Experience in using Rutoken technology for registering and authorizing users in the system (part 2)

Good afternoon! Let's continue with this topic (the previous part can be found at the link).

Today we move on to the practical part. Let's start by setting up our CA on top of the full-featured open source cryptographic library openSSL. This procedure has been tested on Windows 7.

With openSSL installed, we can perform various cryptographic operations (such as creating keys and certificates) via the command line.

The algorithm of actions is as follows:

  1. Download the installation distribution openssl-1.1.1g.
    openSSL has different versions. The Rutoken documentation states that openSSL version 1.1.0 or newer is required. I used the openssl-1.1.1g version. You can download openSSL from the official site, but for an easier installation you need to find an installer for Windows on the net. I did this for you: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download Win64 OpenSSL v1.1.1g EXE 63MB Installer.
  2. Install openssl-1.1.1g on the computer.
    Install to the default path, C:\Program Files, which the installer suggests automatically. The program will be installed in the OpenSSL-Win64 folder.
  3. openSSL is configured through the openssl.cfg file. If you installed openSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open the file with, for example, Notepad++.
  4. You probably guessed that the certification authority will be configured by changing the contents of the openssl.cfg file, and you are absolutely right. This requires customizing the [ ca ] section. In the openssl.cfg file, the beginning of the text where we will make changes can be found by searching for: [ ca ].
  5. Now I will give an example of a setting with its description:
    [ ca ]
    default_ca      = CA_default

    [ CA_default ]
    dir             = /Users/username/bin/openSSLca/demoCA
    certs           = $dir/certs
    crl_dir         = $dir/crl
    database        = $dir/index.txt
    new_certs_dir   = $dir/newcerts
    certificate     = $dir/ca.crt
    serial          = $dir/private/serial
    crlnumber       = $dir/crlnumber

    crl             = $dir/crl.pem
    private_key     = $dir/private/ca.key
    x509_extensions = usr_cert

    Now we need to create the demoCA directory and its subdirectories as shown in the example above, at the path specified in dir (in my case /Users/username/bin/openSSLca/demoCA).

    It is very important to spell dir correctly - this is the path to the directory where our certification authority will be located. This directory must be located under /Users (that is, in the profile of some user account). If you place this directory, for example, in C:\Program Files, the system will not see the openssl.cfg settings file (at least that is how it was for me).

    $dir - the path specified in dir is substituted wherever $dir appears.

    Another important point is to create an empty index.txt file; without this file the "openssl ca ..." commands will not work.

    You also need a serial file, a root private key (ca.key) and a root certificate (ca.crt). The process of obtaining these files is described below.

  6. We connect the encryption algorithms provided by Rutoken.
    This connection takes place in the openssl.cfg file.

    • First of all, you need to download the necessary Rutoken algorithms. These are the files rtengine.dll, rtpkcs11ecp.dll.
      To do this, download the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK is everything a developer needs to try out Rutoken. It contains both standalone examples of working with Rutoken in different programming languages and several libraries. Our libraries rtengine.dll and rtpkcs11ecp.dll are located in the Rutoken SDK at, respectively:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      A very important point: the libraries rtengine.dll and rtpkcs11ecp.dll do not work without the installed Rutoken driver, and the Rutoken must be connected to the computer (for installing everything Rutoken needs, see the previous part of the article: habr.com/en/post/506450).

    • The rtengine.dll and rtpkcs11ecp.dll libraries can be kept anywhere inside the user's profile directory.
    • We write the paths to these libraries in openssl.cfg. To do this, open the openssl.cfg file and put the following line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file you need to add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND
      

      dynamic_path - your own path to the rtengine.dll library.
      MODULE_PATH - your own path to the rtpkcs11ecp.dll library.

  7. Adding environment variables.

    Be sure to add an environment variable that specifies the path to the openssl.cfg configuration file. In my case, the OPENSSL_CONF variable was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the PATH variable, you must add the folder where openssl.exe is located; in my case it is: C:\Program Files\OpenSSL-Win64\bin.

  8. Now you can go back to step 5 and create the missing files for the demoCA directory.
    1. The first important file, without which nothing will work, is serial. This is a file without an extension whose content should be 01. You can create this file yourself and write 01 inside. You can also take it from the Rutoken SDK at the path sdk/openssl/rtengine/samples/tool/demoCA/.
      That demoCA directory contains the serial file, which is exactly what we need.
    2. Create a root private key.
      To do this, we will use the openSSL library command, which must be run directly on the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. We create a root certificate.
      To do this, use the following openSSL library command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Please note that the root private key generated in the previous step is required to generate the root certificate, so run this command from the same directory that contains ca.key.

    We now have all the files that were missing for the complete configuration of the demoCA directory. Place the created files in the directories indicated in point 5.
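    The directory layout from point 5 and the seed files from point 8 can be created in one go. The script below is an added example, not code from the article or from the Rutoken SDK; it assumes the argument is the directory named in dir of openssl.cfg, that OPENSSL_CONF already points at the configured openssl.cfg (point 7), and that the shell is a POSIX one (on Windows, Git Bash or similar). The -subj and -days additions to the article's openssl req command, and the example DN, are assumptions; replace the DN with your own.

```shell
#!/bin/sh
# Added example (not part of the original article): build the demoCA layout
# from point 5 and the bookkeeping files from point 8 in one step.
# Assumed: $1 is the path written in "dir = ..." of openssl.cfg.
set -u

# Create the directory tree and the files that "openssl ca" expects.
make_demo_ca() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    # index.txt is the certificate database; it must exist but may be empty.
    : > "$ca/index.txt"
    # serial holds the next certificate serial number and starts at 01
    # (the config above keeps it under private/).
    [ -f "$ca/private/serial" ] || printf '01\n' > "$ca/private/serial"
    # crlnumber plays the same role for revocation lists.
    [ -f "$ca/crlnumber" ] || printf '01\n' > "$ca/crlnumber"
    # the key directory should be readable by this user only.
    chmod 700 "$ca/private"
}

# Report whether a CA directory has everything point 5 requires; returns 0/1.
check_demo_ca() {
    ca="$1"
    for f in certs crl newcerts private index.txt private/serial crlnumber; do
        [ -e "$ca/$f" ] || { echo "missing $ca/$f" >&2; return 1; }
    done
    return 0
}

# Generate the root key and self-signed certificate with the article's
# commands (GOST R 34.10-2012, 256-bit, parameter set A via rtengine).
# Assumed: OPENSSL_CONF points at the openssl.cfg from point 7, so the
# engine section is loaded automatically.
gen_root_ca() {
    ca="$1"
    openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A \
        -out "$ca/private/ca.key" || return 1
    # -subj avoids the interactive prompt; the DN below is a placeholder.
    openssl req -utf8 -x509 -key "$ca/private/ca.key" -days 3650 \
        -subj "/C=RU/O=Example Org/CN=Example Root CA" \
        -out "$ca/ca.crt" || return 1
    # show the result so the certificate can be checked right away
    openssl x509 -in "$ca/ca.crt" -noout -subject -dates
}

# Demonstration on a scratch directory (the real path is the one in dir).
demo="$(mktemp -d)/demoCA"
make_demo_ca "$demo"
check_demo_ca "$demo" && echo "layout ok: $demo"
# gen_root_ca "$demo"   # run once the Rutoken engine from point 6 is configured
```

    gen_root_ca is left commented out in the demonstration because it needs the Rutoken driver, the connected token and the engine section from point 6; make_demo_ca and check_demo_ca work on any machine.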
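    Before running any "openssl ca" command it is worth checking that the engine wiring from point 6 is actually in place: the openssl_conf line at the top of openssl.cfg, the three sections it chains through, and DLL paths that really exist. The checker below is an added example, not code from the article or the Rutoken SDK; it assumes a POSIX shell, a config file path as its argument, and that the DLL paths in the file are visible from that shell. The sample config it writes is constructed, with empty placeholder files standing in for rtengine.dll and rtpkcs11ecp.dll.

```shell
#!/bin/sh
# Added example (not part of the original article): sanity-check the engine
# section from point 6 of openssl.cfg before using the CA.
# Assumed: $1 is the config file; DLL paths inside it are readable here.

# Print the value of "key = value" for the given key, trimming whitespace.
cfg_value() {
    # $1 = config file, $2 = key (case-sensitive, e.g. MODULE_PATH)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when the config looks right, 1 otherwise; problems go to stderr.
check_engine_cfg() {
    cfg="$1"
    status=0
    # 1. "openssl_conf = openssl_def" must be the first directive in the file.
    first=$(grep -v '^[[:space:]]*$' "$cfg" | head -n 1)
    case "$first" in
        openssl_conf*=*openssl_def*) ;;
        *) echo "first directive is not 'openssl_conf = openssl_def'" >&2; status=1 ;;
    esac
    # 2. every section in the chain openssl_def -> engine_section -> gost_section must exist.
    for sec in openssl_def engine_section gost_section; do
        grep -q "^\[[[:space:]]*$sec[[:space:]]*]" "$cfg" ||
            { echo "missing section [ $sec ]" >&2; status=1; }
    done
    # 3. dynamic_path (rtengine.dll) and MODULE_PATH (rtpkcs11ecp.dll) must be real files.
    for key in dynamic_path MODULE_PATH; do
        path=$(cfg_value "$cfg" "$key")
        if [ -z "$path" ]; then
            echo "$key is not set" >&2; status=1
        elif [ ! -f "$path" ]; then
            echo "$key points at a missing file: $path" >&2; status=1
        fi
    done
    return "$status"
}

# Write a constructed sample config plus placeholder DLL files into $1
# (the real libraries come from the Rutoken SDK; these are empty stand-ins).
write_sample_cfg() {
    mkdir -p "$1/lib"
    : > "$1/lib/rtengine.dll"
    : > "$1/lib/rtpkcs11ecp.dll"
    cat > "$1/openssl.cfg" <<EOF
openssl_conf = openssl_def

[ ca ]
default_ca = CA_default

[ openssl_def ]
engines = engine_section
[ engine_section ]
rtengine = gost_section
[ gost_section ]
dynamic_path = $1/lib/rtengine.dll
MODULE_PATH = $1/lib/rtpkcs11ecp.dll
RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
default_algorithms = CIPHERS, DIGEST, PKEY, RAND
EOF
}

# Demonstration: check the constructed sample; point it at your real
# openssl.cfg (the one OPENSSL_CONF names) to check the actual setup.
scratch=$(mktemp -d)
write_sample_cfg "$scratch"
if check_engine_cfg "$scratch/openssl.cfg"; then
    echo "engine config OK"
fi
```

    The most common failure this catches is a typo in dynamic_path or MODULE_PATH: openSSL then loads without the engine and the gost2012_256 algorithm is simply unknown, which is confusing to diagnose from the genpkey error alone.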

We will assume that after completing all 8 points our certification authority is fully configured.

In the next part, I will describe how we will work with the certification authority in order to accomplish what was described in the previous part of the article.

Source: habr.com