Building And Integrating Virtual Private Networks With Openswan (2006)

Chapter 5

Create this openssl.cnf file by copying the installed openssl.cnf. The exact location varies with the distribution, but it tends to live somewhere in /usr/lib/ssl/ or /etc/ssl/ (openssl version -d prints the directory your OpenSSL build actually reads it from). Change the dir option to point to the directory where you will store your X.509 Certificates, otherwise it will use the ./demoCA directory. You can also pre-fill the various RDNs by changing the *_default options, for example countryName_default=CA.

Be Consistent with All Certificates

Do not edit the openssl.cnf file once you have started to generate certificates, because all certificates must be created with the same set of options. Adding or removing any RDN will result in all connections being refused, because the number of RDNs has to match.

Do not use . to fill in RDNs that you have filled in for other certificates, such as the CA's. Entering . means that this RDN will not be included in the certificate. This is not what you want, since the number and type of RDNs in the CA and in any certificate signed by it should be the same. If you use . anyway, your connection will never be allowed by Openswan, since it will not be able to find a matching DN, and you will see the much dreaded error message: no connection is authorized for <client DN>.

It is important that the CA certificate never expires before any of the certificates it has signed. It is recommended that you give your CA a very long lifetime, of the order of 10 years. You can then hand out certificates signed by that CA that are valid for a year for the next 9 years. You can use a shorter period and re-sign the CA, but be aware that the validity of the CA certificate must always outlast the certificates you sign with it.

OpenSSL Commands for Common Certificate Actions

The table below lists the most common commands for generating and revoking certificates. Some of the options, such as -days, take their defaults from openssl.cnf. The rsa:1024 key size is the book's 2006-era default; 1024-bit RSA is no longer considered adequate, so use rsa:2048 or larger (and a SHA-2 digest) for any certificate you create today.

X.509 Certificate operation / OpenSSL command line

Show certificate properties
    openssl x509 -in file.pem -noout -text

Show certificate DN for use in left/rightid=
    openssl x509 -in file.pem -noout -subject

Create CA
    openssl req -x509 -days 3650 -newkey rsa:1024 -keyout caKey.pem -out caCert.pem [ -passout pass:NewPassphrase ]

Renew CA
    openssl x509 -in caCert.pem -days 3650 -out caCert2.pem -signkey caKey.pem
    (Without -days, openssl x509 -signkey issues a certificate valid for only 30 days.)

Create host/user KEY and CSR
    openssl req -newkey rsa:1024 -keyout file.key -out fileReq.pem
    (This can be done by a user who then gives fileReq.pem to the sysadmin.)

Create host/user KEY without CSR
    openssl genrsa -out file.key 1024

Create host certificate from KEY (self-signed, not issued by the CA)
    openssl req -new -key file.key -x509 -out file.crt

Sign host/CSR certificate
    openssl ca -in fileReq.pem -days 365 -out fileCert.pem -notext -cert caCert.pem -keyfile caKey.pem

Package host cert for Windows (.p12)
    openssl pkcs12 -export -inkey file.key -in fileCert.pem -name YourName -certfile caCert.pem -caname "YourOrg CA" -out fileCert.p12 [ -passout pass:NewPassphrase ]

Remove passphrase from a private key
    openssl rsa -passin pass:CurrentPassphrase -in file.key -out file.key.unlocked

Change passphrase of a private key
    openssl rsa -passin pass:CurrentPassphrase -aes256 -passout pass:NewPassphrase -in file.key -out file.key.new
    (A cipher option such as -aes256 or -des3 is required here; without one, openssl rsa writes the key out unencrypted regardless of -passout.)

Create empty CRL
    openssl ca -gencrl -crldays 30 -out /etc/ipsec.d/crls/crl.pem -keyfile caKey.pem -cert caCert.pem

Revoke host certificate
    openssl ca -revoke fileCert.pem -keyfile caKey.pem -cert caCert.pem

Update CRL (required after revoke)
    openssl ca -gencrl -crldays 30 -out crl.pem -keyfile caKey.pem -cert caCert.pem

List CRL contents
    openssl crl -in crl.pem -noout -text

Unwrap pkcs12
    openssl pkcs12 -nocerts -in file.p12 -out file.key
    (Use -nodes for no passphrase.)
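The following script is an added example, not code from the Openswan book: it runs the create-CA, key/CSR, sign, empty-CRL, revoke and update-CRL steps from the table above end to end, non-interactively, in a scratch directory, and then uses openssl verify to show the effect of each step. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the directory layout, file names, DN values and the minimal openssl.cnf it writes are the example's own choices, and it uses 2048-bit RSA with SHA-256 rather than the book's rsa:1024.

```shell
#!/bin/sh
# Added example (not from the Openswan book): the CA/CSR/sign/CRL/revoke
# procedure from the table above, run non-interactively in a scratch
# directory. Assumes openssl 1.1.1 or 3.x on PATH; file names, DN values
# and the openssl.cnf below are this example's own choices.
set -eu

# Minimal openssl.cnf for 'openssl req' and 'openssl ca'. policy_match forces
# C and O to equal the CA's, so every certificate carries the same RDN set.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default
[ CA_default ]
dir                = $1
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = policy_match
x509_extensions    = v3_host
[ policy_match ]
countryName        = match
organizationName   = match
commonName         = supplied
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ v3_host ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature, keyEncipherment
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
EOF
}

# build_pki DIR: create the CA, a host key and CSR, sign the CSR, publish an empty CRL.
build_pki() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"        # the 'openssl ca' database starts out empty
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"
  write_config "$dir"
  # Create CA. -nodes leaves caKey.pem unencrypted so nothing prompts;
  # a real CA key should get -passout (and ideally live on an offline machine).
  openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/C=CA/O=Example Org/CN=Example CA" \
    -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" 2>/dev/null
  # Create host KEY and CSR: the part a user can do and hand to the sysadmin.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/C=CA/O=Example Org/CN=gateway.example.org" \
    -keyout "$dir/file.key" -out "$dir/fileReq.pem" 2>/dev/null
  # Sign host/CSR certificate.
  openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/fileReq.pem" -days 365 \
    -notext -cert "$dir/caCert.pem" -keyfile "$dir/caKey.pem" \
    -out "$dir/fileCert.pem" 2>/dev/null
  # Create empty CRL.
  openssl ca -gencrl -config "$dir/openssl.cnf" -crldays 30 \
    -cert "$dir/caCert.pem" -keyfile "$dir/caKey.pem" -out "$dir/crl.pem" 2>/dev/null
}

# revoke_host DIR: revoke the host certificate, then regenerate the CRL.
# -revoke only marks index.txt; peers see nothing until a new CRL is issued.
revoke_host() {
  dir=$1
  openssl ca -config "$dir/openssl.cnf" -revoke "$dir/fileCert.pem" \
    -cert "$dir/caCert.pem" -keyfile "$dir/caKey.pem" 2>/dev/null
  openssl ca -gencrl -config "$dir/openssl.cnf" -crldays 30 \
    -cert "$dir/caCert.pem" -keyfile "$dir/caKey.pem" -out "$dir/crl.pem" 2>/dev/null
}

# cert_valid DIR: true if fileCert.pem chains to caCert.pem (CRL not consulted).
cert_valid() {
  openssl verify -CAfile "$1/caCert.pem" "$1/fileCert.pem" >/dev/null 2>&1
}

# cert_revoked DIR: true if CRL checking rejects fileCert.pem as revoked.
cert_revoked() {
  out=$(openssl verify -crl_check -CAfile "$1/caCert.pem" -CRLfile "$1/crl.pem" \
    "$1/fileCert.pem" 2>&1) || true
  case $out in *"certificate revoked"*) return 0 ;; esac
  return 1
}

# Demonstration run in a fresh temporary directory.
PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
openssl x509 -in "$PKI_DIR/fileCert.pem" -noout -subject   # DN for left/rightid=
cert_valid "$PKI_DIR" && echo "host certificate verifies against the CA"
revoke_host "$PKI_DIR"
cert_revoked "$PKI_DIR" && echo "host certificate is now rejected by the CRL check"
```

The two checks at the end are the point: cert_valid stays true after revocation, because a plain chain check never consults the CRL, while cert_revoked only becomes true once the CRL has been regenerated. That is why the table lists "Update CRL" as a required step after every revoke; an Openswan gateway that keeps loading the old /etc/ipsec.d/crls/crl.pem will go on accepting the revoked certificate.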

Configuring Apache for IPsec X.509 Files

You might want to re-use an IPsec X.509 host certificate within SSL for Apache too, so that your host only needs one X.509 Certificate to identify itself for both IPsec and HTTPS. The following entries should be added to your Apache's SSL configuration (sometimes called ssl.conf):

    # Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .cert
    AddType application/x-pkcs7-crl .crl

    # use the same cert as IPsec for SSL/https
    SSLCertificateFile /etc/ipsec.d/certs/gateway.cert
    SSLCertificateKeyFile /etc/ipsec.d/private/gateway.key

If the private key is protected with a passphrase, starting the web server will prompt for it, which is usually not what you want on a machine that has to boot unattended. See the command list above for how to remove the passphrase from a private key. An unprotected key must then be readable only by root (mode 0600 inside /etc/ipsec.d/private/), and be aware that sharing one key between IPsec and Apache means a compromise of the web server also compromises the gateway's IPsec identity.
