Root CA : A Certificate Authority $($CA$)$ is a trusted entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate. A number of commercial CAs are treated as root CAs; VeriSign is one of the largest CAs. Users who want to get digital certificates issued by the commercial CAs need to pay those CAs. In this question, you need to create digital certificates, but you are not going to pay any commercial CA$.$ You will become a root CA yourselves by using your name, and then use this CA to issue certificate for others $($e$.$g$.$ servers$).$ You will make yourselves a root CA$,$ and generate a certificate for yourself. Unlike other certificates, which are usually signed by another CA$,$ the root CA$$s certificates are self$-$signed. Root CA$$s certificates are usually pre$-$loaded into most operating systems, web browsers, and other software that rely on PKI. Root CA$$s certificates are unconditionally trusted.

The Configuration File openssl.cnf : In order to use OpenSSL to create certificates, you have to have a configuration file. The configuration file usually has an extension $.$cnf$.$ It is used by three OpenSSL commands: ca$,$ req and x$509.$ The manual page of openssl.cnf can be found from online resources. By default, OpenSSL uses the configuration file from $/$usr$/$lib$/$ssl$/$openssl$.$cnf$.$ Since you need to make changes to this file, you will copy it into your current directory, and instruct OpenSSL to use this copy instead. The $[$CAdefault$]$ section of the configuration file shows the default setting that you need to prepare. Uncomment the uniquesubject line to allow creation of certifications with the same subject, because it is very likely that you will do that.

Listing $1$: Default CA setting

$[$ CA$\_$default $]$

dir$=./$demoCA

# Where everything is kept

certs$=$ $dir$/$certs

# Where the issued certs are kept

crl$\_$dir$=$ $dir$/$crl

# Where the issued crl are kept

database$=$ $dir$/$index$.$txt

# database index file.

#unique$\_$subject $=$ no

# Set to $$no$$ to allow creation of # several certs with same subject.

new$\_$certs$\_$dir$=$ $dir$/$newcerts

# default place for new certs.

serial$=$ $dir$/$serial

# The current serial number

For the index.txt file, simply create an empty file. For the serial file, put a single number in string format $($e$.$g$.1000)$ in the file. Once you have set up the configuration file openssl.cnf$,$ you can create and issue certificates. You need to create several sub$-$directories. The execution of the following commands may generate the default directory structure:

Generating Certificate for Root CA : You need to generate a self$-$signed certificate for your CA$.$ This means that this CA is totally trusted, and its certificate will serve as the root certificate. You can run the following command to generate the self$-$signed certificate for the CA$.$ The output of the command are stored in two files: ca$.$key and ca$.$crt$.$ The file ca$.$key contains the CA$$s private key, while ca$.$crt contains the public$-$key certificate. You can also specify the subject information and password in the command line, so you will not be prompted for any additional information. In the following command, use $-$subj to set the subject information and you need to use your name inspite of ModelCA in the subject information $($for example, if your name is AbdhulHamid then you will use www$.$abdulhamidCA.com$).$ and use $-$passout pass:dees to set the password to dees.

openssl req $-$x$509-$newkey rsa:$4096-$sha$256-$days $3650\backslash$

$-$keyout ca$.$key $-$out ca$.$crt $\backslash$

$-$subj $"/$CN$=$www$.$modelCA.com$/$O$=$Model CA LTD$./$C$=$SA$"\backslash$

$-$passout pass:dees

You can use the following commands to look at the decoded content of the X$509$ certificate and the RSA key $(-$text means decoding the content into plain text; $-$noout means not printing out the encoded version$)$:

openssl x$509-$in ca$.$crt $-$text $-$noout openssl rsa $-$in ca$.$key $-$text $-$noout

Run the above commands. From the output, identify the following information and include screenshots:

$($a$)$ Who is the Issuer, what is the last date of validity, and what is the subject of the certificate?

$($b$)$ What part of the certificate indicates this is a self$-$signed certificate?

$($c$)$ What part of the certificate indicates this CA can certify others?

$($d$)$ In the RSA algorithm, you have a public exponent e$,$ identify the public exponent value in the key file.

$($e$)$ Is the public exponent in the key file and in the certificate file the same?