
PKI Processing with OpenSSL


Presentation Transcript


  1. PKI Processing with OpenSSL Rodney Thayer rodney@tillerman.to

  2. Contents
     • Standards
     • Protocols
     • OpenSSL as a Tool
     • OpenSSL as PKI Tool
     • OpenSSL as PKI Subsystem

  3. Introduction
     • Open source OpenSSL (formerly SSLeay)
     • Processes IETF TLS and SSL 2, 3 (Netscape)
     • Processes public key certificates (for PKI)

  4. Standards
     • Algorithms: RSA, DSA, MD5, SHA-1
     • RFC 2459 (PKIX); X.509
     • DER and PEM
     • PKI standard features: roots, CRLs, OCSP
     • PKCS 7, 1, 10

  5. Protocols
     • TLS and SSL, using certificates
     • S/MIME
     • IPsec for VPNs

  6. OpenSSL as a Tool

  7. ‘openssl’ - the program
     • apps/ directory
     • commands for TLS tests
     • commands for crypto
     • commands for cert processing
     • uses simple keystore
     • uses DER and PEM format certificates

  8. Standard commands
     asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam enc errstr gendh gendsa genrsa nseq passwd pkcs12 pkcs7 pkcs8 rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509

  9. Message digest commands (see the `dgst' command for more details)
     md2 md4 md5 mdc2 rmd160 sha sha1

  10. Cipher commands (see the `enc' command for more details)
     base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb

  11. OpenSSL as a PKI Tool

  12. ‘openssl’ - the program
     • apps/ directory
     • commands for TLS tests
     • commands for crypto
     • commands for cert processing
     • uses simple keystore
     • uses DER and PEM format certificates

  13. ‘openssl’ commands
     • asn1parse
     • ca
     • crl
     • crl2pkcs7
     • dsaparam

  14. ‘openssl’ commands (cont.)
     • pkcs7
     • req
     • x509

  15. OpenSSL as a Subsystem
     • Builds to a library
     • API for certificate processing
     • API for underlying crypto operations
     • used by TLS/SSL and the ‘openssl’ application

  16. Subsystem Uses
     • TLS and SSL
     • S/MIME
     • OpenSSH
     • GPKCS
     • Embedded systems

  17. API Calls for Cert Request
     • See apps/req.c
     • 1. Make key pair
     • 2. Configure certificate request
     • 3. Sign certificate request
     • 4. Output as DER or PEM
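The four steps of slide 17, driven from the ‘openssl’ command line instead of the C API in apps/req.c, as an added example that is not part of the presentation. It assumes an openssl binary on PATH and a writable scratch directory; the subject name is constructed, and the check function shows what a CA front end verifies before it signs anything.

```shell
# Added example: build a PKCS#10 certificate request with the openssl tool.
# Assumes 'openssl' is on PATH; the subject below is a constructed placeholder.
set -eu

make_csr() {
  dir="$1"                      # scratch directory for key and request files
  umask 077                     # private key must not be readable by others
  # 1. Make key pair (RSA 2048, PEM encoded)
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  # 2. Configure the request (subject + public key) and
  # 3. sign it with the matching private key; -new does both in one step
  openssl req -new -key "$dir/key.pem" \
    -subj "/C=US/O=Example Org/CN=example.test" \
    -out "$dir/req.pem" 2>/dev/null
  # 4. Output as DER in addition to the PEM written above
  openssl req -in "$dir/req.pem" -outform DER -out "$dir/req.der" 2>/dev/null
}

# What a CA front end should confirm before signing: the request's
# self-signature verifies (proof of possession of the private key) and the
# public key inside the request is the one belonging to the key we generated.
check_csr() {
  dir="$1"
  openssl req -in "$dir/req.pem" -noout -verify >/dev/null 2>&1 || return 1
  from_csr=$(openssl req  -in "$dir/req.pem" -noout -pubkey | openssl md5)
  from_key=$(openssl pkey -in "$dir/key.pem" -pubout       | openssl md5)
  [ "$from_csr" = "$from_key" ]
}

# Usage: d=$(mktemp -d); make_csr "$d" && check_csr "$d" && echo "CSR OK"
```

The DER output can be inspected with the asn1parse command from slide 13 (`openssl asn1parse -inform DER -in req.der`), which is a quick way to see the CertificationRequestInfo, signature algorithm and signature that make up a PKCS#10 structure.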

  18. (slide contains no transcribed text)

  19. Conclusion
     • General purpose cryptographic tool
     • Provides PKI processing
     • Out of the box support for standards
     • Published API
     • Definitely product-grade solution

  20. Contact Info
     Rodney Thayer
     The Tillerman Group
     rodney@tillerman.to
     http://www.pkiclue.com/presentations
