1038 Views, 10 Helpful, 7 Replies

Generated key pair at certificate installation

interfacedy (Spotlight)

Hi, a server needs to install a certificate for user access. I am not very clear about the process. I hope someone can give some suggestions. Here are the four steps for it. The first is to generate a pair of keys (private and public) at the server. The second is to generate a CSR at the server. The third step is to send the CSR to the CA to sign a certificate with the CSR. The fourth step is to get the signed certificate back and install it on the server. Different documents that I read have slightly different steps, so I got a little confused. My question is: is the first step necessary? What is the function of the first step? Thank you.

7 Replies

Usually we use certificates for VPN auth, but besides that, the certificate contains the peer ID and the public key of the peer.
The local router receives the certificate and checks whether it is valid; if yes, the local router will use the public key in the certificate to build the key for the VPN connection.

This covers how to obtain a signed public key certificate: creating the cert file, creating a CSR, submitting it to the CA (covering OpenSSL/Windows), and additional considerations such as handling intermediate certificates and certificate bundling. Public key certificates are an integral part of the TLS protocol. Sometimes they are autogenerated on devices where authentication is not needed and TLS is used just for confidentiality. When server authentication is required, the certificate must be signed by a known CA. In the case of enterprise internal services, this CA can be internal, while in the case of a public service the signing CA has to be well known to the user's browser, so a signed certificate from a known public CA is required. To scale the PKI architecture, intermediate CAs are involved, creating a certificate chain that can be managed through effective certificate bundling.

To configure Public Key Certificates, follow these steps:

  1. Generate the Private Key

  2. Generate the Certificate Signing Request (CSR)

  3. Display and verify the certificate (Optional)

  4. Enrollment

  5. Install the certificate

To configure a Public Key Certificate using the Apache web server, follow these 5 steps:

Step 1: Generate the private key

admin@web_server:~$ openssl genrsa -aes192 -out MYPRIVATEKEY.key 4096
Generating RSA private key, 4096 bit long modulus
...++
..++
e is 65537 (0x10001)
Enter pass phrase for MYPRIVATEKEY.key:
Verifying - Enter pass phrase for MYPRIVATEKEY.key:

This generates an RSA key pair that is 4096 bits long, encrypting the generated key with the AES-192 algorithm using an encryption key derived from the entered passphrase. The private key is stored in the MYPRIVATEKEY.key file. RSA and DSA key pairs can be generated, and they can be protected using 3DES, AES, SEED, and other algorithms.

Step 2: Generate the CSR

admin@web_server:~$ openssl req -new -key MYPRIVATEKEY.key -out MYCSR.csr
Enter pass phrase for MYPRIVATEKEY.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
<... output omitted ...>

Generate a CSR using the private key created in the previous step, and configure the certificate attributes:

  • Country

  • State or province

  • City

  • Organization Name

  • Organizational Unit Name

  • Common name

  • Email address

  • Challenge password

  • Optional company name

Not all attributes are mandatory and not all of them are recognized by all enrollment services.

Step 3: Display and verify the CSR (Optional)

admin@web_server:~$ cat MYCSR.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIFSjCCAzICAQAwgcExCzAJBgNVBAYTAkNIMQ8wDQYDVQQIDAZUaWNpbm8xDzAN
BgNVBAcMBkx1Z2FubzEXMBUGA1UECgwOTXlPcmdhbml6YXRpb24xHzAdBgNVBAsM
FkluZm9ybWF0aW9uIFRlY2hub2xvZ3kxIzAhBgNVBAMMGm15b3JnYW5pemF0aW9u
<... output omitted ...> 
EdyJ9hQC7Uvs5c+4KtNA8vSYa1NkTUABIeaDOiHT6gwPfyaBxCGPoiC2PbWqvF2t
DgF0hpSo2LZMzCDp2t8=
-----END CERTIFICATE REQUEST-----

Display the generated CSR. You can copy the output to verify that it is correctly generated and to enroll the certificate.

To verify that the CSR is correctly generated and check for any warnings, there are multiple online tools; one is the DigiCert Check CSR tool, accessible at https://ssltools.digicert.com/checker/views/csrCheck.jsp

Step 4: Enrollment to request the certificate

The enrollment process varies depending on the certification authority, but the general concept is to verify the identity of the requesting organization offline and to issue the CA-signed certificate through one of several methods:

  • Download link

  • Email

  • Simple Certificate Enrollment Protocol (SCEP)

To complete the enrollment process, the requester typically must provide information such as:

  • Time range validity

  • Number of servers

  • The Organization’s identity

  • The common name, something like www.myorganization.com

  • An email contact address

  • A CSR generated from the server you need to secure

Automatic CSR enrollment is possible and is usually used for network devices. One automatic enrollment method is the Simple Certificate Enrollment Protocol (SCEP), an IETF internet draft. Using SCEP, a network device can automatically send the CSR to a CA, then obtain and install a certificate. SCEP is a useful option when an internal CA is used for the enrollment process and verifying the real identity of the requester offline is not needed.

Once the certificate is created, it can be downloaded or it is sent by email.

Step 5: Install the certificate

  1. Modify the Apache configuration file accordingly (httpd.conf or ssl.conf)

    # Points to the certificate file (PEM)
    SSLCertificateFile /PATH_TO_CRT/public.crt

    # Points to the private key file; if the key is passphrase-encrypted (as with
    # genrsa -aes192 above), Apache prompts for the passphrase at startup
    SSLCertificateKeyFile /PATH_TO_KEY/private.key

    # Points to the intermediate-CA bundle. Deprecated since Apache 2.4.8: on
    # current releases append the intermediates to the SSLCertificateFile instead
    SSLCertificateChainFile /PATH_TO_BUNDLE/bundle.crt


"My question is: is the first step necessary?"

To obtain an identity certificate, a system administrator will enroll with the PKI. The first step is to obtain the CA's identity certificate. The next step is to create a Certificate Signing Request (CSR). The CSR contains the identity information that is associated with the enrolling system. This can include data such as the system name, the organization to which the system belongs, and location information. Most importantly, the enrolling system's public key is included with the CSR. Depending on the circumstance, the CA administrator may need to contact the enroller and verify the data before the request can be approved. If the request is approved, the CA will take the identity data from the CSR, and add in the CA-specified data, such as the certificate serial number, the validity dates, and the signature algorithm, to complete the X.509v3 certificate structure. It will then sign the certificate by hashing the certificate data and encrypting the hash with its private key. The signed certificate is then made available to the enrolling system.

please do not forget to rate.
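Added example, not part of any reply in this thread: the five steps above carried out end to end against a throwaway internal CA, followed by the two checks worth running before the files are referenced from httpd.conf (does the certificate chain to the CA, and does it belong to the private key Apache will load next to it). It assumes an openssl binary (1.1.1 or 3.x) on PATH; every file name, hostname and DN value is invented, and the passphrase from the post's -aes192 is left out so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the original thread: steps 1-5 above run end to end
# against a throwaway internal CA, followed by the checks worth running before
# the files are referenced from httpd.conf. Assumes an openssl binary (1.1.1 or
# 3.x) on PATH; every file name, hostname and DN value below is invented.
set -eu

WORK=$(mktemp -d)      # scratch directory; nothing in it is meant to be kept
cd "$WORK"

# Minimal config so the script does not depend on the system openssl.cnf.
# ca_ext is only applied to the self-signed CA certificate (-x509); leaf_ext
# is applied by the CA when it signs the server CSR.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.myorganization.example
EOF

# Step 1: key pair. Only the private half is written to disk; the public half
# is derived from it on demand. The post's -aes192 would wrap this file with a
# passphrase; omitted here so the script runs unattended.
gen_key() {
    openssl genrsa -out MYPRIVATEKEY.key 2048 2>/dev/null
}

# Step 2: CSR = subject DN + public key, signed with the private key from
# step 1. -subj replaces the interactive DN prompts shown in the post.
gen_csr() {
    openssl req -new -config pki.cnf -key MYPRIVATEKEY.key -out MYCSR.csr \
        -subj "/C=CH/ST=Ticino/L=Lugano/O=MyOrganization/OU=IT/CN=www.myorganization.example"
}

# Step 3: offline equivalent of the online CSR checker. "verify OK" (1.1.1) or
# "Certificate request self-signature verify OK" (3.x) means the signature
# inside the CSR validates against the public key the CSR carries.
check_csr() {
    openssl req -in MYCSR.csr -noout -verify 2>&1 | grep -q "verify OK"
}

# Step 4: enrollment, with an internal CA standing in for the real one. The CA
# copies the DN and public key out of the CSR, adds serial number, validity and
# extensions, and signs with its own key CA.key. Only the CSR left the server.
sign_csr() {
    openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout CA.key -out CA.crt -days 30 \
        -subj "/C=CH/O=MyOrganization/CN=MyOrganization Internal CA" 2>/dev/null
    openssl x509 -req -in MYCSR.csr -CA CA.crt -CAkey CA.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions leaf_ext -out public.crt 2>/dev/null
}

# Step 5, check A: the issued certificate chains to the CA that would be served
# from SSLCertificateChainFile (here just CA.crt, a single-level chain).
cert_chains_to_ca() {
    openssl verify -CAfile CA.crt public.crt | grep -q ': OK'
}

# Step 5, check B: SSLCertificateFile and SSLCertificateKeyFile belong together.
# Both commands print "Modulus=<hex>"; digests keep the comparison short.
modulus_digest() {      # $1: "rsa" for a key file, "x509" for a certificate
    openssl "$1" -in "$2" -noout -modulus | openssl sha256
}
key_matches_cert() {    # $1: private key file to test against public.crt
    [ "$(modulus_digest rsa "$1")" = "$(modulus_digest x509 public.crt)" ]
}

gen_key
gen_csr
check_csr
sign_csr
cert_chains_to_ca
key_matches_cert MYPRIVATEKEY.key
openssl genrsa -out OTHER.key 2048 2>/dev/null   # a key that did not make the CSR
! key_matches_cert OTHER.key                      # ... and is therefore rejected
echo "key, CSR, certificate and chain are consistent; ready for httpd.conf"
```

The modulus comparison at the end is the check that catches the most common install-day outage: a certificate dropped next to a private key that did not produce its CSR (a regenerated key, or the wrong server's key). Apache will refuse to start in that case, so it is cheaper to catch it here. The subjectAltName in leaf_ext is there because browsers match the hostname against the SAN, not the CN from the CSR prompt.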

interfacedy (Spotlight)

@Sheraz.Salim Thank you very much for your reply. The first step is to create a key pair. The second step is to create a CSR. What is the relation between the first step and the second step?

The private key is mandatory: without a private key you cannot generate the CSR, and without the CSR you cannot get the identity certificate for your system (server/router/switch).
Once you have the CSR you can proceed to get the cert signed by the CA.

please do not forget to rate.

Leftz (Level 4)

I am also interested in the question. Why is the private key mandatory? Why can't you generate the CSR without a private key? Thanks

interfacedy (Spotlight)

@Sheraz.Salim The private key is needed for generating the CSR. Where is the key generated, on the server or at the CA?

The private key is generated on the server, not at the CA.

please do not forget to rate.