Friday, August 5, 2011

Revoking a certificate and generating a Certificate Revocation List.


Before we see the commands to revoke a certificate and to generate a CRL, we will first look at what revoking a certificate means and what a CRL is for.

Revoking a certificate does not alter or invalidate the certificate file itself. It remains cryptographically valid after revocation, and a user who does not check its revocation status can still use it.
Revocation means that the certificate is no longer trustworthy. When the Certificate Authority learns that the certificate's private key has been compromised and the certificate is no longer safe to use, the CA revokes it, generates a CRL (Certificate Revocation List) and publishes the CRL on its website, so that the users of the certificate can see that it has been revoked and are advised not to use it any more. Since the CA does not know who is using a certificate it issued to authenticate a particular user, the CRL is the best available way to inform all users that the certificate is no longer trustworthy.

To revoke a certificate, use the OpenSSL command below:

openssl ca -config openssl.cnf -revoke Certificates/CertificateToRevoke.cer -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer

To generate a certificate revocation list, use the command below:

openssl ca -config openssl.cnf -gencrl -out Certificates/CA.crl -keyfile Keys/RootCA.key -cert Certificates/RootCA.cer
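Here is an added example (not code from the original post) that runs the whole cycle end to end on a throwaway CA and shows the point made above: after revocation the certificate still verifies unless the verifier is told to consult the CRL. It uses a minimal constructed openssl.cnf with the database, serial and crlnumber files that openssl ca expects, a placeholder CA name and hostname, and an unencrypted CA key because the CA is deleted at the end; it needs the openssl binary and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA with
# "openssl ca" (database, serial and crlnumber files), issue one certificate,
# revoke it, generate the CRL and compare what "openssl verify" reports with
# and without -crl_check. Requires openssl on PATH; names are placeholders.

# Usage: verify_status CERT CAFILE [CRLFILE]  ->  prints OK, REVOKED or FAIL.
# Decided from the verify output text, which is stable across OpenSSL versions.
verify_status() {
    if [ -n "$3" ]; then
        out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*)                echo OK ;;
        *"certificate revoked"*) echo REVOKED ;;
        *)                       echo FAIL ;;
    esac
}

demo_crl_check() {
    start=$(pwd)
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    mkdir newcerts || return 1
    : > index.txt        # empty "database" file (the post's database.txt)
    echo 01 > serial     # first serial number, as in the post's serial.txt
    echo 01 > crlnumber  # CRL sequence number, incremented on every -gencrl

    # Minimal openssl.cnf for the ca and req subcommands (constructed for this demo).
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/RootCA.crt
private_key        = $dir/RootCA.key
default_md         = sha256
default_days       = 30
default_crl_days   = 7
policy             = policy_anything
x509_extensions    = leaf_ext
[ policy_anything ]
commonName         = supplied
[ leaf_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN                 = Demo Root CA
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF

    # Root CA key and self-signed certificate (unencrypted key: throwaway CA only).
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" -keyout RootCA.key -out RootCA.crt >log 2>&1 || return 1
    # End-entity key and CSR, signed by the CA the same way the posts do it.
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout server.key -out server.csr >>log 2>&1 || return 1
    openssl ca -config ca.cnf -batch -notext -in server.csr -out server.crt >>log 2>&1 || return 1

    before=$(verify_status server.crt RootCA.crt)
    # Revoke and publish. The certificate file itself is not touched by this.
    openssl ca -config ca.cnf -revoke server.crt >>log 2>&1 || return 1
    openssl ca -config ca.cnf -gencrl -out CA.crl >>log 2>&1 || return 1
    after_no_crl=$(verify_status server.crt RootCA.crt)
    after_with_crl=$(verify_status server.crt RootCA.crt CA.crl)

    cd "$start" && rm -rf "$work"
    echo "before=$before after_no_crl=$after_no_crl after_with_crl=$after_with_crl"
}

demo_crl_check
```

Running it prints before=OK after_no_crl=OK after_with_crl=REVOKED; the middle value is the failure mode to remember. Publishing the CRL is only half the job: a relying party has to fetch it and enable revocation checking, which for the OpenSSL command line is -crl_check (or -crl_check_all to check every certificate in the chain).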

That's all we need to revoke a certificate. Please provide comments and suggestions to improve the post.

Sunday, July 3, 2011

Complete guide to set up a CA using OpenSSL, generate a CSR from IIS 7.0, create an SSL certificate and install certificates into IIS 7.0.

Before we start, please note that these certificates should only be used in a development environment for testing. If you need a certificate for a production environment that handles critical transactions, e.g. financial transactions, I suggest getting the SSL certificate from a trusted Certificate Authority such as Verisign or Thawte, to avoid security problems.


Step I : Setup CA using OpenSSL:-


First of all we need to set up the Certificate Authority (CA) that will issue the certificates. Setting up a CA with OpenSSL is very easy; just follow the steps below.


1. First download OpenSSL and install it.


2. Set up the directory structure and files required by OpenSSL.


3. Create a directory D:\OpenSSL\workspace and place the openssl.conf file in that workspace.


D:\OpenSSL\workspace>mkdir CSR
D:\OpenSSL\workspace>mkdir Certificates
D:\OpenSSL\workspace>mkdir Keys
D:\OpenSSL\workspace>copy con database.txt
^Z
D:\OpenSSL\workspace>copy con serial.txt
01
^Z

(copy con reads from the keyboard until you press Ctrl+Z, so database.txt is created empty and serial.txt contains the single line 01, the serial number of the first certificate the CA will issue.)


4. Generate a key for your Root CA. Execute the OpenSSL command below in the workspace directory, where your OpenSSL configuration file is.


openssl genrsa -des3 -out Keys/RootCA.key 2048


5. This will ask for a passphrase for the key. Provide one and remember it; it will be needed later.


6. The next step is to create a self-signed certificate for our CA. This certificate will be used to sign and issue the other certificates.


openssl req -config openssl.conf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt


7. You will be asked to provide the following information:-

Country Name (2 letter code) []:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) []:Sample Inc
Organizational Unit Name (eg, section) []:Web
Common Name (eg, your websites domain name) []:Sample.com
Email Address []:sample@sample.com


8. Fill in this information and hit Enter. Your CA's certificate is now in the Certificates folder.


Now your CA is ready to sign the certificates.

Now we will see how to generate a CSR on the IIS 7.0 web server, use it to create an SSL certificate, install that certificate in IIS 7.0 and enable SSL on IIS 7.0 with it.


Step II : How to generate CSR from IIS 7.0 :-


1. Go to Start->Run, type inetmgr and hit Enter; IIS Manager opens. Double-click "Server Certificates" to open the Server Certificates panel.

2. Click "Create Certificate Request..." in the Actions panel on the right-hand side.


3. You now see the "Request Certificate" dialog. Fill in the information as shown in the picture below and click Next.


4. Now select the cryptographic service provider and the bit length and click Next.



5. Now save the CSR file in D:\OpenSSL\workspace\CSR and click Finish.





Now you have your CSR file. It is a readable text file, so you can open it and look at it if you want. It looks like this (the Base64 body is omitted here).

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----



Step III : Create SSL certificate using our CA and generated CSR:-

Execute the OpenSSL command below. It creates an SSL certificate named SampleCert.crt.

D:\OpenSSL\workspace>openssl ca -policy policy_anything -config openssl.conf -cert Certificates/RootCA.crt -in CSR/CSR.txt -keyfile Keys/RootCA.key -days 360 -out Certificates/SampleCert.crt

Now we have created the SSL certificate for the IIS 7.0 web server. Next we will see how to install it in IIS 7.0 and how to enable SSL on IIS 7.0.


Step IV : Installing SSL certificates in IIS 7.0:-

1. Go back to IIS Manager and Server Certificates. In the Actions panel click "Complete Certificate Request...".




2. Provide the certificate we just created, type a friendly name for it and click OK.



3. Now you can see your certificate listed in Server Certificates.






Step V : How to enable SSL on IIS7.0:-


1. Go back to IIS Manager. In the Connections panel, navigate to your website, e.g. Default Web Site in this case. Click Bindings in the Actions panel on the right-hand side.







2. You will see the Site Bindings box as below.







3. Click the Add... button, select https, then select your certificate from the SSL certificate drop-down box and click OK.






Now you can access your site with SSL enabled e.g. https://localhost/.

I hope this is useful. Please provide your comments and suggestions to improve my posts.

Friday, July 1, 2011

Creating server/client certificate pair using OpenSSL.

A server/client certificate pair is used when an application accesses a web service that is configured to authenticate the client application with a client SSL certificate.

You can follow steps below to create server and client certificate using OpenSSL.

Before creating the server and client certificates, we need to set up a self-signed Certificate Authority (CA) that will sign them. The first two steps set up the CA. To create the directory structure needed for the CA, please see here.

  1. Create the private key of the CA.
openssl genrsa -des3 -out Keys/RootCA.key 2048

  2. Create the self-signed certificate of the CA.
openssl req -config openssl.cnf -new -x509 -days 360 -key Keys/RootCA.key -out Certificates/RootCA.crt

  3. Create the private key for the server.
openssl genrsa -des3 -out Keys/server.key 2048

  4. Create the CSR for the server.
openssl req -config openssl.cnf -new -key Keys/server.key -out CSR/server.csr

  5. Create the server certificate.
openssl ca -config openssl.cnf -days 360 -in CSR/server.csr -out Certificates/server.crt -keyfile Keys/RootCA.key -cert Certificates/RootCA.crt -policy policy_anything

  6. Create the private key for the client.
openssl genrsa -des3 -out Keys/client.key 2048

  7. Create the CSR for the client.
openssl req -config openssl.cnf -new -key Keys/client.key -out CSR/client.csr

  8. Create the client certificate.
openssl ca -config openssl.cnf -days 360 -in CSR/client.csr -out Certificates/client.crt -keyfile Keys/RootCA.key -cert Certificates/RootCA.crt -policy policy_anything

  9. Finally, export the client certificate together with its key and the CA certificate in PKCS#12 format.
openssl pkcs12 -export -in Certificates/client.crt -inkey Keys/client.key -certfile Certificates/RootCA.crt -out Certificates/clientcert.p12
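As an added example (not the post's own code), the following script creates the same kind of server/client pair and PKCS#12 bundle, but gives each certificate an extended key usage matching its role, so that a certificate issued for the server cannot be presented as a client certificate, and checks that with openssl verify -purpose. Signing is done with openssl x509 -req instead of the post's openssl ca, so no CA database is needed; the names, the extension sections and the PKCS#12 password are constructed for the demo, and the script needs openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original post: root CA, server certificate,
# client certificate and a PKCS#12 bundle for the client, each certificate
# restricted to its role by extendedKeyUsage. Requires openssl on PATH.

# Usage: purpose_status CERT CAFILE PURPOSE  ->  prints OK or FAIL.
purpose_status() {
    out=$(openssl verify -purpose "$3" -CAfile "$2" "$1" 2>&1) || true
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

demo_cert_pair() {
    start=$(pwd)
    work=$(mktemp -d) || return 1
    cd "$work" || return 1

    # Extension profiles (constructed): the CA may sign certificates and CRLs,
    # the server certificate is limited to serverAuth, the client's to clientAuth.
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN                 = Demo Root CA
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
extendedKeyUsage   = serverAuth
[ client_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
EOF

    # Steps 1-2: CA key and self-signed CA certificate (unencrypted key, demo only).
    openssl req -config ext.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Demo Root CA" -keyout RootCA.key -out RootCA.crt >log 2>&1 || return 1
    # Steps 3-5 and 6-8: key, CSR and CA-signed certificate for server and client.
    for who in server client; do
        openssl req -config ext.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=$who.example.test" -keyout $who.key -out $who.csr >>log 2>&1 || return 1
        openssl x509 -req -in $who.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial \
            -days 30 -extfile ext.cnf -extensions ${who}_ext -out $who.crt >>log 2>&1 || return 1
    done
    # Step 9: client key + certificate + CA certificate as a password-protected PKCS#12 bundle.
    openssl pkcs12 -export -in client.crt -inkey client.key -certfile RootCA.crt \
        -passout pass:demo-only -out clientcert.p12 >>log 2>&1 || return 1
    # Read the bundle back to confirm it carries the client certificate.
    p12_subject=$(openssl pkcs12 -in clientcert.p12 -passin pass:demo-only -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null) || true

    client_as_client=$(purpose_status client.crt RootCA.crt sslclient)
    server_as_server=$(purpose_status server.crt RootCA.crt sslserver)
    server_as_client=$(purpose_status server.crt RootCA.crt sslclient)
    case "$p12_subject" in *client.example.test*) p12=OK ;; *) p12=FAIL ;; esac

    cd "$start" && rm -rf "$work"
    echo "client_as_client=$client_as_client server_as_server=$server_as_server server_as_client=$server_as_client p12=$p12"
}

demo_cert_pair
```

The output is client_as_client=OK server_as_server=OK server_as_client=FAIL p12=OK. With the post's -policy policy_anything and no extension section, both certificates would verify for either purpose, so a leaked server certificate could also be used to authenticate as a client; the extendedKeyUsage values are what let a verifier tell the two apart.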

Please provide your comments and suggestions to improve the post.

Thanks,
Manmohan.

Thursday, June 2, 2011

Creating SSL Certificates using OpenSSL.NET.

If you are using OpenSSL.NET to create SSL certificates programmatically and don't know where to start, this article might help you.
First of all, what is OpenSSL? OpenSSL is a cryptographic toolkit used to secure communication over the web. It provides a rich set of command-line tools to create and manage SSL certificates.
But if you want to do it programmatically, there is a small but useful .NET wrapper for OpenSSL known as OpenSSL.NET.


Now, without wasting much of your time, I will show you how to create an X509 SSL certificate using OpenSSL.NET.
First you must download OpenSSL.NET. In the package you will find three DLL files: ManagedOpenSsl.dll, ssleay32.dll and libeay32.dll.

Before starting, make sure that you have added a reference to ManagedOpenSsl.dll in your Visual Studio project, and that ssleay32.dll and libeay32.dll are in your current working directory or on your PATH.

Now we are done with setting up OpenSSL.NET and here is the code to create the SSL certificates.

###################################################
using System;
using System.IO;
using OpenSSL.Core;
using OpenSSL.X509;

// Create a configuration object from your openssl.cnf file.
Configuration cfg = new Configuration("Path to your openssl configuration file i.e. openssl.cnf");

// Create a root certificate authority with a self-signed certificate.
// Serial numbers for the certificates it issues come from the SimpleSerialNumber instance.
X509CertificateAuthority rootCA = X509CertificateAuthority.SelfSigned(
    cfg, new SimpleSerialNumber(), "Distinguished name for your CA", DateTime.Now, TimeSpan.FromDays(365));

// If you want the certificate of the root CA you just created, you can get it like this.
X509Certificate rootCertificate = rootCA.Certificate;

// Here you need a CSR (Certificate Signing Request), which you may already have
// from your web server, e.g. IIS 7.0 (see "How to generate CSR on IIS 7.0").
string strCSR = File.ReadAllText(@"Path to your CSR file");

// Write the CSR string into a BIO object, then build the X509Request from that BIO.
// The using blocks dispose the BIOs and the file stream even if an exception is thrown.
using (BIO reqBIO = BIO.MemoryBuffer())
{
    reqBIO.Write(strCSR);
    X509Request request = new X509Request(reqBIO);

    // With a request object you can create an SSL certificate signed by the self-signed root CA.
    X509Certificate certificate = rootCA.ProcessRequest(request, DateTime.Now, DateTime.Now + TimeSpan.FromDays(365));

    // Save the certificate to the file system as PEM text. A StreamWriter is used here
    // because BinaryWriter.Write(string) prefixes the text with its length, which would
    // corrupt the PEM file.
    using (BIO certBIO = BIO.MemoryBuffer())
    using (StreamWriter writer = new StreamWriter("Path to your file where you want to create the certificate with file name"))
    {
        certificate.Write(certBIO);
        string certString = certBIO.ReadString();
        writer.Write(certString);
    }
}
##############################################

Finally, make sure that you close all your BIO objects and file streams.

Now you have an X509 certificate that you can install in your web server.

Hope this is helpful. Please provide your valuable comments and suggestions to improve my posts.