Certificate Authority - FWD - Golden Code Redmine

Certificate Authority¶

Certificate Authority

Secured network connections based on the SSL/TLS protocol requires that the servers and, optionally, the clients, obtain private keys and related public certificates.

It is possible to buy the keys and certificates from a well known authority, like VeriSign. Such purchased certificates are highly useful since all major browsers trust such well known certificate authorities (CAs). This trust means that clients (including browsers) that connect to servers with certificates that are signed by a trusted CA will silently accept that server's identity as valid.

It is also possible to use software to self-issue and self-sign cryptographic keys and certificates. This has the advantage of being inexpensive (the only cost is the time of the administrator that creates and manages the keys and certificates). The disadvantage is that the source is not trusted so connections will fail from clients (like browsers) which enforce checks on the validity of the server's certificate. In the case of the browser, such failures can be avoided by adding exceptions to the security preferences of the browser, such that the server certificate is allowed for the specific URL used.

This chapter documents the steps needed to create a certificate authority for use in the self-signing approach using the OpenSSL tools.

As an alternative, FWD includes a tool which automatically generates the root CA and the peer certificates using a Java cryptography library. For details on this tool see the FWD Cryptography Tool chapter of this book.

OpenSSL¶

OpenSSL is free software that has many applications. It has the ability to create the files needed for SSL/TLS. These files are the private keys and related public certificates.

OpenSSL comes with many distributions of Linux/UNIX. If it is not distributed with a particular OS distribution, it can be downloaded directly from the OpenSSL project web site: Directory_Configuration">http://www.openssl.org. Please refer to the OpenSSL documentation for installation instructions.

Use of the OpenSSL tools is assumed for the rest of the chapter.

Create a Certificate Authority¶

In all following commands, examples are provided that assume the usage of a Linux operating system.

Step 1 - Create a Target Directory in the File System¶

Create a directory in the file system, where the CA will be stored. This location must be highly secure, since access to these files must only be available to authorized personnel. Unauthorized access would allow a malicious user to impersonate any server or client in the organization which is protected using SSL certificates.

This example will use /var/ssl as the target directory.

sudo mkdir /var/ssl

Step 2 - Customize the CA.pl Script¶

Locate the file CA.pl. This file is part of OpenSSL. A typical location is /usr/local/ssl/misc/CA.pl.

Copy the resulting file to /usr/local/bin/CA.pl:

sudo cp /usr/local/ssl/misc/CA.pl /usr/local/bin/CA.pl

Edit /usr/local/bin/CA.pl and change the value of the following two keywords: $SSLEAY_CONFIG and $CATOP. The first keyword specifies the configuration file to use. Set it as follows:

$SSLEAY_CONFIG="-config /etc/openssl.cnf"

The second keyword specifies a writable location in the file-system where the CA infrastructure will reside. This should be set to the target directory previously created:

$CATOP="/var/ssl".

Make the edited script executable:

sudo chmod +x /usr/local/bin/CA.pl

Step 3 - Create OpenSSL Configuration¶

Create the configuration file /etc/openssl.cnf using the default configuration (normally found in /usr/lib/ssl/openssl.cnf) as a base.

sudo cp /usr/lib/ssl/openssl.cnf /etc/openssl.cnf

Edit /etc/openssl.cnf. The following values should be edited in place in the sections which the values exist. Replace every occurrence of date for the example Acme Inc with the correct organization name, file name, country, state and city.

certificate                 = $dir/acme-root-ca-cert.pem          # The CA certificate
serial                      = $dir/acme-root-ca-cert.srl          # serial number
private_key                 = $dir/private/acme-root-ca-key.pem   # The private key

countryName_default         = US

stateOrProvinceName         = State
stateOrProvinceName_default = Georgia

localityName_default        = Atlanta

0.organizationName          = Acme Inc
0.organizationName_default  = Acme Inc

Optionally you can modify the directory in which you want to output the certificate authority instead of the /*var/ssl* location.

Example:

dir             = /work/p2j/ca  # Where everything is kept

In any case the chosen directory must be built to contain the necessary structure and files set in the openssl.cnf file.

certs      = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl  # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir   = $dir/newcerts # default place for new certs.
certificate = $dir/acme-root-ca-cert.pem    # The CA certificate
serial  = $dir/acme-root-ca-cert.srl     # serial number
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/acme-root-ca-key.pem # The private key

The following steps are done considering $dir property from openssl.cnf points to /*var/ssl* location:

Modify default configuration values as needed. For example, default_days sets the certificate validity period. See the OpenSSL documentation for details.

Step 4 - Create the CA Using the Edited Script¶

Run the CA creation command. It also tries to create a CA certificate, but fails. Just ignore it.

/usr/local/bin/CA.pl -newca

Step 5 - Create the Self-Signed Root CA Certificate¶

Switch to the /var/ssl directory.

cd /var/ssl

Delete these files:

rm cacert.pem private/cakey.pem

Create a self-signed root CA certificate, valid for roughly 10 years, using this command (substitute the proper file names in as needed):

openssl req -config /etc/openssl.cnf -new -x509 -keyout private/acme-root-ca-key.pem -out acme-root-ca-cert.pem -days 3650

The command will require you to create a passphrase. The dialog:

Generating a 1024 bit RSA private key
.................++++++
...............................++++++
writing new private key to 'private/acme-root-ca-key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name [US]:
State [Georgia]:
Locality (city etc) [Atlanta]:
Organization [Acme Inc]:
Organizational Unit []:
Subject Name []:Certificate Authority
email []:

Step 6 - Verify the CA Certificate¶

Verify the CA certificate with this command:

openssl x509 -text -in acme-root-ca-cert.pem

Review the output. It should show correct Issuer, Subject, Serial Number (0), Validity dates and so on.

Step 7 - Setup Serial Numbering¶

Using your favorite editor, create the serial number file /var/ssl/acme-root-ca-cert.srl and put the characters 01 inside.

Step 8 - Secure Access¶

Access to /var/ssl must be secured. In particular, no access whatsoever (including read access) should be allowed to anyone except the authorized security administrators who must use the certificate. Something like this may work:

sudo chmod 0700 -R /var/ssl

The Certificate Authority is now ready. The certificate acme-root-ca-cert.pem is the so called root CA certificate. It has to be made known to the applications as a trusted authority certificate. All other certificates produced by this CA will refer to this root certificate.

Importing the Root CA Certificate into the Directory¶

The root CA certificate must be known to the FWD server. By importing this certificate into the directory of the server, all certificates signed by this CA can be known to be trusted. Otherwise, it is not possible to use any such certificates for authentication or privacy (SSL socket communications).

There are two ways to import (i.e. load) the certificate. With a running server, the administration client can be used to edit the directory of that running server. For details, please see the chapter in Part 3 of this book entitled Loading Known Certificates.

The other way to import the certificate is to use a command line utility while the server is not running. The following commands will do the work:

Change the “working directory” to the location from which the server is normally run. In this file system location, it is expected to find the directory file (the server's XML configuration file) and the server's bootstrap configuration file. For the purposes of this example, the working directory where the server's files exist will be /server/p2j/, the directory file will be directory.xml and the bootstrap configuration file will be server.xml.

cd /server/p2j

Run the utility, to load the root CA certificate as a known root certificate:

java -Xmx256m com.goldencode.p2j.util.LoadCert - server.xml /security/certificates/cas/acme-root /var/ssl/acme-root-ca-cert.pem

The bootstrap configuration file has a reference to the directory.xml (which is how the FWD server knows which file to use as its directory when the server starts). This command opens that directory file (./directory.xml) and imports the acme-root-ca-cert.pem certificate into the path /security/certificates/cas/acme-root. The acme-root name can be anything unique in that parent element (/security/certificates/cas/). The server will recognize that this is a CA based on the location in the directory and it will add it into a dynamically created in-memory trust-store at server startup. A trust-store is a list of trusted CAs. The name specified will be the alias of the CA in the trust-store.

Project

General

Profile

FWD

Wiki