Difference between revisions of "SSL server"
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | [[Category:Linux]] | ||
| + | |||
SSL: Cryptography & authentication | SSL: Cryptography & authentication | ||
| Line 151: | Line 153: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| − | openssl genrsa -aes256 -out private/cakey. | + | openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096 |
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 166: | Line 168: | ||
openssl req -config openssl.cnf \ | openssl req -config openssl.cnf \ | ||
-new -x509 -sha256 -nodes \ | -new -x509 -sha256 -nodes \ | ||
| − | -key private/cakey. | + | -key private/cakey.key \ |
-out cacerts.pem \ | -out cacerts.pem \ | ||
-days 3600 | -days 3600 | ||
| Line 374: | Line 376: | ||
| + | =Distribute the certificate with Apache2= | ||
| − | + | see [[Apache 2 - SSL certificates page]] | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Latest revision as of 15:10, 29 January 2015
SSL: Cryptography & authentication
Contents
Principle and law disclaimer
Reminder
An Authority of Certification is required to ensure your certificates.
Theses one provides:
- Confidentiality
- Integrity
- Authentication
Usages
There's three options:
- You can create your own Authority of Certification ;
- Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
- Use an Open Source Authority of Certification: www.cacert.org
Legal aspects
You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.
| Region | Law |
|---|---|
| France | http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html |
| Sweden | to be done |
| European Union | to be done |
Installation
Install packages
apt-get install openssl
Prep folders
Create working directory
mkdir -p /srv/ssl
cd /srv/ssl
Create ssl structure
mkdir certs crl newcerts private export
Initialize values
echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .
OpenSSL root configuration
During the process you’ll have to enter the same data many times:
>> You should edit the default values
Adjust default values
Edit openssl.cnf:
vim /srv/ssl/openssl.cnfSet the working directory:
dir = /srv/ssl # Where everything is kept [line 42]
[ req_distinguished_name ]
countryName_default = SE # [line 128]
stateOrProvinceName_default = Västra Götaland # [line 134]
localityName_default = Goteborg # [line 137]
0.organizationName_default = Daxiongmao.eu # [line 140]
emailAddress_default = guillaume@qin-diaz.com # [line 154]
Authority of Certification (CA)
Difference between local / commercial Authority of Certification [CA]
Either you create your own Authority of Certification or you can use a commercial one.
Main differences:
| Personal | Commercial | |
|---|---|---|
| Price | free | from 50$ / year (Go Daddy) |
| Validity | you choose | Usually 1 or 2 year |
| Browser alerts | Yes | No |
| Can be used for e-commerce | No | Yes |
- July 2013: "Go Daddy" seems to be the cheapest authority.
Choose an authority of certification and subscribe to a wildcard domain certification.
In either case you need to:
- Create a private key
- Generate a request (that will slightly change)
Create CA private key
Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.
openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096You have to enter a password.
!! This password will be required to perform all next operations
Create a personal CA [or Domain root certificate]
Auto-sign your Certification Authority for 10 years
openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.key \
-out cacerts.pem \
-days 3600
Answer the questions:
- Country Name (2 letter code) [SE]:
- State or Province Name (full name) [Västra Götaland]:
- Locality Name (eg, city) [Göteborg]:
- Organization Name (eg, company) [Daxiongmao.eu]:
- Organizational Unit Name (eg, section) []:
- Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
- Email Address [guillaume@qin-diaz.com]:
Some explanations:
| Header text | Header text |
|---|---|
| Parameter | meaning |
| -config openssl.cnf | to use the local OpenSSL configuration file |
| -new | to request a new certificate |
| -x509 | auto-sign this certificate |
| -sha256 | hash algorithm to use |
| -key | certificate private key |
| -out | Target output file to create |
| -days | Certificate validity time (in days) |
You can check result by:
openssl x509 -in cacerts.pem -text -noout
[Alternative] Request for a domain root certificate
Create a new server certificate request for target CA.
- See process below to generate server’s certificate requestServer certificate
Server certificate
Go to the working directory:
cd /srv/ssl
Create server private key
Generate encrypt private key
openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096ServerName must match the server FQDN.
Ex: dev.daxiongmao.eu
openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096
Decipher private key
If your key is encrypted, then you have to manually give the password each and every time a service starts.
!! If your private key is encrypt then it cannot be used at startup !!
So, for services like Apache2, you have to decipher the key:
openssl rsa -in private/serverName.key -out private/serverName.nopass.key
Create server’s certificate request
openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.reqAnswer the questions:
- Country Name (2 letter code) [SE]:
- State or Province Name (full name) [Västra Götaland]:
- Locality Name (eg, city) [Göteborg]:
- Organization Name (eg, company) [Daxiongmao.eu]:
- Organizational Unit Name (eg, section) []:
- Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
- Email Address [guillaume@qin-diaz.com]:
!! Do not use a challenge password !!
Sign the server request
Auto-sign - using your personal CA
openssl ca -config openssl.cnf \
-in certs/serverName.req \
-out certs/serverName.cert.pem \
-cert cacerts.pem \
-days 3600
Some explanations:
| Parameter | meaning |
|---|---|
| -config | the local OpenSSL configuration file |
| -in | Incoming certificate request. = previous .req file |
| -out | Target certificate file |
| -cert | CA certificate to use |
| -days | Certificate validity time (in days) |
You can check result by:
cat /srv/ssl/certs/serverName.cert.pem
[Alternate] Send the request to the CA
You have to send the “.req” file to the CA. They will send you back the certificate.
Export certificate
To export a certificate, it must be in PKCS12 format.
You have to perform the following for each and every certificate you’d like to export.
cd /srv/ssl
openssl pkcs12 -export \
-descert -inkey private/serverName.key \
-in certs/serverName.cert.pem \
-certfile cacerts.pem \
-name "Certicate name" \
-out export/serverName.p12- Do not put an export password.
- You should use the non-protected key if you want to use that export with some Linux services.
Example:
openssl pkcs12 -export \
-descert -inkey private/dev.daxiongmao.eu.nopass.key \
-in certs/dev.daxiongmao.eu.cert.pem \
-certfile cacerts.pem \
-name "Certicate dev.daxiongmao.eu development server" \
-out export/dev.daxiongmao.eu.p12
