keygensign.htm

The Open–source PKI Book Version 2.4.6 Edition Copyright &copy 1999, 2000 by Symeon (Simos) Xenite

<HTML
><HEAD
><TITLE
>User/Server key generation and signing</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.55"><LINK
REL="HOME"
TITLE="The Open&#8211;source PKI Book"
HREF="ospki-book.htm"><LINK
REL="UP"
TITLE="General implementation overview"
HREF="implementation-overview.htm"><LINK
REL="PREVIOUS"
TITLE="Initialisation of the Certification Authority"
HREF="initialisation.htm"><LINK
REL="NEXT"
TITLE="PKI standards and specifications"
HREF="standards-specifications.htm"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Open&#8211;source PKI Book: A guide to PKIs and Open&#8211;source Implementations</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="initialisation.htm"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 4. General implementation overview</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="standards-specifications.htm"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="KEYGENSIGN"
>User/Server key generation and signing</A
></H1
><P
>	The user generates a key pair for a certificate to be used
	by that user or any entity that needs to be authenticated by
	the CA. We also show the signing procedure.
    </P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="GENERATEKEY"
>Generate the RSA key&#8211;pair for a user/server</A
></H2
><P
>	
      Use this command to generate the RSA key pair
      </P
><P
>      <P
CLASS="LITERALLAYOUT"
><TT
CLASS="PROMPT"
>User% </TT
><TT
CLASS="USERINPUT"
><B
>openssl genrsa &#8211;des3 &#8211;out user.key 2048</B
></TT
></P
>

    <P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
>Parameters</B
></P
><DL
><DT
>genrsa</DT
><DD
><P
>	the <SPAN
CLASS="APPLICATION"
>openssl</SPAN
> component to generate an 
	<SPAN
CLASS="ACRONYM"
>RSA</SPAN
> key&#8211;pair,
	</P
></DD
><DT
>-des3</DT
><DD
><P
>	the symmetric algorithm to encrypt the key&#8211;pair,
	</P
></DD
><DT
>-out <TT
CLASS="FILENAME"
>user.key</TT
></DT
><DD
><P
>	the filename to store the key&#8211;pair,
	</P
></DD
><DT
>2048</DT
><DD
><P
>	size of RSA modulus in bits.
	</P
></DD
></DL
></DIV
>
    </P
><P
>    Execution of the above command presents the user with the following
    dialogue:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="PROGRAMLISTING"
>1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
........................................................++++++++++++
e is 65537 (0x10001)
Enter PEM pass phrase: <I
CLASS="EMPHASIS"
>enter the pass&#8211;phrase here</I
>
Verifying password - Enter PEM pass phrase: <I
CLASS="EMPHASIS"
>re&#8211;enter pass&#8211;phrase here</I
></PRE
></TD
></TR
></TABLE
>
      </P
><P
>	This creates an RSA key pair stored in the file 
	<TT
CLASS="FILENAME"
>user.key</TT
>.
	The key pair is encrypted with 3DES with a password supplied by
	the user during key generation. The N in RSA is 2048 bits long.
      </P
><P
>      	The reader should note that this is the same procedure as the
	generation of the CA key&#8211;pair. For sample key&#8211;pairs,
	please see the appendices listed in <A
HREF="initialisation.htm#GENERATEKEYPAIR"
>the section called <I
>Generate the RSA key&#8211;pair for the CA</I
></A
>.
      </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="GENERATECSR"
>Generate a certificate request</A
></H2
><P
>	The user generates a certificate request with this command.
	The CSR is sent to the CA for signing.  The CA returns the
	the signed certificate.
      </P
><P
><P
CLASS="LITERALLAYOUT"
><TT
CLASS="PROMPT"
>User% </TT
><TT
CLASS="USERINPUT"
><B
>openssl req &#8211;new &#8211;key user.key &#8211;out user.csr</B
></TT
></P
>
    <P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
>Parameters</B
></P
><DL
><DT
>req</DT
><DD
><P
>	the <SPAN
CLASS="APPLICATION"
>openssl</SPAN
> component to generate 
	a certificate request,
	</P
></DD
><DT
>-new</DT
><DD
><P
>	this is a new certificate,
	</P
></DD
><DT
>-key <TT
CLASS="FILENAME"
>user.key</TT
></DT
><DD
><P
>	the key&#8211;pair file to be used,
	</P
></DD
><DT
>-out <TT
CLASS="FILENAME"
>user.csr</TT
></DT
><DD
><P
>	the filename that the new certificate request will be written onto
	</P
></DD
></DL
></DIV
>
    </P
><P
>    By executing the above command, we are presented with the following
    dialogue:
    </P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="PROGRAMLISTING"
>Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:  <I
CLASS="EMPHASIS"
>type the pass&#8211;phrase here</I
>
You are about to be asked to enter information that will 
be incorporated into your certificate request.
What you are about to enter is what is called a 
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<TT
CLASS="USERINPUT"
><B
>GB</B
></TT
>
State or Province Name (full name) [Some-State]:<TT
CLASS="USERINPUT"
><B
>Surrey</B
></TT
>
Locality Name (eg, city) []:<TT
CLASS="USERINPUT"
><B
>Egham</B
></TT
>
Organization Name (eg, company) [MyCo Ltd]:<TT
CLASS="USERINPUT"
><B
>Arts Building Ltd</B
></TT
>
Organizational Unit Name (eg, section) []:<TT
CLASS="USERINPUT"
><B
>Dept. History</B
></TT
>
Common Name (eg, YOUR name) []:<TT
CLASS="USERINPUT"
><B
>Simos Xenitellis</B
></TT
>
Email Address []:<TT
CLASS="USERINPUT"
><B
>S.Xenitellis@rhbnc.ac.uk</B
></TT
>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<TT
CLASS="USERINPUT"
><B
>.</B
></TT
>
An optional company name []:<TT
CLASS="USERINPUT"
><B
>.</B
></TT
>
<TT
CLASS="PROMPT"
>User% </TT
></PRE
></TD
></TR
></TABLE
><P
>	This command creates a certificate request stored in 
	the file <TT
CLASS="FILENAME"
>user.csr</TT
>. 
	In this phase, the user enters
	the values of the fields for the X.509 Certificate as shown.
	For a certificate request in <SPAN
CLASS="ACRONYM"
>PEM</SPAN
> format, please see
	<A
HREF="sample-cr.htm"
>the section called <I
>Sample certificate request in PEM format</I
> in Appendix B</A
>. For a <SPAN
CLASS="ACRONYM"
>TXT</SPAN
> or 
	human&#8211;readable version,
	please check <A
HREF="sample-cr-txt.htm"
>the section called <I
>Sample certificate request in TXT format</I
> in Appendix B</A
>.
      </P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="SIGNCSR"
>Ask the CA to sign the certificate request</A
></H2
><P
>	The CA receives the certificate request, and depending
	on the policy used, will decide whether to sign the CSR.
	If it trusts the user, it signs the CSR
	as follows:
      </P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="PROGRAMLISTING"
><TT
CLASS="PROMPT"
>CA_Admin% </TT
><TT
CLASS="USERINPUT"
><B
>./sign.sh user.csr</B
></TT
>
CA signing: user.csr -&#62; user.crt:
Using configuration from ca.config
Enter PEM pass phrase: <I
CLASS="EMPHASIS"
>enter the pass&#8211;phrase</I
>
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'GB'
stateOrProvinceName   :PRINTABLE:'Surrey'
localityName          :PRINTABLE:'Egham'
organizationName      :PRINTABLE:'Arts Building Ltd'
organizationalUnitName:PRINTABLE:'Dept. History'
commonName            :PRINTABLE:'Simos Xenitellis'
emailAddress          :IA5STRING:'S.Xenitellis@rhbnc.ac.uk'
Certificate is to be certified until Feb  6 13:30:41 2001 GMT (365 days)
Sign the certificate? [y/n]:<TT
CLASS="USERINPUT"
><B
>y</B
></TT
>


1 out of 1 certificate requests certified, commit? [y/n]<TT
CLASS="USERINPUT"
><B
>y</B
></TT
>
Write out database with 1 new entries
Data Base Updated
CA verifying: user.crt &#60;-&#62; CA cert
user.crt: OK
<TT
CLASS="PROMPT"
>CA_Admin% </TT
></PRE
></TD
></TR
></TABLE
>
      </P
><P
>	This command produces a file called <TT
CLASS="FILENAME"
>user.crt</TT
>, 
	the Certificate of the user. The <B
CLASS="COMMAND"
>sign.sh</B
> script 
	can be found in the modssl package, described above, at the 
	<TT
CLASS="FILENAME"
>/pkg.contrib/</TT
> directory.
	This script uses <SPAN
CLASS="APPLICATION"
>openssl</SPAN
> as a backend.
	We use the script and not the manual procedure
	because with the latter we would have to perform rather several steps
	and this would be out of the scope of this book. 
	In a future version of this document, we shall revisit this issue.
      </P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="initialisation.htm"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="ospki-book.htm"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="standards-specifications.htm"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Initialisation of the Certification Authority</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="implementation-overview.htm"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>PKI standards and specifications</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>