Difference between revisions of "SSL server"

(Preparation)
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[Category:Linux]]
 +
 
SSL: Cryptography & authentication
 
SSL: Cryptography & authentication
  
Line 151: Line 153:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
openssl genrsa -aes256 -out private/cakey.pem -rand ./ 4096
+
openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 166: Line 168:
 
openssl req -config openssl.cnf \
 
openssl req -config openssl.cnf \
 
-new -x509 -sha256 -nodes \
 
-new -x509 -sha256 -nodes \
-key private/cakey.pem \
+
-key private/cakey.key \
 
-out cacerts.pem \
 
-out cacerts.pem \
 
-days 3600
 
-days 3600
Line 361: Line 363:
  
  
 
+
Example:
 
 
=Setup website to send local CA and server certificates=
 
 
 
This required to have a web server up and running
 
 
 
 
 
==Preparation==
 
 
 
'''Create dedicated folder'''
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
mkdir -p /var/www/ssl/certs
+
openssl pkcs12 -export \
touch /var/www/ssl/certs/index.html
+
-descert -inkey private/dev.daxiongmao.eu.nopass.key \
</syntaxhighlight>
+
-in certs/dev.daxiongmao.eu.cert.pem \
 
+
-certfile cacerts.pem \
 
+
-name "Certicate dev.daxiongmao.eu development server" \
 
+
-out export/dev.daxiongmao.eu.p12
'''Create Web page'''
 
 
 
<syntaxhighlight lang="html4strict">
 
<html>
 
<head>
 
<title>Certificates list</title>
 
</head>
 
<body>
 
<h1>Certificates list</h1>
 
<hr/>
 
<h2>Certification Authority</h2>
 
<p>
 
Authority of certification:
 
<a href="https://serverURL/certs/cacerts.pem ">root certificate</a>
 
</p>
 
<h2>Servers certificates</h2>
 
<p>Click on the following links to download sub-servers certificates</p>
 
<ul>
 
<li>
 
<a href=" https://serverURL/certs/serverName.p12">my server</a>
 
</li>
 
</ul>
 
</body>
 
</html>
 
</syntaxhighlight>
 
 
 
==Copy files==
 
 
 
<syntaxhighlight lang="bash">
 
cp /srv/ssl/cacerts.pem /var/www/ssl/certs/cacerts.pem
 
cp /srv/ssl/ export/serverName.p12 /var/www/ssl/certs/serverName.p12
 
</syntaxhighlight>
 
 
 
 
 
Update rights
 
 
 
<syntaxhighlight lang="bash">
 
chown -R www-data:www-data /var/www/ssl
 
chmod 755 -R /var/www/ssl
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
  
=Installation on client computer=
+
=Distribute the certificate with Apache2=
  
Go to https://myServer/certs
+
see [[Apache 2 - SSL certificates page]]
1 st alert
 
You haven’t install the certificate yet... This website is presume to be non-secured.
 
Example of alert on Google chrome (click “proceed anyway”)
 
Then, you will see the following alert on URL:
 
Download file
 
Save file
 
Installation
 
Go to Google Chrome > Settings > Show advanced settings >
 
 
 
Enable “check for server certificate revocation”
 
Click on manage certificates...
 
Certification Authority
 
Click on “Trusted root Certification Authorities” > Import...Choose the file to import (myCA.pem)
 
 .pem are not displayed by default, but they can be used
 
 Trust the certificates
 
Restart Google Chrome
 
Check result
 
After Google Chrome restart, go back to https://myServer/certs
 
Everything is OK now!
 

Latest revision as of 15:10, 29 January 2015


SSL: Cryptography & authentication



Principle and law disclaimer

Reminder

An Authority of Certification is required to ensure your certificates.

Theses one provides:

  • Confidentiality
  • Integrity
  • Authentication


Usages


There's three options:

  • You can create your own Authority of Certification ;
  • Use a trusted Authority of Certification (commercial). Unfortunately, it's very expansive to use such ones ;
  • Use an Open Source Authority of Certification: www.cacert.org


Legal aspects


You are not allowed to use any cryptography. The maximum cryptographic level is set by the law.

Region Law
France http://www.ssi.gouv.fr/fr/reglementation-ssi/cryptologie/tableau-de-synthese-de-reglementation-en-matiere-de-cryptologie.html
Sweden to be done
European Union to be done



Installation

Install packages

apt-get install openssl


Prep folders

Create working directory

mkdir -p /srv/ssl
cd /srv/ssl


Create ssl structure

mkdir certs crl newcerts private export


Initialize values

echo 01 > serial
touch index.txt
cp /usr/lib/ssl/openssl.cnf .



OpenSSL root configuration

During the process you’ll have to enter the same data many times:

>> You should edit the default values


Adjust default values

Edit openssl.cnf:

vim /srv/ssl/openssl.cnf

Set the working directory:

dir = /srv/ssl                            # Where everything is kept  [line 42]

[ req_distinguished_name ]
countryName_default             = SE                        # [line 128]   
stateOrProvinceName_default     = Västra Götaland           # [line 134]
localityName_default            = Goteborg                  # [line 137]
0.organizationName_default      = Daxiongmao.eu             # [line 140]
emailAddress_default            = guillaume@qin-diaz.com    # [line 154]



Authority of Certification (CA)

Difference between local / commercial Authority of Certification [CA]

Either you create your own Authority of Certification or you can use a commercial one.

Main differences:

Personal Commercial
Price free from 50$ / year (Go Daddy)
Validity you choose Usually 1 or 2 year
Browser alerts Yes No
Can be used for e-commerce No Yes
  • July 2013: "Go Daddy" seems to be the cheapest authority.


Choose an authority of certification and subscribe to a wildcard domain certification.


In either case you need to:

  • Create a private key
  • Generate a request (that will slightly change)


Create CA private key

Generate a RSA private key (4096 bits length) for the CA and protect it with AES256 encryption.

openssl genrsa -aes256 -out private/cakey.key -rand ./ 4096

You have to enter a password.

!! This password will be required to perform all next operations


Create a personal CA [or Domain root certificate]

Auto-sign your Certification Authority for 10 years

openssl req -config openssl.cnf \
-new -x509 -sha256 -nodes \
-key private/cakey.key \
-out cacerts.pem \
-days 3600


Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: Daxiongmao.eu CA
  • Email Address [guillaume@qin-diaz.com]:


Some explanations:

Header text Header text
Parameter meaning
-config openssl.cnf to use the local OpenSSL configuration file
-new to request a new certificate
-x509 auto-sign this certificate
-sha256 hash algorithm to use
-key certificate private key
-out Target output file to create
-days Certificate validity time (in days)


You can check result by:

openssl x509 -in cacerts.pem -text -noout


[Alternative] Request for a domain root certificate

Create a new server certificate request for target CA.

  • See process below to generate server’s certificate requestServer certificate



Server certificate

Go to the working directory:

cd /srv/ssl


Create server private key

Generate encrypt private key

openssl genrsa -aes256 -out private/serverName.key -rand ./ 4096

ServerName must match the server FQDN.


Ex: dev.daxiongmao.eu

openssl genrsa -aes256 -out private/dev.daxiongmao.eu.key -rand ./ 4096


Decipher private key

If your key is encrypted, then you have to manually give the password each and every time a service starts.


!! If your private key is encrypt then it cannot be used at startup !!


So, for services like Apache2, you have to decipher the key:

openssl rsa -in private/serverName.key -out private/serverName.nopass.key


Create server’s certificate request

openssl req -config openssl.cnf \
-new -nodes \
-key private/serverName.key \
-out certs/serverName.req

Answer the questions:

  • Country Name (2 letter code) [SE]:
  • State or Province Name (full name) [Västra Götaland]:
  • Locality Name (eg, city) [Göteborg]:
  • Organization Name (eg, company) [Daxiongmao.eu]:
  • Organizational Unit Name (eg, section) []:
  • Common Name (e.g. server FQDN or YOUR name) []: dev.daxiongmao.eu
  • Email Address [guillaume@qin-diaz.com]:


!! Do not use a challenge password !!


Sign the server request

Auto-sign - using your personal CA

openssl ca -config openssl.cnf \
-in certs/serverName.req \
-out certs/serverName.cert.pem \
-cert cacerts.pem \
-days 3600


Some explanations:

Parameter meaning
-config the local OpenSSL configuration file
-in Incoming certificate request. = previous .req file
-out Target certificate file
-cert CA certificate to use
-days Certificate validity time (in days)


You can check result by:

cat /srv/ssl/certs/serverName.cert.pem


[Alternate] Send the request to the CA

You have to send the “.req” file to the CA. They will send you back the certificate.


Export certificate

To export a certificate, it must be in PKCS12 format.

You have to perform the following for each and every certificate you’d like to export.

cd /srv/ssl


openssl pkcs12 -export \
-descert -inkey private/serverName.key \
-in certs/serverName.cert.pem \
-certfile cacerts.pem \
-name "Certicate name" \
-out export/serverName.p12
  • Do not put an export password.
  • You should use the non-protected key if you want to use that export with some Linux services.


Example:

openssl pkcs12 -export \
-descert -inkey private/dev.daxiongmao.eu.nopass.key \
-in certs/dev.daxiongmao.eu.cert.pem \
-certfile cacerts.pem \
-name "Certicate dev.daxiongmao.eu development server" \
-out export/dev.daxiongmao.eu.p12


Distribute the certificate with Apache2

see Apache 2 - SSL certificates page