Virginia Tech Certification Authority

Technical PKI FAQ


What is OpenSSL?

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.


Can I set up a simple client and server to test my new certificates?

Yes, OpenSSL provides simple server and client services to test the use of SSL with certificates. s_server provides basic server facilities that s_client can connect to over TCP/IP. Once the client and server are connected and have successfully opened a socket, each can pass characters to the other, forming a primitive talk session. View http://www.openssl.org/docs/apps/openssl.html for the OpenSSL toolkit documentation.


What is PKCS #12?

PKCS #12 or Public Key Cryptography Standard #12 is a standard for securely storing private keys and certificates. It is often used by browsers including Netscape and Microsoft Internet Explorer for transporting keys when using import and export functions. View http://www.rsasecurity.com/rsalabs/node.asp?id=2138 for PKCS #12 documentation.


How are certificates stored?

Certificates are kept in special repositories called keystores and can be distributed in several different formats:
1. X.509 format (.cer and .crt file extensions on Windows). This format is widely supported. The file represents an individual certificate.
2. Cryptographic Message Syntax, PKCS #7 format (.p7b file extension on Windows). This format is used for exporting the complete chain.
3. Personal Information Exchange Syntax, PKCS #12 format (.pfx and .p12 file extensions on Windows). This format is used for exporting the public/private key pair. It is very helpful for importing key pairs into browsers.
4. Certificate Signing Request (CSR) Syntax, PKCS #10 format. This format is used for generating signing requests to trusted certificate signing authorities.

What's the MAC, it keeps saying it is OK?

This is an integrity check. When used with the correct password it can be used to verify that the file has not been corrupted. My PKCS #12 application (and NS/MSIE) currently uses the same password for integrity (MAC) and privacy (encryption) by default. If you use the two pass option you can set and input separate passwords: such files cannot be imported into current versions of MSIE or NS.

What are iteration counts?

The algorithm used to generate keys from passwords and the MAC has an optional iteration count. This determines how many times part of the algorithm is repeated. It's a way of slowing down the key derivation process to make it harder to make dictionary attacks on the password. The OpenSSL PKCS #12 "-info" option now prints information about iteration counts.

What iteration counts are used in OpenSSL PKCS #12?

By default, both iteration counts are set to 2048. If you use the -nomaciter option, the MAC iteration count is set to 1. Some software, such as MSIE4, needs this option because it does not support MAC iteration counts. If you use the -noiter option, the iteration count is set to 1; since this makes dictionary attacks on the password easier, it is not recommended.

How can I display the content of a certificate using OpenSSL?

$ openssl x509 -in cert.pem -noout -text

How can I display the certificate MD5 fingerprint using OpenSSL?

$ openssl x509 -in cert.pem -noout -fingerprint -md5

How can I convert a certificate from PEM to DER format using OpenSSL?

$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

How can I tell PEM format from DER?

Start by opening the file in a text editor. If the file starts with a "-----BEGIN ...-----" line, contains lines of base64-encoded text, and ends with a matching "-----END ...-----" line, then it is in PEM format. If the file looks like a binary file where there is nothing understandable, then it is DER.
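
A scripted version of this check, as an added example that is not part of the original FAQ: it looks for the PEM BEGIN/END lines, and otherwise reports DER only when the file starts with an ASN.1 SEQUENCE whose declared length equals the file size. The function names and the length check go beyond the look-in-an-editor test above and are this example's own; the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify a certificate file as PEM or DER by content,
# not by file extension. Function names are this example's own.

# Print the total size (header + body) declared by the outer DER SEQUENCE.
der_total_len() {
    # First bytes as decimal words, e.g. "48 130 3 213 ..."
    set -- $(head -c 6 "$1" | od -An -tu1)
    [ $# -ge 2 ] || return 1
    [ "$1" -eq 48 ] || return 1              # 0x30 = SEQUENCE tag
    if [ "$2" -lt 128 ]; then                # short form: one length byte
        echo $(( 2 + $2 )); return 0
    fi
    n=$(( $2 - 128 )); hdr=$n                # long form: n length bytes follow
    [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ $# -ge $(( 2 + n )) ] || return 1
    shift 2
    len=0
    while [ "$n" -gt 0 ]; do
        len=$(( len * 256 + $1 )); shift; n=$(( n - 1 ))
    done
    echo $(( 2 + hdr + len ))
}

# Print PEM, PEM-truncated, DER, DER-length-mismatch, unknown or unreadable.
cert_encoding() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # The PEM lines may follow other text (e.g. "openssl x509 -text" output).
    if LC_ALL=C grep -q -e '^-----BEGIN [A-Z0-9 ]*-----' "$1"; then
        if LC_ALL=C grep -q -e '^-----END [A-Z0-9 ]*-----' "$1"; then
            echo "PEM"; return 0
        fi
        echo "PEM-truncated"; return 1
    fi
    if total=$(der_total_len "$1"); then
        size=$(( $(wc -c < "$1") ))
        if [ "$total" -eq "$size" ]; then echo "DER"; return 0; fi
        echo "DER-length-mismatch"; return 1   # cut short or trailing bytes
    fi
    echo "unknown"; return 1
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed samples: a 5-byte DER SEQUENCE, the same bytes in PEM form,
    # and a DER header that promises 260 bytes in a 6-byte file.
    printf '\060\003\002\001\005' > "$d/ok.der"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MAMCAQU=' \
        '-----END CERTIFICATE-----' > "$d/ok.pem"
    printf '\060\202\001\000\002\001' > "$d/cut.der"
    for f in ok.der ok.pem cut.der; do
        echo "$f: $(cert_encoding "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

A "DER-length-mismatch" or "PEM-truncated" result usually means an incomplete download or copy, which is worth ruling out before blaming the server configuration.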

Can I use the IIS Certificate Wizard to make a CSR for the VTCA?

Yes; however, you must remove the current server certificate before the option to create a CSR is available. You may want to back up or export your current certificate before removing it. Your certificate must have at least a 2048-bit key.

Follow the directions at
https://www.thawte.com/ssl-digital-certificates/technical-support/keygen/iis6_keygen.html

Can I use Certificates issued by Virginia Tech on IIS 5.0 and 6.0, if so how?

Yes, you can use certificates issued by Virginia Tech CA's with IIS version 5.0 and 6.0. You can follow these steps to do so:

  1. Generate a Certificate Signing Request (CSR) using OpenSSL as outlined in this FAQ
  2. Read and do the procedures for the type of subscription you need:
  3. After you receive an email notice instructing you how to retrieve your signed certificate, you will need to do the following:
    1. Make a PKCS #12 file using your certificate and the corresponding private key.
    2. Import the PKCS #12 or .p12 file into your certificate store.
  4. Import the Global Qualified Server chain into your certificate store. Navigate to http://www.pki.vt.edu/developer/rootca.html#globalqualifiedserver and in the CA: Virginia_Tech_Global_Qualified_Server_CA section click on the "Download to Internet Explorer" link on the following two CA certificates: CN=Trusted Root CA G2; CN=Virginia Tech Global Qualified Server CA.
  5. Enable SSL on your server using the procedure at How can I configure SSL on IIS web server?

How can I generate an RSA key pair and make a PKCS #10 request using OpenSSL?


  1. Generate the RSA key pair and certificate signing request (CSR) as follows (use the default file names key.pem and req.pem or substitute your own file names):
    $ openssl req -newkey rsa:2048 -keyout key.pem -out req.pem -nodes

    If you wish to encrypt your private key then do not include the -nodes option.

  2. Detailed directions are at OpenSSL + Related

How can I package my certificate and its corresponding private key into a PKCS #12 file?

You will receive your certificate from IMS in DER format. You must convert it to PEM format:

$ openssl x509 -inform DER -in download.cer -outform PEM -out download.pem

Then you can package your certificate into a PKCS #12 file using the OpenSSL command below:

$ openssl pkcs12 -export -inkey key.pem -in download.pem -out myserver.p12 -name "my test cert"

Where:
download.cer: the certificate you received from IMS
key.pem: the key you created when you made your CSR request
myserver.p12: the output file where the PKCS #12 file will be stored
my test cert: just a friendly name that can be anything you like
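
The packaging step above with two checks around it, as an added example that is not part of the original FAQ: the export is refused unless key.pem really is the private key for the certificate, and the finished file is re-opened so its password-keyed MAC is verified. The function names and the P12_PASS environment variable are this example's own assumptions, the key is assumed to be unencrypted (created with -nodes), and the demo key and certificate are constructed throwaways.

```shell
#!/bin/sh
# Added example: package key + certificate into PKCS #12 only if they match.
# The export password is read from the environment variable P12_PASS (an
# assumption of this example) so it does not appear on the command line.

# Succeeds only if key file $1 and certificate $2 carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# package_p12 KEY CERT OUT NAME
package_p12() {
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing: $1 is not the private key for $2" >&2
        return 1
    fi
    ( umask 077   # the .p12 holds the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name "$4" \
          -passout env:P12_PASS ) || return 1
    # Re-open the file: a wrong password or a corrupted file fails the MAC.
    openssl pkcs12 -in "$3" -noout -passin env:P12_PASS 2>/dev/null
}

# Constructed test material: throwaway key + self-signed cert in directory $1.
make_demo_pair() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=demo.example.invalid" -days 1 \
        -keyout "$1/key.pem" -out "$1/download.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pair "$d" || return 1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    P12_PASS='constructed-demo-password'; export P12_PASS
    package_p12 "$d/key.pem" "$d/download.pem" "$d/myserver.p12" \
        "my test cert" && echo "matching key: packaged, MAC verified"
    package_p12 "$d/other.pem" "$d/download.pem" "$d/bad.p12" \
        "my test cert" 2>/dev/null || echo "unrelated key: rejected"
    rm -rf "$d"
}
demo
```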

How to Import a Server Certificate for Use in Internet Information Services 5.0 or 6.0?

  1. Open the Certificates (Local Computer) snap-in and navigate to Personal, and then Certificates.
    Note: Certificates may not be listed. If it is not, that is because there are no certificates installed.
  2. Right-click Certificates (or Personal if that option does not exist.)
  3. Choose All Tasks, and then click Import.
  4. When the wizard starts, click Next. Browse to the PFX or p12 file you created containing your server certificate and private key. Click Next.
  5. Enter the password you gave the PFX or p12 file when you created it. Be sure the Mark the key as exportable option is selected if you want to be able to export the key pair again from this computer. As an added security measure, you may want to leave this option unchecked to ensure that no one can make a backup of your private key.
  6. Click Next, and then choose the Certificate Store you want to save the certificate to. You should select Personal because it is a Web server certificate. If you included the certificates in the certification hierarchy, it will also be added to this store.
  7. Click Next. You should see a summary screen showing what the wizard is about to do. If this information is correct, click Finish.
  8. You will now see the server certificate for your Web server in the list of Personal Certificates. It will be denoted by the common name of the server (found in the subject section of the certificate).
  9. To complete the installation and configuration of the server certificate, the CA certificates chain MUST also be installed on the server. Please refer to your server documentation on how to configure your server to use trusted CA chains. You can save the vtglobalqualifiedserver_chain to a local file by right clicking on the preceding link.

How to Export a Server Certificate stored in Internet Information Services 5.0 or 6.0?

  1. Open a blank Microsoft Management Console (MMC).
  2. Add the Certificates snap-in.
  3. When you are prompted, select Computer Account and Local Computer.
  4. Expand Personal, and then expand Certificates. A certificate with the name of your Web site appears in the "Issued To" column.
  5. Right-click your certificate, click All Tasks, and then click Export.
  6. In the Export window, click Next.
  7. Click Yes, export the private key, and then click Next.
    NOTE: If you do not have the option to click Yes in the Export Private Keys window, the private key has already been exported to another computer or the key never existed on this computer. You cannot use this certificate on ISA Server. You must request a new certificate for this site for ISA Server.
  8. Select Personal Information Exchange, and then click to select the check boxes for all three options.
  9. Assign a password and confirm it.
  10. Assign a file name and location.
  11. Click Finish. Make sure that you safeguard the file that you just created, because your ability to use the SSL protocol depends upon this file.
  12. Copy the file that you created to ISA Server.

How can I configure SSL on IIS web server?

This procedure assumes that your site already has a certificate assigned to it.

  1. Log on to the Web server computer as an administrator.
  2. Click Start, point to Settings, and then click Control Panel.
  3. Double-click Administrative Tools, and then double-click Internet Services Manager.
  4. Select the Web site from the list of different served sites in the left pane.
  5. Right-click the Web site, folder, or file for which you want to configure SSL communication, and then click Properties.
  6. Click the Directory Security tab.
  7. Click Edit.
  8. Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
  9. Click Require 128-bit encryption to configure 128-bit (instead of 40-bit) encryption support.
  10. To allow users to connect without supplying their own certificate, click Ignore client certificates.

    Alternatively, to allow a user to supply their own certificate, use Accept client certificates.
  11. To configure client mapping, click Enable client certificate mapping, and then click Edit to map client certificates to users.

    If you configure this functionality, you can map client certificates to individual users in Active Directory. You can use this functionality to automatically identify a user according to the certificate they supplied when they access the Web site. You can map users to certificates on a one-to-one basis (one certificate identifies one user) or you can map many certificates to one user (a list of certificates is matched against a specific user according to specific rules. The first valid match becomes the mapping).
  12. Click OK.

How can I configure SSL to use 128-bit encryption or better using mod_SSL on Apache web server?

This facility is called Server Gated Cryptography (SGC), and you can find details in the README.GlobalID document in the mod_ssl distribution. In short: the server has a Global ID server certificate, signed by a special CA certificate from Verisign, which enables strong encryption in export browsers. This works as follows: the browser connects with an export cipher, the server sends its Global ID certificate, the browser verifies it and subsequently upgrades the cipher suite before any HTTP communication takes place. The question now is: how can we allow this upgrade but still enforce strong encryption? In other words, browsers either have to connect with strong encryption initially or have to upgrade to strong encryption, but are not allowed to keep the export ciphers. Although VTCA does not issue certificates with SGC, the following does the trick:

httpd.conf
# allow all ciphers for the initial handshake,
# so export browsers can upgrade via SGC facility
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<Directory /usr/local/apache/htdocs>
# but finally deny all browsers which haven't upgraded
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>

How can I configure TLS/SSL for OpenLDAP 2.2x server?

After obtaining the required certificates, a number of options must be configured on both the client and the server to enable TLS and make use of the certificates. At a minimum, the clients must be configured with the filename containing all of the Certificate Authority (CA) certificates it will trust. The server must be configured with the CA certificates and also its own server certificate and private key.

Typically a single CA will have issued the server certificate and all of the trusted client certificates, so the server only needs to trust that one signing CA. However, a client may wish to connect to a variety of secure servers managed by different organizations, with server certificates generated by many different CA's. As such, a client is likely to need a list of many different trusted CA's in its configuration.

Server Configuration

The configuration directives for slapd belong in the global directives section of slapd.conf(5).

  • TLSCACertificateFile <filename>
    This directive specifies the PEM-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant.
  • TLSCACertificatePath <path>
    This directive specifies the path of a directory that contains individual CA certificates in separate files. In addition, this directory must be specially managed using the OpenSSL c_rehash utility. When using this feature, the OpenSSL library will attempt to locate certificate files based on a hash of their name and serial number. The c_rehash utility is used to generate symbolic links with the hashed names that point to the actual certificate files. As such, this option can only be used with a file system that actually supports symbolic links. In general, it is simpler to use the TLSCACertificateFile directive instead.
  • TLSCertificateFile <filename>
    This directive specifies the file that contains the slapd server certificate. Certificates are generally public information and require no special protection.
  • TLSCertificateKeyFile <filename>
    This directive specifies the file that contains the private key that matches the certificate stored in the TLSCertificateFile file. Private keys themselves are sensitive data and are usually password encrypted for protection. However, the current implementation doesn't support encrypted keys so the key must not be encrypted and the file itself must be protected carefully.
  • TLSCipherSuite <cipher-suite-spec>
    This directive configures what ciphers will be accepted and the preference order. <cipher-suite-spec> should be a cipher specification for OpenSSL. You can use the command
    openssl ciphers -v ALL
    to obtain a verbose list of available cipher specifications. Besides the individual cipher names, the specifiers HIGH, MEDIUM, LOW, EXPORT, and EXPORT40 may be helpful, along with TLSv1, SSLv3, and SSLv2.
  • TLSRandFile <filename>
    This directive specifies the file to obtain random bits from when /dev/urandom is not available. If the system provides /dev/urandom then this option is not needed, otherwise a source of random data must be configured. Some systems (e.g. Linux) provide /dev/urandom by default, while others (e.g. Solaris) require the installation of a patch to provide it, and others may not support it at all. In the latter case, EGD or PRNGD should be installed, and this directive should specify the name of the EGD/PRNGD socket. The environment variable RANDFILE can also be used to specify the filename. Also, in the absence of these options, the .rnd file in the slap user's home directory may be used if it exists. To use the .rnd file, just create the file and copy a few hundred bytes of arbitrary data into the file. The file is only used to provide a seed for the pseudo-random number generator, and it doesn't need very much data to work.
  • TLSVerifyClient { never | allow | try | demand }
    This directive specifies what checks to perform on client certificates in an incoming TLS session, if any. This option is set to never by default, in which case the server never asks the client for a certificate. With a setting of allow the server will ask for a client certificate; if none is provided the session proceeds normally. If a certificate is provided but the server is unable to verify it, the certificate is ignored and the session proceeds normally, as if no certificate had been provided. With a setting of try the certificate is requested, and if none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated. With a setting of demand the certificate is requested and a valid certificate must be provided, otherwise the session is immediately terminated.

Here is a relevant snippet taken from slapd.conf:

#####
# slapd.conf
TLSCertificateFile /path/to/server-cert.pem
TLSCertificateKeyFile /path/to/server-key.pem
TLSCACertificateFile /path/to/vtca_chain.pem
#####

How can I push the Virginia Tech Root CA cert via Active Directory?

Author: Zeb Bowden (zbowden@vt.edu)
Version: 1.0

Step 0:
On a machine you will push the Virginia Tech Root CA cert to, browse to https://ra.eprov.iad.vt.edu and make sure you get an SSL warning saying the certificate was issued by a company you haven't chosen to trust.

Step 1:
Get Root CA cert from http://www.pki.vt.edu/ (Click install Virginia Tech Root CA Certificate, then download the certificate in CER or CRT format)

Step 2:
Create a new Group Policy Object either as a domain level policy or on a particular OU.
We suggest starting out with an OU with a limited number of non-production workstation accounts.

Step 3:
1. Edit your new GPO: Navigate to Computer Configuration->Windows Settings->Security Settings->Public Key Policies.
2. Right click Trusted Root CA's and select All Tasks and then Import. (This will bring up a Certificate Import Wizard.)
3. Click Next, and then browse to the certificate file you downloaded in Step 1.
4. Click Next.
5. Click Next again (you want this certificate to go in the Trusted Root Certification Authorities store).

Clean up:
After you've got the certificate in the GPO you can delete the .cer or .crt file you downloaded in step 1.

Testing:
After replication occurs you should be able to go to a machine that gets your new policy and do: secedit /refreshpolicy machine_policy /enforce (for W2k) or gpupdate /force (for XP).

From the machine you used in Step 0, you should now be able to go to https://ra.eprov.iad.vt.edu and not get an SSL warning or anything. You should also be able to see a certificate "Issued to" the Virginia Tech Root CA in the Trusted Root Certification Authorities section of the certificates MMC.

How can I use certificates with servers like Tomcat and JBoss?

Note: download the ImportKey.java file and instructions at: http://www.agentbob.info/agentbob/79-AB.html

  1. Generate an RSA key pair using the directions at How can I generate RSA key pair and make a PKCS #10 request using OpenSSL?, save the private key as key.pem, and submit the request to IMS.
  2. Receive signed cert via IMS's email and save as cert.pem.
  3. Convert both private key and cert into DER format via these commands on the server:
    • openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
    • openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
  4. Create a password protected keystore with the keytool utility and place the Trusted Root CA G2 and VT Global Qualified Server CA certificates in it.
  5. Edit ImportKey.java to suit your environment; updating it with the password of the previously created keystore should be sufficient.
  6. Run javac ImportKey.java.
  7. Run "java -Dkeystore=<keystore_filename> ImportKey <key_filename> <cert_filename> <key_alias>".
  8. Modify your server configuration file to take new keystore and new password.

How do I create and install VT SSL Server cert for Windows 2008 Server using IIS Certificate Wizard?

Follow the directions provided at Create and install VT Server certificate using IIS wizard

How can I find my certificate by certificate serial number on the EJBCA website?

The serial number that Mac Keychain shows for a certificate does not work correctly when searching for the certificate on the EJBCA website. Use the serial number that is called "other name" instead.

Last updated on September 2, 2013