Projekt PKI: Difference between revisions

From JoBaPedia
Jump to navigation Jump to search
(New page: = PKI für SSL meine Verbindungen * Openvpn Paket installiert -> easy-rsa * PKI Verzeichnis kopiert cp -av /usr/share/openvpn/easy-rsa/2.0 /usr/local/share/jba-pki-v2 * Datei vars angepa...)
 
No edit summary
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
= PKI für SSL meine Verbindungen
= PKI für meine SSL Verbindungen =


see also [[Project_LetsEncrypt]]
== Installation ==
* Openvpn Paket installiert -> easy-rsa
* Openvpn Paket installiert -> easy-rsa
* PKI Verzeichnis kopiert
* PKI Verzeichnis kopiert
Line 16: Line 19:
  export PKCS11_MODULE_PATH=/
  export PKCS11_MODULE_PATH=/
  export PKCS11_PIN=1234
  export PKCS11_PIN=1234
* Analog README PKI initialisiert und CA erzeugt
 
** keys/ca.crt als CA für Apache nach /etc/apache2/ssl.crt/ kopieren
== PKI CA erzeugen ==
Analog README PKI initialisiert und CA erzeugt
  . vars
  . vars
  ./clean-all
  ./clean-all
  ./build-dh
  ./build-dh
  ./pkitool --initca --pass
  ./pkitool --initca --pass
* Webserverzertifikat erzeugt
keys/ca.crt als CA für Apache nach /etc/apache2/ssl.crt/ kopieren
** keys/banzhaf.chickenkiller.com.crt für Zertifikat nach /etc/apache2/ssl.crt/ kopieren
 
** keys/banzhaf.chickenkiller.com.key für Webserver Key nach /etc/apache2/ssl.key/ kopieren
== Webserverzertifikat erzeugt ==
** ca, crt und key in /etc/apache2/vhosts.d/vhost-ssl.conf eintragen
** ca.crt im Document Root ablegen (damit Webbrowser es von da einfach als vertrauenswürdig installieren können)
  ./pkitool --server banzhaf.chickenkiller.com
  ./pkitool --server banzhaf.chickenkiller.com
* Tests für Clientauthentifizierung
* keys/banzhaf.chickenkiller.com.crt für Zertifikat nach /etc/apache2/ssl.crt/ kopieren
* keys/banzhaf.chickenkiller.com.key für Webserver Key nach /etc/apache2/ssl.key/ kopieren
* ca, crt und key in /etc/apache2/vhosts.d/vhost-ssl.conf eintragen
* ca.crt im Document Root ablegen (damit Webbrowser es von da einfach als vertrauenswürdig installieren können)
 
== Tests für Clientauthentifizierung ==
  ./pkitool joachim@banzhaf.chickenkiller.com
  ./pkitool joachim@banzhaf.chickenkiller.com
  ./pkitool julian@banzhaf.chickenkiller.com
  ./pkitool julian@banzhaf.chickenkiller.com
  ./pkitool carolin@banzhaf.chickenkiller.com
  ./pkitool carolin@banzhaf.chickenkiller.com
* Openvpn Zertifikate
 
== Openvpn Zertifikate ==
  ./pkitool --server openvpn.banzhaf.chickenkiller.com
  ./pkitool --server openvpn.banzhaf.chickenkiller.com
  ./pkitool lenovo@openvpn.banzhaf.chickenkiller.com
  ./pkitool lenovo@openvpn.banzhaf.chickenkiller.com
== Todo ==
=== How to add alternate subjects to certificates ===
==== Why ====
This is required for an ssl connection (webserver or whatever) to be valid for more than one name (e.g. localhost, job4, job4.job.de, banzhaf.chickenkiller.com)
==== background ====
Certificates can include extensions. One extension is SubjectAltName.
SubjectAltName for web- and ldap-server certifiates can hold the valid server names and ip adresses.
Whether they are honored is client specific, but current browsers and clients using the openldap libs will work (at least if you also include the cn).
A syntax example for a server:
SubjectAltName = DNS:banzhaf.chickenkiller.com, DNS:job4.job.de, DNS:job4
The SubjectAltName needs to be defined in the openssl.conf or in a file given with -extfile
==== Implementation ====
I modified easyrsa pkitool from openvpn to modify openssl.conf on the fly.
This does not work yet (the certificate did not include the alternate names). So for now use the yast ca (see below).
--- pkitool.orig      2013-11-01 12:22:05.000000000 +0100
+++ pkitool    2014-04-03 19:05:27.000000000 +0200
@@ -143,0 +144 @@
+ALT_NAMES=""
@@ -147,0 +149,2 @@
+        --altnames  ) ALT_NAMES=$2
+                  shift;;
@@ -315 +318,13 @@
-      :
+      ALT_LIST=""
+      SEP=""
+      for n in $ALT_NAMES; do
+              ALT_LIST="${ALT_LIST}${SEP}DNS:$n"
+              SEP=", "
+      done
+      if [ "$ALT_LIST" != "" ]; then
+              TMP_CONFIG="/tmp/openssl-$$.conf"
+              trap "rm -f $TMP_CONFIG" EXIT
+              echo "subjectAltName=$ALT_LIST" >"$TMP_CONFIG"
+              cat "$KEY_CONFIG" >>"$TMP_CONFIG"
+              KEY_CONFIG="$TMP_CONFIG"
+      fi
==== Troubleshooting ====
If you want to regenerate a key with the same CN, this may help if you see the following error message on signing (don't know about the implications)
failed to update database
TXT_DB error number 2
set unique_subject = no in keys/index.txt.attr
=== How to use openSUSE CA management instead ===
It is possible to import the easyrsa ca into the ca yast module.
Advantages of yast ca module
* easier to maintain because it is part of the distro
* alternate subjects already possible via gui
* easier to use for rarely used features that are implemented in the gui
Disadvantages of yast ca module
* yast gui is slower to use
* export of keys only with password, even if key is for a server
** remove passphrase like this
openssl rsa -in withpass.key -out withoutpass.key
* openssl commands are intransparent, i.e. no learning curve
* more difficult to use for features not implemented in the gui
== Heartbleed ==
Damn. Just implemented the PKI and now I can issue new certs already. Very nice! :(
http://heartbleed.com/
== Cert Checking ==
openssl cli can be used to test client/server TLS connection.
Or just use it to send data back and forth securely to a verified server.
=== Server ===
openssl s_server -crlf -cert /etc/letsencrypt/live/banzhaf.chickenkiller.com/fullchain.pem -key /etc/letsencrypt/live/banzhaf.chickenkiller.com/privkey.pem
=== Client ===
openssl s_client -crlf -connect localhost:4433 -servername banzhaf.chickenkiller.com
=== Client Certs ===
could probably work as well: -CAfile infile.pem on server and -cert on client

Latest revision as of 11:01, 13 January 2023

PKI für meine SSL Verbindungen

see also Project_LetsEncrypt

Installation

  • Openvpn Paket installiert -> easy-rsa
  • PKI Verzeichnis kopiert
cp -av /usr/share/openvpn/easy-rsa/2.0 /usr/local/share/jba-pki-v2
  • Datei vars angepasst
export EASY_RSA="/usr/local/share/jba-pki-v2"
export KEY_COUNTRY="DE"
export KEY_PROVINCE="Baden-Wuerttemberg"
export KEY_CITY="Korntal-Muenchingen"
export KEY_ORG="Joachim Banzhaf"
export KEY_EMAIL="joachim.banzhaf@googlemail.com"
export KEY_CN=
export KEY_NAME=
export KEY_OU="Software und Beratung" 
export PKCS11_MODULE_PATH=/
export PKCS11_PIN=1234

PKI CA erzeugen

Analog README PKI initialisiert und CA erzeugt

. vars
./clean-all
./build-dh
./pkitool --initca --pass

keys/ca.crt als CA für Apache nach /etc/apache2/ssl.crt/ kopieren

Webserverzertifikat erzeugt

./pkitool --server banzhaf.chickenkiller.com
  • keys/banzhaf.chickenkiller.com.crt für Zertifikat nach /etc/apache2/ssl.crt/ kopieren
  • keys/banzhaf.chickenkiller.com.key für Webserver Key nach /etc/apache2/ssl.key/ kopieren
  • ca, crt und key in /etc/apache2/vhosts.d/vhost-ssl.conf eintragen
  • ca.crt im Document Root ablegen (damit Webbrowser es von da einfach als vertrauenswürdig installieren können)

Tests für Clientauthentifizierung

./pkitool joachim@banzhaf.chickenkiller.com
./pkitool julian@banzhaf.chickenkiller.com
./pkitool carolin@banzhaf.chickenkiller.com

Openvpn Zertifikate

./pkitool --server openvpn.banzhaf.chickenkiller.com
./pkitool lenovo@openvpn.banzhaf.chickenkiller.com

Todo

How to add alternate subjects to certificates

Why

This is required for an ssl connection (webserver or whatever) to be valid for more than one name (e.g. localhost, job4, job4.job.de, banzhaf.chickenkiller.com)

background

Certificates can include extensions. One extension is SubjectAltName.

SubjectAltName for web- and ldap-server certifiates can hold the valid server names and ip adresses.

Whether they are honored is client specific, but current browsers and clients using the openldap libs will work (at least if you also include the cn).

A syntax example for a server:

SubjectAltName = DNS:banzhaf.chickenkiller.com, DNS:job4.job.de, DNS:job4

The SubjectAltName needs to be defined in the openssl.conf or in a file given with -extfile

Implementation

I modified easyrsa pkitool from openvpn to modify openssl.conf on the fly. This does not work yet (the certificate did not include the alternate names). So for now use the yast ca (see below).

--- pkitool.orig       2013-11-01 12:22:05.000000000 +0100
+++ pkitool    2014-04-03 19:05:27.000000000 +0200
@@ -143,0 +144 @@
+ALT_NAMES=""
@@ -147,0 +149,2 @@
+        --altnames  ) ALT_NAMES=$2
+                   shift;;
@@ -315 +318,13 @@
-      :
+      ALT_LIST=""
+      SEP=""
+      for n in $ALT_NAMES; do
+              ALT_LIST="${ALT_LIST}${SEP}DNS:$n"
+              SEP=", "
+      done
+      if [ "$ALT_LIST" != "" ]; then
+              TMP_CONFIG="/tmp/openssl-$$.conf"
+              trap "rm -f $TMP_CONFIG" EXIT
+              echo "subjectAltName=$ALT_LIST" >"$TMP_CONFIG"
+              cat "$KEY_CONFIG" >>"$TMP_CONFIG"
+              KEY_CONFIG="$TMP_CONFIG"
+      fi

Troubleshooting

If you want to regenerate a key with the same CN, this may help if you see the following error message on signing (don't know about the implications)

failed to update database
TXT_DB error number 2

set unique_subject = no in keys/index.txt.attr

How to use openSUSE CA management instead

It is possible to import the easyrsa ca into the ca yast module.

Advantages of yast ca module

  • easier to maintain because it is part of the distro
  • alternate subjects already possible via gui
  • easier to use for rarely used features that are implemented in the gui

Disadvantages of yast ca module

  • yast gui is slower to use
  • export of keys only with password, even if key is for a server
    • remove passphrase like this
openssl rsa -in withpass.key -out withoutpass.key
  • openssl commands are intransparent, i.e. no learning curve
  • more difficult to use for features not implemented in the gui

Heartbleed

Damn. Just implemented the PKI and now I can issue new certs already. Very nice! :(

http://heartbleed.com/

Cert Checking

openssl cli can be used to test client/server TLS connection. Or just use it to send data back and forth securely to a verified server.

Server

openssl s_server -crlf -cert /etc/letsencrypt/live/banzhaf.chickenkiller.com/fullchain.pem -key /etc/letsencrypt/live/banzhaf.chickenkiller.com/privkey.pem

Client

openssl s_client -crlf -connect localhost:4433 -servername banzhaf.chickenkiller.com

Client Certs

could probably work as well: -CAfile infile.pem on server and -cert on client