User/Server key generation and signing

We shall generate a key pair for a certificate to be used by a user or any entity that needs to be authenticated by the CA. We shall show the signing procedure also.

Generate the RSA key–pair for a user/server

Use this command to generate the RSA key pair

User% openssl genrsa –des3 –out user.key 2048

where genrsa is the openssl component to generate an RSA key–pair, -des3 is the pass–phrase algorithm to encrypt the key–pair, -out user.key shows the filename to use to store the key–pair and 2048 means that we use 2048–bit RSA.

Executing the above command, the user is presented with the following information

1112 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.+++++
..............................................\
.....................++++++++++++
e is 65537 (0x10001)
Enter PEM pass phrase: enter pass–phrase here
Verifying password - Enter PEM pass phrase: re–enter pass–phrase here

This creates an RSA key pair which is stored in the file user.key. The key pair is encrypted with 3DES with a password supplied by the user during key generation. The N in RSA is 2048 bits long.

The reader should note that this is the same procedure with the generation of the CA key–pair. For sample key–pairs, please see the apendices listed in the section called Generate the RSA key–pair for the CA.

Generate a Certificate Signing Request (CSR)

Use this command to generate a Certificate Signing Request (CSR). The CSR is to be sent to the CA for signing and as a result, the CA will return the certificate.

User% openssl req –new –key user.key –out user.csr

where req is the openssl component to generate a Certificate Signing Request, -new means we want to make a new request for a Certificate Signing Request, -days 365 show for how many days the certificate will be valid for, -key user.key is the key–pair to be used and finally -out user.csr is the filename where the certificate will be written to.

By executing the above command, we are presented with the following messages

Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:  type the pass–phrase here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Surrey
Locality Name (eg, city) []:Egham
Organization Name (eg, company) [MyCo Ltd]:Arts Building Ltd
Organizational Unit Name (eg, section) []:Dept. History
Common Name (eg, YOUR name) []:Simos Xenitellis
Email Address []:S.Xenitellis@rhbnc.ac.uk

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
User%

This creates a Certificate Signing Request and it is stored in the file user.csr. In this phase, the user has to enter the values of the fields of the X.509 Certificate as shown. For a Certificate Signing Request in PEM format, please see the section called Sample Certificate Signing Request in PEM format in Appendix B. For a TXT or human–readable version, please check the section called Sample Certificate Signing Request in TXT format in Appendix B.

Ask the CA to sign the Certificate Signing Request

The CA receives the Certificate Signing Request, and depending on the policy used, will decide whether to sign the CSR. In case it decides to trust the user, it signs the CSR as follows

CA_Admin% ./sign.sh user.csr
CA signing: user.csr -> user.crt:
Using configuration from ca.config
Enter PEM pass phrase: enter the pass–phrase
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'GB'
stateOrProvinceName   :PRINTABLE:'Surrey'
localityName          :PRINTABLE:'Egham'
organizationName      :PRINTABLE:'Arts Building Ltd'
organizationalUnitName:PRINTABLE:'Dept. History'
commonName            :PRINTABLE:'Simos Xenitellis'
emailAddress          :IA5STRING:'S.Xenitellis@rhbnc.ac.uk'
Certificate is to be certified until Feb  6 13:30:41 2001 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: user.crt <-> CA cert
user.crt: OK
CA_Admin%

This command produces a file called user.crt, the Certificate of the user. The sign.sh script can be found in the modssl package, described above, at the /pkg.contrib/ directory. This script uses openssl as a backend. We use the script and not the manual procedure because with the latter we would have to perform rather several steps and this would be out of the scope of this book. In a future version of this document, we shall revisit this issue.