From SpectLog

: openssl, CA, certificate, self-signed

Introduction

Some clients reject self-signed certificates presented by a service. For example, on RHEL6/Fedora sssd acts as a client of the LDAP service and does not accept a self-signed certificate from LDAP.

The steps below use two hypothetical machines:

  • Certificate Authority (CA) machine, where the private CA key and related files are kept - ca.example.com;
  • Server machine, where the private server key file is kept - server.example.com.

All operations are assumed to be done by the root user.

Example of self-signed server certificate creation and its verification:

openssl req -new -x509 -nodes -out /tmp/certificate.pem -keyout /tmp/key.pem
openssl verify /tmp/certificate.pem

Note that by default the only field that matters for certificate validation is the Common Name (CN), which is set to the FQDN. All other fields can be left at their defaults by pressing Enter.

Therefore, to avoid rejection by clients, CA-signed certificates should be used. This requires a few more steps to make such a client and server work together:

  1. Create your own (private) Certificate Authority (CA) with CA certificate.
  2. Create certificate request for a server.
  3. Create a certificate for the server by the CA. The CA-signed server certificate is created by signing the server's certificate request.

Note that the CA certificate in this example is self-signed because it is the root one. Root CA certificates are always self-signed.

RHEL6/Fedora has the following default configuration:

  • File /etc/pki/tls/openssl.cnf is the default OpenSSL configuration file; it also specifies the location of all other files.
  • Directory /etc/pki/CA is the default location for Certificate Authority files.

Once the private key and the public CA-signed certificate files are generated, their location is generally service-specific (it depends on the service configuration).

OpenSSL has its own framework for installing CA certificates, with the /etc/pki/tls/certs/ directory as the default location. This default location is used by, for example, the openssl verify command. However, other services may require the CA certificate to be copied to a service-specific (configurable) location.

Setting up Certificate Authority (CA)

Install OpenSSL:

yum install openssl

Clean up any previously created files (when starting over from scratch). Note that the CA key lives under /etc/pki/CA/private/, and that a brace list with a single entry is not expanded by the shell, so the paths are given in full:

rm -f /etc/pki/CA/{cacert.pem,serial,crlnumber,index.txt} /etc/pki/CA/private/cakey.pem
rm -f /etc/pki/tls/server.example.com.csr

Initialize CA-related files:

cat /dev/null > /etc/pki/CA/index.txt
echo "01" > /etc/pki/CA/serial
echo "01" > /etc/pki/CA/crlnumber

The configuration file /etc/pki/tls/openssl.cnf describes all the files and directories. All paths in this example follow this default configuration.

Create the CA Certificate and the Key

Log in to the CA machine:

ssh ca.example.com

Generate the self-signed CA certificate:

openssl req -new -x509 -extensions v3_ca -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem

This will generate:

  • /etc/pki/CA/cacert.pem - self-signed CA certificate file
  • /etc/pki/CA/private/cakey.pem - CA private key file

Create certificate request

Log in to the server machine:

ssh server.example.com

Generate the server certificate request:

openssl req -new -nodes -keyout /etc/pki/tls/private/server.example.com.key -out /etc/pki/tls/server.example.com.csr

Only the "Common Name" field is used; set it to server.example.com. For all other fields press Enter to accept the defaults.

This will generate:

  • /etc/pki/tls/server.example.com.csr - server certificate request file;
  • /etc/pki/tls/private/server.example.com.key - server private key file.

Sign the certificate request by the CA to create the server certificate

Log in to the CA machine:

ssh ca.example.com

Copy the certificate request file from the server:

scp server.example.com:/etc/pki/tls/server.example.com.csr /etc/pki/tls/server.example.com.csr

Create the server certificate:

openssl ca -policy policy_anything -out /etc/pki/CA/certs/server.example.com.crt -infiles /etc/pki/tls/server.example.com.csr

This will generate:

  • /etc/pki/CA/certs/server.example.com.crt - server certificate signed by the CA.

The certificate request file serves no purpose other than decoupling two operations: (A) the requester filling in the server information and (B) the CA signing it. Therefore the /etc/pki/tls/server.example.com.csr file can be removed on both the server and the CA machine.

Install the CA certificate on the server machine

Log in to the server machine:

ssh server.example.com

Download the CA certificate from the CA machine (the file lives on ca.example.com, not on the server):

scp ca.example.com:/etc/pki/CA/cacert.pem /etc/pki/tls/certs

The CA certificate file should contain only one certificate. To check, count the certificate headers; the result should be 1:

grep -c 'BEGIN.*CERTIFICATE' /etc/pki/tls/certs/cacert.pem

OpenSSL looks up CA certificates in this directory by the hash of their subject name. Generate the hash for the CA certificate:

openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem

To reduce typing, assign the result to a shell variable:

HASH=$( openssl x509 -noout -hash -in /etc/pki/tls/certs/cacert.pem )

The symlink should be placed in the /etc/pki/tls/certs/ directory and named in the following format:

${HASH}.0

Create the symlink:

ln -s /etc/pki/tls/certs/cacert.pem /etc/pki/tls/certs/${HASH}.0

Review:

ls -l /etc/pki/tls/certs/

Test the installation: fetch the signed server certificate from the CA machine (it was written to /etc/pki/CA/certs/ on ca.example.com) and verify that it validates against the installed CA certificate:

scp ca.example.com:/etc/pki/CA/certs/server.example.com.crt /tmp
openssl verify /tmp/server.example.com.crt
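The whole procedure above, as an added example that is not part of the original page: it runs the CA, request, signing, install and verify steps unattended on one machine in a scratch directory instead of /etc/pki, so the effect of the hashed symlink can be observed directly. It assumes openssl is on PATH, passes subjects with -subj instead of interactive prompts, signs with openssl x509 -req instead of openssl ca (so no index.txt or serial file is needed), and additionally puts a subjectAltName into the server certificate, which current clients check instead of the Common Name.

```shell
#!/bin/sh
# Added example, not from the original page: the page's CA -> CSR -> sign -> install -> verify flow
# run unattended on one machine in a scratch tree standing in for /etc/pki. Subjects go via -subj
# instead of prompts; the signed cert also gets a subjectAltName, which current clients check.
set -eu

WORK=$(mktemp -d)                       # constructed scratch tree; /etc/pki is never touched
CA_DIR="$WORK/CA"; CERTS="$WORK/certs"  # CERTS plays the role of /etc/pki/tls/certs
mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CERTS"

make_ca() {  # self-signed root CA; note "req -x509" defaults to only 30 days without -days
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -subj "/CN=Example Private CA" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

make_csr() {  # $1 = FQDN; only the Common Name is filled in, as the page instructs
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$CA_DIR/private/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
}

sign_csr() {  # $1 = FQDN; x509 -req stands in for "openssl ca" (no index.txt/serial needed)
    printf 'subjectAltName=DNS:%s\n' "$1" > "$CA_DIR/san.ext"
    openssl x509 -req -days 365 -in "$CA_DIR/$1.csr" -CA "$CA_DIR/cacert.pem" \
        -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial -extfile "$CA_DIR/san.ext" \
        -out "$CA_DIR/certs/$1.crt" 2>/dev/null
}

make_self_signed() {  # $1 = FQDN; the kind of certificate the page says sssd rejects
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$1" \
        -keyout "$CA_DIR/private/$1.self.key" -out "$CA_DIR/certs/$1.self.crt" 2>/dev/null
}

install_ca() {  # the page's install step: copy cacert.pem and add the <subject hash>.0 symlink
    cp "$CA_DIR/cacert.pem" "$CERTS/cacert.pem"
    ln -sf cacert.pem "$CERTS/$(openssl x509 -noout -hash -in "$CERTS/cacert.pem").0"
}

verify_cert() {  # $1 = certificate path; true only if the chain validates through the hash dir
    # tests for the ": OK" line, since OpenSSL 1.0.x verify exits 0 even when validation fails
    openssl verify -CApath "$CERTS" "$1" 2>&1 | grep -q ': OK$'
}

main() {  # only the CA-signed certificate is trusted once the hashed symlink is in place
    make_ca; make_csr server.example.com; sign_csr server.example.com; make_self_signed server.example.com
    install_ca
    for c in "$CA_DIR"/certs/*.crt; do
        verify_cert "$c" && echo "trusted:  $c" || echo "rejected: $c"
    done
}
main
```

Removing the <hash>.0 symlink again makes even the CA-signed certificate fail verification, which is the quickest way to confirm that the lookup really goes through the symlink and not through the plain cacert.pem copy.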
