PKI and OpenSSL
All about Digital Certification Processes
Tony Fabeen
@tonyfabeen
Who am I
Minimal Security for Systems
Confidentiality
Integrity
Access Control
Authentication
etc.
Internet Security
HTTPS
HTTPS?
Secure
SSL: Secure Sockets Layer
TLS: Transport Layer Security
SSL mechanisms
Cryptography
Hashing
Digital Signing
Cryptography
Symmetric Key Encryption
or Secret Key Crypto System
Asymmetric Key Encryption
Hashing
Digital Signing
What is PKI?
PKI (Public Key Infrastructure) is a structure responsible for
authenticating and identifying users and services, ensuring that information
exchanged between them will not be revealed to untrusted parties.
Not just technical stuff. It's a set of:
People
Standards
Procedures
Hardware
Software
Used in Digital Certificate Management.
Who manages it?
Certificate Authority(CA)
Certificate Authority (CA)
Create
Distribute
Use
Store
Revoke
PKI Brazil
ICP - Brasil
ICP Brasil Hierarchy
Certificates
Main reason for PKI.
Contains information which associates a Certificate owner with its Public Key
Cross Certification
Certificate Revocation List
(CRL)
Solutions Supported by PKI
SSL Connections
Smartcards
How To?
OpenSSL
Open Source SSL/TLS implementation
BSD
Linux
OpenVMS
Solaris
Windows
Programming language support
C
C++
Ruby
PHP
NodeJS
etc.
OpenSSL commands
Create a CA Request
$ openssl req -new \
> -config etc/devinsampa-ca.conf \
> -out ca/devinsampa-ca.csr \
> -keyout ca/devinsampa-ca/private/devinsampa-ca.key
Create a CA Certificate
$ openssl ca -selfsign \
> -config etc/devinsampa-ca.conf \
> -in ca/devinsampa-ca.csr \
> -out ca/devinsampa-ca.crt \
> -extensions devinsampa_ca_ext
Create a new Request
$ openssl req -new \
> -config etc/email.conf \
> -out certs/tony.csr \
> -keyout certs/tony.key
Create an e-mail certificate
$ openssl ca \
> -config etc/devinsampa-ca.conf \
> -in certs/tony.csr \
> -out certs/tony.crt \
> -extensions email_ext
Revoke Certificate
$ openssl ca \
> -config etc/devinsampa-ca.conf \
> -revoke ca/devinsampa-ca/01.pem \
> -crl_reason superseded
Create CRL
$ openssl ca -gencrl \
> -config etc/devinsampa-ca.conf \
> -out crl/devinsampa-ca.crl
Output Formats
Create DER Certificate
$ openssl x509 \
> -in certs/tony.crt \
> -out certs/tony.cer \
> -outform der
Create DER CRL
$ openssl crl \
> -in crl/devinsampa-ca.crl \
> -out crl/devinsampa-ca.crl \
> -outform der
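The command sequence above (CA self-signing, request, e-mail certificate, revocation, CRL, DER output) carried out in Ruby, one of the languages with OpenSSL bindings named earlier, as an added example that is not from the talk; the "Demo CA" name, the subjects and the validity periods are constructed. It also makes explicit a check the slides leave implicit: a revoked certificate still verifies unless the verifier actually consults the CRL.

```ruby
require 'openssl'
# Extension profiles, standing in for the slides' "-extensions devinsampa_ca_ext" / "email_ext".
CA_EXT = [%w[basicConstraints CA:TRUE], %w[keyUsage keyCertSign,cRLSign], %w[subjectKeyIdentifier hash]]
EMAIL_EXT = [%w[basicConstraints CA:FALSE], %w[keyUsage digitalSignature,keyEncipherment],
             %w[extendedKeyUsage emailProtection], %w[authorityKeyIdentifier keyid:always]]

# Issue a certificate for subject; ca_cert = nil self-signs it (the "openssl ca -selfsign" case).
def sign_cert(subject, pubkey, serial, ca_key, ca_cert, exts, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509 v3, required for extensions
  cert.serial, cert.subject, cert.public_key = serial, subject, pubkey
  cert.issuer = ca_cert ? ca_cert.subject : subject
  cert.not_before, cert.not_after = Time.now - 60, Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert || cert, cert)
  exts.each { |oid, val| cert.add_extension(ef.create_extension(oid, val, %w[basicConstraints keyUsage].include?(oid))) }
  cert.sign(ca_key, 'SHA256')                       # returns the signed certificate
end
# Constructed CA: key pair plus self-signed certificate with the CA extension profile.
def build_ca(key = OpenSSL::PKey::RSA.new(2048))
  [key, sign_cert(OpenSSL::X509::Name.parse('/CN=Demo CA'), key.public_key, 1, key, nil, CA_EXT, 3650)]
end
# "openssl req -new": the requester proves possession of the private key by signing the CSR.
def make_csr(subject)
  key, req = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Request.new
  req.subject, req.public_key = OpenSSL::X509::Name.parse(subject), key.public_key
  [key, req.sign(key, 'SHA256')]
end
# "openssl ca -extensions email_ext": check the CSR signature, then issue under the CA.
def issue_email_cert(ca_key, ca_cert, req, serial)
  raise 'bad CSR signature' unless req.verify(req.public_key)
  sign_cert(req.subject, req.public_key, serial, ca_key, ca_cert, EMAIL_EXT, 365)
end
# "openssl ca -revoke ..." then "openssl ca -gencrl": list the revoked serials, sign with the CA key.
def build_crl(ca_key, ca_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, ca_cert.subject      # version 1 = CRL v2
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 7 * 86_400
  revoked_serials.each do |serial|
    crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial, r.time = serial, Time.now - 60 })
  end
  crl.sign(ca_key, 'SHA256')
end
# Chain check against the CA. Revocation is consulted only when a CRL is supplied and the
# CRL_CHECK flag is set, the same opt-in as "openssl verify -crl_check".
def verify(ca_cert, cert, crl = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  (store.add_crl(crl); store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK) if crl
  [store.verify(cert), store.error_string]          # [true, "ok"] or [false, "certificate revoked"]
end
```

`to_der` on the certificate or the CRL gives the binary form the `-outform der` commands write; `to_pem` gives the PEM form.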
References
http://openssl.org/docs/apps/req.html
http://openssl.org/docs/apps/ca.html
http://openssl.org/docs/apps/x509.html
http://openssl.org/docs/apps/crl.html
http://www.iti.gov.br/
Questions
Thanks!
@tonyfabeen