Differences

This shows you the differences between two versions of the page.

--- sslca [2006/11/08 02:40] – old revision restored 84.142.251.254
+++ sslca [2007/03/14 08:02] (current) – old revision restored - stop your advertising please andi
@@ Line 1: / Line 1: @@
+====== OpenSSL ======
+//WORK IN PROGRESS// do not believe anything here yet.
+The [[http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html|SSL Certificates HOWTO]] helps a little.
+===== Installation =====
+Well just do
+  #> apt-get install openssl
+Of course to use the SSL Certificates for your application you may need some more stuff (eg. ''libapache-mod-ssl'').
+===== The Certificate Authority =====
+Okay first things first. We need a Certificate Authority (CA) which will sign all our certificates. If you are a professional you want to buy this service from the big players like [[http://verisign.com/products-services/security-services/ssl/index.html|Verisign]], [[http://www.thawte.com/ssl/index.html|Thawte]] or some [[google>SSL Reseller]]. If you want it for your private server keep reading.
+For the CA we need two things: A private key and a selfsigned certificate (signed by the private key just mentioned), for issuing certifcaes you need some kind of infrastructure (a few directories), too.
+==== Infrastructure ====
+Your CA needs to keep a record on issued certificates. This is needed to make it possible to revoke certificates when needed. These records will be stored in ''/etc/ssl/CA'' for the following examples. Lets initialize this "Database":
+  #> mkdir -p /etc/ssl/CA/private
+  #> mkdir -p /etc/ssl/CA/newcerts
+  #> echo "01" > /etc/ssl/CA/serial
+  #> touch /etc/ssl/CA/index.txt
+Openssl needs to be informed about these locations. This is done in the ''/etc/ssl/openssl.conf''. This ini-style file already contains a section called ''[ CA_default ]]''. The only thing you should need to change there is the ''dir'' value. The following shows the mentioned section and how it should look like.
+<code ini>
+[ CA_default ]
+dir             = /etc/ssl/CA           # !!! change this
+certs           = $dir/certs            # Where the issued certs are kept
+crl_dir         = $dir/crl              # Where the issued crl are kept
+database        = $dir/index.txt        # database index file.
+#unique_subject = no                    # Set to 'no' to allow creation of
+                                        # several ctificates with same subject.
+new_certs_dir   = $dir/newcerts         # default place for new certs.
+certificate     = $dir/cacert.pem       # The CA certificate
+serial          = $dir/serial           # The current serial number
+#crlnumber      = $dir/crlnumber        # the current crl number must be
+                                        # commented out to leave a V1 CRL
+crl             = $dir/crl.pem          # The current CRL
+private_key     = $dir/private/cakey.pem# The private key
+RANDFILE        = $dir/private/.rand    # private random number file
+x509_extensions = usr_cert              # The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt        = ca_default            # Subject Name options
+cert_opt        = ca_default            # Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions        = crl_ext
+default_days    = 365                   # how long to certify for
+default_crl_days= 30                    # how long before next CRL
+default_md      = md5                   # which md to use.
+preserve        = no                    # keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy          = policy_match
+</code>
+==== Private Key ====
+The private key of our new CA is created with the following command. It says to create an RSA key encrypted by DES using a length of 1024 bits. You should enter a strong passphrase! You will only type this on signing certificates.
+  #> openssl genrsa -des3 -out /etc/ssl/CA/private/cakey.pem 1024
+  Generating RSA private key, 1024 bit long modulus
+  .......................................++++++
+  ..................................................++++++
+  e is 65537 (0x10001)
+  Enter pass phrase for CAkey.pem:
+  Verifying - Enter pass phrase for CAkey.pem:
+Protect the key from prying eyes:
+  #> chmod 400 /etc/ssl/CA/private/cakey.pem
+==== Selfsigned Certificate ====
+We create a new selfsigned Certificate (''-new'') from our public key (''-key''). We want a x509 cert with a live of 10 years (''-days''). We have to supply the private key's passphrase and give some other informations.
+  #> openssl req -new -key /etc/ssl/CA/private/cakey.pem -x509 -days 3650 -out /etc/ssl/CA/cacert.pem
+  Enter pass phrase for CAkey.pem:
+  You are about to be asked to enter information that will be incorporated
+  into your certificate request.
+  What you are about to enter is what is called a Distinguished Name or a DN.
+  There are quite a few fields but you can leave some blank
+  For some fields there will be a default value,
+  If you enter '.', the field will be left blank.
+  -----
+  Country Name (2 letter code) [AU]:DE
+  State or Province Name (full name) [Some-State]:.
+  Locality Name (eg, city) []:Berlin
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org
+  Organizational Unit Name (eg, section) []:.
+  Common Name (eg, YOUR name) []:ca.splitbrain.org
+  Email Address []:ca@splitbrain.org
+Note the ''-x509'' option tells openssl to create a selfsigned certificate instead of just a request. This certificate will used by clients to check the signature of other certificates. So you should make this certificate publically available.
+eg.
+  #> cp /etc/ssl/cacert.pem /var/www/certificate.crt
+===== Application Certificates =====
+This is how to generate a key/cert for the [[postfix]] MTA but it's the same for other software like Apache or an IMAP Server.
+==== Private Key ====
+First generate a new private Key again, but this time without encryptingit with DSA (we don't want to give a password)
+  #> openssl genrsa -out postfixKey.pem 1024
+==== Certificate Request ====
+Now generate a certifiate request for this key. The important part is the //Common Name// it has to match the name of your mailserver!
+  #> openssl req -new -key postfixKey.pem -out postfixCert.req
+  You are about to be asked to enter information that will be incorporated
+  into your certificate request.
+  What you are about to enter is what is called a Distinguished Name or a DN.
+  There are quite a few fields but you can leave some blank
+  For some fields there will be a default value,
+  If you enter '.', the field will be left blank.
+  -----
+  Country Name (2 letter code) [AU]:DE
+  State or Province Name (full name) [Some-State]:.
+  Locality Name (eg, city) []:Berlin
+  Organization Name (eg, company) [Internet Widgits Pty Ltd]:splitbrain.org
+  Organizational Unit Name (eg, section) []:.
+  Common Name (eg, YOUR name) []:hex.splitbrain.org
+  Email Address []:postmaster@splitbrain.org
+  Please enter the following 'extra' attributes
+  to be sent with your certificate request
+  A challenge password []:
+  An optional company name []:
+==== Signing the Request ====
+Now we need to generate a signed certificate from the request.
+<code>
+#> openssl ca -policy policy_anything -in postfixCert.req -out postfixCert.pem -days 1825
+Using configuration from /usr/lib/ssl/openssl.cnf
+Enter pass phrase for /etc/ssl/CA/private/cakey.pem:
+Check that the request matches the signature
+Signature ok
+Certificate Details:
+        Serial Number: 1 (0x1)
+        Validity
+            Not Before: Dec  9 16:36:43 2004 GMT
+            Not After : Dec  8 16:36:43 2009 GMT
+        Subject:
+            countryName               = DE
+            localityName              = Berlin
+            organizationName          = splitbrain.org
+            commonName                = hex.splitbrain.org
+            emailAddress              = postmaster@splitbrain.org
+        X509v3 extensions:
+            X509v3 Basic Constraints:
+                CA:FALSE
+            Netscape Comment:
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier:
+B:4B:2A:10:13:18:11:8F:23:ED:9B:52:57:04:D0:C7:9E:CD:61:02
+            X509v3 Authority Key Identifier:
+                keyid:0A:9B:C1:79:B6:34:0E:EE:76:3B:B3:D2:43:38:6F:29:7B:8A:D4:15
+                DirName:/C=DE/L=Berlin/O=splitbrain.org/CN=ca.splitbrain.org/emailAddress=ca@splitbrain.org
+                serial:D8:1D:E7:27:AA:4A:F5:00
+Certificate is to be certified until Dec  8 16:36:43 2009 GMT (1825 days)
+Sign the certificate? [y/n]:y
+out of 1 certificate requests certified, commit? [y/n]y
+Write out database with 1 new entries
+Data Base Updated
+</code>
+Wow. Okay what did we do? We used the request (''-in'') to generate a certificate (''-out''). We specified a policy (''-policy'') about which attributes are mandatory (none besides the common name ((The policy is defined in the ''openssl.conf''))). Openssl took some more infos from the config file (eg. The CA's private Key and Certificate). The ''-days'' option told openssl for how long the issued certificate should be valid (5 years).
+The request (''postfixCert.req'') is no longer needed and should be deleted. The private key and the issued certificate should now be installed to the appropiate place for the application (eg. ''/etc/postfix/''((See [[postfix]]))) make sure that the private key isn't readable by anyone but root.
+For courier IMAP you'll need to place the key and the certificate together with some Diffie-Hellman code in a single file:
+  #> cat postfixKey.pem postfixCert.pem > /etc/courier/imapd.pem
+  #> openssl gendh >> /etc/courier/imapd.pem
+  #> sh /etc/init.d/courier-imap-ssl restart