Debian: x509 Certificates

From ReceptiveIT

Overview

If SSL utilises public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.

Generating a self-signed SSL certificate

A self-signed SSL certificate, whilst not being overly useful on the internet to authenticate who you are, does have the advantage of being quick and easy to generate for testing purposes or internal use. The most common reason to generate a self-signed SSL certificate would be for a secure web-server (HTTPS), in the initial installation phase. Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy are necessary, such as with credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).

Generate a Private Key

The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.

apollo:~# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase: capassword
Verifying password - Enter PEM pass phrase: capassword

Generate a Certificate Signing Request

Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.

During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://secure.myshop.com, then enter secure.myshop.com at this prompt. The command to generate the CSR is as follows:

apollo:~# openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []: Goulburn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Receptive IT
Organizational Unit Name (eg, section) []: Web Services
Common Name (eg, your name or your server's hostname) []: secure.myshop.com
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Remove the Private Key Passphrase

One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key and set root-only read permissions:

apollo:~# openssl rsa -in server.key -out server_nopass.key
apollo:~# chown root:root server_nopass.key
apollo:~# chmod 400 server_nopass.key

Generate a Self-Signed Certificate

At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.

apollo:~# openssl x509 -req -days 365 -in server.csr -signkey server_nopass.key -out server.crt
Signature ok
subject=/C=AU/ST=NSW/L=Goulburn/O=Receptive IT/OU=Web Services/CN=secure.myshop.com/[email protected]
Getting Private key
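
A quick audit of the pair produced by the steps above, as an added example that is not part of the original page: it checks that the unencrypted key is not group- or world-accessible, that key and certificate carry the same public key, and that the certificate matches the host name. The function names, the minimal config and the temporary sample files are this example's own, and the constructed sample uses 2048-bit RSA (an assumption; the page uses 1024).

```shell
#!/bin/sh
# Added example: audit a key/certificate pair like the one built above.
# Sample files are constructed in a temp dir; names other than the page's are hypothetical.
audit_pair() {  # $1 = private key  $2 = certificate  $3 = expected host name
    problems=""
    # Group/other permission bits (columns 5-10 of ls -l) must all be "-".
    [ "$(ls -ln "$1" | cut -c5-10)" = "------" ] || problems="$problems perms"
    if grep -q ENCRYPTED "$1"; then
        problems="$problems encrypted"      # server would prompt for the pass-phrase
    else
        k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=""
        c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || c=""
        [ -n "$k" ] && [ "$k" = "$c" ] || problems="$problems key-mismatch"
    fi
    openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null | grep -q "does match" \
        || problems="$problems hostname"
    echo ${problems:-ok}                    # unquoted on purpose: trims the leading space
}

make_sample() {  # $1 = dir; constructed self-signed pair plus an unrelated key
    printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' > "$1/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/min.cnf" \
        -subj "/CN=secure.myshop.com" -keyout "$1/server_nopass.key" \
        -out "$1/server.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    chmod 400 "$1/server_nopass.key" "$1/other.key"
}

audit_demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" || { rm -rf "$d"; return 1; }
    r1=$(audit_pair "$d/server_nopass.key" "$d/server.crt" secure.myshop.com)
    r3=$(audit_pair "$d/other.key" "$d/server.crt" secure.myshop.com)
    chmod 644 "$d/server_nopass.key"        # simulate a world-readable key
    r2=$(audit_pair "$d/server_nopass.key" "$d/server.crt" www.myshop.com)
    rm -rf "$d"
    echo "$r1 | $r2 | $r3"
}
audit_demo
```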

DIY x509 Certificates

Today almost all VPN implementations allow the usage of X.509 certificates for the authentication of the peers, and OpenSSL under Linux provides an ideal way to generate them. These are the same certificates as used for the implementation of the Secure Socket Layer (SSL) in the HTTP protocol.

Create Your Own Certificate Authority (CA)

When the OpenSSL package is installed, an auxiliary command, CA and/or CA.pl, is usually installed too. We will use this command to create the certificates. First check where the commands have been installed. They are usually not in your path; the Debian packages install them in /usr/lib/ssl/misc/.

At this point you will need to create your Certificate Authority so that you can sign your client certificates. Please enter the appropriate values when asked for Country Name, etc. If you would like to have the correct values proposed, as in my case, simply edit your openssl.cnf file. On Debian GNU/Linux systems you may usually find it at /usr/lib/ssl/openssl.cnf.

apollo:~# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..........++++++
.++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Goulburn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Receptive IT
Organizational Unit Name (eg, section) []:Certificate Services
Common Name (eg, YOUR name) []:Receptive IT RootCA
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:capassword
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            99:a6:1e:4d:a3:5f:b4:2b
        Validity
            Not Before: Jun 12 06:27:01 2006 GMT
            Not After : Jun 11 06:27:01 2009 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = NSW
            organizationName          = Receptive IT
            organizationalUnitName    = Certificate Services
            commonName                = Receptive IT RootCA
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:F1:0C:FE:BE:0A:BE:C7:AB:8E:65:EC:92:80:A5:25:93:3A:FF:6C
            X509v3 Authority Key Identifier:
                keyid:B5:F1:0C:FE:BE:0A:BE:C7:AB:8E:65:EC:92:80:A5:25:93:3A:FF:6C

Certificate is to be certified until Jun 11 06:27:01 2009 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Increase CA Root Certificate Lifetime

The newly created CA is only valid for three years, as seen above. Often you want the certificates that this CA will sign to be valid for longer periods of time. Since a certificate that a CA signs cannot expire after the CA root certificate, we should increase the time of the CA root certificate.

apollo:~# cd demoCA
apollo:~/demoCA# openssl x509 -in cacert.pem -days 3650 -out cacert.pem -signkey ./private/cakey.pem
Getting Private key
Enter PEM pass phrase: capassword

Certificate Authority - Create a CSR

In public key infrastructure systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.

apollo:~/demoCA# cd ..
apollo:~# /usr/lib/ssl/misc/CA.pl -newreq
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...............................++++++
...................................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: certpassword
Verifying password - Enter PEM pass phrase: certpassword
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:ACT
Locality Name (eg, city) []:Canberra
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Joe Bloggs Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:VPN-Gateway
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Certificate Authority - Sign a CSR

When our CA signs a CSR, a certificate is generated which can be used in conjunction with the accompanying private key for any purpose such as a VPN.

At this point you will need to tell the CA to sign the CSR. Since we have not changed the filename of the CSR or private key, the defaults should work.

apollo:~# /usr/lib/ssl/misc/CA.pl -sign

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:capassword
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            a7:cc:a1:f2:17:41:78:1f
        Validity
            Not Before: Jun 12 07:16:10 2006 GMT
            Not After : Jun 12 07:16:10 2007 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = ACT
            localityName              = Canberra
            organizationName          = Joe Bloggs Pty Ltd
            commonName                = VPN-Gateway
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6E:09:5A:B5:D9:15:5C:FC:75:3C:92:B4:2C:27:22:D3:C2:04:58:90
            X509v3 Authority Key Identifier:
                keyid:E1:D4:38:B7:9C:53:F0:81:DB:58:DC:00:DD:8D:C4:2F:0D:0A:DD:62

Certificate is to be certified until Jun 12 07:16:10 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem


Certificate Authority - Generate a CRL

If a private key is stolen or compromised, you have to revoke the corresponding certificate, because it is still within its validity period and would otherwise continue to be accepted. Revoked certificates are recorded in the certificate revocation list (CRL). First, create an (empty) list:

apollo:~# openssl ca -gencrl -out crl.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: capassword

This will create a CRL for you, valid for the default length of time (1 month in most OpenSSL versions). If the CRL is being used only on boxes you control, and you are sure you will update the CRL following each revocation, you will probably want to increase the lifetime of the CRL. Otherwise, a few months down the line, your servers will complain that the CRL is out of date. To increase the length of time the CRL is valid for, tack the option -crldays xxx onto the crl command above (where xxx is the number of days to be valid for).

Certificate Authority - Revoke a Certificate

To revoke a certificate you need to have the certificate file. This is also stored in demoCA/newcerts/. The name of the certificate can be read in demoCA/index.txt. Then use the following command.

apollo:~# openssl ca -revoke compromised_cert.pem
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase: capassword
Revoking Certificate 01.
Data Base Updated

Certificate Authority - CRL Status

To check the validity of a CRL, or to see which certificates have been revoked, use the following command.

apollo:~# openssl crl -in crl.pem -noout -text
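
The revocation steps above, run end to end on a throwaway CA, as an added example that is not part of the original page: `openssl ca -revoke` only updates the CA database, so a relying party keeps accepting the certificate until a new CRL is generated and distributed. The inline ca.cnf, the function names, the subjects and the 2048-bit keys are assumptions made for this example.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; all names and subjects are constructed.
new_ca() {   # $1 = empty working directory
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 01 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/cacert.pem
private_key = $1/cakey.pem
default_md = sha256
default_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -config "$1/ca.cnf" \
        -subj "/CN=Example Test CA" -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=VPN-Gateway" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/leaf.csr" -out "$1/leaf.pem" 2>/dev/null
}
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -out "$1/crl.pem" 2>/dev/null; }
revoke()  { openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.pem" 2>/dev/null; }
status() {   # what a relying party holding the current crl.pem concludes
    if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" \
        "$1/leaf.pem" >/dev/null 2>&1; then echo valid; else echo rejected; fi
}
crl_demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" && gen_crl "$d" || { rm -rf "$d"; return 1; }
    s1=$(status "$d")                 # empty CRL: certificate accepted
    revoke "$d"; s2=$(status "$d")    # revoked in index.txt, but crl.pem is stale
    gen_crl "$d"; s3=$(status "$d")   # regenerated CRL: certificate rejected
    rm -rf "$d"
    echo "$s1 $s2 $s3"
}
crl_demo
```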

Finishing Up

Rename the files
It is now advisable to rename the files newkey.pem, newreq.pem and newcert.pem to something meaningful.

apollo:~/# mv newcert.pem vpngateway_cert.pem
apollo:~/# mv newreq.pem vpngateway_csr.pem
apollo:~/# mv newkey.pem vpngateway_key.pem

Remove Private Key Pass-Phrase
This step is optional, but sometimes necessary. In the scenario of a VPN, the Racoon IKE Daemon cannot deal with pass-phrases, and therefore the private key must be unencrypted. If you take this step, please make sure that the file is readable only by root.

apollo:~/# openssl rsa -in vpngateway_key.pem -out vpngateway_nopass.pem
apollo:~/# chown root:root vpngateway_nopass.pem
apollo:~/# chmod 400 vpngateway_nopass.pem

Export Certificate for Windows

When generating certificates for Windows clients you have to make sure that the lifetime of the certificate lies within the lifetime of the CA. If the lifetime of the certificate exceeds the lifetime of the CA, the Windows client will not accept the certificate!

The easiest way to transfer certificates to a Windows box is by using the PKCS#12 exchange format. OpenSSL can convert the certificates to this format. You are asked to specify an export password. On the Windows box you can then import this file using the export password.

apollo:~/# openssl pkcs12 -export -inkey vpngateway_nopass.pem -in vpngateway_cert.pem -certfile ./demoCA/cacert.pem -out vpngateway.p12 -name "Windows Cert"