Creating a Certification Authority | My Assignment Tutor

Public Key Certificates

Hint: Before proceeding with this task, please ensure you download XCA and Abyss Web Server and that both programs are installed on your machine. Software download links: 1- 2-

Tasks:

1. Creating a Certification Authority (CA)

You will first create a CA. The role of a CA is to issue public-key certificates to end entities (e.g., our web server). In other words, the CA digitally signs the public key of a web server and embeds it in the server's certificate; the CA uses its own private key for signing. In practice, the CA certificate manager (a certificate server) should be installed on a secure machine (potentially disconnected from the network), and the CA's private key should be kept highly secure.

The CA also issues a self-signed public-key certificate, in which the CA digitally signs its own public key. This certificate is distributed, in a secure way (the integrity of the CA's certificate must be protected), to all users who rely on certificates issued by the CA to verify the authenticity of a certificate holder (e.g., a web server).

(a) Create a new database: click File -> New Database.
(b) In XCA, click the "New Certificate" button to start the X.509 certificate creation procedure.
(c) Make sure that you select SHA-1 as the "Signature algorithm"; the default algorithm is SHA-256, which is not supported by some Windows-based operating systems. Also select the CA template for this certificate (we are creating a CA).
(d) Select the "Subject" tab and fill in the fields such as "Internal name", "Country code", etc. with appropriate values. Generate a new private key by clicking the "Generate a new key" button. Note that this is the signing key of the CA.
(e) Select the "Extensions" tab and set the "Type" of the certificate to "Certification Authority". Click "OK" to finish the certificate creation procedure.

You can check the details of the created CA certificate by double-clicking on it in the main XCA window under the "Certificates" tab.

2. Creating a Web Server Certificate

Create a public-key certificate for a web server. This certificate will be digitally signed by the previously created Certification Authority (CA).

(a) Again, click the "New Certificate" button in the main XCA window.
(b) Select the "Source" tab and configure the web server certificate properties as follows: check "Use this Certificate for signing" and set it to the name of the CA created in the previous task. Set the "Signature algorithm" to SHA-1 and choose "HTTPS server template" from the list of available templates.
(c) Select the "Subject" tab and fill in the available fields appropriately (Figure 9). It is particularly important that you set the "Common name" value to  This will be the IP address (or the corresponding URL) of your web server. If it is not set, each time you try to establish a secure (SSL/TLS) session with this server, your web browser will give you a warning message about the mismatch.
(d) Finally, generate a new private key for the web server certificate by clicking "Generate a new key".

3. Exporting Certificates

In this task, we export the certificates created in the previous tasks, that is, the CA public-key certificate (without its private key) and the web server public-key certificate including its private key.

(a) Open the "Certificates" tab in the main XCA window. Select the certificate that belongs to the CA and click "Export". Select a destination and filename where you want to store the certificate and click "OK".
(b) Repeat the previous step, but now export the public-key certificate of the web server.
(c) Finally, export the private key of the web server. To accomplish this, open the "Private Keys" tab and select the private key of the web server. The "Key export" window pops up. Check the box "Export the private part of the Key too" and uncheck "Encrypt the Key with a password".

4. Configuring Abyss Web Server

Open the Abyss Web Server console and follow the "SSL/TLS Certificates" link to open the "SSL/TLS Certificates" dialog.

(a) We first configure the "Private Keys" parameter. Click the "Add" button to import the server's private key that we previously exported using XCA. In the "Private Key - Add" dialog, choose an internal name for this private key (e.g., HTTPSPrivKey) and set the "Action" parameter to "Import". Finally, copy the private key (exported using XCA) into the text box marked "Key Contents": open the private key file in any text editor, then copy and paste its contents into the "Key Contents" text box. Click the "OK" button.
(b) Next we configure the web server certificate in the "Certificate" dialog. Choose a name for your certificate and enter it in the "Name" field. Set "Private Key" to the private key that the certificate is based on (e.g., HTTPSPrivKey). Next, set "Type" to "Signed by a Certification Authority (CA)". Finally, enter the main certificate in the text box "Main Certificate": as with the private key, open the web server certificate (exported using XCA) in any text editor, then copy and paste it into this text box. Click "OK" to validate the certificate.
(c) In the Abyss Web Server console (Figure 10), click the "Configure" button and follow the link marked "General". In the "General" dialog, set the following parameters (Figure 12): set "Protocol" to HTTPS and "HTTPS Port" to 4430. The "HTTPS Port" is the port on which the host waits for secure HTTPS connections. Note that the default value of HTTPS Port is 443; however, you might experience certain problems with Abyss Web Server when using this value for the port. To save this configuration, click the "OK" button.
(d) Restart the web server and make sure that it has started listening on the correct port (i.e., 4430).
(e) Finally, create a simple HTML file and name it index.html. Copy this file to the "htdocs/" subdirectory in the "Abyss Web Server" directory, overwriting any existing index.html file.

5. Testing Your Configuration

1. Open a web browser and enter the following address in the address bar:  Do you get any warning message? Which one? Can you explain why you get it?

2. We would like to eliminate this warning message. What can we do in this regard? Recall that the CA has digitally signed the web server's public-key certificate. So if our web browser had access to the CA certificate (i.e., if it trusted this certificate), the web browser could successfully verify the digital signature in the web server certificate and would not report any warning messages.

3. To accomplish this goal in a Windows operating system, we can place the CA's certificate in the Trusted Root Certification Authorities store. Here are the steps to install the CA's certificate:
(a) Click "Start -> Run" and type "MMC". This opens the "Microsoft Management Console".
(b) Click "File -> Add/Remove Snap-in". This opens the "Add/Remove Snap-in" window.
(c) In the resulting window, click "Add". This opens the "Add Standalone Snap-in" window.
(d) In this window, find the "Certificates" snap-in. Select it and click "Add".
(e) Select "Computer account" and click "Next".
(f) Select "Local computer" and click "Finish".
(g) Click "Close" and then "OK". Now you will see the "Certificates" snap-in in the MMC.
(h) Expand the "Certificates" node, right-click on "Trusted Root Certification Authorities" and select "All Tasks -> Import...".
(i) Click "Next", then select the CA's .cer file and click "Next" again.
(j) The next step in the wizard should indicate that the certificate will be placed in "Trusted Root Certification Authorities". If so, click "Next". If not, fix it.
(k) Click "Finish".
This procedure might not work well for Firefox. Alternatively, you can use the web browser itself to install the CA certificate: in the "Tools" menu, click "Options..." (Firefox) or "Internet Options..." (Internet Explorer) to open the dialog through which you can manage certificates.

4. Now that you have installed the CA certificate, access . Do you get any warning message?

5. Try to access the web server by using the following address: https://localhost:4430 . Do you get any warning message? Please explain your answer.

