# As Alice: create a CSR for the key you already have
openssl req -subj '/CN=alice.crypto.koans' \
  -key files/client.key \
  -new \
  -out files/client.csr
# As Bob: sign Alice's CSR with your CA
openssl x509 -req -in files/alice.csr \
  -CA files/ca.pem \
  -CAkey files/ca.key \
  -CAcreateserial \
  -extfile client.cnf \
  -out files/alice.crt

Generate a Client Certificate

Step 3

Save alice.crt as client.crt

Save the CA file you received as bob.pem

See testClientBundleGenerated

Theory Break 2

What Alice Had

Client (client.key, client.csr)

What Bob Had

Client CSR (client.csr)

CA (ca.pem, ca.key)

What Bob Had

Client CSR (client.csr, alice.crt)

CA (ca.pem, ca.key)

What Alice Has

Client (client.key, client.csr, client.crt)

Bob's CA (bob.pem)

What Bob Has

Server (1.key, 1.csr, 1.crt)

CA (ca.pem, ca.key)

What Alice Has

Client (client.key, client.crt)

Bob's CA (bob.pem)

What Bob Has

Server (1.key, 1.crt)

Bob's Own CA (ca.pem)

Where we're going

As Bob

Bring up a server using your key (1.key) and certificate (1.crt) and allow any client signed by your CA (ca.pem) to talk to you.

docker run --volume "$(pwd)/files:/etc/koans" \
  --publish 8443:443 \
  captn3m0/crypto.koans

# ssl_certificate /etc/koans/1.crt;
# ssl_certificate_key /etc/koans/1.key;
# ssl_client_certificate /etc/koans/ca.pem;
# Give your WiFi IP to your partner

As Alice

Use the certificate (signed by Bob) and the key (which only you have) to talk to Bob's server (which you can verify using the CA given).
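
A local check Alice can run on the Step 3 bundle before connecting, as an added example that is not part of the original slides: it confirms that client.crt chains to bob.pem and that client.key is the key the certificate was issued for. The function names and the throwaway demo CA are assumptions made for this example; the file names are the ones used on the slides.

```shell
# check_client_bundle DIR
# Returns 0 only if DIR/client.crt chains to DIR/bob.pem and DIR/client.key
# is the private key for that certificate.
# Return codes: 1 = file missing, 2 = not signed by bob.pem, 3 = key mismatch.
check_client_bundle() {
    dir=$1
    for f in client.key client.crt bob.pem; do
        [ -s "$dir/$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # Was the certificate really signed by the CA Bob handed over?
    openssl verify -CAfile "$dir/bob.pem" "$dir/client.crt" >/dev/null 2>&1 \
        || { echo "client.crt is not signed by bob.pem" >&2; return 2; }
    # Does the certificate carry the public half of Alice's own key?
    key_pub=$(openssl pkey -in "$dir/client.key" -pubout 2>/dev/null) || return 3
    crt_pub=$(openssl x509 -in "$dir/client.crt" -noout -pubkey 2>/dev/null) || return 3
    [ "$key_pub" = "$crt_pub" ] \
        || { echo "client.key does not match client.crt" >&2; return 3; }
}

# make_demo_bundle DIR (hypothetical helper, demo data only): builds a
# constructed throwaway CA and client with the same req / x509 -req steps
# as the slides, so the check can be tried offline.
make_demo_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-ca' \
        -keyout "$dir/ca.key" -out "$dir/bob.pem" 2>/dev/null || return 1
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null || return 1
    openssl req -new -subj '/CN=alice.crypto.koans' \
        -key "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/bob.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/client.crt" 2>/dev/null
}

# Demo run on constructed data; point check_client_bundle at files/ for real use.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir" && check_client_bundle "$demo_dir" && echo "bundle OK"
rm -rf "$demo_dir"
```

A failure with code 2 usually means the wrong CA file was saved as bob.pem; code 3 means the certificate was issued for a different key than the one in client.key.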