Difference between revisions of "SSL server"


Revision as of 14:12, 25 May 2014

SSL: Cryptography & authentication


Principle and law disclaimer

Reminder: a Certification Authority is required to vouch for your certificates. These provide:

  • Confidentiality
  • Integrity
  • Authentication


There are three options:

  • You can create your own Certification Authority;
  • Use a trusted (commercial) Certification Authority. Unfortunately, these are very expensive to use;
  • Use an Open Source Certification Authority: www.cacert.org

Legal aspects


You are not allowed to use just any cryptography: the maximum cryptographic level is set by law.


French law: http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html



Installation

Install packages

apt-get install openssl


Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl


Create ssl structure

<syntaxhighlight lang="bash">
mkdir certs crl newcerts private export
</syntaxhighlight>

Initialize values

<syntaxhighlight lang="bash">
echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .
</syntaxhighlight>

Configuration

During the process you’ll have to enter the same data many times, so you should edit the default values.

Adjust default values

Edit openssl.cnf

<syntaxhighlight lang="bash">
vim /srv/ssl/openssl.cnf
</syntaxhighlight>

Set the working directory (→ line 42):

<syntaxhighlight lang="ini">
dir = /srv/ssl    # Where everything is kept
</syntaxhighlight>

Adjust the [req_distinguished_name] section (~ line 127):

<syntaxhighlight lang="ini">
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = SE
countryName_min             = 2
countryName_max             = 2

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = SWEDEN

localityName                = Locality Name (eg, city)
localityName_default        = Göteborg

# ~Domain name
0.organizationName          = Organization Name (eg, company)
0.organizationName_default  = Daxiongmao.eu

emailAddress                = Email Address
emailAddress_default        = admin@domain.com
emailAddress_max            = 64
</syntaxhighlight>

Certificate Authority / Domain root server

Difference between local CA / commercial CA

Either you create your own certificate authority or you use a commercial one. Main differences:

                 Price                        Validity              Browser alerts   Can be used for e-commerce
Personal C.A     free                         you choose            Yes              No
Commercial C.A   from 50$ / year (Go Daddy)   Usually 1 or 2 year   No               Yes

Choose an authority of certification and subscribe to a wildcard domain certification. As of July 2013, Go Daddy seems to be the cheapest authority.

In either case you need to:

  • Create a private key
  • Generate a request (that will slightly change)

Create CA private key

Generate an RSA private key (4096 bits length) for the CA and protect it with AES256 encryption

<syntaxhighlight lang="bash">
openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096
</syntaxhighlight>

You have to enter a password. This password will be required to perform all the next operations.

Create a Certificate Authority or Domain root certificate

1st option: create a personal Certificate Authority

Self-sign your Certification Authority for 10 years

<syntaxhighlight lang="bash">
openssl req -config openssl.cnf \
    -new -x509 -sha256 -nodes \
    -key private/cakey.pem \
    -out cacerts.pem \
    -days 3600
</syntaxhighlight>

Answer the questions:

<syntaxhighlight lang="text">
Country Name (2 letter code) [SE]:
State or Province Name (full name) [Sweden]:
Locality Name (eg, city) [Göteborg]:
Organization Name (eg, company) [Daxiongmao.eu]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao CA
Email Address [guillaume@qin-diaz.com]:
</syntaxhighlight>

Some explanations:

Parameter             Meaning
-config openssl.cnf   to use the local OpenSSL configuration file
-new                  to request a new certificate
-x509                 self-sign this certificate
-sha256               hash algorithm to use
-key                  certificate private key
-out                  Target output file to create
-days                 Certificate validity time (in days)

You can check the result with:

<syntaxhighlight lang="bash">
openssl x509 -in cacerts.pem -text -noout
</syntaxhighlight>

2nd option: request a domain root certificate

Create a new server certificate request for the target CA. See the process below to generate the server’s certificate request.

Server certificate

Go to the working directory

<syntaxhighlight lang="bash">
cd /srv/ssl
</syntaxhighlight>

Create server private key

Generate an encrypted private key

<syntaxhighlight lang="bash">
openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096
</syntaxhighlight>

The ServerName must match the server FQDN. Ex: dev.daxiongmao.eu

Unencrypt private key

If your key is encrypted, you have to enter the password manually each and every time a service starts. In other words, an encrypted private key cannot be used at startup. So, for services like Apache2, you have to unencrypt the key:

<syntaxhighlight lang="bash">
openssl rsa -in private/serverName.key -out private/serverName.nopass.key
</syntaxhighlight>

Create server’s certificate request

<syntaxhighlight lang="bash">
openssl req -config openssl.cnf \
    -new -nodes \
    -key private/serverName.key \
    -out certs/serverName.req
</syntaxhighlight>

Answer the questions:

<syntaxhighlight lang="text">
Country Name (2 letter code) [SE]:
State or Province Name (full name) [Sweden]:
Locality Name (eg, city) [Göteborg]:
Organization Name (eg, company) [Daxiongmao.eu]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
Email Address [guillaume@qin-diaz.com]:
</syntaxhighlight>

  • Do not use a challenge password

1st option: sign the request with your own CA

<syntaxhighlight lang="bash">
openssl ca -config openssl.cnf \
    -in certs/serverName.req \
    -out certs/serverName.cert.pem \
    -cert cacerts.pem \
    -days 3600
</syntaxhighlight>

Some explanations:

Parameter             Meaning
-config openssl.cnf   to use the local OpenSSL configuration file
-in                   Incoming certificate request
-out                  Target certificate file
-cert                 CA certificate to use
-days                 Certificate validity time (in days)

You can check the result with:

<syntaxhighlight lang="bash">
cat /srv/ssl/certs/serverName.cert.pem
</syntaxhighlight>
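Reading the PEM file with cat does not show whether the certificate really chains to the CA or belongs to the server key. The following added example (not part of the original page) runs both checks on a throwaway CA and server pair; the temporary directory, the names "Demo CA" and dev.example.test, the 2048-bit keys and the use of "openssl x509 -req" in place of "openssl ca" are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original page. Throwaway keys and certificates
# are generated in a temporary directory (constructed data, 2048-bit for speed).

# Succeeds when certificate $2 chains to the CA certificate $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when private key $1 and certificate $2 carry the same public key.
# Both are compared as PEM text; an unreadable or passphrase-protected key
# never counts as a match (stdin is closed, so nothing is prompted for).
key_matches_cert() (
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null) || exit 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
)

# Build in directory $1: a demo CA, a server key and certificate signed by it,
# and an unrelated key with a self-signed certificate for the same name.
# "openssl x509 -req" stands in for the page's "openssl ca" step.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo CA" \
        -keyout "$1/cakey.pem" -out "$1/cacerts.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dev.example.test" \
        -keyout "$1/server.key" -out "$1/server.req" 2>/dev/null
    openssl x509 -req -in "$1/server.req" -CA "$1/cacerts.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -sha256 -days 30 -out "$1/server.cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=dev.example.test" -keyout "$1/other.key" -out "$1/rogue.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo "$demo_dir"

chains_to_ca "$demo_dir/cacerts.pem" "$demo_dir/server.cert.pem" \
    && echo "server.cert.pem: signed by the CA"
chains_to_ca "$demo_dir/cacerts.pem" "$demo_dir/rogue.pem" \
    || echo "rogue.pem: NOT signed by the CA"
key_matches_cert "$demo_dir/server.key" "$demo_dir/server.cert.pem" \
    && echo "server.key: matches the certificate"
key_matches_cert "$demo_dir/other.key" "$demo_dir/server.cert.pem" \
    || echo "other.key: does NOT match the certificate"
```

With the page's layout, the same functions would be called from /srv/ssl as chains_to_ca cacerts.pem certs/serverName.cert.pem and key_matches_cert private/serverName.nopass.key certs/serverName.cert.pem.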

2nd option: send the request to the CA

You have to send the “.req” file to the CA. They will send you back the certificate.

Export certificate – PKCS12

<syntaxhighlight lang="bash">
cd /srv/ssl
</syntaxhighlight>

To export a certificate, it must be in PKCS12 format. You have to perform the following for each and every certificate you’d like to export.

<syntaxhighlight lang="bash">
openssl pkcs12 -export \
    -descert -inkey private/serverName.key \
    -in certs/serverName.cert.pem \
    -certfile cacerts.pem \
    -name "Certificate name" \
    -out export/serverName.p12
</syntaxhighlight>

  • Do not put an export password.
  • You can also use the non-protected key

Setup website to send local CA and server certificates

This requires a web server to be up and running.

Create dedicated folder

<syntaxhighlight lang="bash">
mkdir -p /var/www/ssl/certs
touch /var/www/ssl/certs/index.html
</syntaxhighlight>

Web page

<syntaxhighlight lang="html">
<html>
<head>
  <title>Certificates list</title>
</head>
<body>
  <h1>Certificates list</h1>

  <h2>Certification Authority</h2>
  <p>Authority of certification: <a href="https://serverURL/certs/cacerts.pem">root certificate</a></p>

  <h2>Servers certificates</h2>
  <p>Click on the following links to download sub-servers certificates</p>
</body>
</html>
</syntaxhighlight>

Copy files

<syntaxhighlight lang="bash">
cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
cp /srv/ssl/export/serverName.p12 /var/www/ssl/certs/serverName.p12
</syntaxhighlight>

Update rights

<syntaxhighlight lang="bash">
chown -R www-data:www-data /var/www/ssl
chmod 755 -R /var/www/ssl
</syntaxhighlight>

Installation on client computer

Go to https://myServer/certs

1st alert

You haven’t installed the certificate yet, so this website is presumed to be non-secure.

Example of alert on Google Chrome (click “proceed anyway”)

Then, you will see the following alert on URL:

Download file

Save file

Installation

Go to Google Chrome > Settings > Show advanced settings >

  • Enable “check for server certificate revocation”
  • Click on manage certificates...

Certification Authority

  • Click on “Trusted root Certification Authorities” > Import...
  • Choose the file to import (myCA.pem)
  • .pem files are not displayed by default, but they can be used
  • Trust the certificates
  • Restart Google Chrome

Check result

After Google Chrome restarts, go back to https://myServer/certs

Everything is OK now!
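A PKCS12 file built with -inkey, as in the export step above, bundles the server's private key, and the page exports it without a password before copying it under /var/www/ssl, so it is worth checking what the published directory actually hands out. The audit below is an added example, not part of the original page; the temporary directories, the file names and the demo password are constructed for the sample.

```shell
#!/bin/sh
# Added example, not from the original page: report which files in a
# web-published directory give away private key material.

# Print one "FINDING path" line per risky file below directory $1.
audit_publish_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "PEM-PRIVATE-KEY $f"
        elif openssl pkcs12 -in "$f" -passin pass: -nocerts -nodes \
                </dev/null 2>/dev/null | grep -q 'PRIVATE KEY'; then
            # The bundle opens with an empty password and yields the key.
            echo "P12-KEY-NO-PASSWORD $f"
        else
            # A bundle that needs a password still carries the key inside.
            case "$f" in
                *.p12|*.pfx) echo "P12-PASSWORD-PROTECTED $f" ;;
            esac
        fi
    done
}

# Constructed sample: a self-signed pair exported the way the page does it
# (no export password), a password-protected bundle, and a stray key file.
pub_dir=$(mktemp -d)
key_dir=$(mktemp -d)
trap 'rm -rf "$pub_dir" "$key_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=dev.example.test" \
    -keyout "$key_dir/server.key" -out "$pub_dir/cacerts.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$key_dir/server.key" -in "$pub_dir/cacerts.pem" \
    -passout pass: -out "$pub_dir/serverName.p12"
openssl pkcs12 -export -inkey "$key_dir/server.key" -in "$pub_dir/cacerts.pem" \
    -passout pass:constructed-demo-secret -out "$pub_dir/locked.pfx"
cp "$key_dir/server.key" "$pub_dir/serverName.nopass.key"

audit_publish_dir "$pub_dir"
```

On the page's layout the call would be audit_publish_dir /var/www/ssl; the CA certificate cacerts.pem is the only file clients need in order to trust the servers, and it is not reported.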