TLS and SSL Background
TLS is the current standard for socket layer security, succeeding SSL. TLS offers stronger encryption standards along with other security and protocol-wrapper features that advance beyond SSL. Often, the terms TLS and SSL are used interchangeably. However, as a professional CentOS Administrator, it is important to note the differences and the history separating each.
SSL goes up to version 3.0. SSL was developed and promoted as an industry standard under Netscape. After Netscape was purchased by AOL (an ISP popular in the 90's, otherwise known as America Online), AOL never really promoted the changes needed for security improvements to SSL.
At version 3.1, SSL technology moved into the open systems standards and was renamed TLS. Since the copyrights on SSL were still owned by AOL, a new term was coined: TLS, Transport Layer Security. So it is important to acknowledge that TLS is in fact different from SSL, especially as older SSL technologies have known security issues and some are considered obsolete today.
Note − This tutorial will use the term TLS when speaking of technologies 3.1 and higher, and SSL when commenting specifically on SSL technologies 3.0 and lower.
SSL vs TLS Versioning
The following table shows how TLS and SSL versioning relate to one another. I have heard a few people speak in terms of SSL version 3.2. However, they probably got the terminology from reading a blog. As a professional administrator, we always want to use the standard terminology. Hence, when speaking, SSL should be a reference to past technologies. Simple things can make a CentOS job seeker look like a seasoned CS major.
TLS | SSL |
---|---|
- | 3.0 |
1.0 | 3.1 |
1.1 | 3.2 |
1.2 | 3.3 |
TLS performs two main functions important to users of the Internet today: one, it verifies who a party is, known as authentication; two, it offers end-to-end encryption at the transport layer for upper-level protocols that lack this native feature (FTP, HTTP, email protocols, and more).
The first, verifying who a party is, is as important to security as end-to-end encryption. If a consumer has an encrypted connection to a website that is not authorized to take payment, financial data is still at risk. This is what every phishing site will fail to have: a properly signed TLS certificate from a trusted CA, verifying that the website operators are who they claim to be.
There are only two methods to get around not having a properly signed certificate: trick the user into allowing the web browser to trust a self-signed certificate, or hope the user is not tech savvy and will not know the importance of a trusted Certificate Authority (CA).
In this tutorial, we will be using what is known as a self-signed certificate. This means that, without explicitly giving this certificate trusted status in every web browser visiting the website, an error will be displayed discouraging users from visiting the site, and the user will have to jump through a few actions before accessing a site with a self-signed certificate. Remember, for the sake of security this is a good thing.
Install and Configure openssl
openssl is the standard open-source implementation of TLS. openssl is used on systems such as Linux, BSD distributions, and OS X, and it even supports Windows.
openssl is important, as it provides transport layer security and abstracts away the detailed programming of authentication and end-to-end encryption for a developer. This is why openssl is used with almost every open-source application using TLS. It is also installed by default on every modern version of Linux.
By default, openssl should be installed on CentOS from at least version 5 onwards. Just to be sure, let's try installing openssl via YUM. Just run install, as YUM is intelligent enough to let us know if a package is already installed. If we are running an older version of CentOS for compatibility reasons, doing a yum -y install will ensure openssl is updated against the semi-recent Heartbleed vulnerability.
When running the installer, it was found there was actually an update to openssl.
Create Self-signed Certificate for OpenLDAP
This is a method to create a self-signed certificate for our previous OpenLDAP installation.
To create a self-signed OpenLDAP certificate −
Now our OpenLDAP certificates should be placed in /etc/openldap/certs/.
As you can see, we have both the certificate and key installed in the /etc/openldap/certs/ directory. Finally, we need to change the permissions on each, since they are currently owned by the root user.
Create Self-signed Certificate for Apache Web Server
In this tutorial, we will assume Apache is already installed. We installed Apache in another tutorial (Configuring the CentOS Firewall) and will go into advanced installation of Apache in a future tutorial. So, if you have not already installed Apache, please follow along.
Once Apache is installed, TLS for httpd can be configured using the following steps −
Step 1 − Install mod_ssl for Apache httpd server.
First we need to configure Apache with mod_ssl. Using the YUM package manager this is pretty simple −
Then reload your Apache daemon to ensure Apache uses the new configuration.
At this point, Apache is configured to support TLS connections on the local host.
Step 2 − Create the self-signed SSL certificate.
First, let's configure our private TLS key directory.
Note − Be sure only the root has read/write access to this directory. With world read/write access, your private key can be used to decrypt sniffed traffic.
Generating the certificate and key files.
Note − You can use the public IP address of the server if you don't have a registered domain name.
Let's take a look at our certificate −
Here is an explanation for each option we used with the openssl command −
Command | Action |
---|---|
req -x509 | Use the X.509 PKI standard for certificate management and output a self-signed certificate directly instead of a certificate signing request (CSR). |
-nodes | Do not secure our private key with a passphrase. Apache must be able to use the key without being interrupted for a passphrase. |
-days 2555 | Sets the validity of the certificate to 7 years, or 2555 days. The time period can be adjusted as needed. |
-newkey rsa:2048 | Generate a new key and certificate together, using RSA with a 2048-bit key. |
Next, we want to create a Diffie-Hellman group for negotiating PFS with clients.
This will take from 5 to 15 minutes.
Perfect Forward Secrecy − Used to protect session data in case the private key is later compromised. This generates a key used between the client and the server that is unique for each session.
Now, add the Perfect Forward Secrecy configuration to our certificate.
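As an added example (not the tutorial's own commands), here is the certificate-generation step with the four options the table explains, followed by the checks an administrator would run afterwards: that the private key is readable only by its owner, that the certificate really belongs to that key, and which host name it was issued for. The function names, the subject fields and the directory argument are assumptions of this example.

```shell
# Added example, not the tutorial's own commands: the certificate generation
# step with the four options from the table, plus post-generation checks.
# Function names, subject fields and the target directory are assumptions.
set -eu

# gen_selfsigned_cert DIR CN [DAYS]: -x509 (emit a self-signed certificate,
# not a CSR), -nodes (no passphrase, so httpd can start unattended),
# -days (default 2555, as in the tutorial), -newkey rsa:2048.
gen_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-2555}
    mkdir -p "$dir"
    chmod 700 "$dir"            # only the owner (root) may enter the key directory
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null
    chmod 600 "$dir/$cn.key"    # private key: owner read/write only
    chmod 644 "$dir/$cn.crt"    # the certificate is public by design
}

# cert_matches_key CRT KEY: succeeds when the certificate's public key is the
# one derived from this private key (catches a cert/key mix-up in ssl.conf).
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# key_is_private KEY: fails when anyone but the owner can read the key, the
# condition the note above warns about (sniffed traffic becomes decryptable).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# cert_cn CRT: prints the CN (host name or IP) the certificate was issued for.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# gen_dhparam DIR [BITS]: the Diffie-Hellman group for PFS. 2048 bits takes
# minutes, so it is defined here but only run when called explicitly.
gen_dhparam() {
    openssl dhparam -out "$1/dhparam.pem" "${2:-2048}" 2>/dev/null
}
```

Run `gen_selfsigned_cert /etc/ssl/private centos.vmnet.local` as root, then `key_is_private` and `cert_matches_key` on the two files before pointing ssl.conf at them.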
Configure Apache to Use Key and Certificate Files
We will be making changes to /etc/httpd/conf.d/ssl.conf −
We will make the following changes to ssl.conf. However, before we do that we should back the original file up. When making changes to a production server in an advanced text editor like vi or emacs, it is a best practice to always back up configuration files before making edits.
Now let's continue our edits after copying a known-working copy of ssl.conf to the root of our home folder.
- Locate
- Edit both DocumentRoot and ServerName as follows.
DocumentRoot is the path to your default Apache directory. In this folder should be a default page that is served in response to an HTTP request for the default page of your web server or site.
ServerName is the server name, which can be either an IP address or the host name of the server. For TLS, it is a best practice to create a certificate with a host name. In our OpenLDAP tutorial, we created a hostname of centos on the local enterprise domain: vmnet.local
Now we want to comment the following lines out.
SSLProtocol
Then let Apache know where to find our certificate and private/public key pair.
Specify path to our self-signed certificate file
Finally, we need to allow inbound connections to https over port 443.
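As an added example (not from the tutorial), a small audit of the ssl.conf directives edited in this section, run over a constructed configuration fragment; the file paths, the vhost layout and the function names are assumptions. It flags an SSLProtocol line that still permits the obsolete SSL 3.0, which the history section above marks as insecure, and reports any of the required directives that are missing.

```shell
# Added example (not from the tutorial): audit the ssl.conf directives this
# section edits. Paths, the vhost and the sample file are constructed here.
set -eu

# conf_value FILE DIRECTIVE: value of the last uncommented occurrence, or "".
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# ssl_protocol_ok FILE: succeeds when SSLProtocol is set and does not leave
# SSLv3 (or older) enabled. "all -SSLv2" is the stock line that still
# permits SSLv3, which is why the tutorial has you revisit it.
ssl_protocol_ok() {
    p=$(conf_value "$1" SSLProtocol)
    [ -n "$p" ] || return 1
    case " $p " in
        *" -SSLv3 "*) return 0 ;;
        *" all "*|*" SSLv3 "*|*" +SSLv3 "*|*" SSLv2 "*|*" +SSLv2 "*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_ssl_conf FILE: one finding per line on stdout; the exit status is the
# number of findings (0 means the vhost carries every setting this section asks for).
audit_ssl_conf() {
    n=0
    [ "$(conf_value "$1" SSLEngine)" = "on" ] || { echo "SSLEngine is not on"; n=$((n+1)); }
    ssl_protocol_ok "$1" || { echo "SSLProtocol allows obsolete SSL 3.0 or lower"; n=$((n+1)); }
    for d in SSLCertificateFile SSLCertificateKeyFile ServerName DocumentRoot; do
        [ -n "$(conf_value "$1" "$d")" ] || { echo "$d is not set"; n=$((n+1)); }
    done
    return $n
}

# write_sample_conf FILE PROTOCOL_LINE: constructed ssl.conf fragment using the
# hostname from the tutorial (centos.vmnet.local); the file paths are assumed.
write_sample_conf() {
    cat > "$1" <<EOF
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName centos.vmnet.local:443
    SSLEngine on
    $2
    SSLCertificateFile /etc/ssl/private/centos.vmnet.local.crt
    SSLCertificateKeyFile /etc/ssl/private/centos.vmnet.local.key
</VirtualHost>
EOF
}
```

Run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after editing and again after each reload; a non-zero exit status lists what still needs attention.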