This Lab illustrates SSL/TLS key and certificate best practices. It uses OpenSSL to create private keys, create a certificate authority (CA), and sign certificates with that CA.
Deploy the CloudFormation template infrastructure/cloudformation.json. The template creates a user with the following credentials and the minimal permissions required to complete the Lab:
- Username: student
- Password: password
- In the Cloud9 environment terminal, generate a 2048-bit RSA private key, encrypted with AES-128-CBC under the passphrase Cloud_Academy (you will need this passphrase whenever the key is used):
  openssl genpkey -algorithm RSA -aes-128-cbc -pass pass:Cloud_Academy -out key.pem -pkeyopt rsa_keygen_bits:2048
- Restrict file access to the private key so that only its owner can read it:
  chmod 400 key.pem
- Copy the contents of src/req.cnf to a file named req.cnf in the Cloud9 environment.
- Create a certificate signing request (CSR) so that a certificate authority (CA) can certify your identity. The config file is the req.cnf you just copied; openssl prompts for the key passphrase (Cloud_Academy) because key.pem is encrypted:
  openssl req -new -config req.cnf -key key.pem -out req.csr
- Create a CA and root certificate (self-sign a CSR). First generate a private key for the CA as ca.key.pem (the same genpkey command as above, with -out ca.key.pem), restrict access to it, and create the CA's own CSR:
  chmod 400 ca.key.pem
  openssl req -key ca.key.pem -new -out ca.csr
  Fill out the fields, using the same Organization Name as in the earlier CSR: the default openssl ca policy (policy_match in the stock openssl.cnf) requires organizationName to match the CA's, so a mismatch makes signing fail later. Then initialize the CA database and self-sign the CA's CSR with the v3_ca extensions (basicConstraints CA:TRUE), valid for 7300 days:
  sudo sh -c 'openssl rand -hex 16 > /etc/pki/CA/serial'   # initialize a random certificate serial number
  sudo touch /etc/pki/CA/index.txt                         # initialize the index file that tracks issued certificates
  sudo openssl ca -selfsign -days 7300 -md sha256 -in ca.csr -keyfile ca.key.pem -out ca.crt -extensions v3_ca
  chmod 444 ca.crt
- Use the CA to sign the CSR created earlier. The certificate is valid for 100 days and signed with SHA-256; -batch skips the confirmation prompts and -notext omits the human-readable dump from cert.pem. The key and certificate paths are the ones the CA step wrote in the working directory:
  sudo openssl ca -days 100 -notext -md sha256 -batch -in req.csr -keyfile ca.key.pem -cert ca.crt -out cert.pem
  sudo chmod 444 cert.pem
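The whole procedure above, run end to end as an added example (this is not the Lab's own code). It builds the CA in a throwaway directory with a private openssl.cnf instead of /etc/pki/CA, so it can run without sudo, and it closes with the check a practitioner would add: openssl verify against the new root, plus a test that the root carries CA:TRUE and the leaf does not. It assumes openssl is on PATH; the passphrase, organization name and host name are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Lab: key -> CSR -> CA -> signed cert -> verify,
# all inside one temporary directory. Assumes openssl (1.1.1 or 3.x) on PATH.
set -eu

CA_PASS="Cloud_Academy"      # constructed passphrase for the CA key
ORG="Cloud Academy Lab"      # constructed; must be identical in CA and leaf CSR

# write_ca_config DIR: minimal openssl.cnf for `openssl ca`. The policy section
# is why the Lab says to reuse the Organization Name: organizationName=match
# makes `openssl ca` refuse a CSR whose O differs from the CA's.
write_ca_config() {
  dir="$1"
  mkdir -p "$dir/ca/newcerts"
  touch "$dir/ca/index.txt"                 # CA database of issued certs
  openssl rand -hex 16 > "$dir/ca/serial"   # random starting serial, as in the Lab
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca      = lab_ca
[ lab_ca ]
dir             = $dir/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
policy          = lab_policy
x509_extensions = v3_leaf
[ lab_policy ]
organizationName = match
commonName       = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
O  = $ORG
CN = lab-ca
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = DNS:lab.example.com
EOF
}

# build_ca_and_sign DIR: mirrors the Lab's steps; succeeds only if the leaf
# certificate chains to the freshly created root.
build_ca_and_sign() {
  dir="$1"
  write_ca_config "$dir"
  cfg="$dir/ca.cnf"

  # CA key: passphrase-protected and owner-read-only, like the Lab's key.pem.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-128-cbc -pass pass:"$CA_PASS" -out "$dir/ca.key.pem" 2>/dev/null
  chmod 400 "$dir/ca.key.pem"
  openssl req -new -config "$cfg" -key "$dir/ca.key.pem" \
    -passin pass:"$CA_PASS" -out "$dir/ca.csr"
  openssl ca -batch -config "$cfg" -selfsign -days 7300 -md sha256 -extensions v3_ca \
    -in "$dir/ca.csr" -keyfile "$dir/ca.key.pem" -passin pass:"$CA_PASS" \
    -out "$dir/ca.crt" 2>/dev/null
  chmod 444 "$dir/ca.crt"

  # Leaf key and CSR (left unencrypted here so a server could load it unattended).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null
  chmod 400 "$dir/key.pem"
  openssl req -new -config "$cfg" -subj "/O=$ORG/CN=lab.example.com" \
    -key "$dir/key.pem" -out "$dir/req.csr"
  openssl ca -batch -config "$cfg" -days 100 -notext -md sha256 -extensions v3_leaf \
    -in "$dir/req.csr" -keyfile "$dir/ca.key.pem" -passin pass:"$CA_PASS" \
    -cert "$dir/ca.crt" -out "$dir/cert.pem" 2>/dev/null
  chmod 444 "$dir/cert.pem"

  # The check the Lab omits: does the leaf actually chain to the root?
  openssl verify -CAfile "$dir/ca.crt" "$dir/cert.pem" >/dev/null
}

# is_ca CERT: true only if the certificate asserts basicConstraints CA:TRUE.
# A root must; a server certificate must not, or it could mint further certs.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Stand-alone run:
work=$(mktemp -d)
build_ca_and_sign "$work"
echo "root: $work/ca.crt  leaf: $work/cert.pem"
```

The Lab's `-extensions v3_ca` is what distinguishes the root from a leaf; the same `openssl ca` invocation without it would copy the default x509_extensions and produce a certificate that cannot sign anything. Changing ORG in only one of the two CSRs reproduces the policy failure the Lab's Organization Name note is warning about.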
Delete the CloudFormation stack to remove all the resources used in the Lab.