This post walks through how to use OpenSSL to set up a new Certificate Authority and to issue a certificate from that CA for signing an InfoPath form. I have tried to keep it simple; I hope it helps.
Step 1: Download the OpenSSL installer for Windows from http://www.slproweb.com/products/Win32OpenSSL.html.
Once installed, OpenSSL ships with a default configuration file (bin\openssl.cfg) whose CA section points at a CA directory named demoCA; we will make our own copy of that file and point it at our own folders instead.
Now add the bin directory of the OpenSSL installation folder to the PATH environment variable.
Step 2: Let's set up our own Certificate Authority. Every CA needs a CA root folder holding a fixed folder structure and a couple of default files that OpenSSL uses when it issues certificates.
Create the folder C:\OpenSSLCA\CARoot (I am assuming it's created under the C:\ drive for this article). This folder is the CA root, and every file and command below is relative to it. Inside it create the sub-folders listed below plus an empty text file named "index.txt" (open Notepad, do not type anything, and save it with the filename index.txt under CARoot). "index.txt" acts as the database in which OpenSSL records every certificate it issues.
- Folder "certreq" -> stores all the certificate requests submitted to this certificate authority
- Folder "certs" -> stores all the issued certificates
- Folder "crl" -> stores the certificate revocation list
- Folder "newcerts" -> where OpenSSL puts a copy of each certificate it signs, in PEM format, named after its serial number; OpenSSL needs this folder, so we have to create it
- Folder "private" -> stores all the private keys (restrict access to this folder to the CA operator)
Open a command prompt and navigate to the CA root folder (Start -> Run -> CMD (enter key) -> CD C:\OpenSSLCA\CARoot).
Enter the command (echo 01> serial) and press enter; this creates the file "serial" under CARoot, holding the serial number OpenSSL will give the next certificate. Note that there is no space before the ">": cmd copies a space typed before the redirection into the file, and a serial file containing "01 " makes OpenSSL fail to load the serial number when it issues a certificate.
Copy the default OpenSSL configuration file into our CA root folder under a new name (from the same prompt: copy "<<OpenSSL Installation Root>>\bin\openssl.cfg" MyCompany.cfg).
Let me give a brief description of the file extension naming conventions we are going to use:
- KEY – Private key (restrictive permissions should be set on this)
- CSR – Certificate Signing Request (this will be signed by our CA in order to create the certificate; afterwards it is not needed and can be deleted)
- CRT – Certificate (this can be publicly distributed)
- PEM – We will use this extension for files that contain both the key and the certificate (some servers need this). Permissions should be restrictive on these files.
- CRL – Certificate Revocation List (this can be publicly distributed)
Step 3: Let's generate the root certificate for the CA. Navigate to the CA root folder (C:\OpenSSLCA\CARoot) and enter the statement below.
OpenSSL req -config MyCompany.cfg -new -x509 -keyout private/MyCompany.key -out certs/MyCompany.crt -days 365
Enter a passphrase for the root CA private key, followed by the other information about the certificate authority (country, organisation, common name). Choose a strong passphrase: anyone holding private/MyCompany.key together with that passphrase can issue certificates that everybody who trusts this CA will accept.
OpenSSL now generates a self-signed certificate and an encrypted private key for the certificate authority. Note that -days 365 gives the root only one year of validity, and every certificate it issues stops validating once the root expires; for a private root a longer lifetime (for example -days 3650) is usual.
Step 4: Our CA certificate now exists. Let's change the CA configuration file to point it at the right folders and files.
Open the MyCompany.cfg that we copied in Step 2 in Notepad / WordPad. Around line 35 you should see the "CA_default" section of the configuration file. The following entries need to be changed to the values below. The last one is easy to miss: the stock file points at private/cakey.pem, and the ca command will fail with a missing-key error if it is left unchanged.
dir = .
certificate = $dir/certs/MyCompany.crt
private_key = $dir/private/MyCompany.key
Save the file. Because dir = . makes every path relative to the current directory, all the OpenSSL commands below must be run from C:\OpenSSLCA\CARoot.
Step 5: Now our CA is ready to issue certificates for certificate requests.
Let's assume that we are building an application with InfoPath / MOSS 2010 for a company "DingDong" and we want to issue a certificate to "DingDongIT", which will be used to sign the InfoPath form.
There are three sub-steps: first generate a certificate request, then have the CA generate the certificate from it, and finally package the certificate together with its private key in .p12 (PKCS#12) format, because InfoPath needs the certificate in .p12 format.
Generate the certificate request:
Navigate to the CA root folder on the command line (C:\OpenSSLCA\CARoot).
OpenSSL req -config MyCompany.cfg -new -keyout private/DingDongIT.key -out certreq/DingDongIT.csr
Enter a passphrase for the new private key along with the company information for "DingDong". (A -days option is pointless here: it only affects self-signed certificates made with -x509; the validity of a CA-issued certificate is set by the CA, from default_days in MyCompany.cfg or a -days option on the ca command.)
OpenSSL now generates a new private key in "private" and a certificate request for DingDongIT in the "certreq" folder.
Generate the certificate (use the request to generate the certificate):
OpenSSL ca -config MyCompany.cfg -policy policy_anything -out certs/DingDongITCertificate.crt -infiles certreq/DingDongIT.csr
You will be asked for the CA private key passphrase and then to confirm signing and committing the certificate. This generates the certificate for DingDongIT (the private key was already created in the previous step), records it in index.txt, and drops a copy in "newcerts" named after its serial number.
Generate the certificate with its private key in .p12 format:
OpenSSL pkcs12 -export -in certs/DingDongITCertificate.crt -inkey private/DingDongIT.key -certfile certs/MyCompany.crt -out certs/DingDongITCertificate.p12
You will be asked for the DingDongIT key passphrase and then for an export password that protects the .p12 file. This merges the DingDongIT private key, the DingDongIT certificate and the root CA certificate into a .p12 file and places it in the "certs" folder.
Now our certificate is ready to be used in InfoPath. Give the .p12 file to DingDongIT and send the export password separately (the .p12 contains the private key, so the file and its password should not travel together).
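Steps 2 to 5 as one script, added here as an example and not part of the original post. It is POSIX sh against OpenSSL 1.1.1 or 3.x, using the same OpenSSL commands as above, so it also runs on Windows under Git Bash or WSL. Everything beyond the post's commands is my choice rather than the post's: passphrases are supplied with -passout/-passin instead of being typed, MyCompany.cfg is a minimal hand-written file rather than a copy of the stock openssl.cfg, keys are RSA-2048, the root gets ten years, and the signer's certificate carries a codeSigning extended key usage. It also includes the private_key entry that Step 4 needs and ends with the checks the post leaves to the MMC: the leaf chains to the root, the .p12 opens with its password, and index.txt records the issuance.

```shell
#!/bin/sh
# Added example, not code from the original post: Steps 2-5 as one
# non-interactive script for OpenSSL 1.1.1/3.x. My assumptions, not the
# post's: passphrases via -passout/-passin, RSA-2048, a 10-year root, and
# a codeSigning EKU on the signer's certificate.
set -eu

# Step 2: CA root layout, database files and a minimal MyCompany.cfg.
setup_ca() {
  root="$1"                        # the post's C:\OpenSSLCA\CARoot
  mkdir -p "$root/certreq" "$root/certs" "$root/crl" "$root/newcerts" "$root/private"
  chmod 700 "$root/private"
  : > "$root/index.txt"            # empty; openssl ca appends one line per cert
  printf '01\n' > "$root/serial"   # no trailing space: "01 " does not parse
  # private_key is the entry the stock config points at private/cakey.pem.
  cat > "$root/MyCompany.cfg" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/certs/MyCompany.crt
private_key = $dir/private/MyCompany.key
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 3 and 5: root certificate, then the signer's key, CSR, certificate and .p12.
build_chain() {
  root="$1"; ca_pass="$2"; user_pass="$3"; p12_pass="$4"
  ( cd "$root"
    openssl req -config MyCompany.cfg -new -x509 -days 3650 \
      -subj "/O=MyCompany/CN=MyCompany Root CA" -passout "pass:$ca_pass" \
      -keyout private/MyCompany.key -out certs/MyCompany.crt
    # No -days here: it is ignored on a CSR; the CA's default_days decides validity.
    openssl req -config MyCompany.cfg -new -subj "/O=DingDong/CN=DingDongIT" \
      -passout "pass:$user_pass" -keyout private/DingDongIT.key -out certreq/DingDongIT.csr
    # -batch answers the sign/commit prompts; -infiles must stay the last option.
    openssl ca -config MyCompany.cfg -policy policy_anything -batch -notext \
      -passin "pass:$ca_pass" -out certs/DingDongITCertificate.crt \
      -infiles certreq/DingDongIT.csr >/dev/null
    # 3DES/SHA-1 PBE keeps the .p12 importable by older Windows releases, which
    # reject OpenSSL 3's default AES-256/PBKDF2 encryption.
    openssl pkcs12 -export -in certs/DingDongITCertificate.crt -inkey private/DingDongIT.key \
      -certfile certs/MyCompany.crt -passin "pass:$user_pass" -passout "pass:$p12_pass" \
      -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
      -out certs/DingDongITCertificate.p12
  )
}

# Checks the post leaves implicit: leaf chains to root, .p12 opens, database updated.
verify_chain() {
  root="$1"; p12_pass="$2"
  ( cd "$root"
    openssl verify -CAfile certs/MyCompany.crt certs/DingDongITCertificate.crt >/dev/null &&
    openssl pkcs12 -in certs/DingDongITCertificate.p12 -passin "pass:$p12_pass" -noout &&
    grep -q 'CN=DingDongIT' index.txt
  )
}

# Usage: sh make_ca.sh /tmp/CARoot   (the passphrases below are placeholders)
if [ $# -ge 1 ]; then
  setup_ca "$1"
  build_chain "$1" capass userpass p12pass
  verify_chain "$1" p12pass && echo "chain OK: $1/certs/DingDongITCertificate.p12"
fi
```

Run it as `sh make_ca.sh /tmp/CARoot`. The -keypbe/-certpbe/-macalg flags on the pkcs12 step matter on OpenSSL 3, whose default PKCS#12 encryption (AES-256 with PBKDF2) older Windows releases refuse to import; on OpenSSL 1.1.1 they are harmless. After a run, "serial" reads 02 and index.txt has one "V" line for DingDongIT, which is what the ca command's bookkeeping looks like when it succeeds.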
Step 6: Now DingDongIT has to install the certificate. Double-click the .p12 file and follow the wizard steps; it asks for the export password and then imports the certificate and private key into the personal store.
To check the import, open the Microsoft Management Console (Start -> Run -> MMC (enter key)).
In the menu select File -> Add/Remove Snap-ins, select the Certificates option, and choose "My User Account" in the popup. This opens the certificate store for the currently logged-in user. If you expand the tree view "Personal" -> "Certificates" you should see the certificate you just installed.
Now open the InfoPath form in Design view. Go to Form Options -> Security and Trust and tick the checkbox "Sign this form template". Click the "Select Certificate" button and you should see the certificate you just installed, issued by the newly created Certificate Authority.
I came across this article, which is a good and quick way for developers to set up digitally signed certificates for InfoPath development.