Difference between revisions of "CA"

From Whitespace (Hackerspace Gent)
Latest revision as of 15:50, 11 April 2012


CA
What: 0x20 Certificate Authority CA
Participants: Jaroslov
Locations: Whitespace

0x20 Certificate Authority

  • CA with OpenSSL
    • all flat files in 1 directory
    • can easily be stored/transported on an encrypted filesystem
  • Used for OpenVPN authentication

openssl.cnf

Check the openssl.cnf file with the 0x20 specific values:

  • root ca is valid for 15 years
  • certificates are valid for 5 years
  • DN: C=BE, ST=Ghent, L=Whitespace, O=0x20, CN=0x20 root ca
  • nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
  • extendedKeyUsage=serverAuth (server certs)
  • extendedKeyUsage=clientAuth (client certs)
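
The openssl.cnf that the list above refers to is not shown on the page; the following is a constructed version carrying those values (an added example, not the Whitespace file). It goes one step beyond the page: the server and client extensions live in separate sections, so `openssl ca ... -extensions server_cert` (or `-extensions client_cert`) replaces editing the file between signings; the section and directory names are assumptions.

```ini
# Constructed example for the 0x20 CA (not the page's own file); server and client extensions are separate sections.
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = .
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt      # the CA db
serial           = $dir/serial
crlnumber        = $dir/crlnumber      # seed once: echo 01 > crlnumber
certificate      = $dir/ca-0x20-cert.pem
private_key      = $dir/private/ca-0x20-key.pem
default_days     = 1825                # issued certs: 5 years
default_crl_days = 30                  # openssl ca -gencrl needs this (or -crldays)
default_md       = sha256
policy           = policy_0x20

[ policy_0x20 ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
localityName        = optional
commonName          = supplied

[ req ]
prompt             = no
distinguished_name = root_dn
x509_extensions    = v3_ca             # self-signed root; 15 years via -days 5475

[ root_dn ]
C  = BE
ST = Ghent
L  = Whitespace
O  = 0x20
CN = 0x20 root ca

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
nsCaRevocationUrl    = http://www.0x20.be/ca-0x20-crl.pem

[ server_cert ]
basicConstraints = CA:false
nsCertType       = server
extendedKeyUsage = serverAuth

[ client_cert ]
basicConstraints = CA:false
nsCertType       = client, email
extendedKeyUsage = clientAuth
```

The `match` entries in the policy section make `openssl ca` refuse a CSR whose C, ST or O differ from the root's, which catches requests generated against a different organisation's defaults before they are signed.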

Create a CA

$ openssl req -new -x509 -days 5475 -newkey rsa:4096 -extensions v3_ca -keyout \
  private/ca-0x20-key.pem -out ca-0x20-cert.pem -config ./openssl.cnf

Sign server cert

  • Change openssl.cnf to server settings:
$ vi ./openssl.cnf
nsCertType = server
extendedKeyUsage=serverAuth
  • If needed, create the key and the CSR (certificate signing request):
$ openssl genrsa -aes256 -out 0x20-servername.key 2048
$ openssl req -new -key 0x20-servername.key -nodes -out 0x20-servername.csr
  • Sign the certificate:
$ openssl ca -in 0x20-servername.csr -cert ca-0x20-cert.pem -keyfile \
  private/ca-0x20-key.pem -out 0x20-servername.cert -config ./openssl.cnf
  • Check index.txt (the CA db) for the new entry.

Sign client cert

  • Change openssl.cnf to client settings:
$ vi ./openssl.cnf
nsCertType = client, email
extendedKeyUsage=clientAuth
  • Sign the certificate:
$ openssl ca -in 0x20-client.csr -cert ca-0x20-cert.pem -keyfile \
  private/ca-0x20-key.pem -out 0x20-client.cert -config ./openssl.cnf

Create a pkcs12

$ openssl pkcs12 -export -in jaroslov.cert -inkey jaroslov.key -certfile ca.pem -name "jaroslov" -out jaroslov.p12

Create a CRL

$ openssl ca -gencrl -out crl/crl.pem -config ./openssl.cnf
  • The first time, seed the crlnumber file: $ echo "01" > crlnumber

Revoke a certificate

  • Check the certificates in newcerts/ (index.txt maps each serial number to its subject)
  • Revoke the needed one:
$ openssl ca -revoke newcerts/1000.pem -config ./openssl.cnf
  • Regenerate the CRL (see Create a CRL above; the revocation only takes effect once it is in a published CRL) and distribute it where needed.