Public Key Infrastructure
Certificate Authority (CA) is a trusted third party that issues digital certificates. The digital certificate certifies the ownership of a public key.
Comodo, Symantec, GoDaddy, GlobalSign, DigiCert are leading CAs.
Let’s simulate this process.
First of all, we need a certificate authority. We can use the above mentioned commercial services. We can set up CA by ourselves as follows.
Certificate Authority should have a root certificate. These certificates are stored in our machines already (commercial ones). we can create a root certificate and store it in our browser.
First, we can generate a private key with 2048 bits long, encrypted with 3 DES
openssl genrsa -des3 -out rootCA.key 2048
I think inside the private key, there should be information about the public key. Then the public key is sent as the root certificate.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
This root certificate includes the certificate authority information and the public key of the CA.
Let’s create an SSL certificate for a user.
openssl req -new -nodes -out server.csr -newkey rsa:2048 -keyout server.key
server.key is the public key and server.csr is the Certificate Signing Request to be sent to the certificate authority.
The certificate signing request (server.csr) should be sent to the CA and a certificate will be issued by adding a digital signature on the certificate by CA using his private key.
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
v3.ext file includes some additional information like for which domain names the certificate is issued.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEnciphermentsubjectAltName = @alt_names[alt_names]DNS.1 = sadil.com
DNS.2 = krishal.com
After getting the certificate, the user can send the public key with the certificate to his client.
openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx
If our CA is registered as a trusted party in the client’s browser everything is ok. For that root Certificate ( rootCA.pem ) have to be stored in the browser.