Re: [Pi3web-users] Re: Dumber than a Rock about Openssl
From: <zi...@t-...> - 2002-09-28 08:41:05
Raphaël Précigout wrote:
^^ Hi Raphaël,

> Hi Holger,
>
> ** Yes, the demo key/certificate worked.
^^ OK

> ** Regarding the key/certificate generation, here are the steps I followed:
> 1. generate a CA certificate:
>    openssl genrsa -des3 -out CA.key 1024
>    openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
^^ Seems to be ok, however I use(d) the command

   openssl req -config request.cnf -new -x509 -keyout cakey.pem -out cacert.pem -days 1095

The differences are:
- do not force a 3DES key in order to encrypt the generated CA key. This affects only signing operations using the CA key, so it seems to be not related to your issue
- use a configuration file containing some flags and defaults regarding key and certificate generation (attached). Normally some Netscape extensions should be set in addition, in order to determine key usage etc. correctly for a CA key of a production CA, e.g.

   [req]
   x509_extensions = ca_policies

   [ca_policies]
   basicConstraints = critical, CA:TRUE
   keyUsage = cRLSign, keyCertSign
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid, issuer:always
   subjectAltName = email:copy
   issuerAltName = issuer:copy

> 2. generate a CSR for the Web site and sign it with the CA to get a certificate:
>    openssl genrsa -des3 -out web.key
>    openssl req -new -key web.key -out web.csr
>    openssl x509 -req -days 365 -in web.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out web.crt
^^ Seems to be ok, however I use(d) only one command in order to generate the key and the csr (the same differences apply as for the CA key and certificate generation):

   openssl req -config request.cnf -newkey 1024 -keyout srvkey.pem -out srvcsr.pem -days 1095

For signing the CSR using the CA key/certificate I use(d) the 'ca' command and a configuration file, which contains some policies regarding the csr etc. (attached):

   openssl ca -config default.cnf -name server -in srvcsr.pem -out srvcrt.pem

The 'ca' command is rather to be used, if you need to handle a lot of certificates issued by your CA including certificate revocation properly.

> As I understand, the root certificate was self-signed, but the web site's one should be signed with the root (ie the CA certificate - am I wrong ?)
^^ No. But basically a SSL webserver could also be operated based on a self-signed own certificate as a root (i.e. without any CA. This makes only sense, if a conversation needs to be only confidential but not authentic).

> Regarding the passphrase of the web site's key no problem, I'll generate a key with none and give you feedback.
^^ Yes, try to figure this out.

> ** other parameters : SSL v2 (on), SSL v3 (on), TLS 1.0 (off), Debug log (on), client certification (none), depth = 1, cipher list = DEFAULT, MSIE bug (on), Hack (on).
^^ OK

> One more question : by default the path to the demo key/certificate is ./<file>. Can we give an absolute path from the root disk (eg C:\CA_Stuff\Private\web.key for the key and C:\CA_Stuff\Certs\web.crt for the certificate)
^^ Yes.

> or do we have to give a relative path from Pi3web\bin ?
^^ No. If Pi3Web starts, the server key and certificate file have been found. So this seems to be ok.

> ** I've switched on SSL Debug but when I look at the file it's empty. I do not see any log file for openssl in the bin directory. Sorry.
^^ Mmhh, I'm sorry, my last info regarding the path to the SSL debug log was wrong. In Pi3Web 2.0.1 I moved the SSL debug log to ./Pi3Web/Logs/SSL.txt. And it seems you've found a bug in the admin GUI in addition, since changing the SSL debug flag doesn't affect the config file :-( As a workaround enable the debug log by deleting the comment mark at the beginning of the following line in file ./Pi3Web/Conf/Config.pi3:

   # DebugFile "../Logs/SSL.txt"

> ** I used MS IE 5.5 SP2 and Netscape 4.77 (running on a client on the same LAN (win ME) and on the web server itself (win 95 sr2b)
^^ OK

> ** No message, neither dialog : the browser is still opening the page from the web site but nothing appears on the screen, and after 5 minutes it finally says that the web site had some problem... try to reload the page
^^ Maybe this is related to the serverside private-key passphrase, i.e. the server startup is incomplete and a connection will be accepted but not processed properly. I have to take a closer look into this, but you should try to generate a server key without passphrase.

> Some more questions : I want to send certificates to users of my web site so that I will activate the "client certificate verification"=mandatory with a depth level of 2;
> Do I need to remove the passphrase from the CA key ? (I hope no)
^^ No. The CA private key is only used in order to sign other certificates. For certificate verification only the public key is required, which is part of the certificate itself.

> What are your hints for generating Users certificates ?
^^ This is a bit tricky, at least with the M$-browsers. Some months ago, VeriSign and M$ kept this as a secret and there was not much information available on how to generate a client certificate using M$IE. The differences between the 'big' browsers are (unfortunately I do not know about Opera):
M$: You have to use the xenroll.dll as an Active-X control properly in order to generate a client key and a certificate request.
NS: There's the KEYGEN tag in order to be used in an enrollment form.
I attached 2 HTML example pages.

Furthermore, it depends on the business purpose of the solution, what structure the certificate tree in your PKI should have. You could use only one (your CA) in order to generate both server and client certificates. You could also use 2 independent CA's as well as a PKI based on a root CA, which only signs the certificates for the separate server and client CA. The handling of certificate revocation needs also to be considered, since there are Netscape extensions in the issued client certificate, which need to be set accordingly, in order to enable the browser to download a CRL (Certificate Revocation List) from the CA later.

The handling of server and client certificates with openssl is pretty complex. It can be simplified by wrapping the openssl commands with some scripting (make, shell or perl based) as well as a CGI based web frontend for the CA. I started to write an online CA based on openssl some months ago. The (platform-independent) perl based sources of this small project are available from here:

   http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pi3web/DemoCA/

It has been research on openssl for me, it's pretty undocumented and I cannot really support it, nevertheless feel free to re-use it, if you like.

> Thank you for your help.
>
> Regards,
> Raphaël

--
regards Holger
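The reply above sketches a procedure in three steps: a self-signed CA certificate carrying the listed x509 extensions, a server key without passphrase plus its CSR from a single `openssl req` call, and the CSR signed with the `openssl ca` command and a policy section. The script below is an added example that walks through exactly that sequence end to end; it is not code from the Pi3Web project, from Holger, or from the request.cnf/default.cnf attachments (which are not on this page). The two config files, the DN values, the directory layout and the file names are assumptions of this demo; key size and digest are raised to current minimums (2048-bit RSA, SHA-256), and the end-entity extension section and the three checks at the end go beyond what the mail shows. It needs an installed openssl CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not Pi3Web project code or the mail's attachments): a small
# two-level test PKI built the way the reply describes. File names, DN values
# and the scratch directory are assumptions for this demo.
set -eu

PKI_DIR="${PKI_DIR:-./demo-pki}"   # scratch directory; wiped on each build

# Stand-ins for the request.cnf / default.cnf attachments (not on the page).
write_configs() {
cat > "$PKI_DIR/request.cnf" <<'EOF'
[req]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = ca_policies
[dn]
C            = DE
O            = Example Test CA
CN           = Example Test Root CA
emailAddress = ca@example.test
# CA-certificate extensions as listed in the reply
[ca_policies]
basicConstraints       = critical, CA:TRUE
keyUsage               = cRLSign, keyCertSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName         = email:copy
issuerAltName          = issuer:copy
EOF
cat > "$PKI_DIR/default.cnf" <<'EOF'
# CA section selected with 'openssl ca -name server'
[server]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/cakey.pem
default_md      = sha256
default_days    = 365
unique_subject  = no
policy          = policy_server
x509_extensions = server_ext
# what a CSR must carry before this CA signs it
[policy_server]
countryName      = match
organizationName = supplied
commonName       = supplied
# end-entity extensions: explicitly not a CA, usable only as a TLS server
[server_ext]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www.example.test
EOF
}

build_demo_pki() {
  rm -rf "$PKI_DIR"
  mkdir -p "$PKI_DIR/newcerts"
  : > "$PKI_DIR/index.txt"          # empty certificate database for 'ca'
  printf '01\n' > "$PKI_DIR/serial"
  write_configs
  (
    cd "$PKI_DIR"
    # 1. CA key and self-signed CA certificate in one call. -nodes only because
    #    this demo runs unattended; a real CA key should keep its passphrase.
    openssl req -config request.cnf -new -x509 -newkey rsa:2048 -nodes \
      -keyout cakey.pem -out cacert.pem -days 1095
    # 2. Server key WITHOUT passphrase and its CSR in one call, so the server
    #    can start non-interactively (the passphrase problem in the thread).
    openssl req -config request.cnf -new -newkey rsa:2048 -nodes \
      -keyout srvkey.pem -out srvcsr.pem \
      -subj "/C=DE/O=Example Test CA/CN=www.example.test"
    # 3. Sign the CSR with the 'ca' command and its policy section.
    openssl ca -config default.cnf -name server -batch -notext \
      -in srvcsr.pem -out srvcrt.pem
  )
}

# Checks a deployer would run before pointing the web server at the files.
ca_cert_is_ca()             { openssl x509 -in "$PKI_DIR/cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
server_key_is_unencrypted() { ! grep -q 'ENCRYPTED' "$PKI_DIR/srvkey.pem"; }
server_cert_verifies()      { openssl verify -purpose sslserver -CAfile "$PKI_DIR/cacert.pem" "$PKI_DIR/srvcrt.pem" >/dev/null; }

main() {
  build_demo_pki
  ca_cert_is_ca
  server_key_is_unencrypted
  server_cert_verifies
  echo "demo PKI in $PKI_DIR: CA cert is a CA, server key unencrypted, server chain verifies"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not found" >&2; fi
```

Save it to a file and run it with `sh`; set `PKI_DIR` to choose another scratch directory. The `-purpose sslserver` check matters: it fails if the CA certificate lacks `CA:TRUE` plus `keyCertSign`, or if the server certificate is not marked for `serverAuth`, which is exactly the kind of misconfiguration that leaves a browser hanging without a useful error.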