Part 4 - Implementation of a Public Key Infrastructure (PKI)
The certificates generated in part 2 are self-signed: each is signed with the private key of the same entity whose identity it certifies. Verifying such a signature only proves that whoever produced the certificate holds the matching private key; it says nothing about who that is, so a self-signed certificate is worth something only if you already trust its owner (for example because you obtained it from him/her directly).
In a PKI setting, a digital signature from a trusted third party, a certificate authority (CA), attests that a public key belongs to the identity named in its certificate.
We will create a certificate authority (CA) that signs the certificates of all agents. Each agent then needs to trust only the CA's certificate, not every other agent's.
TASK 1 - Set up a Certificate Authority (CA)
We are going to use CFSSL to set up a certificate authority.
Read some documentation about CFSSL: 1 and 2.
To initialise the CA you specify its parameters (subject name, key algorithm and size, expiry) in a configuration file written in JSON.
A sample JSON file is available along with the package containing CFSSL for Windows. If you are using another operating system you can download binaries from here.
To generate a self-signed root CA certificate, specify the key request as a JSON file and run:
cfssl genkey -initca ca.json | cfssljson -bare ca
Three PEM-encoded entities appear in the output: the private key, the CSR and the self-signed certificate; cfssljson -bare ca writes them to ca-key.pem, ca.csr and ca.pem. Keep ca-key.pem private and out of the agents' keystores: whoever holds it can issue certificates that every agent will trust.
TASK 2 - Signing the agents' certificates
Try signing the certificates you generated in part 2. Follow these examples as guidance (you may need to adjust the paths!).
If you do not have the keystore you created in part 2 you may use this one (containing self-signed certificates).
Sign alice's CSR with the CA key and certificate; the output is piped to cfssljson, which writes alice_enc.pem (the -hostname value becomes a subject alternative name in the certificate):
cfssl sign -ca ca.pem -ca-key ca-key.pem -hostname alice alice_enc.csr | cfssljson -bare alice_enc
Print some certificate information from the PEM file and check that the Issuer is now your CA rather than alice herself:
cfssl-certinfo -cert alice_enc.pem
TASK 3 - Import the CA certificate into each agent's keystore
This is similar to what you did in part 2. Check the content of the keystore to verify that the CA certificate is imported as expected.
TASK 4 - Import the agents' signed certificates into their keystores
Again, this is similar to what you did in part 2. Check the content of the keystore to verify that the certificate is imported as expected.
You could try to build your own script to automate the process.
Hints: your keystore tool may need the whole chain, so you may have to concatenate the agent's certificate and the CA's self-signed certificate into one PEM file before importing it.
Moreover, you may need to remove the previous entry (the self-signed certificate from part 2) first, as a keystore cannot hold two entries with the same alias.
TASK 5 - Running protocols
There are two sets of keystores available for download:
- the first one contains certificates already signed by the CA
- the second one contains self-signed certificates.
Experiment running some of the examples of parts 2 and 3 with the first set, with the second, or with a mix (Alice from the first and Bob from the second).
Do you see something interesting? Pay attention to whether each side accepts the other's certificate, and why, and report what you find to the instructor.
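The following script is an added example, not part of the lab handout: it carries Tasks 1, 2 and 5 through end to end and finishes with the trust check that explains what you observe when the two keystore sets are mixed. It runs the cfssl and cfssljson commands from the tasks when they are on the PATH and the equivalent openssl commands otherwise; the CA name (Lab Root CA), the agents' names, the ca.json contents, the working directory and the use of openssl instead of the keystore tool of part 2 to produce the agents' CSRs are all assumptions of this example.

```shell
#!/bin/sh
# Added example for Tasks 1, 2 and 5; not part of the lab handout.
# Uses cfssl/cfssljson when on the PATH, otherwise the openssl equivalents.
# CA name, agent names, ca.json contents and the work directory are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

have_cfssl() { command -v cfssl >/dev/null 2>&1 && command -v cfssljson >/dev/null 2>&1; }

# Constructed openssl config for the fallback path: the CA's subject plus the
# extensions that make it a CA (CA:TRUE, keyCertSign).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = IT
O = PKI Lab
CN = Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# TASK 1: self-signed root CA -> ca-key.pem (keep it private!) and ca.pem.
make_ca() {
  if have_cfssl; then
    cat > ca.json <<'EOF'
{ "CN": "Lab Root CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "IT", "O": "PKI Lab" } ],
  "ca": { "expiry": "87600h" } }
EOF
    cfssl genkey -initca ca.json | cfssljson -bare ca   # also writes ca.csr
  else
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
      -days 3650 -keyout ca-key.pem -out ca.pem
  fi
}

# Part 2 stand-in: an agent's key pair and CSR (the lab made these with the
# keystore tool; here openssl is used so the script is self-contained).
make_csr() {   # $1 = agent -> $1-key.pem, $1.csr
  openssl req -new -config pki.cnf -subj "/CN=$1" -newkey rsa:2048 -nodes \
    -sha256 -keyout "$1-key.pem" -out "$1.csr"
}

# Leaf extensions for an agent; DNS:$1 mirrors what cfssl's -hostname adds.
leaf_ext() {   # $1 = agent -> $1.ext
  cat > "$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$1
EOF
}

# TASK 2: certificate signed by the CA -> $1.pem (Task 5's first keystore set).
sign_csr() {   # $1 = agent
  if have_cfssl; then
    cfssl sign -ca ca.pem -ca-key ca-key.pem -hostname "$1" "$1.csr" | cfssljson -bare "$1"
  else
    leaf_ext "$1"
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
      -days 365 -sha256 -extfile "$1.ext" -out "$1.pem"
  fi
}

# Part 2 situation: the agent signs its own CSR -> $1-selfsigned.pem (second set).
self_sign() {  # $1 = agent
  leaf_ext "$1"
  openssl x509 -req -in "$1.csr" -signkey "$1-key.pem" -days 365 -sha256 \
    -extfile "$1.ext" -out "$1-selfsigned.pem"
}

# What a peer's trust store does: accept a certificate only if it chains to a
# certificate in the store. Exit status 0 means accepted.
verifies_against() {   # $1 = trusted certificate file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Counterpart of `cfssl-certinfo -cert`: who issued this certificate?
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

main() {
  make_ca
  make_csr alice; sign_csr alice   # Alice from the CA-signed set
  make_csr bob;   self_sign bob    # Bob from the self-signed set
  cert_issuer alice.pem            # issuer is the CA
  cert_issuer bob-selfsigned.pem   # issuer is bob himself
  # TASK 5: a peer that trusts only ca.pem accepts alice and rejects bob, while
  # bob is accepted only by a peer that pinned his self-signed certificate.
  verifies_against ca.pem alice.pem && echo "alice.pem: accepted by CA trust store"
  verifies_against ca.pem bob-selfsigned.pem || echo "bob-selfsigned.pem: rejected by CA trust store"
  verifies_against bob-selfsigned.pem bob-selfsigned.pem && echo "bob-selfsigned.pem: accepted only when pinned"
  return 0
}
main
```

The mixed case of Task 5 is the last three lines of main: Alice's keystore holds only the CA certificate, so it accepts anything the CA signed and rejects Bob's self-signed certificate, whereas the all-self-signed set works only because each keystore explicitly pins the other agent's certificate.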
TASK 6 - Run CFSSL as a server (optional)
It is possible to run CFSSL as an HTTP server (cfssl serve) that signs certificate requests through an API.
Read the documentation here and try it. Because anyone who can reach that endpoint can have certificates issued, keep it on a restricted network and enable the request authentication (auth keys) described in the documentation.