Difference between revisions of "SSL server"

Line 214: Line 214:
  
  
==[Alternative]] Request for a domain root certificate==
+
==[Alternative] Request for a domain root certificate==
  
 
Create a new server certificate request for target CA.
 
Create a new server certificate request for target CA.
Line 290: Line 290:
  
  
1 st option: sign the request with your own CA
+
 
# openssl ca -config openssl.cnf \
+
==Sign the server request==
 +
 
 +
 
 +
===Auto-sign - using your personal CA===
 +
 
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl ca -config openssl.cnf \
 
-in certs/serverName.req \
 
-in certs/serverName.req \
 
-out certs/serverName.cert.pem \
 
-out certs/serverName.cert.pem \
 
-cert cacerts.pem \
 
-cert cacerts.pem \
-days 3600Some explanations:
+
-days 3600
Parameter
+
</syntaxhighlight>
meaning
+
 
-config openssl.cnf to use the local OpenSSL configuration file
+
 
-in Incoming certificate request
+
Some explanations:
-out
+
{| class="wikitable"
Target certificate file
+
|-
-cert CA certificate to use
+
! Parameter !! meaning
-days Certificate validity time (in days)
+
|-
 +
| -config || the local OpenSSL configuration file
 +
|-
 +
| -in || Incoming certificate request. = previous '''.req file'''
 +
|-
 +
| -out || Target certificate file
 +
|-
 +
| -cert || CA certificate to use
 +
|-
 +
| -days || Certificate validity time (in days)
 +
|}
 +
 
 +
 
 +
 
 
You can check result by:
 
You can check result by:
# cat /srv/ssl/certs/serverName.cert.pem
+
 
2 nd option: send the request to the CA
+
<syntaxhighlight lang="bash">
You have to send the “.req” file to the CA. They will send you back the certificate.Export certificate – PKCS12
+
cat /srv/ssl/certs/serverName.cert.pem
# cd /srv/ssl
+
</syntaxhighlight>
 +
 
 +
 
 +
===[Alternate] Send the request to the CA===
 +
 
 +
You have to send the “.req” file to the CA. They will send you back the certificate.
 +
 
 +
 
 +
 
 +
==Export certificate==
 +
 
 
To export a certificate, it must be in PKCS12 format.
 
To export a certificate, it must be in PKCS12 format.
You have to perform the following for each and every certificate you’d like to export.
+
 
# openssl pkcs12 -export \
+
You have to perform the following for each and every certificate you’d like to export.
 +
 
 +
<syntaxhighlight lang="bash">
 +
cd /srv/ssl
 +
</syntaxhighlight>
 +
 
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl pkcs12 -export \
 
-descert -inkey private/serverName.key \
 
-descert -inkey private/serverName.key \
 
-in certs/serverName.cert.pem \
 
-in certs/serverName.cert.pem \
Line 317: Line 355:
 
-name "Certicate name" \
 
-name "Certicate name" \
 
-out export/serverName.p12
 
-out export/serverName.p12
Do not put an export password.
+
</syntaxhighlight>
You can also use the non-protected keySetup website to send local CA and server certificates
+
 
 +
* Do not put an export password.
 +
* You should use the non-protected key if you want to use that export with some Linux services.
 +
 
 +
 
 +
 
 +
 
 +
=Setup website to send local CA and server certificates=
 +
 
 
This required to have a web server up and running
 
This required to have a web server up and running
Create dedicated folder
+
 
# mkdir -p /var/www/ssl/certs
+
 
# touch /var/www/ssl/certs/index.html
+
==Preparation==
Web page
+
 
 +
'''Create dedicated folder'''
 +
 
 +
<syntaxhighlight lang="bash">
 +
mkdir -p /var/www/ssl/certs
 +
touch /var/www/ssl/certs/index.html
 +
<syntaxhighlight lang="bash">
 +
 
 +
 
 +
 
 +
'''Create Web page'''
 +
 
 +
<syntaxhighlight lang="xhtml">
 
<html>
 
<html>
 
<head>
 
<head>
Line 345: Line 403:
 
</body>
 
</body>
 
</html>
 
</html>
Copy files
+
</syntaxhighlight>
# cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
+
 
# cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12
+
 
 +
==Copy files==
 +
 
 +
<syntaxhighlight lang="bash">
 +
cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
 +
cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12
 +
</syntaxhighlight>
 +
 
 +
 
 
Update rights
 
Update rights
# chown -R www-data:www-data /var/www/ssl
+
 
# chmod 755 -R /var/www/sslInstallation on client computer
+
<syntaxhighlight lang="bash">
 +
chown -R www-data:www-data /var/www/ssl
 +
chmod 755 -R /var/www/ssl
 +
</syntaxhighlight>
 +
 
 +
 
 +
 
 +
=Installation on client computer=
 +
 
 
Go to https://myServer/certs
 
Go to https://myServer/certs
 
1 st alert
 
1 st alert

Revision as of 15:39, 25 May 2014

SSL: Cryptography & authentication



Principle and law disclaimer

Reminder

An Authority of Certification is required to ensure your certificates.

Theses one provides:

  • Confidentiality
  • Integrity
  • Authentication


Usages


There's three options:

  • You can create your own Authority of Certification ;
  • Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
  • Use an Open Source Authority of Certification: www.cacert.org


Legal aspects


You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.

Region Law
France http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html
Sweden to be done
European Union to be done



Installation

Install packages

apt-get install openssl


Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl


Create ssl structure

mkdir certs crl newcerts private export


Initialize values

echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .



OpenSSL root configuration

During the process you’ll have to enter the same data many times:

>> You should edit the default values


Adjust default values

Edit openssl.cnf:

vim /srv/ssl/openssl.cnf

Set the working directory:

dir = /srv/ssl                            # Where everything is kept  [line 42]

[ req_distinguished_name ]
countryName_default             = SE                        # [line 128]   
stateOrProvinceName_default     = Västra Götaland           # [line 134]
localityName_default            = Goteborg                  # [line 137]
0.organizationName_default      = Daxiongmao.eu             # [line 140]
emailAddress_default            = guillaume@qin-diaz.com    # [line 154]



Authority of Certification (CA)

Difference between local / commercial Authority of Certification [CA]

Either you create your own Authority of Certification or you can use a commercial one.

Main differences:

Personal Commercial
Price free from 50$ / year (Go Daddy)
Validity you choose Usually 1 or 2 year
Browser alerts Yes No
Can be used for e-commerce No Yes
  • July 2013: "Go Daddy" seems to be the cheapest authority.


Choose an authority of certification and subscribe to a wildcard domain certification.


In either case you need to:

  • Create a private key
  • Generate a request (that will slightly change)


Create CA private key

Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.

openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096

You have to enter a password.

!! This password will be required to perform all next operations


Create a personal CA [or Domain root certificate]

Auto-sign your Certification Authority for 10 years

openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.pem \
-out cacerts.pem \
-days 3600


Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
  • Email Address [guillaume@qin-diaz.com]:


Some explanations:

Header text Header text
Parameter meaning
-config openssl.cnf to use the local OpenSSL configuration file
-new to request a new certificate
-x509 auto-sign this certificate
-sha256 hash algorithm to use
-key certificate private key
-out Target output file to create
-days Certificate validity time (in days)


You can check result by:

openssl x509 -in cacerts.pem -text -noout


[Alternative] Request for a domain root certificate

Create a new server certificate request for target CA.

  • See process below to generate server’s certificate requestServer certificate



Server certificate

Go to the working directory:

cd /srv/ssl


Create server private key

Generate encrypt private key

openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096

ServerName must match the server FQDN.


Ex: dev.daxiongmao.eu

openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096


Decipher private key

If your key is encrypted, then you have to manually give the password each and every time a service starts.


!! If your private key is encrypt then it cannot be used at startup !!


So, for services like Apache2, you have to decipher the key:

openssl rsa -in private/serverName.key -out private/serverName.nopass.key


Create server’s certificate request

openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.req

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
  • Email Address [guillaume@qin-diaz.com]:


!! Do not use a challenge password !!


Sign the server request

Auto-sign - using your personal CA

openssl ca -config openssl.cnf \
-in certs/serverName.req \
-out certs/serverName.cert.pem \
-cert cacerts.pem \
-days 3600


Some explanations:

Parameter meaning
-config the local OpenSSL configuration file
-in Incoming certificate request. = previous .req file
-out Target certificate file
-cert CA certificate to use
-days Certificate validity time (in days)


You can check result by:

cat /srv/ssl/certs/serverName.cert.pem


[Alternate] Send the request to the CA

You have to send the “.req” file to the CA. They will send you back the certificate.


Export certificate

To export a certificate, it must be in PKCS12 format.

You have to perform the following for each and every certificate you’d like to export.

cd /srv/ssl


openssl pkcs12 -export \
-descert -inkey private/serverName.key \
-in certs/serverName.cert.pem \
-certfile cacerts.pem \
-name "Certicate name" \
-out export/serverName.p12
  • Do not put an export password.
  • You should use the non-protected key if you want to use that export with some Linux services.



Setup website to send local CA and server certificates

This required to have a web server up and running


Preparation

Create dedicated folder

mkdir -p /var/www/ssl/certs
touch /var/www/ssl/certs/index.html
<syntaxhighlight lang="bash">



'''Create Web page'''

<syntaxhighlight lang="xhtml">
<html>
<head>
<title>Certificates list</title>
</head>
<body>
<h1>Certificates list</h1>
<hr/>
<h2>Certification Authority</h2>
<p>
Authority of certification:
<a href="https://serverURL/certs/cacerts.pem ">root certificate</a>
</p>
<h2>Servers certificates</h2>
<p>Click on the following links to download sub-servers certificates</p>
<ul>
<li>
<a href=" https://serverURL/certs/serverName.p12">my server</a>
</li>
</ul>
</body>
</html>


Copy files

cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12


Update rights

chown -R www-data:www-data /var/www/ssl
chmod 755 -R /var/www/ssl


Installation on client computer

Go to https://myServer/certs 1 st alert You haven’t install the certificate yet... This website is presume to be non-secured. Example of alert on Google chrome (click “proceed anyway”) Then, you will see the following alert on URL: Download file Save file Installation Go to Google Chrome > Settings > Show advanced settings >   Enable “check for server certificate revocation” Click on manage certificates... Certification Authority Click on “Trusted root Certification Authorities” > Import...Choose the file to import (myCA.pem)  .pem are not displayed by default, but they can be used  Trust the certificates Restart Google Chrome Check result After Google Chrome restart, go back to https://myServer/certs Everything is OK now!