In this tutorial, I will discuss the creation of a certification authority and the configuration of an HTTPS connection on a webserver using OpenSSL.
Table of Contents:
– What is OpenSSL?
– Creating a certificate authority
– Creating a certificate for a webserver
– Configuring HTTPS on the webserver
What is OpenSSL?
OpenSSL is a cryptographic library and command-line toolkit that lets users perform functions such as encrypting data with various cryptographic algorithms and establishing secure communication over TLS-based protocols such as HTTPS.
- Kali Linux virtual machine, which has OpenSSL already installed. The Kali Linux image file can be downloaded from here.
- I will use VirtualBox on Windows 10 for running the Kali Linux virtual machine.
- It is recommended to run the updated version of the VirtualBox software to avoid any difficulties while following the tutorial. It can be downloaded from here.
A. Creating a Certificate Authority (CA):
1. “openssl.cnf” is present in the /etc/ssl folder as shown in Fig. 01. I will copy this file to the home folder of my machine.
2. “openssl.cnf” is copied into the home folder of my machine as shown in Fig. 02.
3. I ran the following command to generate the self-signed certificate for the CA:
$openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
4. Then I entered relevant information for the creation of root CA as shown in Fig. 04.
5. “ca.crt” is the public key certificate of the root CA and “ca.key” is the private key of the CA, as shown in Fig. 05. Both were created in the previous step.
B. Creating a certificate for a webserver
Step 1: Generate public/private key pair for the webserver:
1. I created an RSA key pair for my web server by executing the command given below; the key (the private key, from which the public key is derived) was stored in the “server.key” file.
$openssl genrsa -out server.key 2048
Step 2: Generating a Certificate Signing Request (CSR):
1. After creating the RSA key pair for my webserver, I created a Certificate Signing Request on behalf of the webserver, to be signed by the already created root CA, by executing the following command:
$openssl req -new -key server.key -out server.csr -config openssl.cnf
The Country, State and Organization fields entered in this step must match those entered while creating the root CA, because the default signing policy in openssl.cnf (policy_match) requires them to match; otherwise the CA will refuse to generate the certificate for the webserver. For the Common Name I give the name of my webserver, which is ‘MZJserver.com’ in my case. A challenge password and an optional company name are also asked for; these are sent along with the CSR to the CA.
2. We can see that the server.csr file was successfully created, as shown in Fig. 08, as a result of executing the command in the previous step.
Step 3: Generating the certificate for the webserver
1. To generate the certificate for the webserver from the already created root CA, I executed the command given below:
$openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Fig. 09 shows the certificate for my web server being created: openssl first asks the CA to confirm signing the certificate, and after it is signed it asks whether to commit. Upon answering yes to the commit request, the CA's certificate database is updated, as shown in Fig. 09.
2. Fig. 10 shows the ‘server.crt’ created by the root CA for my webserver.
C. Configuring HTTPS on the webserver
For configuring HTTPS on my webserver by using the generated certificate I will follow the following steps:
1. I first added an entry for my webserver, “MZJserver.com”, to the /etc/hosts file of my machine, mapping it to the local machine, since I am hosting it on localhost.
2. Next, I launched my webserver with the certificate generated in the previous step by running the following commands one by one; the last one starts the server with the openssl s_server command, as shown in Fig. 12.
$cp server.key server.pem
$cat server.crt >> server.pem # Combine the secret key and certificate into one file
$openssl s_server -cert server.pem -www # Launch the webserver using server.pem
3. Now I opened the Firefox browser in my Kali Linux machine and loaded my webserver’s address “https://MZJserver.com:4433/”. I was shown an error, as in Fig. 13, indicating that the certificate for my webserver is not from a trusted CA, because the CA's certificate is not present in the browser’s list of trusted CA certificates.
4. Now I will add the certificate for my root CA in my browser’s list of accepted certificates.
5. I will go into Edit -> Preferences -> Privacy & Security -> View Certificates in my Firefox browser, as shown in Fig. 14 to Fig. 16.
6. By clicking the “view certificates…” button shown in Fig. 15, a window “Certificate Manager” opens as shown in Fig. 16 having different options. I will use the “Import…” button to import the certificate of my root CA into the list of accepted certificates of my browser. While importing the certificate of my root CA, I checked the following option “Trust this CA to identify websites”.
7. After uploading the certificate of my CA into the Firefox browser, I viewed it via the “Certificate Manager” window as shown in Fig. 18. Organization name and common name for the root CA are shown in Fig. 18.
8. I clicked on the common name of my root CA i.e. “Zaeem” as shown in Fig. 18 to view the certificate. Details of the certificate can be seen from Fig. 19 to 20.
9. I reloaded https://MZJserver.com:4433/ in my Firefox browser. Now a lock icon can be seen before the web address, as shown in Fig. 21, indicating a trusted HTTPS connection, so the certificate of my root CA is now trusted by the browser. Clicking the lock icon before the address of my webserver also shows the organization of my root CA, as shown in Fig. 21.
10. Now I can see the contents of my webserver as shown in Fig. 22 to 24, while I am connected to the webserver through a trusted HTTPS connection via my Firefox browser.
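The whole procedure of sections A to C, written as an added example rather than code from the tutorial: a shell script that builds the private PKI non-interactively, signs the server CSR with the CA, verifies the chain the way the browser does after the CA import, and optionally checks a local s_server with openssl s_client instead of relying on the lock icon. It assumes an openssl binary (1.1.1 or newer) on PATH; the names Zaeem and MZJserver.com come from the tutorial, while the directory, subject fields, port and the minimal openssl.cnf are constructed here. It signs with `openssl x509 -req` instead of the tutorial's `openssl ca`, so no certificate database is needed, and it adds a subjectAltName, which modern browsers require in addition to the Common Name.

```shell
#!/bin/sh
# Added example, not code from the tutorial: root CA -> server key -> CSR ->
# signed certificate -> chain verification -> optional live s_server check.
# Assumes openssl 1.1.1+ on PATH; all values other than the tutorial's names
# (Zaeem, MZJserver.com) are constructed for this example.
set -e

# build_pki DIR : create ca.key/ca.crt and server.key/server.csr/server.crt/server.pem in DIR
build_pki() (
    mkdir -p "$1"
    cd "$1"

    # Minimal openssl.cnf standing in for the /etc/ssl/openssl.cnf the tutorial copies.
    # The CA certificate must carry CA:TRUE, or 'openssl verify' rejects the chain.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # A. Root CA: private key and self-signed certificate in one step. -nodes skips
    #    the passphrase so the script is non-interactive; a real CA key should be encrypted.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -config openssl.cnf \
        -subj "/C=US/ST=State/O=Zaeem/CN=Zaeem" -keyout ca.key -out ca.crt 2>/dev/null

    # B1. Server key (the file holds the private key; the public key is derived from it).
    openssl genrsa -out server.key 2048 2>/dev/null

    # B2. CSR for the server. C, ST and O match the CA, as the tutorial's policy requires.
    openssl req -new -key server.key -config openssl.cnf \
        -subj "/C=US/ST=State/O=Zaeem/CN=MZJserver.com" -out server.csr

    # B3. Sign with the CA key via 'openssl x509 -req' (no demoCA/index.txt needed).
    #     Browsers match the host name against the subjectAltName, not the CN.
    printf 'subjectAltName = DNS:MZJserver.com\nextendedKeyUsage = serverAuth\n' > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.crt 2>/dev/null

    # Same combined key+certificate file the tutorial feeds to s_server.
    cat server.key server.crt > server.pem
)

# verify_chain DIR : exit 0 if server.crt chains to ca.crt (the check Firefox performs
# once the CA certificate is imported and trusted to identify websites)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_has_san DIR NAME : exit 0 if server.crt lists DNS:NAME in its subjectAltName
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# check_https DIR [PORT] : start s_server on PORT (default 4433, as in the tutorial),
# connect with s_client using the CA certificate and a host-name check, print the
# verification result, stop the server, and exit 0 only if verification succeeded.
# Needs a free loopback port.
check_https() {
    port="${2:-4433}"
    openssl s_server -accept "$port" -cert "$1/server.pem" -www >/dev/null 2>&1 &
    pid=$!
    sleep 1
    result=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
        -servername MZJserver.com -verify_hostname MZJserver.com -CAfile "$1/ca.crt" 2>/dev/null \
        | grep 'Verify return code' || true)
    kill "$pid" 2>/dev/null
    echo "$result"
    echo "$result" | grep -q 'Verify return code: 0 (ok)'
}

# Constructed usage: build_pki ./demo-pki && verify_chain ./demo-pki && check_https ./demo-pki 4433
```

Running `verify_chain` before importing anything into the browser tells you whether the CA's certificate and the server's certificate actually form a chain; `check_https` reproduces what the browser does on the reload in step 9, and a host-name mismatch (no matching SAN) shows up there as a non-zero verify return code rather than as a vague browser warning.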
As can be seen, I first created a root certification authority, then generated a certificate for a web server that I hosted locally, and finally added the public certificate of the root CA I had created to my web browser, which allowed the HTTPS connection to my webserver to be configured successfully. In conclusion, OpenSSL is a powerful library that can be used to provide information security services such as confidentiality, as we have seen in this tutorial, where I configured encrypted communication between my web browser and my webserver over an HTTPS connection using OpenSSL.