Back to the sea ; the Certificate Authority (CA), episode IV

    

OpenBSD FAQ and manpages is full of “how to generate your self-signed certificate”. That’s OK.
But I you get several services, as I’m gonna get, this means you’ll have to deploy every certificate to every client so that they trust them. Creating your own CA enables you to only deploy the CA file to your client. Then, they will trust any certificate that were signed by it.
Plus, it’s fun :p

Prerequisites

Let’s have an OpenBSD 4.8/amd64 system installed.

No others services are required to build your CA. But remember that your DNS must be configured properly as each certificates contains a DN ; and that’s probably how you’re gonna reach your services.

Installation and configuration

Let’s create the directory that’ll host my CA:

# mkdir /etc/ssl/TMFCA

Let’s grab the CA.sh:

# cd /etc/ssl/TMFCA/  
# ftp -o CA.sh "http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libssl/src/apps/CA.sh?rev=1.7;content-type=text%2Fplain"  
# chmod 755 CA.sh 

The CA.sh is a wrapper to openssl commands. It’s not required to build your CA. But I found it to be very easy to use.

Configure the CA.sh script

Customize the CA.sh file to configure the directory that will host the CA and the certificate duration:

# diff /etc/ssl/TMFCA/CA.sh.orig /etc/ssl/TMFCA/CA.sh
63,64c63,64
< if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi        # 1 year
< CADAYS="-days 1095"   # 3 years
---
> if [ -z "$DAYS" ] ; then DAYS="-days 3650" ; fi       # 10 year
> CADAYS="-days 3650"   # 10 years
71c71
< if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
---
> if [ -z "$CATOP" ] ; then CATOP=/etc/ssl/TMFCA ; fi

Configure the openssl.cnf

Customize the openssl.cnf file to defined default values:

# cd /etc/ssl
# ftp -o openssl.cnf 'http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libssl/src/apps/openssl.cnf?rev=1.7'
# cp -p openssl.cnf openssl.cnf.orig
# diff /etc/ssl/openssl.cnf.orig /etc/ssl/openssl.cnf
42c42
< dir           = ./demoCA              # Where everything is kept
---
> dir           = /etc/ssl/TMFCA        # Where everything is kept
73c73
< default_days  = 365                   # how long to certify for
---
> default_days  = 3650                  # how long to certify for
75c75
< default_md    = default               # use public key default MD
---
> default_md    = sha1                  # use public key default MD
106c106
< default_bits          = 1024
---
> default_bits          = 4096
129c129
< countryName_default           = AU
---
> countryName_default           = FR
134c134
< stateOrProvinceName_default   = Some-State
---
> stateOrProvinceName_default   = Paris
136a137
> localityName_default          = Paris
139c140
< 0.organizationName_default    = Internet Widgits Pty Ltd
---
> 0.organizationName_default    = TuM'Fatig
146c147
< #organizationalUnitName_default       =
---
> organizationalUnitName_default        = TMF Secure Certificate Authority
152a154
> emailAddress_default          = jdoe@tumfatig.net
330c332
< dir           = ./demoCA              # TSA root directory
---
> dir           = /etc/ssl/TMFCA        # TSA root directory

CA certificate creation

Use the CA.sh script to create the CA certificates:

# /etc/ssl/TMFCA/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 4096 bit RSA private key
...............++
.....................................................++
writing new private key to '/etc/ssl/TMFCA/private/./cakey.pem'
Enter PEM pass phrase:
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:ca.tumfatig.net
Email Address [jdoe@tumfatig.net]:
(...)
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/TMFCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
(...)
        Subject:
            countryName               = FR
            stateOrProvinceName       = Paris
            organizationName          = TuMFatig
            organizationalUnitName    = TMF Secure Certificate Authority
            commonName                = ca.tumfatig.net
            emailAddress              = jdoe@tumfatig.net
(...)
Certificate is to be certified until Dec 31 15:33:29 2020 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
# chmod 750 /etc/ssl/TMFCA/private
# chmod 640 /etc/ssl/TMFCA/private/cakey.pem

The /etc/ssl/TMFCA/cacert.pem file is the file that has to be deployed and/or accessible from clients that would have to trust the certificates generated with my CA.

Server certificate creation

The server’s private key will not be protected by a passphrase. That enables the service to start without any human input.

Create the certificate request:

# /etc/ssl/TMFCA/CA.sh -newreq-nodes
Generating a 4096 bit RSA private key
(...)
writing new private key to 'newreq.pem'
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:www.tumfatig.net
Email Address [jdoe@tumfatig.net]:
(...)
Request (and private key) is in newreq.pem

Sign the certificate:

# /etc/ssl/TMFCA/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/TMFCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
(...)
            commonName                = www.tumfatig.net
(...)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(...)
Signed certificate is in newcert.pem

Install certificate keys:

# install -o root -g wheel -m 0644 newcert.pem /etc/ssl/TMFCA/certs/www.tumfatig.net.crt
# rm newcert.pem
# sed -n '/BEGIN RSA PRIVATE KEY/,/END RSA PRIVATE KEY/p' newreq.pem > /etc/ssl/TMFCA/private/www.tumfatig.net.key
# chmod 0640 /etc/ssl/TMFCA/private/www.tumfatig.net.key
# rm newreq.pem

User certificate creation

A user certificate can either be a public / private key pair, stored in different files (like server’s one) or can be a single PKCS#12 file. The storage that best fits your needs will depend on how you want to use it. For example, OpenVPN prefers public / private key pair when MS Windows environment will prefer PKCS:

# /etc/ssl/TMFCA/CA.sh -newreq
Generating a 4096 bit RSA private key
(...)
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
(...)
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Paris]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [TuMFatig]:
Organizational Unit Name (eg, section) [TMF Secure Certificate Authority]:
Common Name (eg, YOUR name) []:jdoe
Email Address [jdoe@tumfatig.net]:
(...)
Request is in newreq.pem, private key is in newkey.pem

# /etc/ssl/TMFCA/CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/TMFCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
(...)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(...)
Signed certificate is in newcert.pem

# mv newcert.pem /etc/ssl/TMFCA/certs/jdoe.crt
# mv newkey.pem /etc/ssl/TMFCA/private/jdoe.key
# chmod 0640 /etc/ssl/TMFCA/private/jdoe.key

# openssl pkcs12 -export -in /etc/ssl/TMFCA/certs/jdoe.crt -inkey /etc/ssl/TMFCA/private/jdoe.key -out /etc/ssl/TMFCA/private/jdoe.p12
Enter pass phrase for /etc/ssl/TMFCA/private/jdoe.key:
Enter Export Password:
Verifying - Enter Export Password:
# chmod 0640 /etc/ssl/TMFCA/private/jdoe.p12

Additional notes

You can read a certificate’s content using:

# openssl x509 -in /etc/ssl/TMFCA/certs/jdoe.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:8c:ce:4b:c8:97:cb:ca
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Paris, O=TuMFatig, OU=TMF Secure Certificate Authority, CN=ca.tumfatig.net/emailAddress=jdoe@tumfatig.net
        Validity
            Not Before: Jan  3 18:39:01 2011 GMT
            Not After : Dec 31 18:39:01 2020 GMT
        Subject: C=FR, ST=Paris, L=Paris, O=TuMFatig, OU=TMF Secure Certificate Authority, CN=jdoe/emailAddress=jdoe@tumfatig.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
(...)

That’s All Folks!