Root-CA
For my certificates I set up my own Certificate Authority. Server certificates and user certificates are each issued by a CA of their own.
This gives the following structure:
            Root-CA
            /     \
     Server-CA     User-CA
         |            |
      SCert 1      UCert 1
      SCert 2      UCert 2
       ...          ...
      SCert n      UCert m
The openssl package is required:
apt-get install openssl
The following script, mk_ca_struct, creates the CA structure shown above in the filesystem under any directory you choose. It needs an adapted openssl.cnf.tpl file, which must reside in the same directory as the script itself: ./scripts
scx:~# tar tvjf ca-scripts.tgz
drwxr-xr-x root/root         0 2008-06-27 19:00 ca/
drwxr-sr-x root/root         0 2008-06-27 19:57 ca/scripts/
-rw-r--r-- root/root      6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
-rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
-rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
-rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct
First I create the CA structure with the corresponding certificates:
scx:~/ca# ./scripts/mk_ca_struct
Where to install the CA directories [/root/ca] /root/ca
mkdir: cannot create directory `/root/ca': File exists
cp: `./scripts' and `/root/ca/scripts' are the same file
~/ca ~/ca
----------------------
Erstelle eine Root CA:
Generating a 2048 bit RSA private key
..................................................................+++
...........+++
unable to write 'random state'
writing new private key to 'RootCA/private/RCAkey.pem'
Enter PEM pass phrase: >>rootCA-Password<<
Verifying - Enter PEM pass phrase: >>rootCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:rootCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Doing .
00.pem => 9c05fe89.0
----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):
Generating a 2048 bit RSA private key
.+++
....................................................................+++
unable to write 'random state'
writing new private key to 'ServerCA/private/SCAkey.pem'
Enter PEM pass phrase: >>ServerCA-Password<<
Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:serverCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'serverCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
---------------------------------------------
Erstelle eine User CA (signiert von Root CA):
Generating a 2048 bit RSA private key
.................................................................+++
..........................................................................................+++
unable to write 'random state'
writing new private key to 'UserCA/private/UCAkey.pem'
Enter PEM pass phrase: >>UserCA-Password<<
Verifying - Enter PEM pass phrase: >>UserCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:userCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'userCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
02.pem => 47efd334.0
~/ca
scx:~/ca# l
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/
Next I create my server certificate with mk_cert_server, e.g. for an IMAP server (and analogously with mk_cert_user for users):
scx:~/ca# ./scripts/mk_cert_server
~/ca ~/ca
Server-Cert Name: apache
-------- apacheKey.pem & apacheReq.pem ...
Generating a 1024 bit RSA private key
...............................++++++
.....................++++++
unable to write 'random state'
writing new private key to 'apacheKey.pem'
Enter PEM pass phrase: >>apache Passwort<<
Verifying - Enter PEM pass phrase: >>apache Passwort<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:apache
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Passwort aus apacheKey.pem entfernen [y] ?
Enter pass phrase: >>apache Passwort<<
writing RSA key
==================== apacheCert.pem ... ====================
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA Passwort<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'apache'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 27 16:58:02 2013 GMT (1825 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
----------------------------------------------
certs:
total 36
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
-rw------- 1 root root 4888 2008-06-28 18:58 apacheCert.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem

private:
total 24
-rw------- 1 root root  887 2008-06-28 18:57 apache-Key.pem
-rw------- 1 root root  963 2008-06-28 18:57 apacheKey.pem
~/ca
I use the certificate for the Apache web server and then test it. There are two key files for the certificate apacheCert.pem: one with a passphrase (apacheKey.pem) and one without (apache-Key.pem), so that the server can start automatically without being prompted for a passphrase.
scx:~/ca# cat /etc/apache2/sites-enabled/default-ssl
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName apache.company.de
    ServerAdmin webmaster@company.de

    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /root/ca/certs/apacheCert.pem
    SSLCertificateKeyFile /root/ca/ServerCA/private/apache-Key.pem
    # SSLProxyEngine On

    CustomLog /var/log/apache2/access_https.log combined
    ErrorLog /var/log/apache2/error_https.log
    # debug, info, notice, warn, error, crit, alert, emerg
    LogLevel warn
    ServerSignature Off

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        allow from all
        RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    Alias /debian-doc/ /usr/share/doc/
    <Directory /usr/share/doc/>
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
scx:~/ca# /etc/init.d/apache2 restart
A test (after installing the certificate on the local web server) then looks like this; it shows the multi-level hierarchy of certificates and CAs, including the ServerCA and the rootCA.
scx:~/ca# openssl s_client -CApath /root/ca/certs -port 443 -host localhost > /tmp/foo
depth=2 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=rootCA/emailAddress=webmaster@company.de
verify return:1
depth=1 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=serverCA/emailAddress=webmaster@company.de
verify return:1
depth=0 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=apache/emailAddress=webmaster@company.de
verify return:1
>>CTRL-C<<
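The whole procedure above (root CA, the two sub-CAs, the server certificate, the passphrase-free key copy, and the chain check that s_client shows) as an added, non-interactive shell example; it is not the page's mk_ca_struct/mk_cert_server scripts, and the file names, passphrases and the basicConstraints/extendedKeyUsage values it sets are assumptions of the example.

```shell
# Added example, not the page's mk_ca_struct / mk_cert_server scripts: builds
# the same Root-CA -> Server-CA / User-CA -> leaf hierarchy non-interactively
# and checks the result. Assumes `openssl` on PATH; names and passphrases are constructed.
set -eu
SUBJ="/C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit"
# Sub-CAs may sign end-entity certs only (pathlen:0); a leaf is never a CA.
CA_EXT="basicConstraints=critical,CA:TRUE,pathlen:0"
LEAF_EXT="basicConstraints=critical,CA:FALSE
extendedKeyUsage=serverAuth"
# $1 = name (becomes the CN), $2 = passphrase: encrypted RSA key plus CSR.
mk_key_csr() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1.key.pem" 2048 2>/dev/null
    openssl req -new -key "$1.key.pem" -passin "pass:$2" -subj "$SUBJ/CN=$1" -out "$1.req.pem"
}
# $1 = name to issue, $2 = issuing CA, $3 = that CA's passphrase, $4 = extensions.
sign() {
    printf '%s\n' "$4" > "$1.ext"
    openssl x509 -req -in "$1.req.pem" -CA "$2.cert.pem" -CAkey "$2.key.pem" -passin "pass:$3" \
        -CAcreateserial -days 1825 -extfile "$1.ext" -out "$1.cert.pem" 2>/dev/null
}
# Builds everything in a fresh directory (subshell keeps the caller's cwd) and prints its path.
build_ca_struct() (
    dir=$(mktemp -d); cd "$dir"
    mk_key_csr rootCA rootCA-Password
    echo "basicConstraints=critical,CA:TRUE" > rootCA.ext
    openssl x509 -req -in rootCA.req.pem -signkey rootCA.key.pem -passin pass:rootCA-Password \
        -days 3650 -extfile rootCA.ext -out rootCA.cert.pem 2>/dev/null
    mk_key_csr serverCA ServerCA-Password; sign serverCA rootCA rootCA-Password "$CA_EXT"
    mk_key_csr userCA UserCA-Password;     sign userCA rootCA rootCA-Password "$CA_EXT"
    mk_key_csr apache apache-Passwort;     sign apache serverCA ServerCA-Password "$LEAF_EXT"
    # Passphrase-free copy of the server key (the page's apache-Key.pem), root-readable only.
    openssl rsa -in apache.key.pem -passin pass:apache-Passwort -out apache-Key.pem 2>/dev/null
    chmod 600 apache-Key.pem
    echo "$dir"
)
# Does the leaf chain via serverCA to the trusted root (depth 2, 1, 0 as in s_client)?
check_chain() {
    openssl verify -CAfile "$1/rootCA.cert.pem" -untrusted "$1/serverCA.cert.pem" \
        "$1/apache.cert.pem" >/dev/null 2>&1
}
# Does key $2 (optional passphrase $3) belong to certificate $1? Compares the RSA moduli.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -passin "pass:${3:-}" -noout -modulus 2>/dev/null)" ]
}
# The leaf must carry CA:FALSE, or its key could be used to issue further certificates.
leaf_is_not_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'; }
```

`CA_DIR=$(build_ca_struct) && check_chain "$CA_DIR" && echo chain ok` exercises it; because openssl verify is given the root via -CAfile, the hashed symlinks that -CApath relies on (the `00.pem => 9c05fe89.0` step above) are not needed here.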
Afterwards I have the following directory structure:
scx:~/ca# ls -lR
.:
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:20 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/

./certs:
total 28
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem

./private:
total 8
-rw------- 1 root root  887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root  963 2008-06-27 20:20 apacheKey.pem

./RootCA:
total 36
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 certs/
-rw-r--r-- 1 root root  280 2008-06-27 20:04 index.txt
-rw-r--r-- 1 root root   20 2008-06-27 20:04 index.txt.attr
-rw-r--r-- 1 root root   21 2008-06-27 20:04 index.txt.attr.old
-rw-r--r-- 1 root root  141 2008-06-27 20:04 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:03 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial.old

./RootCA/certs:
total 0

./RootCA/newcerts:
total 16
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem

./RootCA/private:
total 8
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 RCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:03 RCAkey.pem

./scripts:
total 20
-rwxr--r-- 1 root root 2892 2008-06-26 22:49 mk_ca_struct*
-rwxr-xr-x 1 root root 1550 2008-06-27 20:19 mk_cert_server*
-rwxr-xr-x 1 root root 1555 2008-06-27 20:31 mk_cert_user*
-rw-r--r-- 1 root root 6500 2008-06-27 19:11 openssl.cnf.tpl

./ServerCA:
total 28
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root  148 2008-06-27 20:20 index.txt
-rw-r--r-- 1 root root   21 2008-06-27 20:20 index.txt.attr
-rw-r--r-- 1 root root    0 2008-06-27 20:03 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:20 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:20 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:03 serial.old

./ServerCA/certs:
total 8
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem

./ServerCA/newcerts:
total 8
-rw-r--r-- 1 root root 4909 2008-06-27 20:20 01.pem

./ServerCA/private:
total 28
-rw------- 1 root root  887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root  963 2008-06-27 20:20 apacheKey.pem
-rw-r--r-- 1 root root  737 2008-06-27 20:20 apacheReq.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 SCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 SCAkey.pem
-rw-r--r-- 1 root root 1082 2008-06-27 20:04 SCAreq.pem

./UserCA:
total 16
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root    0 2008-06-27 20:04 index.txt
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:04 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial

./UserCA/certs:
total 0

./UserCA/newcerts:
total 0

./UserCA/private:
total 16
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 UCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 UCAkey.pem
-rw-r--r-- 1 root root 1078 2008-06-27 20:04 UCAreq.pem