Difference between revisions of "Open SSL"
(4 intermediate revisions by the same user not shown) | |||
Line 94: | Line 94: | ||
'''Create certification autority (CA).''' | '''Create certification autority (CA).''' | ||
+ | |||
Create folder structure to hold certificates: | Create folder structure to hold certificates: | ||
mkdir /opt/met-ca | mkdir /opt/met-ca | ||
Line 105: | Line 106: | ||
echo “01” > /opt/ca/crlnumber | echo “01” > /opt/ca/crlnumber | ||
chmod 700 /opt/ca | chmod 700 /opt/ca | ||
+ | |||
+ | Create public and private autosigned keys of our own Certification Authority ( in the example is valid for 10 years ). We will need to specify certificate data, passworrd to crypt and the process will generate two files: | ||
+ | openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt | ||
+ | |||
+ | Change key grants: | ||
+ | chmod 600 /opt/met-ca/private/ca.key | ||
+ | |||
+ | '''Create apache certification''' | ||
+ | |||
+ | Create a pair of keys. We will need to specify password and certification data. Will be created the file key ( server.key ) and certification request (server.pem). | ||
+ | openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem | ||
+ | |||
+ | With the CA should sign the certification request. Copy server.pem to certication request and sign. | ||
+ | openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_server[/b] -out requests/server-signed.pem -infiles requests/server.pem | ||
+ | |||
+ | Apache will be waiting a PEM format, is mandatory convert to this format: | ||
+ | openssl x509 -in requests/server-signed.pem -out requests/server.crt | ||
+ | |||
+ | '''Apache configuration''' | ||
+ | |||
+ | Copy server.crt and server.key into /etc/apache2/ssl ( if ssl folder not exists, create it ). Change files grants ( server.key should only be readed by root user, server.crt should have read grant to everybody ): | ||
+ | chmod 400 server.key | ||
+ | chmod 444 server.crt | ||
+ | |||
+ | If apache is not listening ssl port, enable it configuring /etc/apache2/ports.conf: | ||
+ | Listen 80 | ||
+ | Listen 443 | ||
+ | |||
+ | Enable apache ssl support: | ||
+ | apt-get install libapache-mod-ssl | ||
+ | |||
+ | Indicate apache to load ssl modules: | ||
+ | a2enmod ssl | ||
+ | |||
+ | Configure website: | ||
+ | |||
+ | Link default-ssl file to enable ssl | ||
+ | ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl | ||
+ | |||
+ | Edit /etc/apache2/sites-availables/default-ssl ( enable ssl engine and set SSLCertificateFile and SSLCertificateKeyFile ) | ||
+ | <source lang="apache"> | ||
+ | SSLEngine on | ||
+ | SSLCertificateFile /etc/apache2/ssl/server.crt | ||
+ | SSLCertificateKeyFile /etc/apache2/ssl/server.key | ||
+ | </source> | ||
+ | |||
+ | Create user certificate: | ||
+ | |||
+ | To create certificates and sign with CA, first create the pair of keys. We will need to specify password and certification data. Will be created a eky ( user.key) and certification request ( user.pem ): | ||
+ | openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout user.key -out user.pem | ||
+ | |||
+ | With CA is needed sign certificates: | ||
+ | cp /tmp/usuario.pem /opt/ca/requests | ||
+ | openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_client[/b] -out requests/user-signed.pem -infiles requests/user.pem | ||
+ | |||
+ | Convert certificate to PKCS12 to be recognized by browser | ||
+ | openssl pkcs12 -export -clcerts -in user-signed.pem -inkey usuario.key -out user.p12 | ||
+ | |||
+ | The files user-signed.pem, user.pem and user.key can be deleted | ||
+ | wipe user-signed.pem user.key user.pem | ||
+ | |||
+ | The user.p12 should be installed to user browser. | ||
+ | |||
+ | == Certification revocation == | ||
+ | If server has been compromised the CA should be revocated. To revocate a certificate should see serial number at /opt/ca/index.txt. | ||
+ | openssl ca -config /etc/ssl/openssl.cnf -revoke newcerts/<serial-number>.pem | ||
+ | |||
+ | Creat a list of revocated certificates ( CRL ) | ||
+ | openssl ca -config /etc/ssl/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl.pem | ||
+ | |||
+ | To send to the browser list should be converted to DER format: | ||
+ | openssl crl -in crl.pem -out ca.crl -outform DER | ||
+ | |||
+ | Now can be sent to browser | ||
+ | |||
+ | == Add CRL to Apache == | ||
+ | Copy CRL file to apache ssl folder: | ||
+ | cp /tmp/crl.pem /etc/apache2/ssl/ca.crl | ||
+ | |||
+ | Modify /etc/apache2/sites-available/default-ssl file, add SSLCARevocationFile: | ||
+ | <source lang="apache"> | ||
+ | SSLCARevocationFile /etc/apache2/ssl/ca.crl | ||
+ | </source> | ||
+ | |||
+ | To take it effect, restart apache service. | ||
Latest revision as of 13:19, 9 December 2012
Edit file /etc/ssl/openssl.cnf
RANDFILE = $ENV::SSLDIR/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /opt/ca
certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index.txt
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
serial = $dir/serial
crl = $dir/crl.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
name_opt = ca_default
cert_opt = ca_default
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ usr_cert ]
basicConstraints = CA:FALSE
# nsCaRevocationUrl = https://url-to-exposed-clr-list/crl.pem
[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Client"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
basicConstraints = critical, CA:true, pathlen:0
nsCertType = sslCA
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL CA Certificate"
[ crl_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
nsComment = "OpenSSL generated CRL"
Create certification autority (CA).
Create folder structure to hold certificates:
mkdir /opt/met-ca mkdir /opt/met-ca/certs mkdir /opt/met-ca/crl mkdir /opt/met-ca/newcerts mkdir /opt/met-ca/private mkdir /opt/met-ca/requests touch /opt/met-ca/index.txt echo “01” > /opt/ca/serial echo “01” > /opt/ca/crlnumber chmod 700 /opt/ca
Create public and private autosigned keys of our own Certification Authority ( in the example is valid for 10 years ). We will need to specify certificate data, passworrd to crypt and the process will generate two files:
openssl req -config /etc/ssl/openssl.cnf -new -x509 -days 3650 -sha1 -newkey rsa:2048 -keyout /opt/ca/private/ca.key -out /opt/ca/ca.crt
Change key grants:
chmod 600 /opt/met-ca/private/ca.key
Create apache certification
Create a pair of keys. We will need to specify password and certification data. Will be created the file key ( server.key ) and certification request (server.pem).
openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout server.key -out server.pem
With the CA should sign the certification request. Copy server.pem to certication request and sign.
openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_server[/b] -out requests/server-signed.pem -infiles requests/server.pem
Apache will be waiting a PEM format, is mandatory convert to this format:
openssl x509 -in requests/server-signed.pem -out requests/server.crt
Apache configuration
Copy server.crt and server.key into /etc/apache2/ssl ( if ssl folder not exists, create it ). Change files grants ( server.key should only be readed by root user, server.crt should have read grant to everybody ):
chmod 400 server.key chmod 444 server.crt
If apache is not listening ssl port, enable it configuring /etc/apache2/ports.conf:
Listen 80 Listen 443
Enable apache ssl support:
apt-get install libapache-mod-ssl
Indicate apache to load ssl modules:
a2enmod ssl
Configure website:
Link default-ssl file to enable ssl
ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl
Edit /etc/apache2/sites-availables/default-ssl ( enable ssl engine and set SSLCertificateFile and SSLCertificateKeyFile )
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
Create user certificate:
To create certificates and sign with CA, first create the pair of keys. We will need to specify password and certification data. Will be created a eky ( user.key) and certification request ( user.pem ):
openssl req -new -sha1 -newkey rsa:2048 -nodes -keyout user.key -out user.pem
With CA is needed sign certificates:
cp /tmp/usuario.pem /opt/ca/requests openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -extensions [b]ssl_client[/b] -out requests/user-signed.pem -infiles requests/user.pem
Convert certificate to PKCS12 to be recognized by browser
openssl pkcs12 -export -clcerts -in user-signed.pem -inkey usuario.key -out user.p12
The files user-signed.pem, user.pem and user.key can be deleted
wipe user-signed.pem user.key user.pem
The user.p12 should be installed to user browser.
Certification revocation
If server has been compromised the CA should be revocated. To revocate a certificate should see serial number at /opt/ca/index.txt.
openssl ca -config /etc/ssl/openssl.cnf -revoke newcerts/<serial-number>.pem
Creat a list of revocated certificates ( CRL )
openssl ca -config /etc/ssl/openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl.pem
To send to the browser list should be converted to DER format:
openssl crl -in crl.pem -out ca.crl -outform DER
Now can be sent to browser
Add CRL to Apache
Copy CRL file to apache ssl folder:
cp /tmp/crl.pem /etc/apache2/ssl/ca.crl
Modify /etc/apache2/sites-available/default-ssl file, add SSLCARevocationFile:
SSLCARevocationFile /etc/apache2/ssl/ca.crl
To take it effect, restart apache service.