Hello, I have been trying to set up a network server at my home using FreeNAS server. It is a server OS based off of FreeBSD. Anyway, it supports file transfer via SSH, SFTP, and has a webGUI you can access via HTTPS. I would like to use these protocols, however, I have no idea how to generate and use keys and certificates. Specifically, the webGUI calls for an X.509 certificate to authenticate. I understand the premise behind keys and certificates, I simply do not know how to generate keys and certificates, and use those generated files to authenticate on different machines. I've read many tutorials on "How to setup SSH" ...etc, but none show how to actually generate the files and administer them. The FreeNAS server as I stated is based off of FreeBSD, and I use Windows 7 on one machine I would like to connect, and Windows VISTA on another. I also want to connect my android phone, but I already know how to install certificates on that. Any help would really be appreciated. Thank you.

For anyone who may be reading this, I found the answers to my own question. Here is what I learned, and how I accomplished my task:
Software I used: Cygwin for Windows 7 (http://www.cygwin.com/). There is a special thing you have to do in the How-To's to install OpenSSL (IMPORTANT). These commands will also work on Linux machines!
Once installed, you can open up the cygwin bash shell (terminal) and type ssh-keygen
It will ask you where you want to save the file. The default is /home/User/.ssh/id_rsa (***USER being the user name, I will use USER wherever you need to type a user name***) You can make this any path and filename you like, as long as you remember what it is. This command will make TWO FILES, an id_rsa (no extension) and an id_rsa.pub
Let me explain what those two files are....
The id_rsa is the RSA PRIVATE KEY, and can be used where PEM format is needed. You can open this file using Notepad in Windows and copy the contents when you need to "Paste PEM Private Key" somewhere. This private key is the key that is distributed to the user or client you are trying to connect to your https or ssh server.
The id_rsa.pub is the public key. This public key needs to be appended to a file called authorized_keys on the server machine. The authorized_keys file is saved in the .ssh folder (if you are using cygwin, you can get to this file by typing cd /home/user/.ssh and then typing ls -l to list the files in that directory. On a default install of cygwin it is also located in C:\cygwin\home\USER\.ssh). authorized_keys also has no file extension. If this file does not exist yet, here is what you need to type into your cygwin bash shell:

cd /home/User/.ssh
touch authorized_keys
cat id_rsa.pub >> authorized_keys
So, now you have a correct authorized_keys file and a ready private key. The private key now needs to be sent to the user side and put in the user's .ssh folder, where it needs to stay. You can use any method you like to do this, but I used SCP. scp is a convenient file transfer protocol which is also secure. Here is what I typed:

cd /home/User/.ssh
scp -p id_rsa USER(or root)@USER-IP-ADDRESS:~/.ssh

It will ask for that user's password, and upon correct authentication, it will transfer the file. It may also say something like, "Authenticity of host cannot be verified" or something like that; it's ok to say yes, unless you have no idea who you are connecting to!
Ok, now you have the private key in the right spot, and the authorized_keys file correct. Having done this procedure right, the USER machine will now be able to log into the SERVER machine without a password, making it more secure. Here are some things you should know.
Each user has their own root directory (not always called "root") in a Linux based system. If you put the authorized_keys file in the folder /root/.ssh, then be sure you are trying to log into that machine as [emailprotected] or it will not work. If you want to ssh onto that machine as minus21, then you should put the authorized_keys file into the /home/minus21/.ssh folder. Remember, the machine you are trying to connect to via ssh (or sftp) is the SERVER machine. That is the machine that needs to have the authorized_keys file, and the other machine needs to have the id_rsa private key.
You can also do this whole procedure using DSA keys, however when you want to initially generate the DSA keys, you need to type in the terminal:
ssh-keygen -t dsa
The output of this command is the same, and so is the rest of the process.
Now, if you need an x509 certificate, you will need to use the private key you created before, or create a new one.
To generate a private key id_rsa.pem using the RSA-2048 algorithm: openssl genrsa 2048 > id_rsa.pem
To create a self-signed certificate auth.crt with the private key auth.pem: openssl req -x509 -new -key auth.pem > auth.crt
Remember, if your shell (terminal) is not located at the moment in the directory where you are calling the private key from, or where you want to put the certificate into, the names of the key and certificate need to include the path, i.e.:
To create a self-signed certificate auth.crt with the private key auth.pem: openssl req -x509 -new -key /home/USER/.ssh/auth.pem > /home/USER/certs/auth.crt
You can also create certificates in another way, using a certificate signing request (csr):
To create a certificate signing request example.csr with the private key example.pem: openssl req -new -key example.pem > example.csr
then....
To create a signed certificate example.crt from example.csr: openssl x509 -req -CA auth.crt -CAkey auth.pem -CAcreateserial < example.csr > example.crt
In Windows, you will need to open this certificate with Notepad, and paste the contents where "Paste x509 certificate here" is needed. And there you have it! This is essentially all of the answers to the question I posted. I learned A LOT more on my JOURNEY, but all of that is a different subject entirely. Good luck to all who may be reading this!! Here are some other useful SSL commands:
To generate a public key id_rsa.pub from private key id_rsa.pem: openssl rsa -pubout < id_rsa.pem > id_rsa.pub
To verify that auth.crt is a valid certificate (it is self-signed, so it must be trusted explicitly): openssl verify -CAfile auth.crt < auth.crt
To verify that example.crt is a valid certificate: openssl verify -CAfile auth.crt < example.crt
To create a PKCS#12 keystore: (for Microsoft compatibility) cat example.pem example.crt | openssl pkcs12 -export > example.pfx
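The full certificate procedure from the post above, as an added example that is not part of the original post: it builds the self-signed "auth" certificate, issues a server certificate from a CSR, checks that the leaf verifies against auth.crt and that its key matches, then exports the PKCS#12 bundle. The file names, the subjects (home-ca, freenas.local) and the password "changeit" are assumptions chosen for this example; everything runs non-interactively via -subj.

```shell
#!/bin/sh
# Added example (not the original poster's commands). Assumed names: auth.*
# for the self-signed CA, example.* for the server, password "changeit".
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Step 1: private key plus self-signed auth.crt, which acts as the local CA.
make_ca() {
  openssl genrsa -out auth.pem 2048 2>/dev/null
  openssl req -x509 -new -key auth.pem -days 365 \
    -subj "/CN=home-ca" -out auth.crt 2>/dev/null
}

# Step 2: server key and CSR, then sign the CSR with the CA from step 1.
make_leaf() {
  openssl genrsa -out example.pem 2048 2>/dev/null
  openssl req -new -key example.pem -subj "/CN=freenas.local" \
    -out example.csr 2>/dev/null
  openssl x509 -req -in example.csr -CA auth.crt -CAkey auth.pem \
    -CAcreateserial -days 365 -out example.crt 2>/dev/null
}

# Step 3: a self-signed cert is only trusted if you point -CAfile at it;
# the leaf must chain to auth.crt and its private key must match the cert.
verify_chain() {
  openssl verify -CAfile auth.crt auth.crt >/dev/null 2>&1 || return 1
  openssl verify -CAfile auth.crt example.crt >/dev/null 2>&1 || return 1
  key_mod=$(openssl rsa -in example.pem -noout -modulus 2>/dev/null)
  crt_mod=$(openssl x509 -in example.crt -noout -modulus 2>/dev/null)
  [ "$key_mod" = "$crt_mod" ]
}

# Step 4: PKCS#12 bundle for Windows; reading it back checks the MAC/password.
make_pfx() {
  openssl pkcs12 -export -inkey example.pem -in example.crt \
    -out example.pfx -passout pass:changeit 2>/dev/null
  openssl pkcs12 -in example.pfx -passin pass:changeit -noout 2>/dev/null
}

make_ca && make_leaf && verify_chain && make_pfx && echo "chain OK in $WORK"
```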