
Guided Exercise: Managing Certificates

Create an encrypted key and a certificate signing request.

Validate a certificate with a certificate chain of trust.

Revoke and renew certificates.

Outcomes

  • Manage certificates in a public key infrastructure.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start technology-pki

As a certificate administrator, you are requested to issue a new end-entity certificate. The existing server001.lab.example.com certificate is suspected to be compromised, and so you must issue a new certificate and revoke the existing certificate. The new certificate must be issued for the service.lab.example.com name instead of the server name.

The intermediate CA certificate is about to expire, and so you take the opportunity to renew the intermediate CA certificate and then issue the new end-entity certificate. Provide the certificate chain and validate the chain of trust for this end-entity certificate.

The root CA certificate and keys are in the /root/root-ca/ directory. The intermediate CA certificate and keys are in the /root/inter-ca/ directory. The passphrase for the root CA key is RedHat123^. The passphrase for the intermediate CA key is InterCA123^.

Instructions

  1. On the workstation machine, switch to the root user.

    [student@workstation ~]$ sudo -i
    [sudo] password for student: student
    [root@workstation ~]#
  2. Review the contents of the intermediate CA directory. Review the validity of the certificates and verify the passphrase of the keys.

    1. Review the contents of the intermediate CA directory.

      [root@workstation ~]# cd ~/inter-ca/
      [root@workstation inter-ca]# ls -l
      total 20
      drwxr-xr-x. 2 root root    73 Jan 29 22:05 certs
      drwxr-xr-x. 2 root root     6 Jan 29 21:46 crl
      drwxr-xr-x. 2 root root    71 Jan 29 21:46 csr
      -rw-r--r--. 1 root root     0 Jan 29 22:05 index.txt
      drwxr-xr-x. 2 root root     6 Jan 29 21:46 newcerts
      -rw-r--r--. 1 root root 12729 Jan 29 21:46 openssl.cnf
      drwx------. 2 root root    71 Jan 29 21:46 private
      -rw-r--r--. 1 root root     5 Jan 29 21:46 serial
    2. Review the intermediate CA certificate.

      The certificate has less than 10 days left of validity. If you issue the end-entity certificate without renewing the intermediate certificate, then the end-entity certificate is only valid for the period of time that the intermediate certificate is valid.

      Note

      The validity time range of the certificate in your classroom might be different from the following example output. The validity time left, however, should be less than 10 days.

      [root@workstation inter-ca]# openssl x509 -noout -text -in certs/inter-ca.cert.pem
      Certificate:
      ...output omitted...
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = RH362 root CA
              Validity
                  Not Before: Feb  8 03:05:54 2022 GMT
                  Not After : Feb  8 03:05:54 2023 GMT
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = RH362 intermediate CA
      ...output omitted...
                  X509v3 Subject Alternative Name:
                      DNS:RH362 intermediate CA
                  X509v3 Key Usage: critical
                      Digital Signature, Certificate Sign, CRL Sign
                  X509v3 Basic Constraints:
                      CA:TRUE
      ...output omitted...
    3. Verify that the intermediate CA private key can be used with the provided passphrase.

      [root@workstation inter-ca]# openssl rsa -check -noout \
        -in private/inter-ca.key.pem
      Enter pass phrase for private/inter-ca.key.pem: InterCA123^
      RSA key ok
    4. Review the end-entity certificate.

      The certificate is valid for a few months, but it is suspected to be compromised. The common name for the certificate must be replaced with a name that can be used for systems other than the server001.lab.example.com machine.

      Note

      The validity time range of the certificate in your classroom might be different from the following example output. The validity time left, however, should be less than 6 months.

      [root@workstation inter-ca]# openssl x509 -noout -text \
        -in certs/server001.lab.example.com.cert.pem
      Certificate:
      ...output omitted...
              Issuer: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = RH362 intermediate CA
              Validity
                  Not Before: Aug  3 04:11:32 2022 GMT
                  Not After : Aug  3 04:11:32 2023 GMT
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = server001.lab.example.com
      ...output omitted...
                  X509v3 Subject Alternative Name:
                      DNS:server001.lab.example.com
                  X509v3 Key Usage: critical
                      Digital Signature, Key Encipherment
                  X509v3 Extended Key Usage:
                      TLS Web Server Authentication
                  X509v3 Basic Constraints:
                      CA:FALSE
      ...output omitted...
  3. As the root CA, renew the intermediate CA certificate for a validity of five years. Use the v3_inter_ca extension in the openssl.cnf configuration file. Create a chained certificate to validate the chain of trust.

    1. Review the certificate signing request (CSR) information. Ensure that the request is configured to be used as a CA certificate. Verify the location information.

      [root@workstation inter-ca]# openssl req -text -noout -verify \
        -in csr/inter-ca.csr.pem
      Certificate request self-signature verify OK
      ...output omitted...
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = RH362 intermediate CA
      ...output omitted...
                      X509v3 Subject Alternative Name:
                          DNS:RH362 intermediate CA
                      X509v3 Key Usage: critical
                          Digital Signature, Certificate Sign, CRL Sign
                      X509v3 Basic Constraints:
                          CA:TRUE
      ...output omitted...
    2. Renew the intermediate CA certificate. Use the existing intermediate CA CSR with the v3_inter_ca extension to send the renewal request. Set a validity period of five years.

      Review the certificate details and confirm the certificate signing.

      [root@workstation inter-ca]# cd ../root-ca/
      [root@workstation root-ca]# openssl ca -config openssl.cnf -md sha256 \
        -extensions v3_inter_ca -days 1825 -notext \
        -in ../inter-ca/csr/inter-ca.csr.pem \
        -out ../inter-ca/certs/inter-ca.cert.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/root-ca/private/root-ca.key.pem: RedHat123^
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 4096 (0x1000)
              Validity
                  Not Before: Jan 30 04:37:07 2023 GMT
                  Not After : Jan 29 04:37:07 2028 GMT
              Subject:
                  countryName               = US
                  stateOrProvinceName       = North Carolina
                  organizationName          = Red Hat
                  organizationalUnitName    = Learning
                  commonName                = RH362 intermediate CA
      ...output omitted...
      Sign the certificate? [y/n]: y
      
      1 out of 1 certificate requests certified, commit? [y/n] y
      Write out database with 1 new entries
      Data Base Updated
    3. Update the permissions on the certificate and validate the certificate against the root CA.

      [root@workstation root-ca]# cd ../inter-ca/
      [root@workstation inter-ca]# chmod 0444 certs/inter-ca.cert.pem
      [root@workstation inter-ca]# openssl verify \
        -CAfile ../root-ca/certs/root-ca.cert.pem certs/inter-ca.cert.pem
      certs/inter-ca.cert.pem: OK
    4. Create the chained certificate. Copy the content of the intermediate CA certificate to a new file and append the content of the root CA certificate. Update the permissions on the certificate.

      [root@workstation inter-ca]# cat certs/inter-ca.cert.pem \
        ../root-ca/certs/root-ca.cert.pem > certs/ca-chain.cert.pem
      [root@workstation inter-ca]# chmod 0444 certs/ca-chain.cert.pem
  4. Configure a certificate revocation list and revoke the server001.lab.example.com certificate.

    1. Configure the certificate revocation list for the intermediate CA.

      [root@workstation inter-ca]# echo 1000 > crlnumber
      [root@workstation inter-ca]# openssl ca -config openssl.cnf -gencrl \
        -out crl/inter-ca.crl.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
    2. Review the certificate revocation list.

      [root@workstation inter-ca]# openssl crl -in crl/inter-ca.crl.pem -noout -text
      Certificate Revocation List (CRL):
              Version 2 (0x1)
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = US, ST = North Carolina, O = Red Hat, OU = Learning, CN = RH362 intermediate CA
              Last Update: Jan 30 04:57:16 2023 GMT
              Next Update: Mar  1 04:57:16 2023 GMT
      ...output omitted...
      No Revoked Certificates.
      ...output omitted...
    3. Revoke the server001.lab.example.com certificate.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf \
        -revoke certs/server001.lab.example.com.cert.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      Adding Entry with serial number 1870A8484B5E3132C92B7581D68CB7D4081E6CA7 to DB for /C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Learning/CN=server001.lab.example.com
      Revoking Certificate 1870A8484B5E3132C92B7581D68CB7D4081E6CA7.
      Data Base Updated
    4. Renew the certificate revocation list (CRL) and ensure that the server001.lab.example.com certificate is revoked.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf \
        -gencrl -out crl/inter-ca.crl.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      [root@workstation inter-ca]# openssl crl -noout -text -in crl/inter-ca.crl.pem
      Certificate Revocation List (CRL):
      ...output omitted...
      Revoked Certificates:
          Serial Number: 1870A8484B5E3132C92B7581D68CB7D4081E6CA7
              Revocation Date: Jan 30 05:03:16 2023 GMT
      [root@workstation inter-ca]# grep 1870A8484B5E31 index.txt
      R	230803041132Z	230130050316Z	1870A8484B5E3132C92B7581D68CB7D4081E6CA7	unknown	/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Learning/CN=server001.lab.example.com
    5. Use the chained certificate to validate the server001.lab.example.com certificate.

      [root@workstation inter-ca]# openssl verify -CAfile certs/ca-chain.cert.pem \
        certs/server001.lab.example.com.cert.pem
      C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = server001.lab.example.com
      error 20 at 0 depth lookup: unable to get local issuer certificate
      error certs/server001.lab.example.com.cert.pem: verification failed
  5. Issue a new certificate for the service.lab.example.com entity. Reuse the location information of the previous certificate. Create a private key to use with this certificate.

    1. Review the information for the server001.lab.example.com certificate.

      [root@workstation inter-ca]# openssl x509 -noout -text \
        -in certs/server001.lab.example.com.cert.pem
      Certificate:
      ...output omitted...
              Subject: C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Learning, CN = server001.lab.example.com
      ...output omitted...
    2. Create a private key and create a CSR with the same location information as the previous certificate.

      [root@workstation inter-ca]# openssl genrsa \
        -out private/service.lab.example.com 2048
      [root@workstation inter-ca]# chmod 0400 private/service.lab.example.com
      [root@workstation inter-ca]# openssl req -config openssl.cnf -new -sha256 \
        -key private/service.lab.example.com \
        -out csr/service.example.com.csr.pem
      ...output omitted...
      Country Name (2 letter code) [XX]: US
      State or Province Name (full name) []: North Carolina
      Locality Name (eg, city) [Default City]: Raleigh
      Organization Name (eg, company) [Default Company Ltd]: Red Hat
      Organizational Unit Name (eg, section) []: Learning
      Common Name (eg, your name or your server's hostname) []: service.lab.example.com
      Email Address []: Enter
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []: Enter
      An optional company name []: Enter
    3. Review the CSR and issue the certificate.

      [root@workstation inter-ca]# openssl ca -config openssl.cnf \
        -notext -md sha256 -extensions end_entity_cert -days 365 \
        -in csr/service.example.com.csr.pem \
        -out certs/service.lab.example.com.cert.pem
      Using configuration from openssl.cnf
      Enter pass phrase for /root/inter-ca/private/inter-ca.key.pem: InterCA123^
      Check that the request matches the signature
      Signature ok
      Certificate Details:
              Serial Number: 4096 (0x1000)
              Validity
                  Not Before: Jan 30 05:24:37 2023 GMT
                  Not After : Jan 30 05:24:37 2024 GMT
              Subject:
                  countryName               = US
                  stateOrProvinceName       = North Carolina
                  localityName              = Raleigh
                  organizationName          = Red Hat
                  organizationalUnitName    = Learning
                  commonName                = service.lab.example.com
      ...output omitted...
      Certificate is to be certified until Jan 30 05:24:37 2024 GMT (365 days)
      Sign the certificate? [y/n]: y
      
      1 out of 1 certificate requests certified, commit? [y/n] y
      Write out database with 1 new entries
      Data Base Updated
      [root@workstation inter-ca]# chmod 0444 certs/service.lab.example.com.cert.pem
    4. Verify the certificate against the chained certificate.

      [root@workstation inter-ca]# openssl verify -CAfile certs/ca-chain.cert.pem \
        certs/service.lab.example.com.cert.pem
      certs/service.lab.example.com.cert.pem: OK
  6. Log out of the root user on the workstation machine.

    [root@workstation inter-ca]# exit
    logout
    [student@workstation ~]$
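Step 4 regenerates the CRL from the intermediate CA database and grep checks a single serial in index.txt; note that openssl verify only consults a CRL when it is given -crl_check together with -CRLfile, so the verification in step 4.5 is not a revocation check. The following Python script is an added example, not part of the Red Hat course material: it parses an index.txt in the tab-separated layout shown in step 4.4 (the sample database here is constructed) and reports revoked serials and still-valid certificates that are close to expiry, the two conditions this exercise acts on.

```python
import datetime as dt

# Constructed sample of an OpenSSL CA index.txt. Each tab-separated line is:
# status (V/R/E), expiry, revocation date (empty unless revoked, optionally
# followed by ",reason"), serial, certificate filename, subject DN.
SAMPLE_INDEX = (
    "V\t230208030554Z\t\t1000\tunknown\t"
    "/C=US/ST=North Carolina/O=Red Hat/OU=Learning/CN=RH362 intermediate CA\n"
    "R\t230803041132Z\t230130050316Z,keyCompromise\t"
    "1870A8484B5E3132C92B7581D68CB7D4081E6CA7\tunknown\t"
    "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Learning/CN=server001.lab.example.com\n"
    "V\t240130052437Z\t\t1001\tunknown\t"
    "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat/OU=Learning/CN=service.lab.example.com\n"
)


def parse_time(stamp):
    """Parse the UTCTime form (YYMMDDHHMMSSZ) that index.txt uses."""
    return dt.datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def parse_index(text):
    """Return one dict per certificate entry in the CA database text."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revoked, serial, _filename, subject = fields
        rev_time, _, reason = revoked.partition(",")   # reason is optional
        entries.append({"status": status, "serial": serial, "subject": subject,
                        "expires": parse_time(expiry),
                        "revoked": parse_time(rev_time) if rev_time else None,
                        "reason": reason or None})
    return entries


def revoked_serials(entries):
    """Serials that a freshly generated CRL (openssl ca -gencrl) would list."""
    return {e["serial"] for e in entries if e["status"] == "R"}


def expiring_within(entries, now, days):
    """Subjects of still-valid (status V) certificates with under `days` days left."""
    limit = now + dt.timedelta(days=days)
    return [e["subject"] for e in entries
            if e["status"] == "V" and e["expires"] <= limit]
```

Run expiring_within against the CA database before issuing end-entity certificates: an end-entity certificate cannot outlive its issuer, which is why the intermediate CA is renewed first in step 3.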

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish technology-pki

Revision: rh362-9.1-4c6fdb8