PKI and OpenSSL

  1. 1. PKI and OpenSSL All about Digital Certification Processes Tony Fabeen @tonyfabeen
  2. 2. Who am I
  3. 3. Minimal Security for Systems Confidentiality Integrity Access Control Authentication etc.
  4. 4. Internet Security HTTPS
  5. 5. HTTPS ?
  6. 6. Secure
  7. 7. SSL Secure Sockets Layer
  8. 8. TLS Transport Layer Security
  9. 9. SSL mechanisms: Cryptography, Hashing, Digital Signing
  10. 10. Cryptography
  11. 11. Symmetric Key Encryption or Secret Key Crypto System
  12. 12. Asymmetric Key Encryption
  13. 13. Hashing
  14. 14. Digital Signing
  15. 15. What is PKI ?
  16. 16. PKI (Public Key Infrastructure) is a structure responsible for authenticating and identifying users and services, ensuring that information exchanged between them is not revealed to untrusted parties.
  17. 17. Not just technical stuff. It's a set of People, Standards, Procedures, Hardware and Software used in the management of digital certificates.
  18. 18. Who manages? Certificate Authority (CA)
  19. 19. Certificate Authority (CA): Create, Distribute, Use, Store, Revoke
  20. 20. PKI Brazil ICP - Brasil
  21. 21. ICP Brasil Hierarchy
  22. 22. ICP Brasil Hierarchy
  23. 23. Certificates: the main reason for PKI. A certificate contains information which associates the certificate owner with its public key.
  24. 24. Cross Certification
  25. 25. Certificate Revocation List (CRL)
  26. 26. Solutions Supported by PKI
  27. 27. SSL Connections
  28. 28. Smartcards
  29. 29. How To ?
  30. 30. OpenSSL
  31. 31. Open Source SSL/TLS implementation BSD Linux OpenVMS Solaris Windows
  32. 32. Programming Languages support C C++ Ruby PHP NodeJS etc.
  33. 33. OpenSSL commands
  34. 34. Create a CA Request: $ openssl req -new -config etc/devinsampa-ca.conf -out ca/devinsampa-ca.csr -keyout ca/devinsampa-ca/private/devinsampa-ca.key
  35. 35. Create a CA Certificate: $ openssl ca -selfsign -config etc/devinsampa-ca.conf -in ca/devinsampa-ca.csr -out ca/devinsampa-ca.crt -extensions devinsampa_ca_ext
  36. 36. Create a new Request: $ openssl req -new -config etc/email.conf -out certs/tony.csr -keyout certs/tony.key
  37. 37. Create an e-mail certificate: $ openssl ca -config etc/devinsampa-ca.conf -in certs/tony.csr -out certs/tony.crt -extensions email_ext
  38. 38. Revoke Certificate: $ openssl ca -config etc/devinsampa-ca.conf -revoke ca/devinsampa-ca/01.pem -crl_reason superseded
  39. 39. Create CRL: $ openssl ca -gencrl -config etc/devinsampa-ca.conf -out crl/devinsampa-ca.crl
  40. 40. Output Formats. Create DER Certificate: $ openssl x509 -in certs/tony.crt -out certs/tony.cer -outform der Create DER CRL: $ openssl crl -in crl/devinsampa-ca.crl -out crl/devinsampa-ca.crl -outform der
  41. 41. References http://openssl.org/docs/apps/req.html http://openssl.org/docs/apps/ca.html http://openssl.org/docs/apps/x509.html http://openssl.org/docs/apps/crl.html http://www.iti.gov.br/
  42. 42. Questions
  43. 43. Thanks ! @tonyfabeen tony.fabeen@gmail.com
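
The commands on slides 34 to 40 rely on configuration files that this transcript does not include. The script below is an added example, not from the slides or the author's setup: it builds a throwaway CA from a minimal constructed config (`ca.conf`, `demo-ca.*`, `user.*` and the section names are assumptions), then shows that the issued certificate verifies until it is revoked and a fresh CRL is published.

```shell
# Added example, not from the slides; all names and paths are constructed.
pki_demo() (
  d=$(mktemp -d) && cd "$d" && mkdir -p ca/new certs crl || exit 1
  trap 'rm -rf "$d"' EXIT
  : > ca/index.txt; echo 01 > ca/serial
  cat > ca.conf <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = no
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder replaced by -subj
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ca/index.txt
serial = ca/serial
new_certs_dir = ca/new
certificate = ca/demo-ca.crt
private_key = ca/demo-ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ email_ext ]
basicConstraints = CA:false
extendedKeyUsage = emailProtection
EOF
  { openssl req -new -config ca.conf -subj "/CN=Demo CA" -out ca/demo-ca.csr -keyout ca/demo-ca.key &&
    openssl ca -batch -selfsign -config ca.conf -in ca/demo-ca.csr -out ca/demo-ca.crt -extensions ca_ext &&
    openssl req -new -config ca.conf -subj "/CN=Demo User" -out certs/user.csr -keyout certs/user.key &&
    openssl ca -batch -config ca.conf -in certs/user.csr -out certs/user.crt -extensions email_ext
  } > log 2>&1 || exit 1
  check() {  # publish a fresh CRL, then verify the user certificate against it
    openssl ca -gencrl -config ca.conf -out crl/demo-ca.crl >> log 2>&1 || { echo error; return; }
    out=$(openssl verify -CAfile ca/demo-ca.crt -crl_check -CRLfile crl/demo-ca.crl certs/user.crt 2>&1) && { echo valid; return; }
    case $out in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
  }
  before=$(check)
  openssl ca -config ca.conf -revoke certs/user.crt -crl_reason superseded >> log 2>&1 || exit 1
  echo "before=$before after=$(check)"
)
pki_demo
```

`encrypt_key = no` is set only so the script runs unattended; a real CA key would be passphrase-protected or held in hardware. Note that `openssl verify` consults the CRL only because `-crl_check` is passed, so a relying party that skips that check keeps accepting the revoked certificate.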
