OpenSSL Certificates
Public key cryptography is beyond the scope of this page, but very
basically the whole idea is this: I give you my public key. You use
that key to lock data and send it to me. I use my private key to
unlock the data. Only the private key can unlock the data, so if I am
the only one with the private key, only I can read it. Anyone can get
the public key and the locked data, but without the private key you
would need an enormous amount of computing time to unlock it.
If both parties exchange public keys then communication can be secured
in both directions on a public network.
The only problem with this is that if someone says "Hi, I am Doug,
here is my public key, lock data and send it to me," you do not know
who they really are. In this case a third party (a Certificate
Authority) is used to sign the public keys. If you trust the third
party you can take their word for it that the public key belongs to
the person who claims to own it.
I think this stuff is interesting because it can be used to secure
all sorts of network traffic, including email.
HowTo...
Software.
Install openssl ref:
www.openssl.org
Edit your openssl config file /etc/ssl/openssl.cnf and set
default_days = 3650 so that your certificates last 10 years.
Make your own Certificate Authority.
This creates a trusted third party. You can go to companies for
this service, but I trust me more than a company. This needs to be
done only once, and then the CA can be used to sign all sorts of
certificates.
mkdir DougsCA
cd DougsCA
/usr/share/ssl/misc/CA.sh -newca
Make a Personal Certificate.
/usr/share/ssl/misc/CA.sh -newreq
/usr/share/ssl/misc/CA.sh -sign
# newreq.pem holds both the private key and the certificate request.
# Delete the ---- CERTIFICATE REQUEST ---- section so only the key remains.
vi newreq.pem
# Rename Files.
mv newreq.pem doug@culnane.net.key
mv newcert.pem doug@culnane.net.pem
# Make a p12 version of cert for installation in your mail client.
openssl pkcs12 -export \
-in doug@culnane.net.pem -inkey doug@culnane.net.key \
-certfile demoCA/cacert.pem -out doug@culnane.net.p12
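The same three steps (make a CA, issue a personal certificate, export a PKCS#12 bundle for the mail client) carried out with plain openssl commands instead of the CA.sh wrapper, as an added example that is not part of the original page. It assumes an openssl binary on PATH; the CA name, directory, export password and the usr.ext extension file are constructed for this demo. Keeping the key and the request in separate files from the start means there is no request block to delete by hand, and the verify function checks the result the way a mail client would.

```shell
#!/bin/sh
# Added example: private CA + S/MIME user certificate + PKCS#12 export.
# Everything below (names, paths, password) is constructed for the demo.
set -eu

DAYS=3650                 # ten years, matching default_days from the page
P12_PASS="changeit"       # demo export password (constructed)

make_demo_pki() {
    work="$1"             # working directory, created if missing
    mkdir -p "$work"
    (
        cd "$work"

        # 1. Certificate Authority: a self-signed root (what CA.sh -newca does).
        openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
            -keyout cakey.pem -out cacert.pem \
            -subj "/CN=Dougs Demo CA" 2>/dev/null

        # 2. Personal key and request, written to separate files.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout user.key -out user.csr \
            -subj "/CN=doug@culnane.net/emailAddress=doug@culnane.net" 2>/dev/null

        # 3. Sign the request with the CA (what CA.sh -sign does), adding the
        #    extensions a mail client expects for an S/MIME certificate.
        cat > usr.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:doug@culnane.net
EOF
        openssl x509 -req -in user.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days "$DAYS" -extfile usr.ext \
            -out user.pem 2>/dev/null

        # 4. PKCS#12 bundle (key + cert + CA cert) for the mail client.
        openssl pkcs12 -export -in user.pem -inkey user.key \
            -certfile cacert.pem -passout "pass:$P12_PASS" -out user.p12
    )
}

# Check the result the way a mail client would: the user certificate must
# chain to the CA, carry the E-mail Protection usage, and the .p12 must
# open with the export password. Returns 0 only if all three hold.
verify_demo_pki() {
    work="$1"
    openssl verify -CAfile "$work/cacert.pem" "$work/user.pem" >/dev/null &&
    openssl x509 -in "$work/user.pem" -noout -text | grep -q 'E-mail Protection' &&
    openssl pkcs12 -in "$work/user.p12" -passin "pass:$P12_PASS" -noout
}

# Usage: sh demo_pki.sh demo
if [ "${1:-}" = "demo" ]; then
    make_demo_pki ./DougsDemoCA
    verify_demo_pki ./DougsDemoCA && echo "chain OK"
fi
```

Import DougsDemoCA/user.p12 into the mail client and DougsDemoCA/cacert.pem into its trusted-authority store; the export password is the one set in P12_PASS. The private keys are written unencrypted here for a scriptable demo; for a real CA, keep cakey.pem encrypted and offline.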