Lab to illuminate SSL best practices. The Lab uses OpenSSL to create keys, create a certificate authority (CA), and sign certificates using the CA.

Deploy the CloudFormation infrastructure/cloudformation.json template. The template creates a user with the following credentials and minimal required permisisons to complete the Lab:

• Username: student
• Password: password

1. In the Cloud9 environment terminal, generate an RSA private key:

   openssl genpkey -algorithm RSA -aes-128-cbc -pass pass:Cloud_Academy -out key.pem -pkeyopt rsa_keygen_bits:2048

2. Restrict file access to the private key:

   chmod 400 key.pem

3. Copy the contents of src/req.cnf to a req.cnf file in the Cloud9 environment.

4. Create a certificate signing request (CSR) to have a certificate authority (CA) certify your identity:

   openssl req -new -config csr.cnf -key key.pem -out req.csr

5. Create a CA and root certificate (self-sign a CSR):

   openssl req -key ca.key.pem -new -out ca.csr
   chmod 400 ca.key.pem

   Fill out the fields (use the same Organization Name as used in the CSR)

   sudo sh -c 'openssl rand -hex 16 > /etc/pki/CA/serial' # initialize a random certificate serial number
   sudo touch /etc/pki/CA/index.txt # initialize the index file for tracking
   sudo openssl ca -selfsign -days 7300 -md sha256 -in ca.csr -keyfile ca.key.pem -out ca.crt -extensions v3_ca
   chmod 444 ca.crt

6. Use the CA to sign the certificate in the CSR created earlier:

   sudo openssl ca -days 100 -notext -md sha256 -batch -in req.csr -keyfile ca/ca.key.pem -cert ca/ca.crt -out cert.pem
   sudo chmod 444 cert.pem

Delete the CloudFormation stack to remove all the resources used in the Lab.