Secure HTTP server and client certificate HOWTO
From RADION OpenLab
Contents |
[edit]
1 Setting up a CA infrastructure
mkdir /root/CA
mkdir /root/CA/.clients
mkdir /root/CA/.servers
chmod -R 400 /root/CA
[edit]
2 Establish your own CA
[edit]
2.1 Create your private CA keyfile
To create a private key without triple des encryption, use the following command:
/root/CA $ openssl genrsa -out filename.key 2048
or if you like it by the book - which I recommend - create the key with triple DES encryption :
/root/CA $ openssl genrsa -des3 -out radion-ca.key 2048
Generating RSA private key, 2048 bit long modulus .....+++ .....................................................................+++ e is 65537 (0x10001) Enter pass phrase for radion-ca.key:******** Verifying - Enter pass phrase for radion-ca.key:********
To add a password to an existing private key, use the following command:
/root/CA $ openssl -in filename.key -des3 -out newfilename.key
To remove a password from an existing private key, use the following command:
/root/CA $ openssl -in filename.key -out newfilename.key
[edit]
2.2 Create your own CA certificate
/root/CA $ openssl req -new -x509 -days 3650 -key radion-ca.key -out radion-ca.crt
Enter pass phrase for radion-ca.key:******** You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Bavaria Locality Name (eg, city) []:Munich Organization Name (eg, company) [Internet Widgits Pty Ltd]:RADION Digital Research & Innovation Organizational Unit Name (eg, section) []:RADION Root CA Common Name (eg, YOUR name) []:RADION Root CA Email Address []: your@email.add
In order to use the ROOT CA Certificate with Firefox you have to have a PEM ( pkcs12 ) based certificate :
/root/CA $ openssl pkcs12 -export -in radion-ca.crt -inkey radion-ca.key -out radion-ca.p12 -name "RADION Root CA"
Enter pass phrase for radion-root-ca.key:************ Enter Export Password:******** Verifying - Enter Export Password:********
[edit]
3 SSL secured Apache ( virtual ) server
[edit]
3.1 Create your private server keyfile
create a server key ( i.e. intranet.radion.org ). server key must not be larger than 1024 bit, otherwise some browsers won't recognize it :
/root/CA $ openssl genrsa -des3 -out .servers/intranet.radion.org/intranet.radion.org.key 1024
Generating RSA private key, 1024 bit long modulus ....................++++++ ...++++++ e is 65537 (0x10001) Enter pass phrase for .servers/intranet.radion.org/intranet.radion.org.key:******** Verifying - Enter pass phrase for .servers/intranet.radion.org/intranet.radion.org.key:********
[edit]
3.2 Create your server certificate request ( CSR )
based on the created key we will now create a certificate request :
/root/CA $ openssl req \ -new \ -key .servers/intranet.radion.org/intranet.radion.org.key \ -out .servers/intranet.radion.org/intranet.radion.org.csr
Enter pass phrase for .servers/intranet.radion.org/intranet.radion.org.key:********* You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Bavaria Locality Name (eg, city) []:Munich Organization Name (eg, company) [Internet Widgits Pty Ltd]:RADION Digital Research & Innovation Organizational Unit Name (eg, section) []:RADION PD-I Common Name (eg, YOUR name) []:intranet.radion.org Email Address []:your@email.add Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
[edit]
3.3 Self signing the certificate reuqest
now we will sign our new certificate request with our own CA :
openssl x509 -req \ -in .servers/intranet.radion.org/intranet.radion.org.csr \ -out .servers/intranet.radion.org/intranet.radion.org.crt \ -sha1 \ -CA radion-ca.crt \ -CAkey radion-ca.key \ -CAcreateserial \ -days 3650
Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=RADION Digital Research & Innovation/OU=RADION PD-I/CN=intranet.radion.org/emailAddress=operations@radion.org Getting CA Private Key Enter pass phrase for radion-ca.key:********
if you want to have a look at our certificate :
/root/CA $ openssl x509 -in .servers/intranet.radion.org/intranet.radion.org.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
f2:60:01:a9:e7:da:0e:1e
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Bavaria, L=Munich, O=RADION Digital Research & Innovation, OU=RADION Root CA, CN=RADION Root CA/emailAddress=operations@radi
on.org
Validity
Not Before: Nov 10 21:07:30 2005 GMT
Not After : Nov 8 21:07:30 2015 GMT
Subject: C=DE, ST=Bavaria, L=Munich, O=RADION Digital Research & Innovation, OU=RADION PD-I, CN=intranet.radion.org/emailAddress=operations@r
adion.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b4:1f:74:97:15:56:44:ec:6e:cc:c4:2c:1c:d9:
10:65:13:c1:f4:4f:01:13:74:02:4c:86:94:e4:3e:
fb:f5:a1:b8:b4:cd:0f:73:7b:ca:5e:9e:18:f3:d2:
45:11:5b:99:33:fc:70:e2:ec:82:ef:c3:72:51:a5:
01:d4:12:5e:08:83:c5:87:99:d0:0a:55:d7:3c:98:
cf:82:ec:d1:be:26:10:ac:cb:19:be:15:2f:1a:a0:
b0:9c:47:dc:16:c8:ff:51:39:d5:3d:fd:46:f9:0e:
ef:67:fc:80:1c:d1:06:ed:42:05:bb:7b:6c:83:4f:
05:75:95:c5:00:02:24:ae:8d
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
42:5b:67:2c:39:37:63:20:75:08:ca:f8:f0:a3:0e:0c:5c:7f:
9b:dc:fc:cb:4e:a2:24:10:fa:f9:67:0b:7f:62:c3:2f:a9:08:
bc:2b:3e:6d:16:39:db:f5:93:ec:8e:8d:f1:57:cd:f2:43:ff:
97:85:e9:8b:4c:fa:58:ff:af:4e:03:10:29:c9:42:1c:53:de:
29:79:66:6f:ba:2f:2d:b4:d1:eb:49:3e:f1:45:4e:12:57:02:
f7:90:67:cf:7b:50:6c:80:56:e0:65:82:70:32:c0:4b:e2:8e:
40:59:df:b7:27:c1:65:55:d5:6c:1b:74:15:67:e9:af:04:3d:
44:6d:97:e6:1a:fc:7d:65:1f:d7:8e:a9:5c:6d:10:d3:37:cb:
12:88:6b:19:6a:04:2a:6f:1e:ea:f8:8a:68:2f:9a:dc:65:8f:
ad:48:3d:06:f1:af:53:ab:17:b6:1a:23:d8:0d:e1:fc:60:67:
37:4a:72:14:c7:93:b5:e0:f0:53:15:6f:60:eb:5c:56:a4:3b:
12:40:aa:b9:f3:8f:d3:82:ae:88:7d:d3:e4:80:49:02:88:fc:
99:3f:e1:2e:8b:5c:17:c3:70:fa:dd:8b:15:57:dc:3a:ad:1e:
ba:fa:a1:ff:b2:c4:aa:b3:fd:0e:55:5e:f3:3a:0d:08:6b:7f:
ed:9c:2d:03
keep your keys safe :
chmod -R 400 /root/CA stargazer CA # ls -al total 28 drwxr-xr-x 4 root root 4096 Nov 10 20:55 . drwx------ 4 root root 4096 Nov 10 20:47 .. dr-------- 3 root root 4096 Nov 10 20:50 .clients dr-------- 3 root root 4096 Nov 10 19:43 .servers -r-------- 1 root root 1822 Nov 10 20:55 radion-ca.crt -r-------- 1 root root 1743 Nov 10 20:52 radion-ca.key
configure server cert in apache
you can test your server once the certificate is installed :
$ openssl s_client -connect yourhost.com:443
After you have installed a certificate and restart Apache you will notice that you have to enter your private key's password every time you start up Apache. In some datacenter environments this can be very annoying epsecially when your machines run unattended. There are three possible solutions :
- You can write a wrapper script that will paste in the password during startup
- You can decrypt the private key
- You find a way to live with it
The last solution is without doubt the most secure and recommended thing to do. Both, pasting the password via wrapper and decrypting the private key are risky. For the wrapper your password must be stored somewhere in plain text which is almost as good as give anyone your decrypted private key. If someone gains access to your private key he/she can use the certificate without anyone noticing it is not you they are talking to. The choice is up to you, if you want to decrypt your key you do it easily :
/root/CA $ openssl rsa \
-in .servers/intranet.radion.org/intranet.radion.org.key \
-out .servers/intranet.radion.org/intranet.radion.org.key.decrypted
[edit]
3.4 Client Certificates
create client certificates to authenticate clients in this case for user wencel ( me ):
/root/CA $ openssl genrsa -des3 -out .clients/wencel/client-wencel.key 1024
Generating RSA private key, 1024 bit long modulus .......++++++ ............................++++++ e is 65537 (0x10001) Enter pass phrase for .clients/wencel/client-wencel.key:******** Verifying - Enter pass phrase for .clients/wencel/client-wencel.key:********
as before we will roll out a csr with the key we build :
/root/CA $ openssl req \ -new \ -key .clients/wencel/client-wencel.key \ -out .clients/wencel/client-wencel.csr
Enter pass phrase for .clients/wencel/client-wencel.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Bavaria Locality Name (eg, city) []:Munich Organization Name (eg, company) [Internet Widgits Pty Ltd]:RADION Digital Research & Innovation Organizational Unit Name (eg, section) []:RADION Management Common Name (eg, YOUR name) []:Kamil Wencel Email Address []:your@email.add Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Now we have to sign it through our CA of course :
/root/CA $ openssl x509 -req \ -in .clients/wencel/client-wencel.csr \ -out .clients/wencel/client-wencel.crt \ -sha1 \ -CA radion-ca.crt \ -CAkey radion-ca.key \ -CAcreateserial \ -days 3650
Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=RADION Digital Research & Innovation/OU=RADION Management/CN=Kamil Wencel/emailAddress=your@email.add Getting CA Private Key Enter pass phrase for radion-ca.key:
since browsers don't like the ASCII PEM format in which our certificates are we have to convert them into the binary PKCS12 format :
/root/CA $ openssl pkcs12 -export \ -in .clients/wencel/client-wencel.crt \ -inkey .clients/wencel/client-wencel.key \ -name "RADION Client Cert of Kamil Wencel" \ -out .clients/wencel/client-wencel.p12
Enter pass phrase for .clients/wencel/client-wencel.key: Enter Export Password: Verifying - Enter Export Password:
if you want to have a look at it :
/root/CA $ openssl pkcs12 \
-in .clients/wencel/client-wencel.p12 \
-clcerts -nokeys -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: D5 73 45 6B A9 0C 3B 9A 2B 95 3A D0 86 E2 B5 2F D7 8D 40 0B
friendlyName: RADION Client Cert of Kamil Wencel
subject=/C=DE/ST=Bavaria/L=Munich/O=RADION Digital Research & Innovation/OU=RADION Management/CN=Kamil Wencel/emailAddress=your@email.add
issuer=/C=DE/ST=Bavaria/L=Munich/O=RADION Digital Research & Innovation/OU=RADION Root CA/CN=RADION Root CA/emailAddress=yourca@email.add
-----BEGIN CERTIFICATE-----
MIIDZTCCAk0CCQDURlCrYf/pbzANBgkqhkiG9w0BAQUFADCBtzELMAkGA1UEBhMC
REUxEDAOBgNVBAgTB0JhdmFyaWExDzANBgNVBAcTBk11bmljaDEtMCsGA1UEChQk
UkFESU9OIERpZ2l0YWwgUmVzZWFyY2ggJiBJbm5vdmF0aW9uMRcwFQYDVQQLEw5S
QURJT04gUm9vdCBDQTEXMBUGA1UEAxMOUkFESU9OIFJvb3QgQ0ExJDAiBgkqhkiG
9w0BCQEWFW9wZXJhdGlvbnNAcmFkaW9uLm9yZzAeFw0wNTExMTAyMTI3MDJaFw0x
NTExMDgyMTI3MDJaMIG0MQswCQYDVQQGEwJERTEQMA4GA1UECBMHQmF2YXJpYTEP
MA0GA1UEBxMGTXVuaWNoMS0wKwYDVQQKFCRSQURJT04gRGlnaXRhbCBSZXNlYXJj
aCAmIElubm92YXRpb24xGjAYBgNVBAsTEVJBRElPTiBNYW5hZ2VtZW50MRUwEwYD
VQQDEwxLYW1pbCBXZW5jZWwxIDAeBgkqhkiG9w0BCQEWEXdlbmNlbEByYWRpb24u
b3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGAPUatazYlH5iBdyGBn3s
JQwWEOIpr3mVqShdLYNTeTPNw9hyG+fdCfmW+WU/UK1XnoSQ793rIAHpvK9Ja5vx
xVmuM8I4gLB2KmXybjcIkM2zuFZIyj6RLlKxfWwXbkMZqEtpGwkCraQJ21cxnbr4
Qo9RjKhI37ZiJstsj4mfxQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAMuveOh80T
mr69WZ+Fd7Bjy6vHlo6hEhxnA6a2zrO08MhxBZYzNbardkJZIzLkz7IzYilMysT6
Jhyq1WKd+DfXibQoekEYhx9cezl5bp3FK1PPg8cpUuDYhKNqlZXj1CCE+dGGdKtN
0NBR6SKoSf646cB3cf/aXZZcZooC3A1fHQjpWsjz+Z1cziVkxfqQreVPnPwstCKM
kEPKYZmNYTmVIb3/Kry0i3ybNjtJfKD8TibxjNxoVjTNAbMXeI5czyCFdAcZ7IQg
FcsEmoUb75y7h3SMrZtpjOW4js8f4PDfrP2YAIWwwuzdeMUl87Qzx23nONSO8rGj
ih0VNCAqP9Nz
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
[edit]
4 How do I install the root certificate on my clients to get rid of the warning ?
The following screenshots show the complete click path
