07-05-2022 07:36 PM - edited 07-05-2022 07:58 PM
Hi, a server needs to install a certificate for user access. I am not very clear about the process. I hope someone can give some suggestions. Here are four steps for it. First is to generate a key pair (private and public) at the server. Second is to generate a CSR at the server. Third step is to send the CSR to the CA to sign a certificate with the CSR. Fourth step is to get the signed certificate back and install it in the server. Different documents that I read have slightly different steps, so I got a little confused. My question is: is the first step necessary? What is the function of the first step? Thank you.
07-05-2022 08:21 PM - edited 07-05-2022 08:22 PM
Usually we use certificates for VPN auth, but besides that, the certificate contains the peer ID and the public key of the peer.
The local router receives the certificate and checks if it is valid; if yes, then the local router will use the public key in the certificate to build the key for the VPN connection.
07-06-2022 01:41 AM - edited 07-06-2022 01:55 AM
This covers how to obtain a signed public key certificate, including how to create the key file, create a CSR, submit it to a CA, using OpenSSL/Windows, and additional considerations such as handling intermediate certificates and certificate bundling. Public key certificates are an integral part of the TLS protocol. Sometimes they are autogenerated in devices where authentication is not needed and TLS is used just for confidentiality. When server authentication is required, the certificate must be signed by a known CA. In the case of enterprise internal services, this CA can be internal, while in the case of a public service, the signing CA has to be known by the user's browser, so a signed certificate from a known public CA is required. To scale the PKI architecture, intermediate CAs are involved in creating a certificate chain that can be managed through effective certificate bundling.
To configure Public Key Certificates, follow these steps:
Generate the Private Key
Generate the Certificate Signing Request (CSR)
Display and verify the certificate (Optional)
Enrollment
Install the certificate
To configure a Public Key Certificate using the Apache web server, follow these 5 steps:
Step 1: Generate the private key
```text
admin@web_server:~$ openssl genrsa -aes192 -out MYPRIVATEKEY.key 4096
Generating RSA private key, 4096 bit long modulus
...++
..++
e is 65537 (0x10001)
Enter pass phrase for MYPRIVATEKEY.key:
Verifying - Enter pass phrase for MYPRIVATEKEY.key:
```
This generates an RSA key pair that is 4096 bits long, encrypting the generated key with the AES-192 algorithm using an encryption key that is the entered passphrase. The private key is stored in the MYPRIVATEKEY.key file. RSA and DSA key pairs can be generated, and they can be protected using 3DES, AES, SEED, and other algorithms.
Step 2: Generate the CSR
```text
admin@web_server:~$ openssl req -new -key MYPRIVATEKEY.key -out MYCSR.csr
Enter pass phrase for MYPRIVATEKEY.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
<... output omitted ...>
```
Generate a CSR using the private key created in the previous step and configure the certificate attributes:
Country
State or province
City
Organization Name
Organizational Unit Name
Common name
Email address
Challenge password
Optional company name
Not all attributes are mandatory and not all of them are recognized by all enrollment services.
Step 3: Display and verify the CSR (Optional)
```text
admin@web_server:~$ cat MYCSR.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFSjCCAzICAQAwgcExCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZUaWNpbm8xDzAN
BgNVBAcMBkx1Z2FubzEXMBUGA1UECgwOTXlPcmdhbml6YXRpb24xHzAdBgNVBAsM
FkluZm9ybWF0aW9uIFRlY2hub2xvZ3kxIzAhBgNVBAMMGm15b3JnYW5pemF0aW9u
<... output omitted ...>
EdyJ9hQC7Uvs5c+4KtNA8vSYa1NkTUABIeaDOiHT6gwPfyaBxCGPoiC2PbWqvF2t
DgF0hpSo2LZMzCDp2t8=
-----END CERTIFICATE REQUEST-----
```
Display the generated CSR. You can copy the output to verify that it was correctly generated and to enroll the certificate.
To verify that the CSR is correctly generated and check for any warnings, there are multiple online tools; one is the DigiCert Check CSR tool, accessible at https://ssltools.digicert.com/checker/views/csrCheck.jsp
Step 4: Enrollment to request the certificate
The enrollment process varies depending on the certification authority, but the general concept is to verify the identity of the requesting organization offline and issue the CA-signed certificate through one of several methods:
Download link
Simple Certificate Enrollment Protocol (SCEP)
To complete the enrollment process, the requester typically must provide information like:
Time range validity
Number of servers
The Organization’s identity
The common name, something like www.myorganization.com
An email contact address
A CSR is generated from the server you need to secure.
Automatic CSR enrollment is possible and is usually used for network devices. One automatic enrollment method is the Simple Certificate Enrollment Protocol (SCEP), an IETF internet draft. Using SCEP, a network device can automatically send the CSR to a CA, then obtain and install the certificate. SCEP is a useful option when an internal CA is used for the enrollment process and verifying the real identity of the requester offline is not needed.
Once the certificate is created, it can be downloaded or it is sent by email.
Step 5: Install the certificate
Modify the Apache configuration file accordingly (httpd.conf or ssl.conf):
```apache
# Points to the certificate file; if the certificate is encrypted a passphrase is required
SSLCertificateFile /PATH_TO_CRT/public.crt
# Points to the key file
SSLCertificateKeyFile /PATH_TO_KEY/private.key
# Points to the SSL chain bundle file
SSLCertificateChainFile /PATH_TO_BUNDLE/bundle.crt
```
"My question is: is the first step necessary?"
To obtain an identity certificate, a system administrator will enroll with the PKI. The first step is to obtain the CA's identity certificate. The next step is to create a Certificate Signing Request (CSR). The CSR contains the identity information that is associated with the enrolling system. This can include data such as the system name, the organization to which the system belongs, and location information. Most importantly, the enrolling system's public key is included with the CSR. Depending on the circumstance, the CA administrator may need to contact the enroller and verify the data before the request can be approved. If the request is approved, the CA will take the identity data from the CSR, and add in the CA-specified data, such as the certificate serial number, the validity dates, and the signature algorithm, to complete the X.509v3 certificate structure. It will then sign the certificate by hashing the certificate data and encrypting the hash with its private key. The signed certificate is then made available to the enrolling system.
07-06-2022 06:30 PM
@Sheraz.Salim Thank you very much for your reply. The first step is to create the key pair. The second step is to create the CSR. What is the relation between the first step and the second step?
07-06-2022 11:40 PM
The private key is mandatory; without the private key you cannot generate the CSR. And without the CSR you cannot get the identity certificate for your system (server/router/switch).
Once you have the CSR, you can proceed to get the cert signed by the CA.
07-07-2022 06:41 AM
I am also interested in the question. Why is the private key mandatory, and why can you not generate the CSR without the private key? Thanks
07-07-2022 07:21 PM
@Sheraz.Salim The private key is needed for generating the CSR. Where is the key generated, on the server or at the CA?
07-07-2022 11:23 PM
The private key is generated on the server, not on the CA.
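As an added example (not from any poster in this thread), the script below walks the five OpenSSL steps from the long reply above against a throwaway local CA and makes the answers to the last questions concrete: the CSR is derived from the private key (it embeds the public half and is signed with the private half), the CA only ever receives the CSR, and a CSR made with one key cannot be matched to another. It assumes openssl 1.1 or 3.x in PATH; every file name and subject value is constructed.

```shell
# Added example, not from the thread. Constructed names; needs openssl in PATH.
set -eu

# Step 1 (server side): the key pair. -aes192 from the thread is omitted so
# the script runs without a passphrase prompt.
gen_key() { openssl genrsa -out "$1" 2048 2>/dev/null; }

# Step 2 (server side): the CSR is derived FROM the private key: it embeds the
# public half and is signed with the private half. No key, no CSR.
gen_csr() { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

# Returns 0 when the public key inside the CSR equals the one derived from the
# private key AND the CSR's self-signature verifies (proof of possession).
csr_matches_key() {
  openssl pkey -in "$1" -pubout 2>/dev/null >key.pub
  openssl req -in "$2" -pubkey -noout >csr.pub
  cmp -s key.pub csr.pub && openssl req -in "$2" -verify -noout >/dev/null 2>&1
}

# Steps 3-4 (CA side): the CA receives only the CSR, adds serial number and
# validity dates and signs with ITS OWN key. server.key never leaves the server.
ca_sign() {  # ca_sign CSR CA_CRT CA_KEY OUT_CRT
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -out "$4" 2>/dev/null
}

# Step 5 pre-install check: the returned cert must chain to the CA and carry
# the public key of the file Apache's SSLCertificateKeyFile will point at.
cert_matches_key() {  # cert_matches_key CRT KEY CA_CRT
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -pubkey -noout >crt.pub
  openssl pkey -in "$2" -pubout 2>/dev/null | cmp -s - crt.pub
}

demo() {
  cd "$(mktemp -d)"
  gen_key server.key
  gen_csr server.key "/C=CH/ST=Ticino/L=Lugano/O=MyOrganization/CN=www.myorganization.com" server.csr
  csr_matches_key server.key server.csr
  # throwaway internal CA standing in for the real CA of steps 3-4
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -subj "/CN=Internal Test CA" -days 30 -out ca.crt 2>/dev/null
  ca_sign server.csr ca.crt ca.key server.crt
  cert_matches_key server.crt server.key ca.crt
  # a CSR made with one key cannot be claimed by another: step 1 fixes step 2
  gen_key other.key
  if csr_matches_key other.key server.csr; then return 1; fi
  echo "ok: CSR and certificate are bound to server.key"
}
```

Run `demo` to see the whole flow; it exits non-zero at the first step where a key, CSR or certificate does not belong together.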