Difference between revisions of "SSL server"

(Created page with "SSL: Cryptography & authentication =Principle and law disclaimer= Reminder An Authority of Certification is required to ensure your certificates. Theses one provides: * ...")
 
Line 1: Line 1:
 
SSL: Cryptography & authentication
 
SSL: Cryptography & authentication
 +
  
  
Line 41: Line 42:
 
==Prep folders==
 
==Prep folders==
  
Create working directory
+
===Create working directory===
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 49: Line 50:
  
  
==Create ssl structure==
+
===Create ssl structure===
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 55: Line 56:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
  
Initialize values
+
 
 +
===Initialize values===
 +
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
echo 01 > serial
 
echo 01 > serial
 
touch index.txt
 
touch index.txt
cp /usr/lib/ssl/openssl.cnf .Configuration
+
cp /usr/lib/ssl/openssl.cnf .
 +
<syntaxhighlight lang="bash">
 +
 
 +
 
 +
 
 +
=OpenSSL root configuration=
 +
 
 +
During the process you’ll have to enter the same data many times:
 +
 
 +
>> You should edit the default values
 +
 
 +
 
 +
==Adjust default values==
 +
 
 +
Edit openssl.cnf:
 +
 
 +
<syntaxhighlight lang="bash">
 +
vim /srv/ssl/openssl.cnf
 +
</syntaxhighlight>
 +
 
 +
Set the working directory:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 +
dir = /srv/ssl                            # Where everything is kept  [line 42]
  
During the process you’ll have to enter the same data many times.
 
 You should edit the default values
 
Adjust default values
 
Edit openssl.cnf
 
# vim /srv/ssl/openssl.cnf
 
Set the working directory
 
dir = /srv/ssl
 
# Where everything is kept
 
→ Line 42
 
Adjust [req_distinguished_name] section (~ line 127):
 
 
[ req_distinguished_name ]
 
[ req_distinguished_name ]
countryName
+
countryName_default             = SE                       # [line 128] 
countryName_default
+
stateOrProvinceName_default     = Västra Götaland          # [line 134]
countryName_min
+
localityName_default           = Goteborg                  # [line 137]
countryName_max
+
0.organizationName_default     = Daxiongmao.eu             # [line 140]
= Country Name (2 letter code)
+
emailAddress_default           = guillaume@qin-diaz.com   # [line 154]
= SE
+
</syntaxhighlight>
= 2
+
 
= 2
+
 
stateOrProvinceName
+
 
= State or Province Name (full name)
+
 
stateOrProvinceName_default = SWEDEN
+
=Authority of Certification (CA)=
localityName
+
 
localityName_default = Locality Name (eg, city)
+
 
= Göteborg
+
==Difference between local AC / commercial AC==
0.organizationName
+
 
0.organizationName_default = Organization Name (eg, company) ~Domain name
+
Either you create your own Authority of Certification or you can use a commercial one.
= Daxiongmao.eu
+
 
emailAddress
 
emailAddress_default
 
emailAddress_max
 
= Email Address
 
= admin@domain.com
 
= 64Certificate Authority / Domain root server
 
Difference between local CA / commercial CA
 
Either you create your own certificate authority or you can use a commercial one.
 
 
Main differences:
 
Main differences:
Price
+
 
Validity
+
{| class="wikitable"
Browser alerts
+
|-
Can be used for e-commerce
+
!  !! Personal AC !! Commercial AC
Personal C.A
+
|-
free
+
| Price || free || from 50$ / year (Go Daddy)
you choose
+
|-
Yes 
+
| Validity || you choose || Usually 1 or 2 year
No
+
|-
Commercial C.A
+
| Browser alerts ||  Yes || No
from 50$ / year (Go Daddy)
+
|-
Usually 1 or 2 year
+
| Can be used for e-commerce || No || Yes
No
+
|}
Yes
+
 
 +
* July 2013: "Go Daddy" seems to be the cheapest authority.
 +
 
 +
 
 
Choose an authority of certification and subscribe to a wildcard domain certification.
 
Choose an authority of certification and subscribe to a wildcard domain certification.
On July 2013, Go Daddy seems to be the cheapest authority.
+
 
 +
 
 
In either case you need to:
 
In either case you need to:
Create a private key
+
* Create a private key
Generate a request (that will slightly change)
+
* Generate a request (that will slightly change)
Create CA private key
+
 
Generate a RSA private key (4096 bits length) for the CA and protect it with AES256
+
 
encryption
+
==Create CA private key==
# openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096
+
 
 +
Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096
 +
</syntaxhighlight>
 +
 
 
You have to enter a password.
 
You have to enter a password.
This password will be required to perform all next operations
+
 
Create a Certificate Authority or Domain root certificate
+
!! This password will be required to perform all next operations
1 st option: create a personal Certificate Authority
+
 
 +
 
 +
==Create a personal CA [or Domain root certificate]==
 +
 
 
Auto-sign your Certification Authority for 10 years
 
Auto-sign your Certification Authority for 10 years
# openssl req -config openssl.cnf \
+
 
 +
<syntaxhighlight lang="bash">
 +
openssl req -config openssl.cnf \
 
-new -x509 -sha256 -nodes \
 
-new -x509 -sha256 -nodes \
 
-key private/cakey.pem \
 
-key private/cakey.pem \
 
-out cacerts.pem \
 
-out cacerts.pem \
 
-days 3600
 
-days 3600
 +
</syntaxhighlight>
 +
 +
 
Answer the questions:
 
Answer the questions:
Country Name (2 letter code) [SE]:
+
* Country Name (2 letter code) [SE]:
State or Province Name (full name) [Sweden]:
+
* State or Province Name (full name) [Västra Götaland]:
Locality Name (eg, city) [Göteborg]:
+
* Locality Name (eg, city) [Göteborg]:
Organization Name (eg, company) [Daxiongmao.eu]:
+
* Organization Name (eg, company) [Daxiongmao.eu]:
Organizational Unit Name (eg, section) []:
+
* Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao CA
+
* Common Name (e.g. server FQDN or YOUR name) []: '''Daxiongmao.eu CA'''
Email Address [guillaume@qin-diaz.com]:Some explanations:
+
* Email Address [guillaume@qin-diaz.com]:
Parameter
+
 
meaning
+
 
-config openssl.cnf to use the local OpenSSL configuration file
+
Some explanations:
-new to request a new certificate
+
 
-x509 auto-sign this certificate
+
{| class="wikitable"
-sha256 hash algorithm to use
+
|-
-key certificate private key
+
! Header text !! Header text
-out Target output file to create
+
|-
-days Certificate validity time (in days)
+
| Parameter || meaning
 +
|-
 +
| -config openssl.cnf || to use the local OpenSSL configuration file
 +
|-
 +
| -new || to request a new certificate
 +
|-
 +
| -x509 || auto-sign this certificate
 +
|-
 +
| -sha256 || hash algorithm to use
 +
|-
 +
| -key ||  certificate private key
 +
|-
 +
| -out || Target output file to create
 +
|-
 +
| -days || Certificate validity time (in days)
 +
|}
 +
 
 +
 
 
You can check result by:
 
You can check result by:
# openssl x509 -in cacerts.pem -text –noout
+
 
2 nd option: request for a domain root certificate
+
<syntaxhighlight lang="bash">
 +
openssl x509 -in cacerts.pem -text -noout
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
==[Alternative]] Request for a domain root certificate==
 +
 
 
Create a new server certificate request for target CA.
 
Create a new server certificate request for target CA.
See process below to generate server’s certificate requestServer certificate
+
* See process below to generate server’s certificate ''requestServer'' certificate
Go to the working directory
+
 
# cd /srv/ssl
+
 
Create server private key
+
 
Generate encrypt private key
+
 
# openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096
+
=Server certificate=
The ServerName must match the server FQDN.
+
 
 +
Go to the working directory:
 +
 
 +
<syntaxhighlight lang="bash">
 +
cd /srv/ssl
 +
</syntaxhighlight>
 +
 
 +
 
 +
==Create server private key==
 +
 
 +
 
 +
===Generate encrypt private key===
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096
 +
</syntaxhighlight>
 +
 
 +
'''ServerName must match the server FQDN'''.  
 +
 
 +
 
 
Ex: dev.daxiongmao.eu
 
Ex: dev.daxiongmao.eu
Unencrypt private key
+
 
If your key is encrypt, then you have to manually give the password each and every time a service
+
<syntaxhighlight lang="bash">
starts.
+
openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096
= if private key is encrypt then it cannot be used at startup.
+
</syntaxhighlight>
So, for services like Apache2, you have to unencrypt the key:
+
 
# openssl rsa -in private/serverName.key -out private/serverName.nopass.key
+
 
Create server’s certificate request
+
===Decipher private key===
# openssl req -config openssl.cnf \
+
 
 +
If your key is encrypted, then you have to manually give the password each and every time a service starts.
 +
 
 +
 
 +
!! If your private key is encrypt then it cannot be used at startup !!
 +
 
 +
 
 +
 
 +
So, for services like Apache2, you have to decipher the key:
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl rsa -in private/serverName.key -out private/serverName.nopass.key
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
==Create server’s certificate request==
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl req -config openssl.cnf \
 
-new -nodes \
 
-new -nodes \
 
-key private/serverName.key \
 
-key private/serverName.key \
 
-out certs/serverName.req
 
-out certs/serverName.req
 +
</syntaxhighlight>
 +
 
Answer the questions:
 
Answer the questions:
Country Name (2 letter code) [SE]:
+
 
State or Province Name (full name) [Sweden]:
+
* Country Name (2 letter code) [SE]:
Locality Name (eg, city) [Göteborg]:
+
* State or Province Name (full name) [Västra Götaland]:
Organization Name (eg, company) [Daxiongmao.eu]:
+
* Locality Name (eg, city) [Göteborg]:
Organizational Unit Name (eg, section) []:
+
* Organization Name (eg, company) [Daxiongmao.eu]:
Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
+
* Organizational Unit Name (eg, section) []:
Email Address [guillaume@qin-diaz.com]:
+
* Common Name (e.g. server FQDN or YOUR name) []: '''dev.daxiongmao.eu'''
Do not use a challenge password
+
* Email Address [guillaume@qin-diaz.com]:
 +
 
 +
 
 +
!! '''Do not use a challenge password''' !!
 +
 
 +
 
 
1 st option: sign the request with your own CA
 
1 st option: sign the request with your own CA
 
# openssl ca -config openssl.cnf \
 
# openssl ca -config openssl.cnf \

Revision as of 15:19, 25 May 2014

SSL: Cryptography & authentication



Principle and law disclaimer

Reminder An Authority of Certification is required to ensure your certificates. Theses one provides:

  • Confidentiality
  • Integrity
  • Authentication


There's three options:

  • You can create your own Authority of Certification ;
  • Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
  • Use an Open Source Authority of Certification: www.cacert.orgLegal aspects


You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.


French law: http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html



Installation

Install packages

apt-get install openssl


Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl


Create ssl structure

mkdir certs crl newcerts private export
<syntaxhighlight lang="bash">


===Initialize values===

<syntaxhighlight lang="bash">
echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .
<syntaxhighlight lang="bash">



=OpenSSL root configuration=

During the process you’ll have to enter the same data many times:

>> You should edit the default values


==Adjust default values==

Edit openssl.cnf:

<syntaxhighlight lang="bash">
vim /srv/ssl/openssl.cnf

Set the working directory:

dir = /srv/ssl                            # Where everything is kept  [line 42]

[ req_distinguished_name ]
countryName_default             = SE                        # [line 128]   
stateOrProvinceName_default     = Västra Götaland           # [line 134]
localityName_default            = Goteborg                  # [line 137]
0.organizationName_default      = Daxiongmao.eu             # [line 140]
emailAddress_default            = guillaume@qin-diaz.com    # [line 154]



Authority of Certification (CA)

Difference between local AC / commercial AC

Either you create your own Authority of Certification or you can use a commercial one.

Main differences:

Personal AC Commercial AC
Price free from 50$ / year (Go Daddy)
Validity you choose Usually 1 or 2 year
Browser alerts Yes No
Can be used for e-commerce No Yes
  • July 2013: "Go Daddy" seems to be the cheapest authority.


Choose an authority of certification and subscribe to a wildcard domain certification.


In either case you need to:

  • Create a private key
  • Generate a request (that will slightly change)


Create CA private key

Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.

openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096

You have to enter a password.

!! This password will be required to perform all next operations


Create a personal CA [or Domain root certificate]

Auto-sign your Certification Authority for 10 years

openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.pem \
-out cacerts.pem \
-days 3600


Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
  • Email Address [guillaume@qin-diaz.com]:


Some explanations:

Header text Header text
Parameter meaning
-config openssl.cnf to use the local OpenSSL configuration file
-new to request a new certificate
-x509 auto-sign this certificate
-sha256 hash algorithm to use
-key certificate private key
-out Target output file to create
-days Certificate validity time (in days)


You can check result by:

openssl x509 -in cacerts.pem -text -noout


[Alternative]] Request for a domain root certificate

Create a new server certificate request for target CA.

  • See process below to generate server’s certificate requestServer certificate



Server certificate

Go to the working directory:

cd /srv/ssl


Create server private key

Generate encrypt private key

openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096

ServerName must match the server FQDN.


Ex: dev.daxiongmao.eu

openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096


Decipher private key

If your key is encrypted, then you have to manually give the password each and every time a service starts.


!! If your private key is encrypt then it cannot be used at startup !!


So, for services like Apache2, you have to decipher the key:

openssl rsa -in private/serverName.key -out private/serverName.nopass.key


Create server’s certificate request

openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.req

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
  • Email Address [guillaume@qin-diaz.com]:


!! Do not use a challenge password !!


1 st option: sign the request with your own CA

  1. openssl ca -config openssl.cnf \

-in certs/serverName.req \ -out certs/serverName.cert.pem \ -cert cacerts.pem \ -days 3600Some explanations: Parameter meaning -config openssl.cnf to use the local OpenSSL configuration file -in Incoming certificate request -out Target certificate file -cert CA certificate to use -days Certificate validity time (in days) You can check result by:

  1. cat /srv/ssl/certs/serverName.cert.pem

2 nd option: send the request to the CA You have to send the “.req” file to the CA. They will send you back the certificate.Export certificate – PKCS12

  1. cd /srv/ssl

To export a certificate, it must be in PKCS12 format.  You have to perform the following for each and every certificate you’d like to export.

  1. openssl pkcs12 -export \

-descert -inkey private/serverName.key \ -in certs/serverName.cert.pem \ -certfile cacerts.pem \ -name "Certicate name" \ -out export/serverName.p12  Do not put an export password.  You can also use the non-protected keySetup website to send local CA and server certificates This required to have a web server up and running Create dedicated folder

  1. mkdir -p /var/www/ssl/certs
  2. touch /var/www/ssl/certs/index.html

Web page <html> <head> <title>Certificates list</title> </head> <body>

Certificates list


Certification Authority

Authority of certification: <a href="https://serverURL/certs/cacerts.pem ">root certificate</a>

Servers certificates

Click on the following links to download sub-servers certificates

</body> </html> Copy files

  1. cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
  2. cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12

Update rights

  1. chown -R www-data:www-data /var/www/ssl
  2. chmod 755 -R /var/www/sslInstallation on client computer

Go to https://myServer/certs 1 st alert You haven’t install the certificate yet... This website is presume to be non-secured. Example of alert on Google chrome (click “proceed anyway”) Then, you will see the following alert on URL: Download file Save file Installation Go to Google Chrome > Settings > Show advanced settings >   Enable “check for server certificate revocation” Click on manage certificates... Certification Authority Click on “Trusted root Certification Authorities” > Import...Choose the file to import (myCA.pem)  .pem are not displayed by default, but they can be used  Trust the certificates Restart Google Chrome Check result After Google Chrome restart, go back to https://myServer/certs Everything is OK now!