1

Certificate Authority Module Lab 1 issue and revoke of digital certificate

Introduction 2Quick introduction to LAMP 2Quick introduction to certificate authority 2

Implementation 2Network topology on GENI 2Setting Up LAMP on GENI 3

Installing MySQL: 4Installing Apache 5Installing PHP 5Enabling SSL connection of Apache 6

Installing and enabling browser on GENI 8For Windows operating system: 8For MacOS operating system 11For other Linux operating systems 13Testing Apache and PHP services 14

Testing Apache service 14Testing PHP service 15

Setting up certificate authority on GENI 18Building Certificate Authority 19On web server node 21

Issuing a digital certificate 23Result of issued digital certificate 29Revoking a digital certificate 36Result of revoking a digital certificate 38

Introduction

Quick introduction to LAMP

LAMP is short for the software bundle of Linux operating system,

2

Apache HTTP Server, MySQL database management system, and PHP programming language.This bundle can realize the role and function of a web server, which can drive Web applications. Although not actually designed to work together, these open source software packages are relatively simple and easy to use.Besides these four software packages, this software bundle can also be combined with many other free and open-source software packages.

Quick introduction to certificate authority

Certificate Authority is a trusted third party that issues electronic documents in order verify a digital entity’s identification on the Internet. In cryptography terms, certificate authority verifies the ownership of the public key of the named subject of the certificate.

Implementation

Network topology on GENI

The network topology of our experiment will be the following:

The node named CA will be the certificate authority in this experiment.The node named WS will be the web server in this experiment, and we will install LAMP on this node to enable it to be a web server.

3

Notice: we must wait for all the GENI nodes to turn green, which means the remote machines are ready for us to use. Then, we can continue the following steps. This may take a while.

Setting Up LAMP on GENI

We already have the GENI node. In other words, we already have a Linux operating system, so we only need to install the remaining Apache, MySQL, and PHP. We should pay attention to the installation order of LAMP. We recommend installing MySQL and Apache first and leaving PHP for last. The order of installation of MySQL and Apache can be reversed because they do not depend on each other. However, the PHP must be installed after we finish the installation of MySQL and Apache because the PHP server depends on the services of Apache and MySQL.Using SSH, log in to the WS node. The following installation will be on this node.Before installation, we should download the package lists from the repositories and "update" them to get information on the newest versions of packages and their dependencies.Command: “sudo apt-get update”

Installing MySQL:

In order to install MySQL, use the following command.Command: “sudo apt-get install mysql-server”

In this process, a prompt will ask you to enter the password for the MySQL administrator. Setup the password in this prompt window.

4

After the installation of MySQL, we should verify that it was successful.Command: “sudo netstat -tap | grep mysql”If it shows the listening port of MySQL as the following, then we know it was installed successfully.

Installing Apache

In order to install Apache, use the following command.Command: “sudo apt-get install apache2”

We can run the browser to check whether or not it was installed successfully. However, we need to involve third party software to enable the graphics showing on GENI node. We will cover this later.

5

Installing PHP

In order to install PHP, use the following command.Command: “sudo apt-get install php”

After this installation, a folder named “www” will be created under /var. This folder will be reserved for the source code of the website.

Enabling SSL connection of Apache

Because we need to install the digital certificate later, we need to enable SSL connection of Apache.First, a brief introduction of the Apache configuration file.

As we can see, there are several configuration files in the Apache folder.In the old versions of Apache, there is only one configuration file named “httpd.conf”.As for the latest version, the main configuration file is “apache2.conf”. We can take a quick look at this file.

6

As we can see, there are many “include” commands in this file. This means the apache server will read this file first, and the other configuration files will be linked using these “include” commands.

As for the SSL configuration file, it is in the “sites-enabled” folder.We can use the following command to create a configuration file for SSL connection.

Command:“sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf ”

Then we modify this default-ssl.conf as follows:

7

We temporarily named our server jhuws.edu. The digital certificate name is jhuws.crt, and the private key of the digital certificate name is jhuws.key. Of course, you can make the name as you like, but make sure to use the same name later.Here, 172.17.2.41 is the IP address of our web server. You can use the command “ifconfig” to check it out. The “443” is the port number for the SSL connection.You should also use the following command to enable the SSL module of Apache2 if you receive a prompt about a connection refusal while trying to connect port 443 to the web server.Command: “sudo a2enmod ssl”

Installing and enabling browser on GENI

We choose the Firefox browser in this experiment. Of course, you can choose other browsers. This part should be done on the user node.Command: “sudo apt-get install firefox”

8

The operation of the next step will be different for Windows, Mac and Linux operating systems. For Windows and MacOS operating systems, we need to depend on third-party software in order to enable the graphics display on the GENI node.

For Windows operating system:

Install the Xming software on your local operating system. Xming is an X11 display server for Microsoft Windows operating systems. Then, run it to start the X server. You should see the Xming icon in the taskbar if it is running.

Then, use PuTTY to log onto the GENI node. You can find instructions on how to log into a GENI node using PuTTY through the link below.

9

http://groups.geni.net/geni/wiki/HowTo/LoginToNodesRemember to click the option on X11 option besides the other steps of logging onto GENI node using PuTTY.

Then, we can run the graphics display on the GENI node on the Windows operating system.Command: “firefox”

After a few seconds, we can see a browser GUI displayed with the help of Xming

10

For MacOS operating system

Install XQuartz on your Mac. XQuartz is an X server designed for MacOS.

Right click on the XQuartz icon in the dock, and select Applications > Terminal. This should bring up a new xterm terminal window.

11

Then, make an ssh connection to the GENI node in this terminal window. The password is your GENI account password.

We can enable the graphics display of the browser in a GENI node with the help of the XQuartz software.Command: “firefox”

12

For other Linux operating systems

It is much simpler when you are using a Linux operating system.Just ssh into the Linux system of your choice using the “-Y” flag.

Then, run the Firefox browser.Command: “firefox”

13

Testing Apache and PHP services

Now, because the browser is installed and enabled we can test the Apache and PHP services installed before.

Testing Apache service

Open the Firefox browser using the following command.Command: “firefox”Enter “127.0.0.1” in the browser. If it shows the following image, then it means the Apache service is installed successfully.

14

Testing PHP service

We can write a simple PHP website and then run it to test whether or not the PHP service is installed successfully.We can use vi commands to write the document. The instruction of how to use vi commands can be found through the link below:http://www.yolinux.com/TUTORIALS/LinuxTutorialAdvanced_vi.htmlFor convenience, we can use the WinSCP software to write PHP source code. The instruction of how to log into a GENI node using WinSCP can be found through the link below:http://mountrouidoux.people.cofc.edu/CyberPaths/winscp.htmlWinSCP software is only for Windows.

15

We need to give the privilege to edit the "/var/www" folder. As mentioned before, the "www" folder contains the website’s source code.Command: “sudo chmod 777 /var/www”

Under the “www/html”folder, create a file named “info.php”, and write the following code in it:<?phpphpinfo();?>

Now, we need to restart the Apache service.Command: “sudo /etc/init.d/apache2 restart”

16

Run the browser, and enter "127.0.0.1/info.php" in the browser. If we can see the relative configuration information of PHP, then we know the PHP service was installed successfully.

Setting up certificate authority on GENI

The GENI nodes have OpenSSL already installed. OpenSSL is a general purpose cryptography library that provides an open-source implementation of the SSL and TLS.Further reading of SSL/TLS protocol can be found through the link below:https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm We can take a quick view of OpenSSL in the GENI node. The folder is in “/etc/ssl”. We can see three documents already in this folder.The “certs” folder is used to store the digital certificate of this machine. The“private” folder is used to store the private key of the

17

digital certificate. The“openssl.cnf” file is the main configuration document of OpenSSL.

Right now, these documents are not enough for enabling the whole function of OpenSSL. We need to do some additional configurations.

Building Certificate Authority

Firstly, we need to do something on the CA node in order for it to play the role of a certificate authority.First, we need to create some new documents in this folder.

Create a serial document, and set the serial number.

Then, make changes in the openssl.cnf file.In order to do so, we should give the privilege to write to openssl.cnf.Command: “sudo chmod 777 openssl.cnf”

Then we need to use vi commands to modify some values of openssl.cnf.The instruction of how to use vi commands to edit the document on Ubuntu can be found through the link below:http://www.yolinux.com/TUTORIALS/LinuxTutorialAdvanced_vi.htmlIf you are Windows user, for the convenience you can use WinSCP to open it, and set the values as follows:

18

Then, we need to generate a root private key for the root digital certificate for the certificate authority.Command: “openssl genrsa -out private/cakey.pem 2048”

Then, we create the root digital certificate for the certificate authority.

Command: “openssl req -new -x509 -key private/cakey.pem -out cacert.pem”

19

This time, we set the server name as “jhuca.edu”. You can set this to whatever you like. We will do some configuration later in order to visit the server named here.

On web server node

In this part, we need to log in to the WS node, which we previously configured to be a web server.Then, we generate a private key for the web server.

Command: “sudo openssl genrsa -out jhuws.key 2048”

Next, we generate a certificate sign request for the web server.

Command: “sudo openssl req -new -key jhuws.key -out jhuws.csr”

20

We also need to change the configuration of the openssl.cnf file under the /etc/ssl on the ws node.

21

Issuing a digital certificate

In real world,the commercial CAs that issue the bulk of certificates for HTTPS servers typically use a technique called "domain validation" to authenticate the recipient of the certificate. The techniques used for domain validation vary between CAs, but in general domain validation techniques are meant to prove that the certificate applicant controls a given domain name, not any information about the applicant's identity.

A CA issues digital certificates that contain a public key and the identity of the owner. The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. In essence, the certificate authority is responsible for saying "yes, this person is who they say they are, and we, the CA, certify that".

In this step, the CA node needs to get the request sign document from the web server. We can use WinSCP or the SCP command to send it.

22

The instruction of how to use SCP command on Ubuntu to transfer the files can be found through the link below:https://help.ubuntu.com/community/SSH/TransferFilesThe instruction of how to use SCP command on Ubuntu to transfer the files can be found through the link below:https://help.ubuntu.com/community/SSH/TransferFilesWe can use the chmod command to allow access and then transport it. This is shown below.Command: “chmod 777 ssl”You need to give permissions on both the nodes, that is the ws and ca node using the above command to transfer files (one method: right click ->duplicate)

23

Then, we can sign this digital certificate on the CA node.Command: “openssl ca -in /etc/ssl/jhuws.csr -out /etc/ssl/jhuws.crt -days 3650”

24

25

Then, we send this digital certificate back to the WS node. This can be done by WinSCP.

We should now be able to see this digital certificate. We can use the cat command to view it in Linux, or we can just double click and open it on Windows.

26

27

We can see clearly that this digital certificate is issued by jhuca.edu, which is the CA node and is issued to jhuws.edu, which is the WS node.Then, we use the next two commands to install the web server’s digital certificate. In other words, we should put the digital certificate file and key file into the correct folder of the web server.Command: “ sudo cp jhuws.crt /etc/ssl/certs”Command: “ sudo cp jhuws.key /etc/ssl/private”

Now, before we open the browser to see the result, we should copy the “cacert.pem” file from the CA node to the user node. We need to let the CA verify the digital certificate issued by CA, so we need this file on the web server.In addition, we should change the extension “.pem” to “.crt”.If you receive an error describing that you do not have the proper privilege to send the file, just use the command “chmod 777 file_name” to give the privilege.

Result of issued digital certificate

Firstly, restart the apache2 service using the following.Command: “service apache2 restart”Now, we can view the result of the work we have done.The following operations are all on the user node.Firstly, log into the user node.

28

Because the display of the browser on GENI is kind of slow, we determine whether or not we are right by installing “curl” to perform a quick test.Curl is a tool used to transfer data to or from a server using HTTP and HTTPS.Use “sudo su” to enter the root account.Use “apt-get update” to update the existing packets.Use “apt-get install curl” to install the curl.

Then, cd to the hosts file to do a little modification.

Use the following command to give the proper privileges.Command: “chmod 777 hosts”

We perform the above modifications since “172.17.2.41” is the IP address of the WS node and jhuws.edu is the server name we set up before.

Use the following command to see if it works properly.Command: “curl jhuws.edu”

29

This returns the HTML response of our web server. It appears to work well.Then, we test whether or not the SSL configuration we modified before is working right.We use the following command to test this.Command: “curl https://jhuws.edu --cacert cacert.crt”

As shown above, it also works well. So, we can turn to the browser.Open the browser on the user node. You can refer to the instructions provided before about how to run and open a browser on a GENI node.We visit the jhuws.edu/info.php website first.

30

It works properly. So, we install the digital certificate. In order to do so, we go to the preference option of the browser.

Then, we go to Advanced and then to Certificates options. Click on “View Certificates”.

31

Then, import the cacert.crt file we put on the user node before.

Next, trust this certificate authority we built previously.

32

Now, we can see our certificate authority is in the list of certificate authorities.

We visit jhuws.edu/info.php first and see the connection is insecure.

33

Then, we visit https://jhuws.edu/info.php.

This time we can see a green lock, revealing that it is now a secure connection.We can view the details of this connection by clicking on the symbol “>”.

The information we put in when making the digital certificate is shown in this display.

34

By now, we have already finished the experiment of building a certificate authority and issuing a digital certificate.

Revoking a digital certificate

Now, we can try to revoke the digital certificate to see how it works. To revoke the digital certificate we issued before, we should login to the CA node.Use the following command to revoke the digital certificate previously issued. The name of the digital certificate used is “jhuws.crt”Command :“openssl ca -revoke jhuws.crt”

We can use the next command to check the index of our digital certificate. Command: “cat index.txt”

It’s 03, so everything is going right.

We should renew the crl, which is short for Certificate Revocation List. The digital certificate we revoked will be given the index and recorded in this list.Use the following command to generate the index of the digital certificate we just revoked.Command: “openssl ca -gencrl -out thisca.crl”We can have a look at the thisca.crl file.

35

It stores the Certificate Revocation List.Then, we need to add “00” to “crlnumber” in order to let the crl start recording.Each time we revoke a digital certificate, it will add one to itself.

I have revoked the digital certificate twice, so the number shown is 02.So, we have successfully revoked a previously issued digital certificate.

Result of revoking a digital certificate

To see the result after we revoke an issued digital certificate, we need to import the new cacert.crt into the user node.Remove the old cacert.crt, and import the new cacert.crt. As we have done before, we actually move the file “cacert.pem”, but we need to change the extension “.pem” to “.crt”.

36

Also, we should move the thisca.crl file, which stores the Certificate Revocation List, to the user node.

Because our certificate authority is offline, we need to move these files manually.We can see the result by using the curl tool.We use the next command to visit our previously built site. Note, we need the options “—cacert” and “—crlfile” in order to include the ca and crl documents manually.Command:“ curl https://jhuws.edu --cacert cacert.crt --crlfile thisca.crl”

37

Now, we can see the digital certificate has already been revoked.As for the Firefox browser we installed before, we need to update the ca document and crl document. However, the Firefox browser has already removed the user interface on Firefox used for importing the crl document, so we can’t see the result on Firefox as the certificate authority is offline.

https://wiki.mozilla.org/CA:ImprovingRevocation#Preload_Revocations_of_Intermediate_CA_Certificates