Re: [Pi3web-users] Re: Dumber than a Rock about Openssl
Brought to you by:
zimpel
Menu
▾
▴
Re: [Pi3web-users] Re: Dumber than a Rock about Openssl
|
From: <rap...@fr...> - 2002-09-29 00:29:40
|
Certificate EnrollmentHi Holger,
I thank you for your very detailed answer.
As soon as my web site's key didn't contained any passphrase, everything =
was going OK.
Another Question : Is it possible to run more than one instance of =
Pi3web on the same computer at the same time ? for exemple I would run =
one HTTP server and one HTTPS server at the same time (because as I saw =
on the GUI I have to chose if I want SSL or not, and if yes the whole =
web server becomes to be secured through HTTPS). I can imagine 2 =
solutions : on one hand 2 computers one HTTP server and one HTTPS, on =
the other hand 2 different HTTP servers, Pi3web and one of its =
competitors, on the same computer.
Regarding client's certificate, I understand your answer and I agree on =
the fact that it seems complex to implement.
I had firstly imagined that the same mechanism as the one for web site =
certificate could apply, but I was a foul. If I think a little more =
about it, I can easily figure out that client's private key generation =
and distribution might be generated on the client's side only, for an =
abvious security reason.
Well, the next step will be a huge one for me, but I will make a try.
Regards,
Raphael
----- Original Message -----=20
From: Holger Zimmermann=20
To: Rapha=EBl Pr=E9cigout=20
Cc: pi3...@li...=20
Sent: Saturday, September 28, 2002 10:38 AM
Subject: Re: [Pi3web-users] Re: Dumber than a Rock about Openssl
Rapha=EBl Pr=E9cigout wrote:
^^
Hi Rapha=EBl,
> Hi Holger,
>=20
> ** Yes, the demo key/certificate worked.
^^
OK
> ** Regarding the key/certificate generation, here are the steps I =
followed :
> 1. generate a CA certificate :
> openssl genrsa -des3 -out CA.key 1024
> openssl req -new -key CA.key -x509 -days 1095 -out CA.crt
^^
Seems to be ok, however I use(d) the command
openssl req -config request.cnf -new -x509 -keyout cakey.pem -out =
cacert.pem -days 1095
The differences are:
- do not force 3DES key in order to encrypt the generated CA key. This =
affects only signing
operations using the CA key, so it seems to be not related to your =
issue
- use a configuration file containing some flags and defaults =
regarding key and certificate
generation (attached). Normally some Netscape extensions should be =
set in addition, in order
to determine key usage etc. correctly for a CA key of a production =
CA, e.g.
[req]
x509_extensions =3D ca_policies
[ca_policies]
basicConstraints =3D critical, CA:TRUE
keyUsage =3D cRLSign, keyCertSign
subjectKeyIdentifier =3D hash
authorityKeyIdentifier =3D keyid, issuer:always
subjectAltName =3D email:copy
issuerAltName =3D issuer:copy
> 2. generate a CSR for the Web site and sign it with the CA to get a =
certificate :
> openssl genrsa -des3 -out web.key
> openssl req -new -key web.key -out web.csr
> openssl x509 -req -days 365 -in web.csr -CA ca.crt -CAkey ca.key =
-CAcreateserial -out web.crt
^^
Seems to be ok, however I use(d) only one command in order to generate =
key and the csr
(the same differences apply as for the CA key and certificate =
generation)
openssl req -config request.cnf -newkey 1024 -keyout srvkey.pem -out =
srvcsr.pem -days 1095
For signing the CSR using the CA key/certificate I use(d) the 'ca' =
command and
a configuration file, which contains some policies regarding the csr =
etc. (attached):
openssl ca -config default.cnf -name server -in srvcsr.pem -out =
srvcrt.pem
The 'ca' command is rather to be used, if you need to handle a lot of =
certificates issued
by your CA including certificate revokation properly.
> As I understand, the root certificate was self-signed, but the web =
site's one should be signed with the root (ie the CA certificate - am I =
wrong ?)
^^
No. But basically a SSL webserver could also be operated based on a =
self signed own
certificate as a root (i.e. without any CA. This makes only sense, if =
a conversation
needs to be only confidential but not authentical)
Regarding the passphrase of the web site's key no problem, I'll =
generate a key with none and give you a feed back.
^^
Yes, try to figure this out.
> ** other parameters : SSL v2 (on), SSL v3 (on), TLS 1.0 (off), Debug =
log (on), client certification (none), depth =3D 1, cipher list =3D =
DEFAULT, MSIE bug (on), Hack (on).
^^
OK
One more question : by default the path to demo key/certificate is =
./<file>. Can we give an absolute path from root disk (eg =
C:\CA_Stuff\Private\web.key for the key and C:\CA_Stuff\Certs\web.crt =
for the Certificate)
^^
Yes.
or do we have to give a relative path from Pi3web\bin ?
^^
No. If the Pi3Web starts, the server key and certificate file have =
been found.
So this seems to be ok.
> ** I've switched on SSL Debug but when I look at the file it's =
empty. I do not see any log file for openssl in bin directory. Sorry.
^^
Mmhh, I'm sorry, my last info regarding path to the SSL debug log was =
wrong. In Pi3Web
2.0.1 I moved the SSL debug log to ./Pi3Web/Logs/SSL.txt. And it =
seems, you've found
a bug in the admin GUI in addition, since changing the SSL debug flag =
doesn't affect
the config file :-(
As a workaround enable the debug log by deletion of the comment mark =
at the begin of
the following line in file ./Pi3Web/Conf/Config.pi3:
# DebugFile "../Logs/SSL.txt"
> ** I used MS IE 5.5 SP2 and Netscape 4.77 (running on a client on =
same LAN (win ME) and on the web server itself (win 95 sr2b)
^^
OK
> ** No message, neither dialog : the browser is still openning the =
page from the web site but nothing appear on the screen, and after 5 =
minutes it finally say that the web site had some problem... try to =
reload the page
^^
Maybe this is related to the serverside private-key passphrase, i.e. =
the server startup
is incomplete and a connection will be accepted but not processed =
properly. I've to take
a closer look into this, but you should try to generate a server key =
without passphrase.
>=20
> Some more questions : I want to send certificates to users of my web =
site so that I will activate the "client certificate =
verification"=3Dmandatory with a deepth level of 2;
> Do I need to remove the passphrase from the CA key ? (I hope no)
^^
No. The CA private key is only used in order to sign other =
certificates. For certificate
verification only the public key is required, which is part of the =
certificate itself.
> What are your hints for generating Users certificates ?
^^
This is a bit tricky, at least with the M$-browsers. Some months ago, =
VeriSign and M$ kept
this as a secret and there was not much information available, how to =
to generate a client
certificate using M$IE. The difference between the 'big' browsers are =
(unfortunately I do
not know about Opera):
M$: You have to use the xenroll.dll as an Active-X control properly in =
order to generate
a client key and a certificate request.
NS: There's the KEYGEN tag in order to be used in a enrollment form. I =
attached 2 HTML
example pages.
Furthermore, it depends on the business purpose of the solution, what =
structure the
certificate tree in your PKI should have. You could use only one (your =
CA) in order to
generate both server and client certificates. You could also use 2 =
independent CA's as
well as a PKI based on a root CA, which only signs the certificates =
for the separate
server and the client CA.
The handling of certificate revokation needs also to be considered, =
since there are
Netscape extensions in the issued client certificate, which needs to =
be set accordingly,
in order to enable the browser to download a CRL (Certificate =
Revokation List) from the
CA later.
The handling of server and client certificates with openssl is pretty =
complex. It can
be simplified by wrapping the openssl commands with some scripting =
(make, shell or perl
based) as well as a CGI based web frontend for the CA.
I started to write an online CA based on openssl some months ago. The =
(platform-independant)
perl based sources of this small project are available from here:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/pi3web/DemoCA/
It has been research on openssl for me, it's pretty undocumented and I =
cannot really
support it, nevertheless feel free to re-use it, if you like.
>=20
> Thank you for your help.
>=20
> Regards,
> Rapha=EBl
>=20
>=20
--=20
regards
Holger
-------------------------------------------------------------------------=
-----
[ default ]
default_ca =3D $ENV::DEFAULT_CA # The default CA section
TOP =3D $ENV::CATOP # The top dir of all CA's
[ ServerCA ]
dir =3D $ca::TOP/ServerCA # Root of this CA
database =3D $dir/index.txt # Database index file
new_certs_dir =3D $dir/archive # Archive directory
certificate =3D $dir/cacert.pem # CA Zertifikat
serial =3D $dir/serial # Current serial no.
private_key =3D $dir/cakey.pem # Private key of the CA
policy =3D policy_server # Which policy
x509_extensions =3D x509v3_ext_server # Extensions=20
default_days =3D 365 # Validity in days
default_crl_days=3D 30 # Days until next CRL
default_md =3D md5 # Which MD to use
preserve =3D no # Keep the order of the request fields
[ policy_server ]
countryName =3D supplied
stateOrProvinceName =3D optional
organizationName =3D supplied
organizationalUnitName =3D optional
commonName =3D supplied
emailAddress =3D optional
[ x509v3_ext_server ]
nsBaseUrl =3D $ENV::BASEURL
nsCaRevocationUrl =3D $ENV::CRLURL
nsCaPolicyUrl =3D $ENV::POLICYURL
[ ClientCA ]
dir =3D $ca::TOP/ClientCA # Root of this CA
database =3D $dir/index.txt # Database index file
new_certs_dir =3D $dir/archive # Archive directory
certificate =3D $dir/cacert.pem # CA Zertifikat
serial =3D $dir/serial # Current serial no.
private_key =3D $dir/cakey.pem # Private key of the CA
policy =3D policy_client # Which policy
x509_extensions =3D x509v3_ext_client # Extensions=20
default_days =3D 365 # Validity in days=20
default_crl_days=3D 30 # Days until next CRL
default_md =3D md5 # Which MD to use
preserve =3D no # Keep the order of the request fields
[ policy_client ]
countryName =3D optional
stateOrProvinceName =3D optional
localityName =3D optional
organizationName =3D optional
organizationalUnitName =3D optional
commonName =3D supplied
emailAddress =3D optional
[ x509v3_ext_client ]
nsBaseUrl =3D $ENV::BASEURL
nsCaRevocationUrl =3D $ENV::CRLURL
nsCaPolicyUrl =3D $ENV::POLICYURL
#nsCertType =3D yes
# CA policy for certificates within an organization
[ policy_internal ]
countryName =3D match
localityName =3D match
organizationName =3D match
organizationalUnitName =3D optional
commonName =3D supplied
emailAddress =3D supplied
[ policy_anything ]
-------------------------------------------------------------------------=
-----
RANDFILE =3D $ENV::HOME/.rand
[ req ]
default_bits =3D 1024
#default_keyfile =3D privkey.pem
distinguished_name =3D req_distinguished_name
encrypt_rsa_key =3D no
[ req_distinguished_name ]
countryName =3D Country Name (2 letters)
countryName_min =3D 2
countryName_max =3D 2
countryName_default =3D DE
stateOrProvinceName =3D State or Province
stateOrProvinceName_default =3D Sachsen
localityName =3D City Name
localityName_default =3D Wendishain
organizationName =3D Organization Name (eg, Company)
organizationName_default =3D Pi3.org
organizationalUnitName =3D Organizational Unit Name (eg, Section)
organizationalUnitName_default =3D Certificate Authority
commonName =3D Common Name
commonName_max =3D 64
commonName_default =3D www.pi3.org
emailAddress =3D Mail Address
emailAddress_max =3D 64
emailAddress_default =3D ce...@pi...
-------------------------------------------------------------------------=
-----
Certificate Enrollment
-------------------------------------------------------------------------=
-----
Country (C) =20
State or Province (SP) =20
Location (L) =20
Organization (O) =20
Organizational unit (OU) =20
Common name (CN) =20
e-Mail Address (Email) =20
=20
=20
=20
-------------------------------------------------------------------------=
-----
This form is intended to use with Netscape Navigator 3.0 or greater.
-------------------------------------------------------------------------=
-----
Certificate Enrollment
-------------------------------------------------------------------------=
-----
Country (C) =20
State or Province (SP) =20
Location (L) =20
Organization (O) =20
Organizational unit (OU) =20
Common name (CN) =20
e-Mail address (Email) =20
=20
=20
=20
-------------------------------------------------------------------------=
-----
This form is intended to use with Microsoft Internet Explorer 4.0 or =
greater.=20
|
