Difference between revisions of "SSL server"
(Created page with "SSL: Cryptography & authentication =Principle and law disclaimer= Reminder An Authority of Certification is required to ensure your certificates. Theses one provides: * ...") |
|||
| Line 1: | Line 1: | ||
SSL: Cryptography & authentication | SSL: Cryptography & authentication | ||
| + | |||
| Line 41: | Line 42: | ||
==Prep folders== | ==Prep folders== | ||
| − | Create working directory | + | ===Create working directory=== |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Line 49: | Line 50: | ||
| − | ==Create ssl structure== | + | ===Create ssl structure=== |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Line 55: | Line 56: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| − | Initialize values | + | |
| + | ===Initialize values=== | ||
| + | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
echo 01 > serial | echo 01 > serial | ||
touch index.txt | touch index.txt | ||
| − | cp /usr/lib/ssl/openssl.cnf . | + | cp /usr/lib/ssl/openssl.cnf . |
| + | <syntaxhighlight lang="bash"> | ||
| + | |||
| + | |||
| + | |||
| + | =OpenSSL root configuration= | ||
| + | |||
| + | During the process you’ll have to enter the same data many times: | ||
| + | |||
| + | >> You should edit the default values | ||
| + | |||
| + | |||
| + | ==Adjust default values== | ||
| + | |||
| + | Edit openssl.cnf: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | vim /srv/ssl/openssl.cnf | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | Set the working directory: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| + | dir = /srv/ssl # Where everything is kept [line 42] | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
[ req_distinguished_name ] | [ req_distinguished_name ] | ||
| − | + | countryName_default = SE # [line 128] | |
| − | countryName_default | + | stateOrProvinceName_default = Västra Götaland # [line 134] |
| − | + | localityName_default = Goteborg # [line 137] | |
| − | + | 0.organizationName_default = Daxiongmao.eu # [line 140] | |
| − | + | emailAddress_default = guillaume@qin-diaz.com # [line 154] | |
| − | = SE | + | </syntaxhighlight> |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | stateOrProvinceName_default = | + | =Authority of Certification (CA)= |
| − | + | ||
| − | localityName_default = | + | |
| − | + | ==Difference between local AC / commercial AC== | |
| − | + | ||
| − | 0.organizationName_default | + | Either you create your own Authority of Certification or you can use a commercial one. |
| − | = Daxiongmao.eu | + | |
| − | |||
| − | emailAddress_default | ||
| − | |||
| − | = | ||
| − | |||
| − | = | ||
| − | Difference between local | ||
| − | Either you create your own | ||
Main differences: | Main differences: | ||
| − | + | ||
| − | + | {| class="wikitable" | |
| − | + | |- | |
| − | + | ! !! Personal AC !! Commercial AC | |
| − | Personal | + | |- |
| − | free | + | | Price || free || from 50$ / year (Go Daddy) |
| − | + | |- | |
| − | + | | Validity || you choose || Usually 1 or 2 year | |
| − | + | |- | |
| − | + | | Browser alerts || Yes || No | |
| − | from 50$ / year (Go Daddy) | + | |- |
| − | Usually 1 or 2 year | + | | Can be used for e-commerce || No || Yes |
| − | No | + | |} |
| − | Yes | + | |
| + | * July 2013: "Go Daddy" seems to be the cheapest authority. | ||
| + | |||
| + | |||
Choose an authority of certification and subscribe to a wildcard domain certification. | Choose an authority of certification and subscribe to a wildcard domain certification. | ||
| − | + | ||
| + | |||
In either case you need to: | In either case you need to: | ||
| − | + | * Create a private key | |
| − | + | * Generate a request (that will slightly change) | |
| − | Create CA private key | + | |
| − | Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 | + | |
| − | + | ==Create CA private key== | |
| − | + | ||
| + | Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption. | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096 | ||
| + | </syntaxhighlight> | ||
| + | |||
You have to enter a password. | You have to enter a password. | ||
| − | + | ||
| − | Create a | + | !! This password will be required to perform all next operations |
| − | + | ||
| + | |||
| + | ==Create a personal CA [or Domain root certificate]== | ||
| + | |||
Auto-sign your Certification Authority for 10 years | Auto-sign your Certification Authority for 10 years | ||
| − | + | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | openssl req -config openssl.cnf \ | ||
-new -x509 -sha256 -nodes \ | -new -x509 -sha256 -nodes \ | ||
-key private/cakey.pem \ | -key private/cakey.pem \ | ||
-out cacerts.pem \ | -out cacerts.pem \ | ||
-days 3600 | -days 3600 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
Answer the questions: | Answer the questions: | ||
| − | Country Name (2 letter code) [SE]: | + | * Country Name (2 letter code) [SE]: |
| − | State or Province Name (full name) [ | + | * State or Province Name (full name) [Västra Götaland]: |
| − | Locality Name (eg, city) [Göteborg]: | + | * Locality Name (eg, city) [Göteborg]: |
| − | Organization Name (eg, company) [Daxiongmao.eu]: | + | * Organization Name (eg, company) [Daxiongmao.eu]: |
| − | Organizational Unit Name (eg, section) []: | + | * Organizational Unit Name (eg, section) []: |
| − | Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao CA | + | * Common Name (e.g. server FQDN or YOUR name) []: '''Daxiongmao.eu CA''' |
| − | Email Address [guillaume@qin-diaz.com]:Some explanations: | + | * Email Address [guillaume@qin-diaz.com]: |
| − | Parameter | + | |
| − | + | ||
| − | -config openssl.cnf to use the local OpenSSL configuration file | + | Some explanations: |
| − | -new to request a new certificate | + | |
| − | -x509 auto-sign this certificate | + | {| class="wikitable" |
| − | -sha256 hash algorithm to use | + | |- |
| − | -key certificate private key | + | ! Header text !! Header text |
| − | -out Target output file to create | + | |- |
| − | -days Certificate validity time (in days) | + | | Parameter || meaning |
| + | |- | ||
| + | | -config openssl.cnf || to use the local OpenSSL configuration file | ||
| + | |- | ||
| + | | -new || to request a new certificate | ||
| + | |- | ||
| + | | -x509 || auto-sign this certificate | ||
| + | |- | ||
| + | | -sha256 || hash algorithm to use | ||
| + | |- | ||
| + | | -key || certificate private key | ||
| + | |- | ||
| + | | -out || Target output file to create | ||
| + | |- | ||
| + | | -days || Certificate validity time (in days) | ||
| + | |} | ||
| + | |||
| + | |||
You can check result by: | You can check result by: | ||
| − | + | ||
| − | + | <syntaxhighlight lang="bash"> | |
| + | openssl x509 -in cacerts.pem -text -noout | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
| + | ==[Alternative]] Request for a domain root certificate== | ||
| + | |||
Create a new server certificate request for target CA. | Create a new server certificate request for target CA. | ||
| − | + | * See process below to generate server’s certificate ''requestServer'' certificate | |
| − | Go to the working directory | + | |
| − | + | ||
| − | Create server private key | + | |
| − | Generate encrypt private key | + | |
| − | + | =Server certificate= | |
| − | + | ||
| + | Go to the working directory: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | cd /srv/ssl | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | ==Create server private key== | ||
| + | |||
| + | |||
| + | ===Generate encrypt private key=== | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | '''ServerName must match the server FQDN'''. | ||
| + | |||
| + | |||
Ex: dev.daxiongmao.eu | Ex: dev.daxiongmao.eu | ||
| − | + | ||
| − | If your key is | + | <syntaxhighlight lang="bash"> |
| − | starts. | + | openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096 |
| − | + | </syntaxhighlight> | |
| − | So, for services like Apache2, you have to | + | |
| − | + | ||
| − | Create server’s certificate request | + | ===Decipher private key=== |
| − | + | ||
| + | If your key is encrypted, then you have to manually give the password each and every time a service starts. | ||
| + | |||
| + | |||
| + | !! If your private key is encrypt then it cannot be used at startup !! | ||
| + | |||
| + | |||
| + | |||
| + | So, for services like Apache2, you have to decipher the key: | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | openssl rsa -in private/serverName.key -out private/serverName.nopass.key | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
| + | ==Create server’s certificate request== | ||
| + | |||
| + | <syntaxhighlight lang="bash"> | ||
| + | openssl req -config openssl.cnf \ | ||
-new -nodes \ | -new -nodes \ | ||
-key private/serverName.key \ | -key private/serverName.key \ | ||
-out certs/serverName.req | -out certs/serverName.req | ||
| + | </syntaxhighlight> | ||
| + | |||
Answer the questions: | Answer the questions: | ||
| − | Country Name (2 letter code) [SE]: | + | |
| − | State or Province Name (full name) [ | + | * Country Name (2 letter code) [SE]: |
| − | Locality Name (eg, city) [Göteborg]: | + | * State or Province Name (full name) [Västra Götaland]: |
| − | Organization Name (eg, company) [Daxiongmao.eu]: | + | * Locality Name (eg, city) [Göteborg]: |
| − | Organizational Unit Name (eg, section) []: | + | * Organization Name (eg, company) [Daxiongmao.eu]: |
| − | Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu | + | * Organizational Unit Name (eg, section) []: |
| − | Email Address [guillaume@qin-diaz.com]: | + | * Common Name (e.g. server FQDN or YOUR name) []: '''dev.daxiongmao.eu''' |
| − | + | * Email Address [guillaume@qin-diaz.com]: | |
| + | |||
| + | |||
| + | !! '''Do not use a challenge password''' !! | ||
| + | |||
| + | |||
1 st option: sign the request with your own CA | 1 st option: sign the request with your own CA | ||
# openssl ca -config openssl.cnf \ | # openssl ca -config openssl.cnf \ | ||
Revision as of 16:19, 25 May 2014
SSL: Cryptography & authentication
Contents
Principle and law disclaimer
Reminder An Authority of Certification is required to ensure your certificates. Theses one provides:
- Confidentiality
- Integrity
- Authentication
There's three options:
- You can create your own Authority of Certification ;
- Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
- Use an Open Source Authority of Certification: www.cacert.orgLegal aspects
You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.
Installation
Install packages
apt-get install openssl
Prep folders
Create working directory
mkdir -p /srv/ssl
cd /srv/ssl
Create ssl structure
mkdir certs crl newcerts private export
<syntaxhighlight lang="bash">
===Initialize values===
<syntaxhighlight lang="bash">
echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .
<syntaxhighlight lang="bash">
=OpenSSL root configuration=
During the process you’ll have to enter the same data many times:
>> You should edit the default values
==Adjust default values==
Edit openssl.cnf:
<syntaxhighlight lang="bash">
vim /srv/ssl/openssl.cnfSet the working directory:
dir = /srv/ssl # Where everything is kept [line 42]
[ req_distinguished_name ]
countryName_default = SE # [line 128]
stateOrProvinceName_default = Västra Götaland # [line 134]
localityName_default = Goteborg # [line 137]
0.organizationName_default = Daxiongmao.eu # [line 140]
emailAddress_default = guillaume@qin-diaz.com # [line 154]
Authority of Certification (CA)
Difference between local AC / commercial AC
Either you create your own Authority of Certification or you can use a commercial one.
Main differences:
| Personal AC | Commercial AC | |
|---|---|---|
| Price | free | from 50$ / year (Go Daddy) |
| Validity | you choose | Usually 1 or 2 year |
| Browser alerts | Yes | No |
| Can be used for e-commerce | No | Yes |
- July 2013: "Go Daddy" seems to be the cheapest authority.
Choose an authority of certification and subscribe to a wildcard domain certification.
In either case you need to:
- Create a private key
- Generate a request (that will slightly change)
Create CA private key
Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.
openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096You have to enter a password.
!! This password will be required to perform all next operations
Create a personal CA [or Domain root certificate]
Auto-sign your Certification Authority for 10 years
openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.pem \
-out cacerts.pem \
-days 3600
Answer the questions:
- Country Name (2 letter code) [SE]:
- State or Province Name (full name) [Västra Götaland]:
- Locality Name (eg, city) [Göteborg]:
- Organization Name (eg, company) [Daxiongmao.eu]:
- Organizational Unit Name (eg, section) []:
- Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
- Email Address [guillaume@qin-diaz.com]:
Some explanations:
| Header text | Header text |
|---|---|
| Parameter | meaning |
| -config openssl.cnf | to use the local OpenSSL configuration file |
| -new | to request a new certificate |
| -x509 | auto-sign this certificate |
| -sha256 | hash algorithm to use |
| -key | certificate private key |
| -out | Target output file to create |
| -days | Certificate validity time (in days) |
You can check result by:
openssl x509 -in cacerts.pem -text -noout
[Alternative]] Request for a domain root certificate
Create a new server certificate request for target CA.
- See process below to generate server’s certificate requestServer certificate
Server certificate
Go to the working directory:
cd /srv/ssl
Create server private key
Generate encrypt private key
openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096ServerName must match the server FQDN.
Ex: dev.daxiongmao.eu
openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096
Decipher private key
If your key is encrypted, then you have to manually give the password each and every time a service starts.
!! If your private key is encrypt then it cannot be used at startup !!
So, for services like Apache2, you have to decipher the key:
openssl rsa -in private/serverName.key -out private/serverName.nopass.key
Create server’s certificate request
openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.reqAnswer the questions:
- Country Name (2 letter code) [SE]:
- State or Province Name (full name) [Västra Götaland]:
- Locality Name (eg, city) [Göteborg]:
- Organization Name (eg, company) [Daxiongmao.eu]:
- Organizational Unit Name (eg, section) []:
- Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
- Email Address [guillaume@qin-diaz.com]:
!! Do not use a challenge password !!
1 st option: sign the request with your own CA
- openssl ca -config openssl.cnf \
-in certs/serverName.req \ -out certs/serverName.cert.pem \ -cert cacerts.pem \ -days 3600Some explanations: Parameter meaning -config openssl.cnf to use the local OpenSSL configuration file -in Incoming certificate request -out Target certificate file -cert CA certificate to use -days Certificate validity time (in days) You can check result by:
- cat /srv/ssl/certs/serverName.cert.pem
2 nd option: send the request to the CA You have to send the “.req” file to the CA. They will send you back the certificate.Export certificate – PKCS12
- cd /srv/ssl
To export a certificate, it must be in PKCS12 format. You have to perform the following for each and every certificate you’d like to export.
- openssl pkcs12 -export \
-descert -inkey private/serverName.key \ -in certs/serverName.cert.pem \ -certfile cacerts.pem \ -name "Certicate name" \ -out export/serverName.p12 Do not put an export password. You can also use the non-protected keySetup website to send local CA and server certificates This required to have a web server up and running Create dedicated folder
- mkdir -p /var/www/ssl/certs
- touch /var/www/ssl/certs/index.html
Web page <html> <head> <title>Certificates list</title> </head> <body>
Certificates list
Certification Authority
Authority of certification: <a href="https://serverURL/certs/cacerts.pem ">root certificate</a>
Servers certificates
Click on the following links to download sub-servers certificates
- <a href=" https://serverURL/certs/serverName.p12">my server</a>
</body> </html> Copy files
- cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
- cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12
Update rights
- chown -R www-data:www-data /var/www/ssl
- chmod 755 -R /var/www/sslInstallation on client computer
Go to https://myServer/certs 1 st alert You haven’t install the certificate yet... This website is presume to be non-secured. Example of alert on Google chrome (click “proceed anyway”) Then, you will see the following alert on URL: Download file Save file Installation Go to Google Chrome > Settings > Show advanced settings > Enable “check for server certificate revocation” Click on manage certificates... Certification Authority Click on “Trusted root Certification Authorities” > Import...Choose the file to import (myCA.pem) .pem are not displayed by default, but they can be used Trust the certificates Restart Google Chrome Check result After Google Chrome restart, go back to https://myServer/certs Everything is OK now!
