Introduction

This lab will cover:

Installing the root certificate bundle
Compiling lynx against openssl
Connecting lynx to an https site and verifying the certificate
Trusting a non-root CA
Generating your own CSR

Steps

Do a regular NetBSD Install
Set a strong root password
fetch the root_certs.p7b file from ftp, (BINARY MODE!!!)
fetch the lynx source file from ftp
extract the lynx source
read lynx2-8-6/docs/README.sslcerts (our openssl directory is /etc/openssl not /usr/local/ssl)
compile lynx with SSL support (requires ./configure option)
follow the instructions to convert the .p7b file to a .pem file, name this file cert.pem and copy it to /etc/openssl/
lynx to https://www.paypal.com/ and notice how the certificate is verified
lynx to https://ozone.mohawkcollege.ca/ and notice how the certificate is rejected
fetch ozone.pem from ftp
trust the ozone CA by copying it to /etc/openssl/certs
install perl binary package from ftp
get the c_rehash tool from ftp
copy it to /usr/bin
set the executable bit on it
edit c_rehash and change the ssl path
run c_rehash
revisit ozone, and notice that the certificate is verified
Generate an SSL Key pair
Generate a Certificate Signing Request for your self, your common name will be: studentnumber.csait.ca
Email me your .csr file, email your self the .key file

Commands:

                View a certificate:
        openssl x509 -noout -text -in file.crt
        
                Generate a key pair:
	openssl genrsa -aes256 -out studentnumber.key 1024

                Generate a CSR:
	openssl req -new -key studentnumber.key -out studentnumber.csr

Questions:

Why must you keep the .key file when you generate the CSR?:

What does c_rehash do?:

Why is it important that you be able to trust the validity of a certificate?:

Where is the lynx config file installed?:

?:

Last updated: 2008-03-12
Updated by: Allan Jude

Written by: Allan Jude (2008)