Difference between revisions of "SSL server"
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[Category:Linux]]
 +
 
SSL: Cryptography & authentication
 
SSL: Cryptography & authentication
  
Line 116: Line 118:
  
  
==Difference between local AC / commercial AC==
+
==Difference between local / commercial Authority of Certification [CA]==
  
 
Either you create your own Authority of Certification or you can use a commercial one.
 
Either you create your own Authority of Certification or you can use a commercial one.
Line 124: Line 126:
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
!  !! Personal AC !! Commercial AC
+
!  !! Personal !! Commercial
 
|-
 
|-
 
| Price || free || from 50$ / year (Go Daddy)
 
| Price || free || from 50$ / year (Go Daddy)
Line 151: Line 153:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096
+
openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 166: Line 168:
 
openssl req -config openssl.cnf \
 
openssl req -config openssl.cnf \
 
-new -x509 -sha256 -nodes \
 
-new -x509 -sha256 -nodes \
-key private/cakey.pem \
+
-key private/cakey.key \
 
-out cacerts.pem \
 
-out cacerts.pem \
 
-days 3600
 
-days 3600
Line 214: Line 216:
  
  
==[Alternative]] Request for a domain root certificate==
+
==[Alternative] Request for a domain root certificate==
  
 
Create a new server certificate request for target CA.
 
Create a new server certificate request for target CA.
Line 290: Line 292:
  
  
1 st option: sign the request with your own CA
+
 
# openssl ca -config openssl.cnf \
+
==Sign the server request==
 +
 
 +
 
 +
===Auto-sign - using your personal CA===
 +
 
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl ca -config openssl.cnf \
 
-in certs/serverName.req \
 
-in certs/serverName.req \
 
-out certs/serverName.cert.pem \
 
-out certs/serverName.cert.pem \
 
-cert cacerts.pem \
 
-cert cacerts.pem \
-days 3600Some explanations:
+
-days 3600
Parameter
+
</syntaxhighlight>
meaning
+
 
-config openssl.cnf to use the local OpenSSL configuration file
+
 
-in Incoming certificate request
+
Some explanations:
-out
+
{| class="wikitable"
Target certificate file
+
|-
-cert CA certificate to use
+
! Parameter !! meaning
-days Certificate validity time (in days)
+
|-
 +
| -config || the local OpenSSL configuration file
 +
|-
 +
| -in || Incoming certificate request. = previous '''.req file'''
 +
|-
 +
| -out || Target certificate file
 +
|-
 +
| -cert || CA certificate to use
 +
|-
 +
| -days || Certificate validity time (in days)
 +
|}
 +
 
 +
 
 +
 
 
You can check result by:
 
You can check result by:
# cat /srv/ssl/certs/serverName.cert.pem
+
 
2 nd option: send the request to the CA
+
<syntaxhighlight lang="bash">
You have to send the “.req” file to the CA. They will send you back the certificate.Export certificate – PKCS12
+
cat /srv/ssl/certs/serverName.cert.pem
# cd /srv/ssl
+
</syntaxhighlight>
 +
 
 +
 
 +
===[Alternate] Send the request to the CA===
 +
 
 +
You have to send the “.req” file to the CA. They will send you back the certificate.
 +
 
 +
 
 +
 
 +
==Export certificate==
 +
 
 
To export a certificate, it must be in PKCS12 format.
 
To export a certificate, it must be in PKCS12 format.
You have to perform the following for each and every certificate you’d like to export.
+
 
# openssl pkcs12 -export \
+
You have to perform the following for each and every certificate you’d like to export.
 +
 
 +
<syntaxhighlight lang="bash">
 +
cd /srv/ssl
 +
</syntaxhighlight>
 +
 
 +
 
 +
<syntaxhighlight lang="bash">
 +
openssl pkcs12 -export \
 
-descert -inkey private/serverName.key \
 
-descert -inkey private/serverName.key \
 
-in certs/serverName.cert.pem \
 
-in certs/serverName.cert.pem \
Line 317: Line 357:
 
-name "Certicate name" \
 
-name "Certicate name" \
 
-out export/serverName.p12
 
-out export/serverName.p12
Do not put an export password.
+
</syntaxhighlight>
You can also use the non-protected keySetup website to send local CA and server certificates
+
 
This required to have a web server up and running
+
* Do not put an export password.
Create dedicated folder
+
* You should use the non-protected key if you want to use that export with some Linux services.
# mkdir -p /var/www/ssl/certs
+
 
# touch /var/www/ssl/certs/index.html
+
 
Web page
+
Example:
<html>
+
 
<head>
+
<syntaxhighlight lang="bash">
<title>Certificates list</title>
+
openssl pkcs12 -export \
</head>
+
-descert -inkey private/dev.daxiongmao.eu.nopass.key \
<body>
+
-in certs/dev.daxiongmao.eu.cert.pem \
<h1>Certificates list</h1>
+
-certfile cacerts.pem \
<hr/>
+
-name "Certicate dev.daxiongmao.eu development server" \
<h2>Certification Authority</h2>
+
-out export/dev.daxiongmao.eu.p12
<p>
+
</syntaxhighlight>
Authority of certification:
+
 
<a href="https://serverURL/certs/cacerts.pem ">root certificate</a>
+
 
</p>
+
 
<h2>Servers certificates</h2>
+
=Distribute the certificate with Apache2=
<p>Click on the following links to download sub-servers certificates</p>
+
 
<ul>
+
see [[Apache 2 - SSL certificates page]]
<li>
 
<a href=" https://serverURL/certs/serverName.p12">my server</a>
 
</li>
 
</ul>
 
</body>
 
</html>
 
Copy files
 
# cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
 
# cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12
 
Update rights
 
# chown -R www-data:www-data /var/www/ssl
 
# chmod 755 -R /var/www/sslInstallation on client computer
 
Go to https://myServer/certs
 
1 st alert
 
You haven’t install the certificate yet... This website is presume to be non-secured.
 
Example of alert on Google chrome (click “proceed anyway”)
 
Then, you will see the following alert on URL:
 
Download file
 
Save file
 
Installation
 
Go to Google Chrome > Settings > Show advanced settings >
 
 
 
Enable “check for server certificate revocation”
 
Click on manage certificates...
 
Certification Authority
 
Click on “Trusted root Certification Authorities” > Import...Choose the file to import (myCA.pem)
 
 .pem are not displayed by default, but they can be used
 
 Trust the certificates
 
Restart Google Chrome
 
Check result
 
After Google Chrome restart, go back to https://myServer/certs
 
Everything is OK now!
 

Latest revision as of 16:10, 29 January 2015


SSL: Cryptography & authentication



Principle and law disclaimer

Reminder

An Authority of Certification is required to ensure your certificates.

Theses one provides:

  • Confidentiality
  • Integrity
  • Authentication


Usages


There's three options:

  • You can create your own Authority of Certification ;
  • Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
  • Use an Open Source Authority of Certification: www.cacert.org


Legal aspects


You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.

Region Law
France http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html
Sweden to be done
European Union to be done



Installation

Install packages

apt-get install openssl


Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl


Create ssl structure

mkdir certs crl newcerts private export


Initialize values

echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .



OpenSSL root configuration

During the process you’ll have to enter the same data many times:

>> You should edit the default values


Adjust default values

Edit openssl.cnf: 

vim /srv/ssl/openssl.cnf

Set the working directory: 

dir = /srv/ssl                            # Where everything is kept  [line 42]

[ req_distinguished_name ]
countryName_default             = SE                        # [line 128]   
stateOrProvinceName_default     = Västra Götaland           # [line 134]
localityName_default            = Goteborg                  # [line 137]
0.organizationName_default      = Daxiongmao.eu             # [line 140]
emailAddress_default            = guillaume@qin-diaz.com    # [line 154]



Authority of Certification (CA)

Difference between local / commercial Authority of Certification [CA]

Either you create your own Authority of Certification or you can use a commercial one.

Main differences:

Personal Commercial
Price free from 50$ / year (Go Daddy)
Validity you choose Usually 1 or 2 year
Browser alerts Yes No
Can be used for e-commerce No Yes
  • July 2013: "Go Daddy" seems to be the cheapest authority.


Choose an authority of certification and subscribe to a wildcard domain certification.


In either case you need to:

  • Create a private key
  • Generate a request (that will slightly change)


Create CA private key

Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption. 

openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096

You have to enter a password.

!! This password will be required to perform all next operations


Create a personal CA [or Domain root certificate]

Auto-sign your Certification Authority for 10 years 

openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.key \
-out cacerts.pem \
-days 3600


Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
  • Email Address [guillaume@qin-diaz.com]:


Some explanations:

Header text Header text
Parameter meaning
-config openssl.cnf to use the local OpenSSL configuration file
-new to request a new certificate
-x509 auto-sign this certificate
-sha256 hash algorithm to use
-key certificate private key
-out Target output file to create
-days Certificate validity time (in days)


You can check result by: 

openssl x509 -in cacerts.pem -text -noout


[Alternative] Request for a domain root certificate

Create a new server certificate request for target CA.

  • See process below to generate server’s certificate requestServer certificate



Server certificate

Go to the working directory: 

cd /srv/ssl


Create server private key

Generate encrypt private key

openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096

ServerName must match the server FQDN.


Ex: dev.daxiongmao.eu 

openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096


Decipher private key

If your key is encrypted, then you have to manually give the password each and every time a service starts.


!! If your private key is encrypt then it cannot be used at startup !!


So, for services like Apache2, you have to decipher the key: 

openssl rsa -in private/serverName.key -out private/serverName.nopass.key


Create server’s certificate request

openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.req

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
  • Email Address [guillaume@qin-diaz.com]:


!! Do not use a challenge password !!


Sign the server request

Auto-sign - using your personal CA

openssl ca -config openssl.cnf \
-in certs/serverName.req \
-out certs/serverName.cert.pem \
-cert cacerts.pem \
-days 3600


Some explanations:

Parameter meaning
-config the local OpenSSL configuration file
-in Incoming certificate request. = previous .req file
-out Target certificate file
-cert CA certificate to use
-days Certificate validity time (in days)


You can check result by: 

cat /srv/ssl/certs/serverName.cert.pem


[Alternate] Send the request to the CA

You have to send the “.req” file to the CA. They will send you back the certificate.


Export certificate

To export a certificate, it must be in PKCS12 format.

You have to perform the following for each and every certificate you’d like to export. 

cd /srv/ssl


openssl pkcs12 -export \
-descert -inkey private/serverName.key \
-in certs/serverName.cert.pem \
-certfile cacerts.pem \
-name "Certicate name" \
-out export/serverName.p12
  • Do not put an export password.
  • You should use the non-protected key if you want to use that export with some Linux services.


Example: 

openssl pkcs12 -export \
-descert -inkey private/dev.daxiongmao.eu.nopass.key \
-in certs/dev.daxiongmao.eu.cert.pem \
-certfile cacerts.pem \
-name "Certicate dev.daxiongmao.eu development server" \
-out export/dev.daxiongmao.eu.p12


Distribute the certificate with Apache2

see Apache 2 - SSL certificates page

Retrieved from "http://www.daxiongmao.eu/wiki/index.php?title=SSL_server&oldid=2049"