
Well I watched about half of the video and I was so lost that I just stopped... :-)
It was not you, it was me. I have no idea what I would use this for so I did not see the point of finishing...
What I did watch was very well done. I am sure that someone needing this information will be happy as a lark! Lol
Thanks you for the video!
LLAP
I understand
This is how you set things up securely for your local/remote self hosted web_server .. Openssl can also be used to encrypt files , thats worth learning for anyone, check out the 'enc' function : ) .. Likely this will lead you to gpg and its encryption function + key management. Or maybe its just me that gets sucked down these various linux terminal rabbit holes lol . -education is never wasted
@@DDBAA24 Well I don't use servers or Web servers so yep it's not for me.
I don't have a use for SSH other than updating my other computers in a terminal on my local 4 computer setup... :-)
It wasn't my intention to say that "education is wasted" it is not! I just don't have a use case for this. Like I said, I'm sure some will find useful... :-)
LLAP
48:30 If you working with a debian system, you need to do the following to make this work:
as "root" copy your "ca.crt" into the directory "/usr/local/share/ca-certificates/"
cp ~/ca/root-ca/certs/ca.crt /usr/local/share/ca-certificates/
next you need to update the ca-certificates
dpkg-reconfigure ca-certificates
you can choose either "yes" or "ask" and after the script finishes you see:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Adding debian:ca.crt
done.
done.
This is where the magic happens...!
This is such a great video! Very nice explanation and demonstration!
Thank you
wow this video is gold, amazing explanation, thanks
Very good tutorial apart from two things: a) Use of CN for the server hostname was deprecated like literally 20 years before this tutorial was created. And Firefox and Chrome stopped allowing it mere months after the tutorial appeared. b) The author should warn people that "openssl ca" is not a command you want to use in a production environment because it's quite buggy and it's very easy to corrupt your index database or similar. Openssl's own documentation admits as much.
what a great explanation thank you so much!
Amazing that this is free, big thank you sir 👍
Wow, this course is so good, thanks a lot :)
Thank you for this. I'm a junior sysadmin and the company I work for recently created a new CA to sign certs for a large number of iOS devices. I didn't undertake the work, but was curious as to how they implemented it. This video has given me much greater insight into how they achieved the task. Whats also interesting is the different certificate requirements iOS has between iOS 12/13 and now 14.
Glad it was helpful!
This was awesome , Thanks Mr.Penguin
thanks
Awesome video, thank you!!! 👍
Very useful information. Well presented, and quite entertaining.
Glad you enjoyed it!
Another diamond 💎. Thanks a lot.
My pleasure 😊
I mostly use OpenSSL to merge end user certs + intermediate certs + key files to create PFX for IIS server upload but this was interesting content as well
Such a nice video.... It is very helpful. Thank you very much.
If I'm being honest, I'm probably not going to understand it properly until I actually use it in my live env, and my env is just a simple server I want to make on my Raspberry Pi 4. But I know how important security is and will learn it. Thank you for this guide!
Hola eres un gran maestro y tienes un canal estupendo
thanks for clear explanation.
Great video!
Thank you so much. I am glad you liked it
Quality mate keep it up
amazing ! thank you
Awesome video..!
You know your stuff !
"Does anyone need a coffee?" - "I certaintly do"
LOL
Super , I implemented the same on my work to create local root-CA Intermediate-CA .Thanks a lot !!!
Nice vide, TNX
Thank you
Thank you very much for this such a great video. The comments too are very much helpful. I have one query in this. With the server all set with private key and certificate how does the server sends the public key to the clients and how does that show up in the communication.
Hallo ,
Why there is no "buy me Coffee" button here. You deserve one and for all your videos. Please consider it.
Amazing tutorial!! If possible can you make a tutorial about cfssl?
Super
11:06 I had to use "-newkey" instead of "- - newkey". Didn't dig into why this is, but thought it'd be worth putting here for someone else.
Thanks
No problem
What happens when the expiry time is like 10K years?
PS: I followed the whole tutorial. Thanks for the detailed info to demystify the CA certs thing!
Thank you for this excellent explanation on buiding CA/Inter/Server certs with OpenSSL, can you provide an update that includes the use of Subject Alternate Names?
One detail thats missing I can’t seem to make work - subject alternative names. I can get SANs for the server on the CSR, but after the Sub-CA signs it, they’re gone. What am I missing in sub-ca.conf? I’d like to specify multiple fqdn’s and IP addresses as SANs
This is great. Thank you.
Exact same question here.
Same issue, do you have a solution by any chance?
Have the same problem, would love to understand what is missing in the [ server_cert ] in the sub-ca.conf.
Just had a class where we discussed PKI. Everyone (classmates and prof.) kept saying how complicated and expensive they were to implement. I knew OpenSSL existed and was wondering why a company wouldn't just do it in-house; doesn't seem that complicated (or expensive) to me... If you want a certificate for public SSL connection, sure, pay for one from one of the big vendors.
Also, can you just create different CAs for user permission levels? For instance, an intermediate CA to certify database admin keys, and another CA for database users.
👍
would you mind answering whether i need a new vm for the intermediateCA? how do i keep the rootCA offline if the intermediate is in the same vm?
It has generated the CSR in sub-root but whenever i put command to sign the csr file, I receive the following errot " wrong number of fields on line 1 (looking for field 6, got 1, '' left)
" may be any syntax error or what ?
Like.
Just taking notes here, how can I create the intermediate CA when I have the RootCA on a different machine? The command given in this video wouldn't work. @32:30
Is it as simple as entering that command on the rootca machine then moving the sub-ca.csr and sub-ca.crt to the subca machine??
The intermediateCA send a request to the CA. In the same way the server sends a signing request to the Intermediate CA/ The files are transferred to and from the signing authorities
@@theurbanpenguin What I'm saying is that he is locally referencing directories from the same machine in that command. But in a real situation we would have the rootCA on a different machine thus making that command not work
Dear Andrew, you are not using alt_names and you're using one domain name as a Common Name. What if I want to use hostname, localhost, IP address ... in addition to the domain name?
extend the subject with alt_names or create a configuration file
hi there, qq why did you switch to the root user?can't this tutorial be done as an unprivileged user?if yes then why not show the viewers how to do it as non root and it's also good practice
11:14