User/Server key generation and signing

The user generates a key pair for a certificate to be used by that user or any entity that needs to be authenticated by the CA. We also show the signing procedure.

Generate the RSA key–pair for a user/server

Use this command to generate the RSA key pair

User% openssl genrsa –des3 –out user.key 2048

Parameters

genrsa

the openssl component to generate an RSA key–pair,

-des3

the symmetric algorithm to encrypt the key–pair,

-out user.key

the filename to store the key–pair,

2048

size of RSA modulus in bits.

Execution of the above command presents the user with the following dialogue:
1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
........................................................++++++++++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter the pass–phrase here
Verifying password - Enter PEM pass phrase: re–enter pass–phrase here

This creates an RSA key pair stored in the file user.key. The key pair is encrypted with 3DES with a password supplied by the user during key generation. The N in RSA is 2048 bits long.

The reader should note that this is the same procedure as the generation of the CA key–pair. For sample key–pairs, please see the appendices listed in the section called Generate the RSA key–pair for the CA.

Generate a certificate request

The user generates a certificate request with this command. The CSR is sent to the CA for signing. The CA returns the the signed certificate.

User% openssl req –new –key user.key –out user.csr

Parameters

req

the openssl component to generate a certificate request,

-new

this is a new certificate,

-key user.key

the key–pair file to be used,

-out user.csr

the filename that the new certificate request will be written onto

By executing the above command, we are presented with the following dialogue:

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:  type the pass–phrase here
You are about to be asked to enter information that will 
be incorporated into your certificate request.
What you are about to enter is what is called a 
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:Egham
Organization Name (eg, company) [MyCo Ltd]:Arts Building Ltd
Organizational Unit Name (eg, section) []:Dept. History
Common Name (eg, YOUR name) []:Simos Xenitellis
Email Address []:S.Xenitellis@rhbnc.ac.uk

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
User% 

This command creates a certificate request stored in the file user.csr. In this phase, the user enters the values of the fields for the X.509 Certificate as shown. For a certificate request in PEM format, please see the section called Sample certificate request in PEM format in Appendix B. For a TXT or human–readable version, please check the section called Sample certificate request in TXT format in Appendix B.

Ask the CA to sign the certificate request

The CA receives the certificate request, and depending on the policy used, will decide whether to sign the CSR. If it trusts the user, it signs the CSR as follows:

CA_Admin% ./sign.sh user.csr
CA signing: user.csr -> user.crt:
Using configuration from ca.config
Enter PEM pass phrase: enter the pass–phrase
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'GB'
stateOrProvinceName   :PRINTABLE:'Surrey'
localityName          :PRINTABLE:'Egham'
organizationName      :PRINTABLE:'Arts Building Ltd'
organizationalUnitName:PRINTABLE:'Dept. History'
commonName            :PRINTABLE:'Simos Xenitellis'
emailAddress          :IA5STRING:'S.Xenitellis@rhbnc.ac.uk'
Certificate is to be certified until Feb  6 13:30:41 2001 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: user.crt <-> CA cert
user.crt: OK
CA_Admin% 

This command produces a file called user.crt, the Certificate of the user. The sign.sh script can be found in the modssl package, described above, at the /pkg.contrib/ directory. This script uses openssl as a backend. We use the script and not the manual procedure because with the latter we would have to perform rather several steps and this would be out of the scope of this book. In a future version of this document, we shall revisit this issue.