2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Lesson 12 of Network Certification
I. Operational requirements
Test whether mail client software (such as Outlook, Foxmail, etc.) supports the Key Usage extension
II. Tools used
OpenSSL, Outlook, Foxmail
III. Experimental process
Generate certificates using OpenSSL
(1) First, generate the private key private.pem
On the command line, type: openssl genrsa -des3 -out private.pem 2048. This generates a 2048-bit RSA private key and encrypts it with the 3DES algorithm.
After you enter the passphrase used for the 3DES encryption, the private.pem file is generated.
(2) Generate a certificate with an extension
The lab tests whether the mail client supports the Key Usage extension, so two certificates are generated to tell the cases apart. The Key Usage extension of cacert2.crt is Digital Signature, Non-Repudiation, Key Encipherment (e0), so the certificate can be used for both encryption and signing; the Key Usage extension of cacert3.crt is Digital Signature, Non-Repudiation, without Key Encipherment, so it can be used only for signing.
Modify the keyUsage field of the [v3_req] section in the openssl.cnf file:
Configuration of cacert2.crt → keyUsage = nonRepudiation, digitalSignature, keyEncipherment
Configuration of cacert3.crt → keyUsage = nonRepudiation, digitalSignature
On the command line, type: openssl req -new -x509 -days 3650 -key private.pem -out cacert2.crt -config openssl.cnf -extensions v3_req to generate a certificate with the extension. cacert3.crt is generated the same way after modifying the cnf configuration file.
Certificate generation prompts for certificate information, including country, organization name, email address, etc. The email address entered here should be the same as the email address used to log in for the tests later.
The generated certificates are shown in the following figure. On the left is cacert2.crt, whose Key Usage includes keyEncipherment and can be used for encryption; on the right is cacert3.crt, which cannot be used for encryption:
(3) Generate the pfx file
Use pkcs12 to package the certificate together with the corresponding private key, protected by a password, into a pfx file, so that the certificate can be imported into the computer's "Personal" certificate store and configured in the mail client.
On the command line, type: openssl pkcs12 -export -out cacert2.pfx -inkey private.pem -in cacert2.crt
Enter the passphrase that was set earlier when the private key was encrypted with 3DES; once it is verified, set the export password that protects the private key. Generate cacert2.pfx and cacert3.pfx in this way.
Test whether Outlook supports the Key Usage extension
To configure a personal certificate in Outlook, first import the certificate into the Personal store through the browser, and trust the issuer of the certificate under Trusted Root Certification Authorities.
(1) keyUsage = nonRepudiation, digitalSignature, keyEncipherment
First, select cacert2.crt (the certificate with Key Encipherment, which can be used for encryption) when configuring Outlook. It can be used for both signing and encryption, as shown in the following figure:
Then send an encrypted and signed test email to the recipient "xx's is" at the address "xxxxx@is.xx.xx"; the recipient's certificate has been configured in the contact in advance. Select both encryption and signature when sending, as shown in the following figure:
The recipient "is of xx" successfully received and opened the message, and the message was encrypted and signed, as shown in the following figure:
(2) keyUsage = nonRepudiation, digitalSignature
Then change the certificate in the Outlook configuration and select cacert3.crt (the certificate without Key Encipherment, which cannot be used for encryption). When you select a signing certificate, two certificates are offered, including cacert3.crt, which can be used for signing.
However, when you select an encryption certificate, the certificate selection dialog lists only one certificate, and cacert3.crt cannot be selected. Outlook has recognized that the Key Usage extension of cacert3.crt does not include keyEncipherment, so the certificate cannot be used for encryption.
Try to send an encrypted and signed message again. The message cannot be sent, and Outlook reports that there is no certificate available for encryption.
If you try to send a message that is only signed and not encrypted, it can be sent successfully.
IV. Experimental conclusion
The Outlook client is tested in this lab.
Outlook supports the Key Usage extension. When the certificate's Key Usage extension contains nonRepudiation, digitalSignature, and keyEncipherment, the certificate can be used to send encrypted and signed messages; without keyEncipherment, Outlook cannot use the certificate to send encrypted messages.
Foxmail version 7.2 does not support digital certificate configuration, let alone Key Usage extensions. The client does have an email encryption function, which ensures the confidentiality of email but cannot guarantee its authenticity and integrity. It can be seen that Outlook is more comprehensive and professional than Foxmail in email security.
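The check Outlook was observed to perform can be reproduced by decoding the keyUsage BIT STRING, which is also where the "e0" value above comes from. This is an added example, not part of the original lab; the function names, the role model in smime_roles and the sample DER bytes are assumptions constructed for illustration.

```python
# Added example: decode the DER value of an X.509 keyUsage extension.
# Bit names and positions follow RFC 5280; sample bytes are constructed here.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der):
    """Return the named bits set in a DER-encoded BIT STRING (tag 0x03)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2 or length > 3:
        raise ValueError("unexpected length for keyUsage")
    unused, payload = der[2], der[3:]
    if unused > 7 or not payload:
        raise ValueError("malformed BIT STRING")
    # DER requires the unused trailing bits of the last byte to be zero.
    if payload[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    # Bit 0 is the most significant bit of the first payload byte.
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(payload) and payload[i // 8] & (0x80 >> (i % 8))]

def smime_roles(der):
    """Roles a mail client may offer the certificate for (assumed model)."""
    if der is None:  # extension absent: key usage is not restricted
        return {"sign": True, "encrypt": True}
    usage = set(decode_key_usage(der))
    return {
        "sign": bool(usage & {"digitalSignature", "nonRepudiation"}),
        "encrypt": "keyEncipherment" in usage,  # RSA key transport
    }

# Constructed DER values matching the two lab certificates.
CACERT2_KU = bytes.fromhex("030205e0")  # e0 = 1110 0000, 5 unused bits
CACERT3_KU = bytes.fromhex("030206c0")  # c0 = 1100 0000, 6 unused bits

if __name__ == "__main__":
    for label, der in (("cacert2", CACERT2_KU), ("cacert3", CACERT3_KU)):
        print(label, decode_key_usage(der), smime_roles(der))
```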