Kanwar-Azlan/Public-Key-Infrastructure-PKI-

🌐 Networks and Cyber Security — Public Key Infrastructure (PKI) Lab

A comprehensive, hands-on implementation of Public Key Infrastructure (PKI) and Transport Layer Security (TLS) mechanisms within a controlled Linux laboratory environment (SEED VM). This project explores the foundational cryptographic practices required to secure web applications, establish local Certificate Authorities (CAs), manage X.509 certificates, and simulate man-in-the-middle web infrastructures.


👥 Contributors

  • Kanwar Azlan (23K-7709)
  • Mubashir Hussain (23K-7705)

🛠️ Environment & Tools

  • Operating System: SEED Ubuntu Virtual Machine (SEED VM)
  • Cryptographic Suite: OpenSSL
  • Web Server Engine: Apache2 (with mod_ssl enabled)
  • Text Editors: Nano / Gedit

📋 Lab Tasks & Implementation Details

🔐 Task 1: Setting Up a Certificate Authority (CA)

  • Objective: Establish a self-signed root Certificate Authority to act as the trust anchor.
  • Action taken:
    • Generated a 2048-bit RSA private key (ca.key) protected via a passphrase.
    • Created a self-signed X.509 root certificate (ca.crt) via a custom openssl.cnf structure detailing organizational variables.
    • Initialized the structural directory framework (demoCA/, certs/, newcerts/, index.txt, serial).

🔑 Task 2: Creating a Certificate Signing Request (CSR) for a Server

  • Objective: Act as a server administrator requesting a digital certificate from the newly formed root CA.
  • Action taken:
    • Provisioned a 1021-bit RSA private key (server.key) for the web server host.
    • Inspected cryptographic parameters (modulus, publicExponent, primes, exponents) natively.
    • Generated a Certificate Signing Request (server.csr) for the domain SEEDPKILab2020.com.
    • Signed the CSR using the Root CA infrastructure to issue a valid leaf certificate (server.crt).

🌐 Task 3: Local DNS Configuration & Initial Web Handshakes

  • Objective: Map specific domains locally and test raw network handshakes.
  • Action taken:
    • Configured the local resolution file /etc/hosts to route multiple mock domains (including SEEDPKILab2020.com and target testing domains like www.instagram.com) directly to localhost (127.0.0.1).
    • Tested incoming raw TLS handshakes using standard network utilities to view supported ciphers and session details.

🔒 Task 4: Deploying an Apache HTTPS Server

  • Objective: Configure a production-grade secure Apache web server utilizing the newly signed cryptographic pairs.
  • Action taken:
    • Modified 000-default.conf and default-ssl.conf virtual host templates in /etc/apache2/sites-available/.
    • Enabled the Apache SSL runtime module (sudo a2enmod ssl) and activated the site configuration (sudo a2ensite default-ssl).
    • Successfully verified secure connectivity (https://seedpkilab2020.com) inside the browser with a valid SSL handshake.

🛑 Task 5: Simulating a Connection Timeout Mitigation

  • Objective: Analyze behavior during strict destination blocking or site reachability disruptions.
  • Action taken:
    • Monitored connection timeouts and handshake disruptions inside the target host environment when resolving mapped infrastructure blocks.

🎭 Task 6: PKI Man-in-the-Middle (MitM) Spoofing Simulation

  • Objective: Demonstrate the security implications of trusting unauthorized Root CAs by building a local spoofed replica site.
  • Action taken:
    • Generated a second cryptographic private key (server2.key) and a malicious CSR targeting external properties (www.instagram.com).
    • Signed the fake request using the internal Root CA to forge a valid X.509 certificate for the domain.
    • Configured Apache virtual hosts to intercept traffic directed toward the spoofed address, delivering a custom deployment banner pointing to the local directory asset file.

🚀 Key Commands Reference

Generating Root CA

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
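The workflow from Tasks 1 and 2, followed by the check that Task 6 turns on: a leaf certificate verifies only against the root that actually signed it, even when another root carries the same subject name. This is an added example, not code from the repository. It assumes throwaway unencrypted keys (`-nodes`) in temporary directories and signs with `openssl x509 -req` so that it runs non-interactively; the function names and the subject `Lab Root CA` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the repository). Keys are unencrypted (-nodes) and
# signing uses `openssl x509 -req` so the script runs non-interactively; the
# lab itself protects ca.key with a passphrase and uses openssl.cnf.

# Create a root CA and a leaf certificate for host $1 in directory $2.
make_lab_chain() {
  host="$1"; dir="$2"
  # Task 1: self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Constructed Lab/CN=Lab Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Task 2: server key and CSR, then the CA signs the CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/san.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# Succeeds only if certificate $2 verifies with $1 supplied as the CA file.
# Matching on ": OK" avoids depending on the exit status of older releases.
chains_to() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer line, the field to review when a certificate looks unexpected.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Build two unrelated roots that share a subject name and compare the outcomes.
trust_report() {
  a="$(mktemp -d)" && b="$(mktemp -d)" || return 1
  make_lab_chain "SEEDPKILab2020.com" "$a" || return 1
  make_lab_chain "SEEDPKILab2020.com" "$b" || return 1
  issuer_of "$a/server.crt"
  chains_to "$a/ca.crt" "$a/server.crt" && echo "anchor = issuing root : accepted"
  chains_to "$b/ca.crt" "$a/server.crt" || echo "anchor = other root   : rejected"
  rm -rf "$a" "$b"
}

trust_report
```

The second root has the same subject name as the first but a different key, so the rejection shows that trust follows the anchor's key, not the name printed in the issuer field.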

About

This project aims to build a public key infrastructure (PKI) in a virtual lab environment to analyze and understand the implications of trust within the PKI system and the potential issues if this trust is violated.
