In the previous task, we use the certificates in the /etc/ssl/certs folder to verify server's certificates....

Transcribed Image Text:

In the previous task, we use the certificates in the /etc/ssl/certs folder to verify server's certificates. In this task, we will create our own certificate folder, and place the corresponding certificates in the folder to do the verification. Please create a folder called certs, and change the cadir line in the client program to the following. Run the client program and report your observation. cadir './certs' To solve this problem, you need to place the corresponding CA's certificate into your certs folder. Please use your client program to find out what CA certificate is needed to verify the www.example.com server's certificate, and then copy the certificate from the /etc/ssl/certs to your own folder. Run your client program again. If you have done everything correctly, your client program should be able to talk to the server. It should be noted that copying CA's certificate to the "./cert" folder is not enough. When TLS tries to verify a server certificate, it will generate a hash value from the issuer's identify information, use this hash value as part of the file name, and then use this name to find the issuer's certificate in the "./cert" folder. Therefore, we need to rename each CA's certificate using the hash value generated from its subject field, or we can make a symbolic link out of the hash value. In the following command, we use opensslto generate a hash value, which is then used to create a symbolic link. $ openssl x509 -in someCA.crt -noout -subject_hash 4a6481c9 $ ln -s some CA.crt 4a6481c9.0 $ ls -1 total 4 lrwxrwxrwx 1 -rw-r--r-- 1 ... ... 4a6481c9.0 -> some CA.crt someCA.crt In the previous task, we use the certificates in the /etc/ssl/certs folder to verify server's certificates. In this task, we will create our own certificate folder, and place the corresponding certificates in the folder to do the verification. Please create a folder called certs, and change the cadir line in the client program to the following. Run the client program and report your observation. cadir './certs' To solve this problem, you need to place the corresponding CA's certificate into your certs folder. Please use your client program to find out what CA certificate is needed to verify the www.example.com server's certificate, and then copy the certificate from the /etc/ssl/certs to your own folder. Run your client program again. If you have done everything correctly, your client program should be able to talk to the server. It should be noted that copying CA's certificate to the "./cert" folder is not enough. When TLS tries to verify a server certificate, it will generate a hash value from the issuer's identify information, use this hash value as part of the file name, and then use this name to find the issuer's certificate in the "./cert" folder. Therefore, we need to rename each CA's certificate using the hash value generated from its subject field, or we can make a symbolic link out of the hash value. In the following command, we use opensslto generate a hash value, which is then used to create a symbolic link. $ openssl x509 -in someCA.crt -noout -subject_hash 4a6481c9 $ ln -s some CA.crt 4a6481c9.0 $ ls -1 total 4 lrwxrwxrwx 1 -rw-r--r-- 1 ... ... 4a6481c9.0 -> some CA.crt someCA.crt