PKI Processing with OpenSSL

Rodney Thayer

rodney@tillerman.to


Contents

• Standards

• Protocols

• OpenSSL as a Tool

• OpenSSL as PKI Tool

• OpenSSL as PKI Subsystem


Introduction

• Open source OpenSSL (formerly SSLeay)

• Implements IETF TLS and Netscape’s SSL 2 and 3 (SSL 2 has since been prohibited by RFC 6176 and removed from current OpenSSL releases)

• Processes public-key (X.509) certificates for PKI


Standards

• Algorithms: RSA, DSA, MD5, SHA-1 (MD5 and SHA-1 are no longer acceptable for signatures; current practice is SHA-256 or stronger)

• RFC 2459 (the PKIX certificate and CRL profile, since superseded by RFC 3280 and then RFC 5280); X.509

• Encodings: DER (binary ASN.1) and PEM (the DER bytes, base64-encoded, between BEGIN/END lines)

• PKI standard features: roots (trust anchors), CRLs, OCSP

• PKCS #1 (RSA keys and signatures), PKCS #7 (signed/enveloped data and certificate bundles), PKCS #10 (certificate requests)


Protocols

• TLS and SSL, using certificates to authenticate the server (and optionally the client)

• S/MIME (signed and encrypted mail)

• IPsec for VPNs (certificates for IKE peer authentication)


OpenSSL as a Tool


‘openssl’ - the program

• Built from the apps/ directory of the source tree

• commands for TLS tests (s_client, s_server, s_time)

• commands for crypto (dgst, enc, genrsa, rsautl, ...)

• commands for certificate processing (req, x509, ca, crl, verify)

• uses a simple keystore: keys and certificates are plain PEM or DER files on disk (the ca command keeps a text index alongside them)

• reads and writes DER and PEM format certificates


Standard commands (the command set of the release current when this deck was written; later releases add more, e.g. ec, pkey, cms)

asn1parse ca ciphers crl crl2pkcs7
dgst dh dhparam dsa dsaparam
enc errstr gendh gendsa genrsa
nseq passwd pkcs12 pkcs7 pkcs8
rand req rsa rsautl s_client
s_server s_time sess_id smime speed
spkac verify version x509


Message Digest commands (see the `dgst' command for more details)

md2 md4 md5 mdc2 rmd160 sha sha1


Cipher commands (see the `enc' command for more details)

base64 bf bf-cbc bf-cfb bf-ecb
bf-ofb cast cast-cbc cast5-cbc cast5-cfb
cast5-ecb cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb
des3 desx idea idea-cbc idea-cfb
idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb
rc5-ofb
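An added example (not from the slides) of the TLS test commands in the standard list, s_server and s_client, run against each other over loopback with a throw-away self-signed certificate. It reports the X.509 verification result the client sees with and without the server certificate as its trust anchor. Port 4433, the file names and the subject /CN=localhost are assumptions, and the openssl binary must be on PATH.

```shell
#!/bin/sh
# Added example, not from the slides: exercise the TLS test commands
# (s_server, s_client) over loopback with a throw-away self-signed certificate.
# Port 4433 (s_server's default), the file names and the subject are
# assumptions; the openssl binary must be on PATH.

WORK=$(mktemp -d)
PORT=4433
trap 'stop_server; rm -rf "$WORK"' EXIT

# req reads a config file even when the subject comes from -subj; this
# minimal one avoids depending on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"

# 'req -x509' makes a key pair, fills in the subject and self-signs, giving a
# certificate instead of a PKCS#10 request.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=localhost" -keyout "$WORK/server.key" -out "$WORK/server.pem" \
    >/dev/null 2>&1

start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/server.pem" \
        -key "$WORK/server.key" -quiet >/dev/null 2>&1 &
    SERVER_PID=$!
    # Wait until the listener accepts a handshake (s_client exits 0 once the
    # handshake completes, whatever the verification result).
    for i in 1 2 3 4 5; do
        openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && break
        sleep 1
    done
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
}

# One handshake; prints only the numeric X509 verify result that s_client
# reports as "Verify return code: N (...)". $1 = extra s_client options.
tls_verify_code() {
    openssl s_client -connect "127.0.0.1:$PORT" $1 </dev/null 2>/dev/null |
        sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

start_server
# With the server cert as the trust anchor: 0 (ok).
echo "trusted:   $(tls_verify_code "-CAfile $WORK/server.pem")"
# Against the default trust store: 18 (self-signed certificate at depth 0).
# s_client still completes the handshake; the code is the verification
# result, not a refusal, which is why a real client must check it.
echo "untrusted: $(tls_verify_code "")"
stop_server
```

The second handshake is the important one: s_client prints the verification failure and keeps going, so any script that uses it as a probe must look at the "Verify return code" line (or pass -verify_return_error) rather than at the exit status.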


OpenSSL as a PKI Tool



‘openssl’ commands for PKI work

• asn1parse: dump the ASN.1 structure of any DER or PEM object (certificates, requests, CRLs)

• ca: a minimal certification authority; signs requests, revokes certificates and issues CRLs from a flat-file database

• crl: display, verify and convert CRLs

• crl2pkcs7: wrap a CRL and certificates into a PKCS #7 bundle

• dsaparam: generate and inspect DSA parameters

• pkcs7: inspect PKCS #7 files and extract the certificates they carry

• req: create, display and verify PKCS #10 certificate requests (and self-signed certificates with -x509)

• x509: display, convert and sign certificates
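Together these commands make a working, if minimal, CA. The following added example, not code from the slides, sets up the flat-file database that `ca` expects, issues a certificate, publishes a CRL, revokes the certificate, checks the result with `verify -crl_check`, and bundles the CRL and certificates with `crl2pkcs7` for `pkcs7` to read back. The config section names, directory layout, file names and subjects are assumptions; the openssl binary must be on PATH.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal file-based CA run with the
# 'openssl ca' command, then crl, crl2pkcs7/pkcs7 and verify -crl_check.
# Section names, directory layout, file names and subjects are assumptions;
# the openssl binary must be on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 'ca' keeps its state in flat files: an index of issued certs, a serial
# counter, a CRL number counter and a directory for copies of issued certs.
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = leaf_ext

# DN fields not listed in the policy are stripped from the issued certificate.
[ cn_only ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ req ]
distinguished_name = dn
[ dn ]
EOF

# Root: a self-signed certificate carrying the CA extensions (cRLSign matters,
# verify rejects a CRL whose issuer lacks it).
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=Demo Root" -keyout ca.key -out ca.pem >/dev/null 2>&1

# Subscriber request, issuance (serial taken from 'serial'), and an empty CRL.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=leaf" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -in leaf.csr -out leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1

# Chain check with CRL checking: prints "ok", or the X509 verify error number
# (23 = certificate revoked).
cert_status() {
    if openssl verify -CAfile ca.pem -crl_check -CRLfile ca.crl "$1" >/dev/null 2>&1; then
        echo ok
    else
        openssl verify -CAfile ca.pem -crl_check -CRLfile ca.crl "$1" 2>&1 |
            sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# Number of entries under "Revoked Certificates" in the current CRL.
crl_revoked_count() {
    openssl crl -in ca.crl -noout -text | grep -c 'Serial Number:' || true
}

# Status flag for a serial in index.txt (tab-separated): V = valid, R = revoked.
index_state() {
    awk -F'\t' -v s="$1" '$4 == s { print $1 }' index.txt
}

# Bundle the CRL and both certificates into one PKCS#7 and count the
# certificates that 'pkcs7 -print_certs' lists back out of it.
bundle_cert_count() {
    openssl crl2pkcs7 -in ca.crl -certfile leaf.pem -certfile ca.pem -out bundle.p7b
    openssl pkcs7 -in bundle.p7b -print_certs -noout | grep -c '^subject=' || true
}

echo "before revocation: $(cert_status leaf.pem), index=$(index_state 01), revoked=$(crl_revoked_count)"
openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
echo "after revocation:  $(cert_status leaf.pem), index=$(index_state 01), revoked=$(crl_revoked_count)"
echo "certs in PKCS#7 bundle: $(bundle_cert_count)"
```

Revocation is two steps, `-revoke` marks the index entry and `-gencrl` publishes it; until the new CRL is distributed, relying parties checking the old one still see the certificate as valid.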


OpenSSL as a Subsystem

• Builds as a library (libcrypto for the algorithms, libssl for TLS/SSL)

• API for certificate processing (the X509, X509_REQ and X509_CRL objects and the verification routines)

• API for the underlying crypto operations (RSA, DSA, digests, ciphers, random numbers)

• used by TLS/SSL and by the ‘openssl’ application itself


Subsystem Uses

• TLS and SSL

• S/MIME

• OpenSSH (uses libcrypto)

• GPKCS

• Embedded systems


API Calls for Cert Request

• See apps/req.c

• 1. Make key pair (RSA_generate_key_ex into an EVP_PKEY; newer releases use EVP_PKEY_keygen)

• 2. Configure certificate request (X509_REQ_new, X509_REQ_set_subject_name, X509_REQ_set_pubkey, X509_REQ_add_extensions)

• 3. Sign certificate request with the private key (X509_REQ_sign); this is the proof of possession the CA checks

• 4. Output as DER (i2d_X509_REQ_bio) or PEM (PEM_write_bio_X509_REQ)


Architecture (diagram on the original slide): the Application sits on top of OpenSSL, which is divided into Certificate Processing and Cryptographic Processing; beneath these are the Certificate Store, the Key Store and optional Hardware Acceleration.


Conclusion

• General-purpose cryptographic tool

• Provides PKI processing

• Out-of-the-box support for the standards above

• Published API

• A product-grade solution


Contact Info

Rodney Thayer

The Tillerman Group

rodney@tillerman.to

http://www.pkiclue.com/presentations