#### LAB 1: Generation of a CSR and using it to request a certificate

## LAB Objectives

* Generate CSR
* Use CSR to create certificate from CA
* Create trust with CA

## LAB Duration

20 Minutes

## LAB Environment

On your lab machine hostX.ws.nsrc.org:

Check if openssl is installed

> dpkg -l | grep openssl

The above command should return something like

openssl-0.9.8e-7.el5
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5

or else execute the following:

> apt-get install openssl libssl-dev

** ON YOUR LAPTOP/HOST MACHINE IT IS RECOMMENDED TO HAVE FIREFOX INSTALLED **

## LAB tasks

** IN THIS LAB, AS IN THE REST, REPLACE ALL OCCURRENCES OF 'X' WITH YOUR GROUP NUMBER **

---------------PART 1: GENERATING A CSR-------------------

# Generating a Certificate Signing Request (CSR)

1. Change directory to your home folder

> cd ~

2. Create a new directory and change to it

> mkdir conf
> cd conf

3. Generate CSR

a ) Generate the RSA key

> openssl genrsa -out hostX.ws.nsrc.org.key 2048

b ) Create a CSR

> openssl req -new -sha256 -key hostX.ws.nsrc.org.key -out hostX.ws.nsrc.org.csr

## ! IMPORTANT: ENTER THE INFORMATION TO BE DISPLAYED ON THE CERTIFICATE.

**** ENSURE COMMON NAME IS YOUR HOST NAME ****

Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HostX
Organizational Unit Name (eg, section) []:HX
Common Name (e.g. server FQDN or YOUR name) []:hostX.ws.nsrc.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: << leave this blank >>
An optional company name []: << leave this blank >>

4. Verify your CSR

> openssl req -noout -text -in hostX.ws.nsrc.org.csr

---------- PART 2: DOWNLOADING YOUR SSL CERTIFICATE---------------

# Downloading Certificate from CA.
# Ensure you have your CSR ready for upload or copy pasting

1. Open URL https://ca-gen.kenet.or.ke/ in your browser

2. Visit the 'Create Certificate from CSR' link

Enter your username and password as follows:

username: hostX
password: hostX

Paste/Upload your CSR

Result Type: Choose 'PEM Certificate Only' and click SUBMIT

3. Download and save the certificate on your computer

4. Now copy the certificate to your server using

> scp hostX.pem sysadm@hostX.ws.nsrc.org:~/conf

OR copy and paste the certificate into a new file on the server, with vi in INSERT mode, as follows

> vi hostXwsnsrcorg.pem

---------- PART 3: INSTALLING CA CERTIFICATE ON BROWSER TO BUILD TRUST----

*** FIREFOX IS RECOMMENDED FOR THIS. CHROMIUM USERS WILL HAVE TO DOWNLOAD FIRST AND THEN INSTALL LATER ***

1. Open URL http://crt.ca.kenet.or.ke/KENETROOTCA.crt and trust this certificate to identify all entities

2. Open URL http://crt.ca.kenet.or.ke/KENETCA.crt and trust again

** ON FIREFOX CHECK ALL THE BOXES **

You should have 3 files in your conf directory now. Do 'ls -lah' to list them:

1. The CSR file
2. The private key
3. The public key

--------------- PART 4: CHANGE PERMISSIONS OF ALL THESE FILES --------------------

This step is very important. You don't want anyone else to have access to these files. So, while in the conf directory, execute:

> chmod 400 *
> ls -lah

## END
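
The checks behind Parts 1, 2 and 4, written as shell functions. This is an added example, not part of the original lab: it confirms the CSR's Common Name and self-signature, that the CSR and the downloaded certificate both carry your key's public half, and that every file ended up mode 400. It assumes the `openssl` command is on your PATH; the function names are hypothetical, and the subject fields are the lab's sample answers passed with `-subj` instead of typed at the prompts.

```shell
#!/bin/sh
# Added example, not part of the original lab. HOST is whatever you use for
# hostX.ws.nsrc.org; the subject fields mirror the sample answers in Part 1.

# make_csr HOST DIR: create DIR/HOST.key and DIR/HOST.csr without prompts.
make_csr() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    ( umask 077    # the key is never group/world readable, even briefly
      openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null &&
      openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
          -subj "/C=KE/ST=Nairobi/L=Nairobi/O=HostX/OU=HX/CN=$host" )
}

# csr_cn FILE: print the Common Name in the CSR subject.
csr_cn() {
    openssl req -noout -subject -nameopt multiline -in "$1" |
        sed -n 's/^ *commonName *= *//p'
}

# pub_of KIND FILE: print the public key of a key, CSR or certificate.
pub_of() {
    case $1 in
        key)  openssl pkey -pubout -in "$2" ;;
        csr)  openssl req  -noout -pubkey -in "$2" ;;
        cert) openssl x509 -noout -pubkey -in "$2" ;;
        *)    return 1 ;;
    esac
}

# check_csr HOST DIR: 0 if the CSR is sound, else a code naming the failure.
check_csr() {
    host=$1; dir=$2
    openssl req -noout -verify -in "$dir/$host.csr" 2>&1 |
        grep -q 'verify OK' || return 1                      # bad self-signature
    [ "$(csr_cn "$dir/$host.csr")" = "$host" ] || return 2   # wrong Common Name
    [ "$(pub_of csr "$dir/$host.csr")" = "$(pub_of key "$dir/$host.key")" ] || return 3
}

# cert_matches_key CERT KEY: the downloaded certificate belongs to this key.
cert_matches_key() {
    [ -n "$(pub_of cert "$1")" ] && [ "$(pub_of cert "$1")" = "$(pub_of key "$2")" ]
}

# lock_down DIR: apply Part 4 and confirm every file ended up mode 400.
lock_down() {
    chmod 400 "$1"/* && [ -z "$(find "$1" -type f ! -perm 400)" ]
}
```

Run `check_csr` before uploading the CSR and `cert_matches_key` on the PEM file you get back from the CA; a non-zero result from either means the files in `conf` do not belong together.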