Masterclass in openSSL
This one-hour masterclass video covers using OpenSSL on Linux in depth. We first look at self-signed OpenSSL certificates and see their limitations. From there we create the full PKI hierarchy: the OpenSSL root CA certificate, an intermediate CA and server keys. We see how the root CA signs the sub CA, and how the sub CA is then used to sign the server certificates. We see how clients can trust the root CA, and we end the demonstration by starting an OpenSSL test server before configuring nginx with HTTPS.

00:00 Intro
02:06 SSH Trust and Encryption
03:30 Create the directory structure
07:30 Self Signed Keys
13:30 Private Keys
18:47 Create the Root CA Certificate
26:35 Create the Intermediate CA
36:15 Create the Server Certificate
44:30 Test the PKI Structure

The root-ca.conf file follows. You can edit this file to become sub-ca.conf: change the directory variable and the policy.

[ca]
#/root/ca/root-ca/root-ca.conf
#see man ca
default_ca = CA_default

[CA_default]
dir = /root/ca/root-ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ca.key
certificate = $dir/certs/ca.crt
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the req tool, man req.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
countryName_default = GB
stateOrProvinceName_default = England
0.organizationName_default = TheUrbanPenguin Ltd

[ v3_ca ]
# Extensions to apply when creating root ca
# Extensions for a typical CA, man x509v3_config
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions to apply when creating intermediate or sub-ca
# Extensions for a typical intermediate CA, same man as above
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
#pathlen:0 ensures no more sub-ca can be created below an intermediate
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for server certificates
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
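
The hierarchy described above, end to end, as an added example that is not the video's own command sequence: it builds root CA, sub CA and server certificate from a trimmed copy of the config, derives sub-ca.conf by changing the directory and policy, and verifies the chain. The scratch directory, the unencrypted keys and the names "Example Ltd" and "www.example.test" are assumptions made for a non-interactive run.

```shell
# Added example. Assumptions: scratch dir instead of /root/ca, unencrypted keys, constructed names.
build_pki() {   # $1 = scratch directory
  root=$1/root-ca; sub=$1/sub-ca; rc=$root/root-ca.conf; sc=$sub/sub-ca.conf; subj='/C=GB/ST=England/O=Example Ltd'
  for ca in "$root" "$sub"; do
    mkdir -p "$ca/certs" "$ca/private" "$ca/newcerts" && : > "$ca/index" && echo 1000 > "$ca/serial"
  done
  cat > "$rc" <<EOF
[ca]
default_ca = CA_default
[CA_default]
dir = $root
new_certs_dir = \$dir/newcerts
database = \$dir/index
serial = \$dir/serial
private_key = \$dir/private/ca.key
certificate = \$dir/certs/ca.crt
default_md = sha256
default_days = 365
policy = policy_strict
[policy_strict]
countryName = supplied
stateOrProvinceName = supplied
organizationName = match
commonName = supplied
[policy_loose]
commonName = supplied
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[v3_intermediate_ca]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[server_cert]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # sub-ca.conf is root-ca.conf with the directory and the policy changed; root signs sub, sub signs server.
  sed -e "s|^dir = .*|dir = $sub|" -e 's|^policy = .*|policy = policy_loose|' "$rc" > "$sc" &&
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$rc" -extensions v3_ca -subj "$subj/CN=Example Root CA" -keyout "$root/private/ca.key" -out "$root/certs/ca.crt" &&
  openssl req -new -newkey rsa:2048 -nodes -config "$sc" -subj "$subj/CN=Example Sub CA" -keyout "$sub/private/ca.key" -out "$sub/ca.csr" &&
  openssl ca -batch -notext -config "$rc" -extensions v3_intermediate_ca -in "$sub/ca.csr" -out "$sub/certs/ca.crt" &&
  openssl req -new -newkey rsa:2048 -nodes -config "$sc" -subj "/CN=www.example.test" -keyout "$sub/private/server.key" -out "$sub/server.csr" &&
  openssl ca -batch -notext -config "$sc" -extensions server_cert -in "$sub/server.csr" -out "$sub/certs/server.crt"
}
verify_chain() { openssl verify -CAfile "$1/root-ca/certs/ca.crt" -untrusted "$1/sub-ca/certs/ca.crt" "$1/sub-ca/certs/server.crt"; }
d=$(mktemp -d) && build_pki "$d" && verify_chain "$d"
```

The server_cert section sets no subjectAltName, so a certificate issued this way passes openssl verify, but current browsers match host names against subjectAltName and will not accept it for a site.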


