


Certificate Authority Module
Lab 1: Issue and Revoke of Digital Certificate

Contents
Introduction
  Quick introduction to LAMP
  Quick introduction to certificate authority
Implementation
  Network topology on GENI
  Setting up LAMP on GENI
    Installing MySQL
    Installing Apache
    Installing PHP
    Enabling SSL connection of Apache
  Installing and enabling browser on GENI
    For Windows operating system
    For MacOS operating system
    For other Linux operating systems
  Testing Apache and PHP services
    Testing Apache service
    Testing PHP service
  Setting up certificate authority on GENI
    Building Certificate Authority
    On web server node
  Issuing a digital certificate
  Result of issued digital certificate
  Revoking a digital certificate
  Result of revoking a digital certificate

Introduction

Quick introduction to LAMP

LAMP is short for the software bundle of the Linux operating system, Apache HTTP Server, MySQL database management system, and PHP programming language. This bundle can realize the role and function of a web server, which can drive web applications.
Although not actually designed to work together, these open-source software packages are relatively simple and easy to use. Besides these four packages, the bundle can also be combined with many other free and open-source software packages.

Quick introduction to certificate authority

A certificate authority (CA) is a trusted third party that issues electronic documents in order to verify a digital entity's identity on the Internet. In cryptographic terms, a certificate authority verifies the ownership of the public key of the named subject of the certificate.

Implementation

Network topology on GENI

The network topology of our experiment will be the following:

The node named CA will be the certificate authority in this experiment.
The node named WS will be the web server in this experiment; we will install LAMP on this node to enable it to be a web server.

Notice: we must wait for all the GENI nodes to turn green, which means the remote machines are ready for us to use. Then we can continue with the following steps. This may take a while.

Setting Up LAMP on GENI

We already have the GENI node. In other words, we already have a Linux operating system, so we only need to install the remaining Apache, MySQL, and PHP. We should pay attention to the installation order of LAMP. We recommend installing MySQL and Apache first and leaving PHP for last. The order of installation of MySQL and Apache can be reversed because they do not depend on each other. However, PHP must be installed after we finish the installation of MySQL and Apache because the PHP server depends on the services of Apache and MySQL.

Using SSH, log in to the WS node.
The following installation will be on this node.

Before installation, we should download the package lists from the repositories and "update" them to get information on the newest versions of packages and their dependencies.
Command: sudo apt-get update

Installing MySQL

In order to install MySQL, use the following command.
Command: sudo apt-get install mysql-server

In this process, a prompt will ask you to enter the password for the MySQL administrator. Set up the password in this prompt window.

After the installation of MySQL, we should verify that it was installed successfully.
Command: sudo netstat -tap | grep mysql

If it shows the listening port of MySQL as the following, then we know it was installed successfully.

Installing Apache

In order to install Apache, use the following command.
Command: sudo apt-get install apache2

We can run the browser to check whether or not it was installed successfully. However, we need to involve third-party software to enable the graphics display on the GENI node. We will cover this later.

Installing PHP

In order to install PHP, use the following command.
Command: sudo apt-get install php

After this installation, a folder named "www" will be created under /var. This folder is reserved for the source code of the website.

Enabling SSL connection of Apache

Because we need to install the digital certificate later, we need to enable the SSL connection of Apache.

First, a brief introduction to the Apache configuration files. As we can see, there are several configuration files in the Apache folder. In old versions of Apache, there is only one configuration file, named "httpd.conf". In the latest version, the main configuration file is "apache2.conf". We can take a quick look at this file. As we can see, there are many "Include" directives in this file.
This means the Apache server will read this file first, and the other configuration files will be linked in through these "Include" directives.

As for the SSL configuration file, it is in the "sites-enabled" folder. We can use the following command to create a configuration file for the SSL connection.
Command: sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf

Then we modify this default-ssl.conf as follows:

We temporarily named our server jhuws.edu. The digital certificate is named jhuws.crt, and the private key of the digital certificate is named jhuws.key. Of course, you can choose the names as you like, but make sure to use the same names later.

Here, 172.17.2.41 is the IP address of our web server. You can use the command "ifconfig" to check it. The "443" is the port number for the SSL connection.

You should also use the following command to enable the SSL module of Apache2 if you receive a prompt about a connection refusal while trying to connect to port 443 on the web server.
Command: sudo a2enmod ssl

Installing and enabling browser on GENI

We choose the Firefox browser in this experiment. Of course, you can choose other browsers. This part should be done on the user node.
Command: sudo apt-get install firefox

The operation of the next step will be different for Windows, Mac and Linux operating systems. For Windows and MacOS operating systems, we need to depend on third-party software in order to enable the graphics display of the GENI node.

For Windows operating system

Install the Xming software on your local operating system. Xming is an X11 display server for Microsoft Windows operating systems. Then, run it to start the X server. You should see the Xming icon in the taskbar if it is running.

Then, use PuTTY to log onto the GENI node. You can find instructions on how to log into a GENI node using PuTTY through the link below.
Be sure to select the X11 option in PuTTY, in addition to the other steps of logging onto the GENI node with PuTTY.

Then, we can run the graphics display of the GENI node from the Windows operating system.
Command: firefox

After a few seconds, we can see a browser GUI displayed with the help of Xming.

For MacOS operating system

Install XQuartz on your Mac. XQuartz is an X server designed for MacOS. Right-click on the XQuartz icon in the dock, and select Applications > Terminal. This should bring up a new xterm terminal window. Then, make an SSH connection to the GENI node in this terminal window. The password is your GENI account password.

We can enable the graphics display of the browser on a GENI node with the help of XQuartz.
Command: firefox

For other Linux operating systems

It is much simpler when you are using a Linux operating system. Just SSH into the Linux system of your choice using the "-Y" flag. Then, run the Firefox browser.
Command: firefox

Testing Apache and PHP services

Now that the browser is installed and enabled, we can test the Apache and PHP services installed before.

Testing Apache service

Open the Firefox browser using the following command.
Command: firefox

Enter "127.0.0.1" in the browser. If it shows the following image, then the Apache service is installed successfully.

Testing PHP service

We can write a simple PHP website and then run it to test whether or not the PHP service is installed successfully.

We can use vi to write the document. Instructions on how to use vi commands can be found through the link below:

For convenience, we can use the WinSCP software to write the PHP source code. Instructions on how to log into a GENI node using WinSCP can be found through the link below:

This software is only for Windows.

We need to give ourselves the privilege to edit the "/var/www" folder.
As mentioned before, the "www" folder contains the website's source code.
Command: sudo chmod 777 /var/www

(A world-writable web root is acceptable only for this lab; on a real server the folder should stay owned by root and be writable only by the account that deploys the site.)

Under the "www/html" folder, create a file named "info.php", and write the following code in it:

<?php
phpinfo();
?>

Now, we need to restart the Apache service.
Command: sudo /etc/init.d/apache2 restart

Run the browser, and enter "127.0.0.1/info.php" in the browser. If we can see the configuration information of PHP, then we know the PHP service was installed successfully.

Setting up certificate authority on GENI

The GENI nodes have OpenSSL already installed. OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the SSL and TLS protocols. Further reading on the SSL/TLS protocol can be found through the link below:

We can take a quick look at OpenSSL on the GENI node. The folder is "/etc/ssl". We can see three documents already in this folder. The "certs" folder is used to store the digital certificates of this machine. The "private" folder is used to store the private key of the digital certificate. The "openssl.cnf" file is the main configuration document of OpenSSL.

Right now, these documents are not enough to enable the whole function of OpenSSL.
We need to do some additional configuration.

Building Certificate Authority

First, we need to do some work on the CA node in order for it to play the role of a certificate authority. We need to create some new documents in this folder. Create a serial document, and set the serial number. Then, make changes in the openssl.cnf file. In order to do so, we should give ourselves the privilege to write to it.
Command: sudo chmod 777 openssl.cnf

Then we need to use vi to modify some values in openssl.cnf. Instructions on how to use vi to edit a document on Ubuntu can be found through the link below:

If you are a Windows user, for convenience you can use WinSCP to open it, and set the values as follows:

Then, we need to generate a root private key for the root digital certificate of the certificate authority.
Command: openssl genrsa -out private/cakey.pem 2048

Then, we create the root digital certificate for the certificate authority.
Command: openssl req -new -x509 -key private/cakey.pem -out cacert.pem

This time, we set the server name as "jhuca.edu". You can set this to whatever you like. We will do some configuration later in order to visit the server named here.

On web server node

In this part, we need to log in to the WS node, which we previously configured to be a web server. Then, we generate a private key for the web server.
Command: sudo openssl genrsa -out jhuws.key 2048

Next, we generate a certificate signing request for the web server.
Command: sudo openssl req -new -key jhuws.key -out jhuws.csr

We also need to change the configuration of the openssl.cnf file under /etc/ssl on the WS node.

Issuing a digital certificate

In the real world, the commercial CAs that issue the bulk of certificates for HTTPS servers typically use a technique called "domain validation" to authenticate the recipient of the certificate.
The techniques used for domain validation vary between CAs, but in general they are meant to prove that the certificate applicant controls a given domain name, not to establish any information about the applicant's identity.

A CA issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly but is kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. In essence, the certificate authority is responsible for saying "yes, this person is who they say they are, and we, the CA, certify that".

In this step, the CA node needs to get the certificate signing request from the web server. We can use WinSCP or the scp command to send it. Instructions on how to use the scp command on Ubuntu to transfer files can be found through the link below:

We can use the chmod command to allow access and then transfer it. This is shown below.
Command: chmod 777 ssl

You need to give permissions on both nodes, that is the WS and CA nodes, using the above command in order to transfer files (one method: right click -> duplicate).

Then, we can sign this digital certificate on the CA node.
Command: openssl ca -in /etc/ssl/jhuws.csr -out /etc/ssl/jhuws.crt -days 3650

Then, we send this digital certificate back to the WS node. This can be done with WinSCP.

We should now be able to see this digital certificate.
We can use the cat command to view it in Linux, or we can just double-click and open it on Windows. We can see clearly that this digital certificate is issued by jhuca.edu, which is the CA node, and is issued to jhuws.edu, which is the WS node.

Then, we use the next two commands to install the web server's digital certificate. In other words, we put the digital certificate file and the key file into the correct folders on the web server.
Command: sudo cp jhuws.crt /etc/ssl/certs
Command: sudo cp jhuws.key /etc/ssl/private

Now, before we open the browser to see the result, we should copy the "cacert.pem" file from the CA node to the user node. The user node needs this file in order to verify the digital certificate issued by the CA. In addition, we should change the extension ".pem" to ".crt". If you receive an error saying that you do not have the proper privilege to send the file, just use the command "chmod 777 file_name" to grant the privilege.

Result of issued digital certificate

First, restart the apache2 service.
Command: service apache2 restart

Now, we can view the result of the work we have done. The following operations are all on the user node. First, log into the user node.

Because the display of the browser on GENI is kind of slow, we check whether we are right by installing "curl" to perform a quick test. Curl is a tool used to transfer data to or from a server using HTTP and HTTPS.

Use "sudo su" to enter the root account.
Use "apt-get update" to update the existing packages.
Use "apt-get install curl" to install curl.

Then, cd to the directory of the hosts file to make a small modification. Use the following command to give the proper privilege.
Command: chmod 777 hosts

We perform the above modification, mapping the address to the name in the hosts file, since "172.17.2.41" is the IP address of the WS node and jhuws.edu is the server name we set up before.

Use the following command to see if it works.
Command: curl jhuws.edu

This returns the HTML response of our web server.
It appears to work well. Then, we test whether or not the SSL configuration we modified before is working right. We use the following command to test it.
Command: curl --cacert cacert.crt

As shown above, it also works well. So, we can turn to the browser. Open the browser on the user node. You can refer to the instructions provided before about how to run and open a browser on a GENI node.

We visit the jhuws.edu/info.php website first. It works properly. So, we install the digital certificate. In order to do so, we go to the Preferences option of the browser. Then, we go to Advanced and then to the Certificates options. Click on "View Certificates". Then, import the cacert.crt file we put on the user node before. Next, trust this certificate authority we built previously. Now, we can see our certificate authority in the list of certificate authorities.

We visit jhuws.edu/info.php first and see the connection is insecure. Then, we visit the site over HTTPS; this time we can see a green lock, revealing that it is now a secure connection. We can view the details of this connection by clicking on the ">" symbol. The information we entered when making the digital certificate is shown in this display.

By now, we have finished the experiment of building a certificate authority and issuing a digital certificate.

Revoking a digital certificate

Now, we can try to revoke the digital certificate to see how it works. To revoke the digital certificate we issued before, we should log in to the CA node. Use the following command to revoke the digital certificate previously issued. The name of the digital certificate used is "jhuws.crt".
Command: openssl ca -revoke jhuws.crt

We can use the next command to check the index of our digital certificate.
Command: cat index.txt

It's 03, so everything is going right.

We should renew the CRL, which is short for Certificate Revocation List.
The digital certificate we revoked will be given an index and recorded in this list. Use the following command to generate the index of the digital certificate we just revoked.
Command: openssl ca -gencrl -out thisca.crl

We can have a look at the thisca.crl file. It stores the Certificate Revocation List.

Then, we need to add "00" to "crlnumber" in order to let the CRL start recording. Each time we revoke a digital certificate, it will add one to itself. I have revoked the digital certificate twice, so the number shown is 02.

So, we have successfully revoked a previously issued digital certificate.

Result of revoking a digital certificate

To see the result after we revoke an issued digital certificate, we need to import the new cacert.crt into the user node. Remove the old cacert.crt, and import the new cacert.crt. As we did before, we actually move the file "cacert.pem", but we need to change the extension ".pem" to ".crt". Also, we should move the thisca.crl file, which stores the Certificate Revocation List, to the user node. Because our certificate authority is offline, we need to move these files manually.

We can see the result by using the curl tool. We use the next command to visit our previously built site. Note that we need the options "--cacert" and "--crlfile" in order to include the CA and CRL documents.
Command: curl --cacert cacert.crt --crlfile thisca.crl

Now, we can see the digital certificate has already been revoked.

As for the Firefox browser we installed before, we would need to update the CA document and the CRL document. However, Firefox has already removed the user interface used for importing the CRL document, so we can't see the result in Firefox, as our certificate authority is offline.
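The whole lifecycle the lab walks through (build the CA on the CA node, sign the WS node's request, revoke the certificate, regenerate the CRL) as one added shell example that is not part of the original handout. It runs non-interactively in a temporary directory with a minimal openssl.cnf that I assume in place of the lab's edited /etc/ssl/openssl.cnf, and it uses openssl verify on the user-node side to show the certificate validating before revocation and being rejected once the CRL is checked, which is what the curl --crlfile step observes.

```shell
#!/bin/sh
# Added example (not from the lab handout): the lab's CA lifecycle scripted
# non-interactively in a throwaway directory and checked with "openssl verify".
# The minimal openssl.cnf below is an assumption standing in for the lab's
# edited /etc/ssl/openssl.cnf; the names jhuca.edu, jhuws.edu, thisca.crl are the lab's.
set -eu
# Lay out the CA directory the way the lab does under /etc/ssl on the CA node.
ca_setup() {
  dir="$1"
  mkdir -p "$dir/certs" "$dir/private" "$dir/newcerts"
  : > "$dir/index.txt"        # database of issued certificates (V valid, R revoked)
  echo 01 > "$dir/serial"     # serial number for the next certificate
  echo 01 > "$dir/crlnumber"  # number for the next CRL
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = root_ext
[ req_dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
EOF
}
# Issue, verify, revoke, regenerate the CRL, verify again; print both outcomes.
ca_lifecycle() {
  dir=$(mktemp -d); ca_setup "$dir"; cnf="$dir/openssl.cnf"
  # CA node: root key and self-signed root certificate for jhuca.edu
  openssl genrsa -out "$dir/private/cakey.pem" 2048 >/dev/null 2>&1
  openssl req -new -x509 -config "$cnf" -key "$dir/private/cakey.pem" \
    -subj "/CN=jhuca.edu" -out "$dir/cacert.pem" >/dev/null 2>&1
  # WS node: server key and certificate signing request for jhuws.edu
  openssl genrsa -out "$dir/jhuws.key" 2048 >/dev/null 2>&1
  openssl req -new -config "$cnf" -key "$dir/jhuws.key" -subj "/CN=jhuws.edu" \
    -out "$dir/jhuws.csr" >/dev/null 2>&1
  # CA node: sign the request, then check the chain the way the user node would
  openssl ca -batch -config "$cnf" -in "$dir/jhuws.csr" -out "$dir/jhuws.crt" \
    -days 3650 >/dev/null 2>&1
  before=$(openssl verify -CAfile "$dir/cacert.pem" "$dir/jhuws.crt" 2>/dev/null | sed 's/.*: //')
  # CA node: revoke and publish a fresh CRL; a CRL-checking verifier now rejects it
  openssl ca -config "$cnf" -revoke "$dir/jhuws.crt" >/dev/null 2>&1
  openssl ca -config "$cnf" -gencrl -out "$dir/thisca.crl" >/dev/null 2>&1
  if openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/thisca.crl" \
      "$dir/jhuws.crt" >/dev/null 2>&1; then after=valid; else after=revoked; fi
  rm -rf "$dir"; echo "before:$before after:$after"
}
ca_lifecycle   # prints "before:OK after:revoked"
```

Without -crl_check (or without --crlfile in curl) the revoked certificate still verifies, because the client has no revocation information for an offline CA unless the CRL is supplied to it explicitly.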

