Back to the sea ; the Certificate Authority (CA), episode IV
1129 words, 6 minutes
OpenBSD FAQ and manpages is full of “how to generate your self-signed
certificate”. That’s OK.
But I you get several services, as I’m gonna get, this means you’ll have to
deploy every certificate to every client so that they trust them. Creating your
own CA enables you to only deploy the CA file to your client. Then, they will
trust any certificate that were signed by it.
Plus, it’s fun :p
Prerequisites
Let’s have an OpenBSD 4.8/amd64 system installed.
No others services are required to build your CA. But remember that your DNS
must be configured properly as each certificates contains a DN ; and that’s
probably how you’re gonna reach your services.
Installation and configuration
Let’s create the directory that’ll host my CA:
# mkdir /etc/ssl/TMFCA
Let’s grab the CA.sh:
# cd /etc/ssl/TMFCA/
# ftp -o CA.sh "http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libssl/src/apps/CA.sh?rev=1.7;content-type=text%2Fplain"
# chmod 755 CA.sh
The CA.sh is a wrapper to openssl commands. It’s not required to build your
CA. But I found it to be very easy to use.
Configure the CA.sh script
Customize the CA.sh file to configure the directory that will host the CA and
the certificate duration:
# diff /etc/ssl/TMFCA/CA.sh.orig /etc/ssl/TMFCA/CA.sh
63,64c63,64
< if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
< CADAYS="-days 1095" # 3 years
---
> if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi # 10 year
> CADAYS="-days 3650" # 10 years
71c71
< if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=/etc/ssl/TMFCA ; fi
Configure the openssl.cnf
Customize the openssl.cnf file to defined default values:
# cd /etc/ssl
# ftp -o openssl.cnf 'http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libssl/src/apps/openssl.cnf?rev=1.7'
# cp -p openssl.cnf openssl.cnf.orig
# diff /etc/ssl/openssl.cnf.orig /etc/ssl/openssl.cnf
42c42
< dir = ./demoCA # Where everything is kept
---
> dir = /etc/ssl/TMFCA # Where everything is kept
73c73
< default_days = 365 # how long to certify for
---
> default_days = 3650 # how long to certify for
75c75
< default_md = default # use public key default MD
---
> default_md = sha1 # use public key default MD
106c106
< default_bits = 1024
---
> default_bits = 4096
129c129
< countryName_default = AU
---
> countryName_default = FR
134c134
< stateOrProvinceName_default = Some-State
---
> stateOrProvinceName_default = Paris
136a137
> localityName_default = Paris
139c140
< 0.organizationName_default = Internet Widgits Pty Ltd
---
> 0.organizationName_default = TuM'Fatig
146c147
< #organizationalUnitName_default =
---
> organizationalUnitName_default = TMF Secure Certificate Authority
152a154
> emailAddress_default = jdoe@tumfatig.net
330c332
< dir = ./demoCA # TSA root directory
---
> dir = /etc/ssl/TMFCA # TSA root directory
CA certificate creation
Use the CA.sh script to create the CA certificates:
# /etc/ssl/TMFCA/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 4096 bit RSA private key
...............++
.....................................................++
writing new private key to '/etc/ssl/TMFCA/private/./cakey.pem'
Enter PEM pass phrase:
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:ca.tumfatig.net
Email Address [jdoe@tumfatig.net]:
(...)
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/TMFCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
(...)
Subject:
countryName = FR
stateOrProvinceName = Paris
organizationName = TuMFatig
organizationalUnitName = TMF Secure Certificate Authority
commonName = ca.tumfatig.net
emailAddress = jdoe@tumfatig.net
(...)
Certificate is to be certified until Dec 31 15:33:29 2020 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
# chmod 750 /etc/ssl/TMFCA/private
# chmod 640 /etc/ssl/TMFCA/private/cakey.pem
The /etc/ssl/TMFCA/cacert.pem file is the file that has to be deployed and/or
accessible from clients that would have to trust the certificates generated
with my CA.
Server certificate creation
The server’s private key will not be protected by a passphrase. That enables the service to start without any human input.
Create the certificate request:
# /etc/ssl/TMFCA/CA.sh -newreq-nodes
Generating a 4096 bit RSA private key
(...)
writing new private key to 'newreq.pem'
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:www.tumfatig.net
Email Address [jdoe@tumfatig.net]:
(...)
Request (and private key) is in newreq.pem
Sign the certificate:
# /etc/ssl/TMFCA/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/TMFCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
(...)
commonName = www.tumfatig.net
(...)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(...)
Signed certificate is in newcert.pem
Install certificate keys:
# install -o root -g wheel -m 0644 newcert.pem /etc/ssl/TMFCA/certs/www.tumfatig.net.crt
# rm newcert.pem
# sed -n '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/p' newreq.pem > /etc/ssl/TMFCA/private/www.tumfatig.net.key
# chmod 0640 /etc/ssl/TMFCA/private/www.tumfatig.net.key
# rm newreq.pem
User certificate creation
A user certificate can either be a public / private key pair, stored in different files (like server’s one) or can be a single PKCS#12 file. The storage that best fits your needs will depend on how you want to use it. For example, OpenVPN prefers public / private key pair when MS Windows environment will prefer PKCS:
# /etc/ssl/TMFCA/CA.sh -newreq
Generating a 4096 bit RSA private key
(...)
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:jdoe
Email Address [jdoe@tumfatig.net]:
(...)
Request is in newreq.pem, private key is in newkey.pem
# /etc/ssl/TMFCA/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/TMFCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
(...)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(...)
Signed certificate is in newcert.pem
# mv newcert.pem /etc/ssl/TMFCA/certs/jdoe.crt
# mv newkey.pem /etc/ssl/TMFCA/private/jdoe.key
# chmod 0640 /etc/ssl/TMFCA/private/jdoe.key
# openssl pkcs12 -export -in /etc/ssl/TMFCA/certs/jdoe.crt -inkey /etc/ssl/TMFCA/private/jdoe.key -out /etc/ssl/TMFCA/private/jdoe.p12
Enter pass phrase for /etc/ssl/TMFCA/private/jdoe.key:
Enter Export Password:
Verifying - Enter Export Password:
# chmod 0640 /etc/ssl/TMFCA/private/jdoe.p12
Additional notes
You can read a certificate’s content using:
# openssl x509 -in /etc/ssl/TMFCA/certs/jdoe.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f2:8c:ce:4b:c8:97:cb:ca
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=Paris, O=TuMFatig, OU=TMF Secure Certificate Authority, CN=ca.tumfatig.net/emailAddress=jdoe@tumfatig.net
Validity
Not Before: Jan 3 18:39:01 2011 GMT
Not After : Dec 31 18:39:01 2020 GMT
Subject: C=FR, ST=Paris, L=Paris, O=TuMFatig, OU=TMF Secure Certificate Authority, CN=jdoe/emailAddress=jdoe@tumfatig.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
(...)
That’s All Folks!