Membuat Certificate Authority bertingkat

Mari langsung ke tutorial saja 😀

Membuat Certificate Authority (CA) utama.

  1. Buat direktori kerja.

    $ mkdir ca-utama
    $ cd ca-utama
    
  2. Salin skrip pembantu dari /usr/lib/ssl/misc/CA.pl

    $ cp /usr/lib/ssl/misc/CA.pl .
    
  3. Buat CA baru

    $ ./CA.pl -newca
    CA certificate filename (or enter to create)
    
    
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ..........++++++
    ..........++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:ID
    State or Province Name (full name) [Some-State]:Jakarta
    Locality Name (eg, city) []:Jakarta
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:BlankOn
    Organizational Unit Name (eg, section) []:Infrastruktur
    Common Name (eg, YOUR name) []:CA
    Email Address []:
    
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                f7:4a:da:34:c1:89:6d:f9
            Validity
                Not Before: Feb 24 15:48:30 2011 GMT
                Not After : Feb 23 15:48:30 2014 GMT
            Subject:
                countryName               = ID
                stateOrProvinceName       = Jakarta
                organizationName          = BlankOn
                organizationalUnitName    = Infrastruktur
                commonName                = CA
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    78:DE:57:D2:4D:3E:8A:F8:FD:B6:51:CD:A7:DB:29:B6:C8:EB:4B:42
                X509v3 Authority Key Identifier:
                    keyid:78:DE:57:D2:4D:3E:8A:F8:FD:B6:51:CD:A7:DB:29:B6:C8:EB:4B:42
                    DirName:/C=ID/ST=Jakarta/O=BlankOn/OU=Infrastruktur/CN=CA
                    serial:F7:4A:DA:34:C1:89:6D:F9
    
    
    
            X509v3 Basic Constraints:
                CA:TRUE
    

    Certificate is to be certified until Feb 23 15:48:30 2014 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

Sertifikat CA akan disimpan di demoCA/cacert.pem. Untuk melihat informasi
detil mengenai sebuah sertifikat, kita bisa menggunakan openssl seperti
berikut.

 $ openssl x509 -in demoCA/cacert.pem -text

Salah satu karakteristik sertifikat CA adalah sertifikat ini dipakai untuk
menandatangani dirinya sendiri. Dalam informasi sertifikat, hal ini bisa
dilihat pada bagian Subject dan Issuer.

 $ openssl x509 -in demoCA/cacert.pem -text |grep 'Subject:|Issuer'
         Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
         Subject: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA

Bisa dilihat isi keduanya sama, hal ini menunjukkan self-signed certificate
atau sertifikat yang ditandatangani sendiri.

Membuat sertifikat baru

  1. Buat permintaan sertifikat baru

    $ ./CA.pl -newreq
    Generating a 1024 bit RSA private key
    ..................++++++
    ..................++++++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:ID
    State or Province Name (full name) [Some-State]:Jakarta
    Locality Name (eg, city) []:Jakarta
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:BlankOn
    Organizational Unit Name (eg, section) []:Irgsh
    Common Name (eg, YOUR name) []:CA Pabrik
    Email Address []:
    
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request is in newreq.pem, private key is in newkey.pem
    
  2. Tanda tangani permintaan sertifikat tersebut dengan CA yang ada

    $ ./CA.pl -sign
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                f7:4a:da:34:c1:89:6d:fa
            Validity
                Not Before: Feb 24 15:56:26 2011 GMT
                Not After : Feb 24 15:56:26 2012 GMT
            Subject:
                countryName               = ID
                stateOrProvinceName       = Jakarta
                localityName              = Jakarta
                organizationName          = BlankOn
                organizationalUnitName    = Irgsh
                commonName                = CA Pabrik
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    05:B3:34:C6:A8:64:A8:C1:E1:5B:B6:03:93:5C:38:19:CA:41:DF:48
                X509v3 Authority Key Identifier:
                    keyid:78:DE:57:D2:4D:3E:8A:F8:FD:B6:51:CD:A7:DB:29:B6:C8:EB:4B:42
    
    
    Certificate is to be certified until Feb 24 15:56:26 2012 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem
    

Setelah ditandatangani, akan ada 3 buah berkas yaitu newcert.pem,
newkey.pem, dan newreq.pem. Berkas newreq.pem bisa dihapus karena sudah
tidak dipakai lagi. Berkas ini hanya berisi permintaan pembuatan sertifikat,
bukan sertifikat akhir. Berkas newcert.pem dan newkey.pem adalah dua berkas
yang harus diamankan karena berkas ini adalah berkas sertifikat dan kuncinya.

Mari kita cek judul dan penerbit sertifikat baru ini.

    $ openssl x509 -in newcert.pem -text | grep 'Subject:|Issuer:'
            Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
            Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik

Sekarang kita punya sebuah sertifikat baru yang telah ditandatangani oleh CA
yang kita buat di awal.

Menjadikan sertifikat baru sebagai CA kedua

  1. Siapkan direktori kerja baru

    $ cd ..
    $ mkdir ca-kedua
    $ cd ca-kedua
    $ cp /usr/lib/ssl/misc/CA.pl .
    
  2. Agar skrip CA.pl dapat bekerja, kita harus mempersiapkan lingkungan
    kerjanya dengan opsi -newca. Namun alih-alih menyuruh skrip tersebut untuk
    membuat sertifikat CA baru, kita bisa menggunakan sertifikat yang sudah ada.

    $ ./CA.pl -newca
    CA certificate filename (or enter to create)
    ../ca-utama/newcert.pem
    
  3. Salin berkas kunci sertifikat

    $ cp ../ca-utama/newkey.pem demoCA/private/cakey.pem
    
  4. Siapkan nomor seri baru.

    $ echo 00 > demoCA/serial
    

Sama seperti sebelumnya, sertifikat CA ada di demoCA/cacert.pem. Mari kita cek isinya.

$ openssl x509 -in demoCA/cacert.pem -text | grep 'Subject:|Issuer:'
        Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
        Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik

Persis sama dengan sertifikat yang dibuat sebelumnya kan? Memang sertifikat itu
yang akan dipakai menjadi CA baru ini.

Buat sertifikat dengan CA tingkat kedua tadi

  1. Buat permintaan sertifikat seperti biasa

    $ ./CA.pl -newreq
    Generating a 1024 bit RSA private key
    ............++++++
    ............++++++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:ID
    State or Province Name (full name) [Some-State]:Jakarta
    Locality Name (eg, city) []:Jakarta
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:BlankOn
    Organizational Unit Name (eg, section) []:Pabrik
    Common Name (eg, YOUR name) []:Pekerja64
    Email Address []:
    
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request is in newreq.pem, private key is in newkey.pem
    
  2. Tandatangani

    $ ./CA.pl -sign
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Feb 24 16:05:13 2011 GMT
                Not After : Feb 24 16:05:13 2012 GMT
            Subject:
                countryName               = ID
                stateOrProvinceName       = Jakarta
                localityName              = Jakarta
                organizationName          = BlankOn
                organizationalUnitName    = Pabrik
                commonName                = Pekerja64
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    15:0E:2E:71:C3:AF:4A:A4:99:01:D5:C8:3E:CF:EB:9F:08:3D:85:1D
                X509v3 Authority Key Identifier:
                    keyid:05:B3:34:C6:A8:64:A8:C1:E1:5B:B6:03:93:5C:38:19:CA:41:DF:48
    
    
    Certificate is to be certified until Feb 24 16:05:13 2012 GMT (365 days)
    Sign the certificate? [y/n]:y
    

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Seperti biasa, kita akan menjumpai 3 berkas baru. Mari cek informasi sertifikat baru ini.

    $ openssl x509 -in newcert.pem -text | grep 'Subject:|Issuer:'
            Issuer: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik
            Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Pabrik, CN=Pekerja64

Dapat dilihat sertifikat baru ini ditandatangani oleh CA kedua yang kita buat.

Bertingkat

Mari kita lihat informasi 3 sertifikat yang telah kita buat.

  1. CA utama

    $ openssl x509 -in ../ca-utama/demoCA/cacert.pem -text | grep 'Subject:|Issuer:'
            Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
            Subject: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
    
  2. CA kedua

    $ openssl x509 -in demoCA/cacert.pem -text | grep 'Subject:|Issuer:'
            Issuer: C=ID, ST=Jakarta, O=BlankOn, OU=Infrastruktur, CN=CA
            Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik
    
  3. Sertifikat biasa

    $ openssl x509 -in newcert.pem -text | grep 'Subject:|Issuer:'
            Issuer: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Irgsh, CN=CA Pabrik
            Subject: C=ID, ST=Jakarta, L=Jakarta, O=BlankOn, OU=Pabrik, CN=Pekerja64
    

Apakah terlihat hubungan antara ketiga sertifikat di atas?

Kalkulasi SHA1 dan HMAC-SHA1 dengan OpenSSL

Berhubung cuma pengen nyatet aja, bagi yang pengen tau caranya langsung aja lihat http://gist.github.com/63888

Tuk ngitung SHA1

char* data = "data";
unsigned long len = (unsigned long)strlen(data);
SHA_CTX sha_ctx;
unsigned char result[SHA_DIGEST_LENGTH];
int i;

SHA1Init(&shactx);
SHA1Update(&shactx, data, len);
SHA1Final(result, &shactx);

Tuk ngitung HMAC-SHA1

char* key = "12345678901234567890";
int key_len = 20;

char* data = "data";
int data_len = strlen(data);

unsigned int result_len;
unsigned char result[EVP_MAX_MD_SIZE];

int i;

HMAC(EVP_sha1(),
  key, key_len,
  data, data_len,
  result, &result_len);

Tuk ngecek, bisa coba langsung panggil openssl dari command line.

$ echo -n "data" | openssl dgst -sha1
$ echo -n "data" | openssl dgst -sha1 -hmac "12345678901234567890"

Nyetak isi array of chars dalam heksadesimal bisa pake cara berikut

inline char tohex(char c)
{
  if ((c >= 0) && (c <= 9)) { return '0' + c; }
  else { return 'a' + (c-10); }
}

...

for (i=0; i<result_len; i++) {
  printf("%c", tohex(result[i] >> 4));
  printf("%c", tohex(result[i] & 0xF));
}