ask $1$: Become a Certificate Authority $($CA$)$

A Certificate Authority $($CA$)$ is a trusted entity that issues digital certificates. The digital certificate certifies the

ownership of a public key by the named subject of the certificate. A number of commercial CAs are treated as

root CAs; VeriSign is the largest CA at the time of writing. Users who want to get digital certificates issued by

the commercial CAs need to pay those CAs.

In this problem, we need to create digital certificates, but we are not going to pay any commercial CA$.$ We will

become a root CA ourselves, and then use this CA to issue certificate for others $($e$.$g$.$ servers$).$ In this task, we

will make ourselves a root CA$,$ and generate a certificate for this CA$.$ Unlike other certificates, which are

usually signed by another CA$,$ the root CA$$s certificates are self$-$signed. Root CA$$s certificates are usually pre$-$

loaded into most operating systems, web browsers, and other software that rely on PKI. Root CA$$s certificates

are unconditionally trusted.

The Configuration File openssl.conf. In order to use OpenSSL to create certificates, you have to have a

configuration file. The configuration file usually has an extension $.$cnf$.$ It is used by three OpenSSL

commands: ca$,$ req and x$509.$ The manual page of openssl.conf can be found using Google search. You can

also get a copy of the configuration file from $/$usr$/$lib$/$ssl$/$openssl$.$cnf$.$ After copying this file into your

current directory, you need to create several sub$-$directories as specified in the configuration file $($look at the

$[$default CA$]$ section$)$:

dir $=./$demoCA # Where everything is kept

certs $=$ $dir$/$certs # Where the issued certs are kept

crl$\_$dir $=$ $dir$/$crl # Where the issued crl are kept

$2$

new$\_$certs$\_$dir $=$ $dir$/$newcerts # default place for new certs.

database $=$ $dir$/$index$.$txt # database index file.

serial $=$ $dir$/$serial # The current serial number

For the index.txt file, simply create an empty file. For the serial file, put a single number in string format

$($e$.$g$.1000)$ in the file. Once you have set up the configuration file openssl.cnf$,$ you can create and issue

certificates.

Certificate Authority $($CA$).$ As we described before, we need to generate a self$-$signed certificate for our CA$.$

This means that this CA is totally trusted, and its certificate will serve as the root certificate. You can run the

following command to generate the self$-$signed certificate for the CA:

$ openssl req $-$new $-$x$509-$keyout ca$.$key $-$out ca$.$crt $-$config openssl.cnf

You will be prompted for information and a password. Do not lose this password, because you will have to type

the passphrase each time you want to use this CA to sign certificates for others. You will also be asked to fill in

some information, such as the Country Name, Organization Name, Common Name, etc. Please use your own

name for the Organization Name $($if working in a team, use the name of one team member$).$ The output of

the command are stored in two files: ca$.$key and ca$.$crt$.$ The file ca$.$key contains the CA$$s private key, while

ca$.$crt contains the public$-$key certificate.

Please include the content of these two files,

ca$.$key and

ca$.$crt $($as text files$)$ in the document you are

submitting $($do not "embed" the files in the MS Word document, because such "embedded" files cannot be

accessed if MS Word is running on a Mac$)$