{"id":20315320,"url":"https://github.com/madebypixel02/openssl-practices-2022","last_synced_at":"2026-03-05T09:32:51.131Z","repository":{"id":109078518,"uuid":"467024362","full_name":"madebypixel02/Openssl-Practices-2022","owner":"madebypixel02","description":"[Uc3m] Welcome to the Open Secure Sockets Layer","archived":false,"fork":false,"pushed_at":"2022-12-04T15:04:39.000Z","size":338,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-04T08:46:12.270Z","etag":null,"topics":["cnf","cybersecurity","data-protection","openssl","openssl-library","uc3m"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/madebypixel02.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-07T09:21:54.000Z","updated_at":"2025-01-11T15:29:23.000Z","dependencies_parsed_at":"2023-04-21T13:56:23.569Z","dependency_job_id":null,"html_url":"https://github.com/madebypixel02/Openssl-Practices-2022","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/madebypixel02/Openssl-Practices-2022","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebypixel02%2FOpenssl-Practices-2022","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebypixel02%2FOpenssl-Practices-2022/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebypixel02%2FOpenssl-Practices-2022/releases","manifests_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/madebypixel02%2FOpenssl-Practices-2022/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/madebypixel02","download_url":"https://codeload.github.com/madebypixel02/Openssl-Practices-2022/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/madebypixel02%2FOpenssl-Practices-2022/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30117711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T08:19:04.902Z","status":"ssl_error","status_checked_at":"2026-03-05T08:17:37.148Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cnf","cybersecurity","data-protection","openssl","openssl-library","uc3m"],"created_at":"2024-11-14T18:18:46.659Z","updated_at":"2026-03-05T09:32:51.104Z","avatar_url":"https://github.com/madebypixel02.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- *********************************************************************** --\u003e\n\u003c!--                                                                         --\u003e\n\u003c!--                                +###****.                                
--\u003e\n\u003c!--                                =***@@@+                                 --\u003e\n\u003c!--            *%*   -%%:  -*%%%#     :@@@=:   #%##%%#=-*%%%*:              --\u003e\n\u003c!--            %@%   =@@: #@@*=+*.    -==*@@+  @@@*=+@@@%+=#@@=             --\u003e\n\u003c!--            %@%   -@@:-@@-     .==.    *@@. %@#   =@@:   %@#             --\u003e\n\u003c!--            +@@+-=%@@..%@@+--+..%@@+--*@@*  @@#   +@@:   @@#             --\u003e\n\u003c!--             -*%@@#+.   =#%@@%.  -*%@@%*-   %@*   =@@:   %@*             --\u003e\n\u003c!--                                                                         --\u003e\n\u003c!-- README.md                                                               --\u003e\n\u003c!--                                                                         --\u003e\n\u003c!-- By: aperez-b \u003c100429952@alumnos.uc3m.es\u003e                                --\u003e\n\u003c!--                                                                         --\u003e\n\u003c!-- Created: 2022/03/07 09:50:11 by aperez-b                                --\u003e\n\u003c!-- Updated: 2022/12/04 16:03:46 by aperez-b                                --\u003e\n\u003c!--                                                                         --\u003e\n\u003c!-- *********************************************************************** --\u003e\n\n# OpenSSL Practices 2022 | uc3m\n\n*Welcome to the Open Secure Sockets Layer 🔑*\n\n### Table of Contents\n\n- [Introduction](#introduction)\n- [Configuration of AC1](#configuration-of-ac1-root-ac)\n- [Configuration of AC2](#configuration-of-ac2-subordinate-ac)\n- [Generation of AC2’s certificate by AC1](#generation-of-ac2s-certificate-by-ac1)\n- [Generation of keys for entity A](#generation-of-keys-for-entity-a-as-well-as-its-corresponding-certificate-request)\n- [Generation of A certificate by AC2](#generation-of-a-certificate-by-ac2)\n- [Verification of A 
certificate](#verification-of-a-certificate)\n- [Joining the certificate and the private key](#joining-the-certificate-and-the-private-key-to-sign-in-common-applications-word-email)\n- [Use of A’s private key to sign a document](#use-of-as-private-key-to-sign-a-document)\n- [Questions](#questions)\n- [Summary](#summary)\n\n## Introduction\n\nThe objective of this practice is to understand the concepts underlying a public key infrastructure\nbased on the hierarchical trust model.\nSpecifically, the objectives are the following:\n\n- Understand the steps required to create a mini PKI\n- Understand the steps required for an Authority to issue a certificate\n- Understand the role of the certificate in the signing and verifying of documents\n\nTo achieve these objectives each student (or student group) becomes a ROOT CERTIFICATION AUTHORITY (equivalent to the role of **Fábrica Nacional de Moneda y Timbre** in the real world). Such an Authority (AC1), for organizational reasons (for example, to have a local office in every district), has some SUBORDINATE CERTIFICATION AUTHORITIES (AC2, AC3,…ACn). These subordinate Authorities are in charge of issuing public key certificates to people (A, B, C…).\n\nThe group of all the Authorities composes a Public Key Infrastructure (PKI).\n\n## Configuration of AC1 (root AC)\n\nWe will apply the following commands: ``ca``, ``req``, ``x509`` and ``verify``.\n\nThe ``ca`` command is a minimal Certification Authority application. It can be used to sign certificate requests in a variety of forms. Its behaviour is configured by means of the file ``openssl.cnf``. Moreover, we must prepare the working environment as a specific directory structure.\n\nThe ``req`` command primarily creates and processes certificate requests. 
It can additionally create self-signed certificates, for use as root CAs for example.\n\nThe ``x509`` command can be used to display certificate information, convert certificates to various forms, and sign certificate requests.\nThe ``verify`` command verifies certificate chains.\n\n1. Generate the directory structure necessary for AC1 and initialize the files ``serial`` and ``index.txt``.\n\n```shell\nmkdir -p AC1\ncd AC1\nmkdir requests crls newcerts private\necho '01' \u003e serial\ntouch index.txt\ncd ..\n```\n\n2. Generate the RSA key-pair and the self-signed certificate for AC1. Analyze the output.\n\n```shell\ncd AC1\nopenssl req -x509 -newkey rsa:2048 -days 360 -out ac1cert.pem -outform PEM -config openssl_AC1.cnf\ncd ..\n```\n\nThe command requests a passphrase to generate AC1's private key. Remember it when\nyou want to use this key.\n\n```shell\ncd AC1\nopenssl x509 -in ac1cert.pem -text -noout\ncd ..\n```\n\n## Configuration of AC2 (subordinate AC)\n\n3. Generate the directory structure necessary for AC2 and initialize the files ``serial`` and ``index.txt``.\n\n```shell\nmkdir -p AC2\ncd AC2\nmkdir requests crls newcerts private\necho '01' \u003e serial\ntouch index.txt\ncd ..\n```\n\n4. Generate the RSA key-pair for AC2 and the certificate request that will be sent to AC1, and 'send' it to AC1. Analyze the results.\n\n```shell\ncd AC2\nopenssl req -newkey rsa:2048 -days 360 -out ac2req.pem -outform PEM -config openssl_AC2.cnf\ncd ..\n```\n\nThe command requests a passphrase to generate AC2's private key. Remember it when you want to use this key.\n\n```shell\ncd AC2\nopenssl req -in ac2req.pem -text -noout\ncp ac2req.pem ../AC1/requests\ncd ..\n```\n\n## Generation of AC2’s certificate by AC1\n\n5. Verify the request **sent** by AC2.\n\n```shell\ncd AC1\nopenssl req -in ./requests/ac2req.pem -text -noout\ncd ..\n```\n\n6. Generate the corresponding certificate for AC2 and **send** it back to AC2. 
Rename ``01.pem`` to ``ac2cert.pem``, because AC2 uses this name in its configuration file.\n\n```shell\ncd AC1\nopenssl ca -in ./requests/ac2req.pem -notext -extensions v3_subca -config openssl_AC1.cnf\ncd ..\n```\n\nAC1 needs its private key to generate AC2's certificate, so AC1's passphrase is requested.\n\n```shell\ncd AC1\ncp ./newcerts/01.pem ../AC2/ac2cert.pem\ncd ..\n```\n\n## Generation of keys for entity A as well as its corresponding certificate request\n\n7. For entity A, generate an RSA key-pair as well as a certificate request and **send** it to AC2. When generating the certificate request, fill in ALL the requested fields: indicate ``ES`` as country, ``MADRID`` as province, **UC3M** as organization, any common name (e.g., one NIA), and your student email as the email address.\n\n```shell\nmkdir -p A\ncd A\nopenssl req -newkey rsa:1024 -days 360 -sha1 -keyout Akey.pem -out Areq.pem\ncd ..\n```\n\nThe command requests a passphrase to generate A's private key. Remember it when you want to use this key.\n\n```shell\ncd A\nopenssl req -in Areq.pem -text -noout\ncp Areq.pem ../AC2/requests/\ncd ..\n```\n\n## Generation of A certificate by AC2\n\n8. Verify the request **sent** by A.\n\n```shell\ncd AC2\nopenssl req -in ./requests/Areq.pem -text -noout\ncd ..\n```\n\n9. Generate the certificate for A and **send** it back to this entity.\n\n```shell\ncd AC2\nopenssl ca -in ./requests/Areq.pem -notext -config ./openssl_AC2.cnf\ncd ..\n```\n\nAC2 needs its private key to generate A's certificate, so AC2's passphrase is requested.\n\n```shell\ncd AC2\ncp ./newcerts/01.pem ../A/Acert.pem\ncd ..\n```\n\n10. Analyze the changes in the AC2 directory and check the resulting certificate:\n\n```shell\ncd A\nopenssl x509 -in Acert.pem -text -noout\ncd ..\n```\n\n## Verification of A certificate\n\n11. 
Obtain a copy of the public key certificates of AC1 and AC2 and verify A's certificate (you need to concatenate both the AC1 and AC2 certificates into a single file).\n\n```shell\ncd A\ncp ../AC1/ac1cert.pem ./\ncp ../AC2/ac2cert.pem ./\ncat ac1cert.pem ac2cert.pem \u003e certs.pem\nopenssl verify -CAfile certs.pem Acert.pem\ncd ..\n```\n\n## Joining the certificate and the private key to sign in common applications (Word/ Email)\n\n12. Export the certificate of entity A, its private key and both the AC1 and AC2 certificates (file ``certs.pem``) to PKCS12 format.\n\n```shell\ncd A\nopenssl pkcs12 -export -in Acert.pem -inkey Akey.pem -certfile certs.pem -out Acert.p12\ncd ..\n```\n\nA's passphrase is requested to export A's private key, and a new passphrase is requested for ``Acert.p12``.\n\n## Use of A’s private key to sign a document\n\n13. Create a Microsoft Word document and sign it electronically using A's private key. In order to do that, you have to import ``Acert.p12`` in the browser (``Tools \u003e Internet options \u003e Content \u003e Certificates \u003e Import...``) and then, in Microsoft Word, use ``Office button \u003e Prepare \u003e Add digital signature...``.\n\n## Questions\n\n- What is the file **serial** used for?\n- What is the file **index** used for?\n- Could AC2 create a certificate applying step 2 of this script?\n- If you or your lab group become a Certification Authority, explain and justify (i.e., advantages, disadvantages, alternatives…) the values you would use to configure the following parameters: ``default_days``, ``default_crl_days``, ``countryName``\n- When you open the Word document, once signed, you may notice that it gives a **Verification error**. Why does it happen? 
How can it be solved?\n\n## Summary\n\nThat was fun!\n\nMarch 7th, 2022\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadebypixel02%2Fopenssl-practices-2022","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmadebypixel02%2Fopenssl-practices-2022","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmadebypixel02%2Fopenssl-practices-2022/lists"}