- Certificate Authority -

Lab Goals


  1. Understand the functions of a certificate authority
  2. Understand how a certificate request is generated and signed
  3. Understand how a simple web server works and interacts with a certificate authority

Quick introduction to LAMP


  • LAMP is short for the software bundle of Linux operating system, Apache HTTP Server, MySQL database management system, and PHP programming language.
  • This bundle fills the role of a web server and can drive web applications. Although not originally designed to work together, these open-source packages are relatively simple and easy to use.
  • Besides these four software packages, this software bundle can also be combined with many other free and open-source software packages.

Quick Introduction to Certificate Authority

  • A Certificate Authority is a trusted third party that issues electronic documents in order to verify a digital entity's identity on the Internet.
  • In cryptographic terms, a certificate authority verifies that the public key in a certificate belongs to the certificate's named subject.

Part 1: Setting up your Topology

  1. In your slice, click on the "Add Resources" button.
  2. Next, drag and drop four Xen VMs and name them as in the image below.
  3. The node named CA will be the certificate authority in this experiment.
  4. The node named WS will be the web server in this experiment, and we will install LAMP on this node to enable it to act as a web server.
  5. Once the nodes turn green, the machines are ready for use and we can continue to the next steps.

Part 2: Setting up LAMP on the Web Server

  1. The GENI nodes already run Linux as the operating system, so we only need to install the remaining components: Apache, MySQL, and PHP. It is important to install PHP last, because the PHP packages depend on the services of Apache and MySQL.
  2. Use SSH to log into the "ws" node. The following installation steps are all run on this node.
  3. Before installing, download the package lists from the repositories and "update" them to get information on the newest versions of packages and their dependencies. Execute the following command: sudo apt-get update

Part 2 (cont.): Installing MySQL

  1. To install MySQL, execute the following command: sudo apt-get install mysql-server
  2. After the installation of MySQL, verify that it was successful. Execute the following command: sudo netstat -tap | grep mysql
  3. If the output shows MySQL listening on its port, as in the following, then we know it was installed successfully.

Part 2 (cont.): Installing Apache

  1. To install Apache, execute the following command: sudo apt-get install apache2
  2. We can open a browser to check whether it was installed successfully. However, displaying graphics from a GENI node requires third-party software on your local machine. We will cover this later.

Part 2 (cont.): Installing PHP

  1. To install PHP, execute the following command: sudo apt-get install php libapache2-mod-php
  2. After this installation, a folder named "www" will be created under /var. This folder is reserved for the source code of the website.

Part 2 (cont.): Installing the extension packets of PHP and MySQL

  1. To install the PHP and MySQL extensions, execute the following command: sudo apt-get install php-pear php-fpm php-dev php-zip php-curl php-xmlrpc php-gd php-mysql php-mbstring php-xml libapache2-mod-php
  2. Install some additional packages for PHP: sudo apt-get install php-intl php-imagick php-imap php-mcrypt php-memcache php7.0-ps php-pspell php-recode php-snmp php7.0-sqlite php-tidy php7.0-xsl

Part 3: Enabling SSL connection of Apache

  1. Because we will install the digital certificate later, we need to enable SSL connections in Apache.
  2. First, a brief introduction to the Apache configuration files.
  3. There are several configuration files in the Apache folder (/etc/apache2). In old versions of Apache there was only one configuration file, named "httpd.conf". In the current version the main configuration file is "apache2.conf". We can take a quick look at this file.
  4. There are many "Include" directives in this file. This means the Apache server reads this file first, and the other configuration files are pulled in through these "Include" directives.
  5. The SSL configuration file belongs in the "sites-enabled" folder. Use the following command to create a configuration file for the SSL connection: sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
  6. Then we modify this default-ssl.conf as shown in the image.
  7. Here, 172.17.2.41 is the IP address of our web server. You can use the command "ifconfig" to check yours. "443" is the port number for the SSL connection.
  8. We temporarily named our server jhuws.edu. The digital certificate file is jhuws.crt, and its private key file is jhuws.key. You can choose other names, but make sure to use the same names later.
  9. If you receive a "connection refused" message when connecting to port 443 on the web server, enable the SSL module of Apache2 with the following command: sudo a2enmod ssl
  10. Then restart the apache2 service using the following command: sudo service apache2 restart
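As an added illustration (not the lab's own screenshot), the lines in default-ssl.conf that matter for this lab look like this with the lab's values; the directives not named in the steps above follow the Ubuntu default file and are assumed:

```apache
<IfModule mod_ssl.c>
    <VirtualHost 172.17.2.41:443>
        ServerName jhuws.edu
        DocumentRoot /var/www/html

        SSLEngine on
        # certificate issued by our CA and its private key (installed in Part 8)
        SSLCertificateFile    /etc/ssl/certs/jhuws.crt
        SSLCertificateKeyFile /etc/ssl/private/jhuws.key

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>
```

After editing, sudo apache2ctl configtest reports syntax errors before you restart the service.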

Part 4: Installing and enabling a browser on GENI

  1. On our "user" node we will use a web browser to interact with our web server.
  2. We chose the Firefox browser for this experiment. To install it, SSH into the "user" node and execute the following command: sudo apt-get install firefox
  3. The next step differs between Windows, Mac and Linux operating systems. On Windows and MacOS we need third-party software to display graphics from the GENI node.

Part 4: Installing and enabling a browser on GENI (Windows)

  1. Install the Xming software on your local operating system. Xming is an X11 display server for Microsoft Windows operating systems. Then, run it to start the X server. You should see the Xming icon in the taskbar if it is running.
  2. Then, use PuTTY to log onto the GENI node. Remember to click the option for X11 in addition to the other steps for logging in to a GENI node using PuTTY.
  3. Now when we execute the command firefox we should see a browser GUI displayed with the help of Xming.

Part 4: Installing and enabling a browser on GENI (MacOS)

  1. Install XQuartz on your Mac. XQuartz is an X server designed for MacOS.
  2. Right click on the XQuartz icon in the dock, and select Applications > Terminal. This should bring up a new xterm terminal window.
  3. Then, make an ssh connection to the GENI node in this terminal window. Make sure to include the "-Y" flag.
  4. Now execute the command "firefox", and with the help of XQuartz a GUI window of Firefox should appear.

Part 4: Installing and enabling a browser on GENI (Linux)

  1. It is much simpler when you are using a Linux operating system. Just ssh into the Linux system of your choice using the “-Y” flag.
  2. Then simply run the "firefox" command.

Part 5: Testing Apache and PHP services

  1. Open the Firefox browser on the "user" machine.
  2. Enter "127.0.0.1" into the browser. Note: if the local IP does not work, use the public IP of the "user" machine (in our example it is "192.122.236.81"). If you see the following image, the Apache service is successfully installed.
  3. We can write a simple PHP page and run it to test whether the PHP service is installed successfully.
  4. If you are on a Windows machine, you can use the WinSCP software to write the PHP source code. Instructions on how to log in to a GENI node using WinSCP can be found at the following link: http://mountrouidoux.people.cofc.edu/CyberPaths/winscp.html
  5. Mac and Linux users can write the PHP code on their local machine with the text editor of their choice and upload it using SFTP. More instructions on SFTP can be found here: http://mountrouidoux.people.cofc.edu/CyberPaths/sftpmac.html
  6. Under the "/var/www/html" folder, create a file named "info.php" and write the following code in it:
    <?php
    phpinfo();
    ?>
  7. Now we need to restart the Apache server. Execute the following command: sudo /etc/init.d/apache2 restart
  8. Run the browser and enter "127.0.0.1/info.php". If we can see the PHP configuration information, then we know the PHP service was installed successfully.

Part 6: Setting Up Certificate Authority

  1. The GENI nodes have OpenSSL already installed. OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the SSL and TLS protocols.
  2. We can take a quick look at OpenSSL on the GENI node. Its folder is "/etc/ssl". We can see three items already in this folder.
  3. The "certs" folder stores the digital certificates of this machine. The "private" folder stores the private keys of the digital certificates. The "openssl.cnf" file is the main configuration file of OpenSSL.
  4. Right now, these files are not enough to enable the full CA function of OpenSSL. We need some additional configuration.
  5. First, we need to create some new files in /etc/ssl/ so that our CA node can play the role of a functioning certificate authority. Create the "newcerts" folder and the "index.txt" file.
  6. Next, create a "serial" file and set the serial number as pictured below.
  7. Now we need to make some edits to the openssl.cnf file, which is used mainly for the generation of certificate requests. Before we can do so, we need to change its permissions with the following command: sudo chmod 777 openssl.cnf. If you are a Windows user you can use the WinSCP editor. If you are on a Mac/Linux machine, either download the file, make the changes locally and re-upload it, or use a terminal text editor such as "nano" or "vim".
  8. Set the values as pictured below.
  9. Next, we need to generate the root private key for the certificate authority's root certificate. Execute the following command: openssl genrsa -out private/cakey.pem 2048
  10. Finally, create the root digital certificate for the certificate authority by executing: openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Part 7: Generating a certificate signing request

  1. In this part we generate a certificate signing request (CSR) on the web server. First, SSH into the web server.
  2. Then generate a private key for the web server: sudo openssl genrsa -out jhuws.key 2048
  3. Now configure the openssl.cnf file just as we did previously on the certificate authority node.
  4. Next, generate the certificate signing request for the web server: sudo openssl req -new -key jhuws.key -out jhuws.csr. When the prompts appear, make sure to enter "jhuws.edu" for the Common Name, as pictured below.

Part 8: Issuing a digital certificate

  1. In this step, the CA node needs to receive the signing request from the web server. We can use WinSCP or SFTP to send the jhuws.csr file from the ws node to the CA node. Before sending it, use the chmod command to allow access: sudo chmod 777 jhuws.csr
  2. Once the request is on the CA node, sign it with the following command: openssl ca -in /etc/ssl/jhuws.csr -out /etc/ssl/jhuws.crt -days 3650
  3. Then send the issued digital certificate back to the WS node, again with WinSCP or SFTP.
  4. Then use the next two commands to install the web server's digital certificate; in other words, put the certificate file and the key file into the folders the web server expects (the paths configured in default-ssl.conf).
    • sudo cp jhuws.crt /etc/ssl/certs
    • sudo cp jhuws.key /etc/ssl/private
  5. Now, before opening the browser to see the result, copy the "cacert.pem" file from the CA node to the user node. The user node needs the CA's root certificate in order to verify the certificate the CA issued to the web server. In addition, change the file extension from ".pem" to ".crt".
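The CA set-up, key generation, signing request and issuance of Parts 6 to 8, as one added shell example (not the lab's own commands): it runs in a scratch directory instead of /etc/ssl and ends with the same trust check that curl --cacert performs in Part 9. The openssl.cnf contents and the -subj values are assumptions; the file names follow the lab.

```shell
# Added example (not the lab's own commands): a throwaway CA in a scratch
# directory mirroring Parts 6-8, ending with "openssl verify" on the issued
# certificate. File names follow the lab; openssl.cnf and -subj are assumed.
set -eu
build_and_verify() {
  root=$1; mkdir -p "$root/newcerts" "$root/private"
  : > "$root/index.txt"       # empty database of issued certificates
  echo 01 > "$root/serial"    # first serial number the CA will hand out
  chmod 700 "$root/private"   # the CA key must not be world-readable
  # Minimal openssl.cnf: [ca] is read by "openssl ca", [req] by "openssl req"
  cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $root
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 3650
policy = lab_policy
x509_extensions = server_ext
[ lab_policy ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:jhuws.edu
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
  # Part 6: CA private key and self-signed root certificate
  openssl genrsa -out "$root/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$root/private/cakey.pem" \
    -out "$root/cacert.pem" -subj "/CN=Lab Root CA" -config "$root/openssl.cnf"
  # Part 7: web server key and a CSR whose common name is jhuws.edu
  openssl genrsa -out "$root/jhuws.key" 2048 2>/dev/null
  openssl req -new -key "$root/jhuws.key" -out "$root/jhuws.csr" \
    -subj "/CN=jhuws.edu" -config "$root/openssl.cnf"
  # Part 8: the CA signs the request (-batch answers the y/n prompts)
  openssl ca -batch -config "$root/openssl.cnf" -in "$root/jhuws.csr" \
    -out "$root/jhuws.crt" -days 3650 2>/dev/null
  openssl verify -CAfile "$root/cacert.pem" "$root/jhuws.crt"  # curl's check
}
build_and_verify "$(mktemp -d)"
```

The -subj flags replace the interactive prompts of openssl req and -batch the y/n questions of openssl ca; nothing here needs sudo or chmod 777, because the files are created under a directory owned by the user running the script and the key directory is mode 700.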

Part 9: Results of issued digital certificate

  1. Now, we can view the result of the work we have done. The following operations are all on the user node.
  2. Because the browser display on GENI is rather slow, we first check our work by installing "curl" and performing a quick test. Curl is a tool that allows us to make HTTP requests from the command line.
  3. Install curl by executing: sudo apt-get install curl
  4. Now we make some modifications to the hosts file (/etc/hosts). The hosts file translates a host name to an IP address on the local machine before any DNS request is made to resolve the name. Change the permissions of the hosts file: sudo chmod 777 hosts. Now edit it so that the IP address of the ws node is mapped to the server name "jhuws.edu", like so.
  5. Now use curl to see whether our web server is working properly: curl jhuws.edu
  6. The command should return the HTML of the Apache default page.
  7. Now, to test whether the SSL configuration we modified earlier works, execute the following command: curl https://jhuws.edu --cacert cacert.crt
  8. Again the HTML of the Apache default page should appear. This means we have successfully made an HTTP over SSL connection to our web server.
  9. Now we make the same HTTPS connection with our web browser. First, open Firefox on the user node. Next we install our CA certificate into the browser. Go to the Preferences option of the browser.
  10. Then go to Advanced and then to the Certificates options. Click on "View Certificates".
  11. Then import the cacert.crt file we put on the user node earlier.
  12. Now our certificate authority is in the browser's list of certificate authorities.
  13. We visit http://jhuws.edu/info.php first and see that the connection is insecure.
  14. Then we visit https://jhuws.edu/info.php and see a green lock, showing that the connection is now secure.
  15. We can view the details of this connection by clicking on the ">" symbol. The information we entered when making the digital certificate is shown in this display. With that, we have finished the experiment of building a certificate authority and issuing a digital certificate.