
République Algérienne Démocratique et Populaire

Ministère de l’Enseignement Supérieure et de la Recherche Scientifique


Université Tahri Mohamed de Béchar
Faculté des Sciences Exactes
Département de Mathématique et Informatique

1MSIR

IASW Lab Report

(openssl)

Academic year 2018/2019


-Introduction :

1- openSSL

2- Install openSSL

3- Creating a private key


4- Creating a Certificate Signing Request (CSR)
5- Getting an SSL certificate
6- Inspecting a certificate
7- Add a new website in IIS
8- Convert the format of our certificate from the PEM extension to the PFX extension :
9- Import certificate :
10- Binding the certificate with the web site :
11- Test the web site :
12- Import the certificate to the Trusted Root Certification Authorities folder (mmc) :

-Conclusion

Introduction :

Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can
snoop on all of that traffic. Obviously, this can lead to problems, especially where security and privacy are
necessary, such as with credit card data and bank transactions. The Secure Sockets Layer (SSL) is used to encrypt
the data stream between the web server and the web client (the browser).

1- Openssl :

OpenSSL is a software library for applications that secure communications over computer
networks against eavesdropping or need to identify the party at the other end. It is widely used in Internet
web servers, serving a majority of all web sites.

OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library,
written in the C programming language, implements basic cryptographic functions and provides various
utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages
are available.

The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It
can also be used to generate self-signed certificates which can be used for testing purposes or internal
usage.
2- Install openSSL :

1- Download OpenSSL from one of the many available links, such as https://slproweb.com/products/Win32OpenSSL.html

2- Double-click the installation file, accept the agreement and click Next.

Figure 1 : install OpenSSL (accept the agreement)

3- Click Next :

Figure 2 :

4- Click Install and wait for the installation to complete.

Figure3 :
3- Creating a private key

Usually the first thing you need to do is to create a private RSA key. For this, OpenSSL has the genrsa
command. By default, it creates a 512 bit private key (which is pretty weak), and it prints it to the
terminal. To change this you need to specify the -out flag and a filename, as well as the number of bits
you want to use for the key.

The more bits you use, the stronger the key will be - but the longer any calculations will take, too.
Currently you should either use 2048 bits, or if you want to be ready for the future, directly use 4096 bits:

openssl genrsa -out privateKey.pem 4096

Figure4 :

This creates a new file in the current directory, privateKey.pem, whose contents look similar to this. As
you can see from the file name, the private key is stored using the so-called PEM format, one of multiple
possible formats that are typically used to store keys:

Figure5 :
4- Creating a Certificate Signing Request (CSR)

The most common reason for creating a private key is that you want to have an SSL certificate. It
doesn't matter whether you want to create a self-signed certificate on your own, or if you are going to buy
an official one - the initial steps are always the same.

So, next you need to create a so-called Certificate Signing Request (CSR), which is like the order for your
certificate. For a CSR to work you need to specify information, such as what your name is, for which
domain the certificate is intended, and so on…

To create a CSR, OpenSSL has the req command. Since you want to create a new CSR, provide the
-new flag. You also have to specify the private key using the -key flag, and (again) the -out flag so that the
CSR is written to a file. OpenSSL then asks you a number of questions, so that it learns about the
information that needs to be put into the CSR:

openssl req -new -key privateKey.pem -out csr.pem

Figure 6 :

When OpenSSL asks you about a challenge password, simply leave the field blank. The CSR then gets
created, again in PEM format, and if you take a look inside the generated csr.pem file its contents are
similar to this:

Figure 7 :

The CSR contains all the information you entered in an encoded form, but not your private key.

5- Getting an SSL certificate

Now there are two options of how to proceed. If you want to buy an official certificate that is trusted by
common web browsers, send the CSR to a certificate authority (CA), pay, and wait for the certificate
being returned. The certificate will probably be in PEM format again.

Depending on your infrastructure, you may need to convert the certificate to another format, but if you
are using Node.js, for example, PEM is perfectly fine. At this point you no longer need the CSR, so you can
safely delete the csr.pem file.

If you want to create a self-signed certificate, you can use the x509 command of OpenSSL. You need to
provide the CSR using the -in flag, and (again) the -out flag to specify the file name where the certificate
should be written to. Additionally, you need to set the -req flag.

You also have to provide the private key using the -signkey flag, as this private key is now not only used
as private counterpart to the certificate, but also to sign the certificate (hence the name
self-signed certificate).

Finally, you need to provide the -days flag and specify the number of days the certificate should be
considered valid. Typical values are 365, 730 and 1095, for certificates with a runtime of 1, 2, and 3
years:

openssl x509 -in csr.pem -out certificate.pem -req -signkey privateKey.pem -days 365

Figure 8 :

Once the certificate.pem file has been created, you don't need the csr.pem file any more, so you can safely
delete this file now. If you take a look at the contents of the certificate.pem file, it already looks familiar:

Figure9 :

6- Inspecting a certificate

From time to time you may want to figure out the details of a certificate, e.g. to look up which domain a
certificate was made for, or when it is about to expire. Luckily, OpenSSL can do this for you as well,
again using the x509 command.

You need to provide the certificate to inspect using the -in flag. Since you want the certificate's details in
text form, provide the -text flag, and - which comes as a surprise - you need to set the -noout flag to force
OpenSSL not to write the output to a file, but print it to the terminal:

openssl x509 -in certificate.pem -text -noout


Figure 10 :

7- Add a new website in IIS :

Figure 11 :
Figure 12 :

- Create an HTML page in C:\inetpub\SITES\soft_bech

Figure 13:

Figure 14 :

Figure 15 :

Figure 16 :

8- Binding (liaisons)

Figure 17 :
9- Import certificate :

- Convert the format of our certificate from the PEM extension to the PFX extension :

openssl pkcs12 -inkey privateKey.pem -in certificate.pem -export -out certificate_pfx.pfx

Figure 18 :
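
The key, CSR, self-signed certificate and PFX steps above, run without prompts and followed by the consistency checks worth making before the PFX is imported into IIS. This is an added example, not part of the original report; the CN soft-bech.example, the password, the 2048-bit key size and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example. CN and password are constructed placeholders, not values from the report.
CN='soft-bech.example'
PFX_PASS='constructed-demo-pass'; export PFX_PASS   # read by openssl via env:, not argv

# SHA-256 of the public key held in a private key, CSR or certificate (PEM file).
pub_fp() {   # $1 = key|csr|cert, $2 = file
  pem=$(case "$1" in
          (key)  openssl pkey -in "$2" -pubout ;;
          (csr)  openssl req  -in "$2" -noout -pubkey ;;
          (cert) openssl x509 -in "$2" -noout -pubkey ;;
        esac 2>/dev/null) || return 1
  [ -n "$pem" ] && printf '%s\n' "$pem" | openssl dgst -sha256
}

# The report's key, CSR, self-signed certificate and PFX steps, without prompts.
build_chain() {   # $1 = directory, $2 = validity in days
  ( cd "$1" &&
    openssl genrsa -out privateKey.pem 2048 &&
    openssl req -new -key privateKey.pem -out csr.pem -subj "/CN=$CN" &&
    openssl x509 -in csr.pem -out certificate.pem -req -signkey privateKey.pem -days "$2" &&
    openssl pkcs12 -inkey privateKey.pem -in certificate.pem -export \
      -out certificate_pfx.pfx -passout env:PFX_PASS ) >/dev/null 2>&1
}

# 0 = all good, 1 = key mismatch, 2 = not self-signed, 3 = expires within 30 days,
# 4 = PFX unreadable or holds a different certificate. Run before deleting csr.pem.
check_chain() {   # $1 = directory
  k=$(pub_fp key  "$1/privateKey.pem")  || return 1
  c=$(pub_fp cert "$1/certificate.pem") || return 1
  r=$(pub_fp csr  "$1/csr.pem")         || return 1
  [ "$k" = "$c" ] && [ "$k" = "$r" ]    || return 1
  [ "$(openssl x509 -in "$1/certificate.pem" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1/certificate.pem" -noout -issuer_hash)" ] || return 2
  openssl x509 -in "$1/certificate.pem" -noout -checkend 2592000 >/dev/null || return 3
  openssl pkcs12 -in "$1/certificate_pfx.pfx" -passin env:PFX_PASS -nokeys \
    -out "$1/from_pfx.pem" 2>/dev/null || return 4
  p=$(pub_fp cert "$1/from_pfx.pem") && [ "$p" = "$k" ] || return 4
}

d=$(mktemp -d)   # mode 0700, so the private key is not world-readable
build_chain "$d" 365 && check_chain "$d" && echo "key, CSR, certificate and PFX agree"
rm -rf "$d"
```

The openssl invocations are the same from a Windows command prompt; only the surrounding shell functions are POSIX-specific.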

9- Import certificate to IIS :

Figure 19 :

10- Binding the certificate with the web site :

Figure 20 :
11- test the web site:

Figure 21 :

12- import the certificate to Trusted Root Certification Authorities folder (mmc) :

Figure 22 :

Figure 23 :
-test the web site :

Figure 24 :

Conclusion :

A website security certificate is a validation and encryption tool, part of the HTTPS protocol, which
secures and encrypts data going back and forth between the server and the client browser. It is issued by a
trusted certification authority (CA) that verifies the identity of the owner of a website. The certificate
then assures the user that the website they are connected to is legitimate and that the connection is safe and
secure.

OpenSSL is a general purpose cryptography library that provides an open source implementation of the
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
