Root-CA

Aus Neobiker\\\'s Wiki
Zur Navigation springen Zur Suche springen

Für meine Zertifikate erstelle ich mir eine eigene Certificate Authority. Server-Zertifikate und User-Zertifikate werden jeweils von einer eigenen CA erstellt.

Es ergibt sich folgende Struktur:

        Root-CA
        /     \
Server-CA     User-CA
   |            |
 SCert 1      UCert 1
 SCert 2      UCert 2
  ...          ...
 SCert n      UCert m

Es wird das Paket openssl benötigt:

apt-get install openssl

Folgendes Script mk_ca_struct legt in einem beliebigen Verzeichnis obige CA-Struktur im Filesystem an. Es benötigt eine angepasste openssl.cnf.tpl Datei, welche im gleichen Verzeichnis wie das Script selbst liegen muss: ./scripts

scx:~# tar tvjf ca-scripts.tgz
drwxr-xr-x root/root         0 2008-06-27 19:00 ca/
drwxr-sr-x root/root         0 2008-06-27 19:57 ca/scripts/
-rw-r--r-- root/root      6500 2008-06-27 19:11 ca/scripts/openssl.cnf.tpl
-rwxr-xr-x root/root      1559 2008-06-26 22:35 ca/scripts/mk_cert_server
-rwxr-xr-x root/root      1564 2008-06-26 22:35 ca/scripts/mk_cert_user
-rwxr--r-- root/root      2892 2008-06-26 22:49 ca/scripts/mk_ca_struct

Zuerst lege ich die CA Struktur mit den entsprechenden Zertifikaten an:

scx:~/ca# ./scripts/mk_ca_struct
Where to install the CA directories [/root/ca] /root/ca
mkdir: cannot create directory `/root/ca': File exists
cp: `./scripts' and `/root/ca/scripts' are the same file
~/ca ~/ca

----------------------
Erstelle eine Root CA:

Generating a 2048 bit RSA private key
..................................................................+++
...........+++
unable to write 'random state'
writing new private key to 'RootCA/private/RCAkey.pem'
Enter PEM pass phrase: >>rootCA-Password<<
Verifying - Enter PEM pass phrase: >>rootCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:rootCA
Email Address (eg, YOUR email) [webmaster@company.de]:
Doing .
00.pem => 9c05fe89.0


----------------------------------------------
Erstelle eine Server CA (signiert von Root CA):

Generating a 2048 bit RSA private key
.+++
....................................................................+++
unable to write 'random state'
writing new private key to 'ServerCA/private/SCAkey.pem'
Enter PEM pass phrase: >>ServerCA-Password<<
Verifying - Enter PEM pass phrase: >>ServerCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:serverCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'serverCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:15 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0


---------------------------------------------
Erstelle eine User CA (signiert von Root CA):

Generating a 2048 bit RSA private key
.................................................................+++
..........................................................................................+++
unable to write 'random state'
writing new private key to 'UserCA/private/UCAkey.pem'
Enter PEM pass phrase: >>UserCA-Password<<
Verifying - Enter PEM pass phrase: >>UserCA-Password<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:userCA
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/RootCA/private/RCAkey.pem: >>rootCA-Password<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'userCA'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 26 18:04:42 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Doing .
00.pem => 9c05fe89.0
01.pem => b99e5d4b.0
02.pem => 47efd334.0
~/ca

scx:~/ca# l
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:03 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/

Im Anschluss erzeuge mein Server Zertifikat mit mk_cert_server z.B. für einen Imap-Server (analog mit mk_cert_user für User):

scx:~/ca# ./scripts/mk_cert_server
~/ca ~/ca

Server-Cert Name: apache
--------
apacheKey.pem & apacheReq.pem ...

Generating a 1024 bit RSA private key
...............................++++++
.....................++++++
unable to write 'random state'
writing new private key to 'apacheKey.pem'
Enter PEM pass phrase: >>apache Passwort<<
Verifying - Enter PEM pass phrase: >>apache Passwort<<
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Bayern]:
Locality Name (eg, city) [Nuernberg]:
Organization Name (eg, company) [OrganisationName]:
Organizational Unit Name (eg, section or website) [OrganisationUnit]:
Common Name (SERVER / USER name) []:apache
Email Address (eg, YOUR email) [webmaster@company.de]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
company.de []:

Passwort aus apacheKey.pem entfernen [y] ?
Enter pass phrase: >>apache Passwort<<
writing RSA key
====================
apacheCert.pem  ...
====================
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/ServerCA/private/SCAkey.pem: >>ServerCA Passwort<<
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Bayern'
localityName          :PRINTABLE:'Nuernberg'
organizationName      :PRINTABLE:'OrganisationName'
organizationalUnitName:PRINTABLE:'OrganisationUnit'
commonName            :PRINTABLE:'apache'
emailAddress          :IA5STRING:'webmaster@company.de'
Certificate is to be certified until Jun 27 16:58:02 2013 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
----------------------------------------------

certs:
total 36
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
-rw------- 1 root root 4888 2008-06-28 18:58 apacheCert.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem

private:
total 24
-rw------- 1 root root 887 2008-06-28 18:57 apache-Key.pem
-rw------- 1 root root 963 2008-06-28 18:57 apacheKey.pem

~/ca

Das Zertifikat verwende ich für den Apache Webserver und teste es anschliessend. Es gibt zwei Key-Files für das Zertifikat apacheCert.pem, eins mit Passwort (apacheKey.req), das andere (apache-Key.req) ohne Passwort, damit der Server automatisch starten kann, ohne das ein Passwort erfragt wird.

scx:~/ca# cat /etc/apache2/sites-enabled/default-ssl
NameVirtualHost *:443

<VirtualHost *:443>
        ServerName apache.company.de
        ServerAdmin webmaster@company.de

        SSLEngine On
        SSLCipherSuite HIGH:MEDIUM
        SSLCertificateFile /root/ca/certs/apacheCert.pem
        SSLCertificateKeyFile /root/ca/ServerCA/private/apache-Key.pem

        # SSLProxyEngine On

        CustomLog /var/log/apache2/access_https.log combined
        ErrorLog  /var/log/apache2/error_https.log

        # debug, info, notice, warn, error, crit, alert, emerg
        LogLevel warn

        ServerSignature Off

        DocumentRoot /var/www/

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride AuthConfig
                Order allow,deny
                allow from all
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /debian-doc/ /usr/share/doc/
        <Directory /usr/share/doc/>
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Allow from all
        </Directory>

</VirtualHost>
scx:~/ca# /etc/init.d/apache2 restart

Ein Test (nach der Installation des Zertifikates auf dem lokalem Webserver) sieht dann so aus, man sieht die mehrstufige Hierarchie der Zertifikate bzw. CA inkl. ServerCA und rootCA.

scx:~/ca# openssl s_client -CApath /root/ca/certs -port 443 -host localhost > /tmp/foo
depth=2 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=rootCA/emailAddress=webmaster@company.de
verify return:1
depth=1 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=serverCA/emailAddress=webmaster@company.de
verify return:1
depth=0 /C=DE/ST=Bayern/L=Nuernberg/O=OrganisationName/OU=OrganisationUnit/CN=apache/emailAddress=webmaster@company.de
verify return:1

>>CTRL-C<<

Im Anschluss habe ich folgende Verzeichnisstruktur:

scx:~/ca# ls -lR
.:
total 32
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root 6657 2008-06-27 20:03 openssl.cnf
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 private/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 RootCA/
drwxr-sr-x 2 root root 4096 2008-06-27 19:57 scripts/
drwxr-xr-x 5 root root 4096 2008-06-27 20:20 ServerCA/
drwxr-xr-x 5 root root 4096 2008-06-27 20:04 UserCA/

./certs:
total 28
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 00.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 47efd334.0 -> 02.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 9c05fe89.0 -> 00.pem
lrwxrwxrwx 1 root root    6 2008-06-27 20:04 b99e5d4b.0 -> 01.pem
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem

./private:
total 8
-rw------- 1 root root 887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root 963 2008-06-27 20:20 apacheKey.pem

./RootCA:
total 36
drwxr-xr-x 2 root root 4096 2008-06-27 20:03 certs/
-rw-r--r-- 1 root root  280 2008-06-27 20:04 index.txt
-rw-r--r-- 1 root root   20 2008-06-27 20:04 index.txt.attr
-rw-r--r-- 1 root root   21 2008-06-27 20:04 index.txt.attr.old
-rw-r--r-- 1 root root  141 2008-06-27 20:04 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:03 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial.old

./RootCA/certs:
total 0

./RootCA/newcerts:
total 16
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 01.pem
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 02.pem

./RootCA/private:
total 8
-rw-r--r-- 1 root root 1911 2008-06-27 20:03 RCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:03 RCAkey.pem

./scripts:
total 20
-rwxr--r-- 1 root root 2892 2008-06-26 22:49 mk_ca_struct*
-rwxr-xr-x 1 root root 1550 2008-06-27 20:19 mk_cert_server*
-rwxr-xr-x 1 root root 1555 2008-06-27 20:31 mk_cert_user*
-rw-r--r-- 1 root root 6500 2008-06-27 19:11 openssl.cnf.tpl

./ServerCA:
total 28
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 certs/
-rw-r--r-- 1 root root  148 2008-06-27 20:20 index.txt
-rw-r--r-- 1 root root   21 2008-06-27 20:20 index.txt.attr
-rw-r--r-- 1 root root    0 2008-06-27 20:03 index.txt.old
drwxr-xr-x 2 root root 4096 2008-06-27 20:20 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:20 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:20 serial
-rw-r--r-- 1 root root    3 2008-06-27 20:03 serial.old

./ServerCA/certs:
total 8
-rw------- 1 root root 4909 2008-06-27 20:20 apacheCert.pem

./ServerCA/newcerts:
total 8
-rw-r--r-- 1 root root 4909 2008-06-27 20:20 01.pem

./ServerCA/private:
total 28
-rw------- 1 root root  887 2008-06-27 20:20 apache-Key.pem
-rw------- 1 root root  963 2008-06-27 20:20 apacheKey.pem
-rw-r--r-- 1 root root  737 2008-06-27 20:20 apacheReq.pem
-rw-r--r-- 1 root root 5643 2008-06-27 20:04 SCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 SCAkey.pem
-rw-r--r-- 1 root root 1082 2008-06-27 20:04 SCAreq.pem

./UserCA:
total 16
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 certs/
-rw-r--r-- 1 root root    0 2008-06-27 20:04 index.txt
drwxr-xr-x 2 root root 4096 2008-06-27 20:04 newcerts/
drwx------ 2 root root 4096 2008-06-27 20:04 private/
-rw-r--r-- 1 root root    3 2008-06-27 20:04 serial

./UserCA/certs:
total 0

./UserCA/newcerts:
total 0

./UserCA/private:
total 16
-rw-r--r-- 1 root root 5641 2008-06-27 20:04 UCAcert.pem
-rw-r--r-- 1 root root 1751 2008-06-27 20:04 UCAkey.pem
-rw-r--r-- 1 root root 1078 2008-06-27 20:04 UCAreq.pem