Labeled NFS/Demo/Manual/LDAP/CA

From SELinux Wiki
Revision as of 13:52, 11 December 2008 by CraigGrube


Certificate Guide

The openssl package provides the scripts needed to create certificates.

  • This includes a certificate that can act as a Certificate Authority (CA) and is then used to sign the other certificates that are created.

Preparation

edit /etc/pki/tls/openssl.cnf

Change the *_default values below to suit the certificates that are going to be created. Editing this file is not required, because the script that creates certificates prompts for each of these fields, but it is easier to put the values in the file once and then simply accept the defaults when the script runs. The values shown (Maryland, Columbia, setest) are the ones used in the examples on this page.

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Maryland

localityName                    = Locality Name (eg, city)
localityName_default            = Columbia

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = setest

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = 

organizationalUnitName          = Organizational Unit Name (eg, section)
# organizationalUnitName_default  = 

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
  
emailAddress                    = Email Address
emailAddress_max                = 64
  
# SET-ex3                       = SET extension number 3

Creating the Certificate Authority (CA)

Options

By default a certificate signed by the CA expires after one year (DAYS) and the CA certificate itself after ten years (CADAYS, 3650 days; the sample output below shows the CA being certified for 3650 days). Either default can be changed by editing the CA script in /etc/pki/tls/misc/CA:

DAYS="-days 365"
CADAYS="-days 3650"

The following step creates the Certificate Authority. Once the CA exists, any number of child certificates (certificates signed by the CA and used by servers and possibly clients) can be created. The CA is the root of the chain of trust for every certificate it signs, and it is hard to replace: if the CA key is lost, or its pass phrase is forgotten or disclosed, every certificate signed with it has to be re-issued and every machine that trusts it has to be re-configured. The following should be observed:

  • Choose a strong pass phrase for the CA key.
  • Keep track of the pass phrase and of who knows it.
  • Keep the CA private key (/etc/pki/CA/private/cakey.pem) readable by root only; the pass phrase is the only other protection it has.
  • The sample output below shows 1024-bit RSA keys and sha1WithRSAEncryption signatures, which were the openssl.cnf defaults when this page was written. Current clients reject or warn on both, so set default_bits = 2048 (or larger) and default_md = sha256 in openssl.cnf before creating the CA.
[root@sefos /etc/pki/tls/misc]# bash ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...................................................++++++
..++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [Columbia]:
Organization Name (eg, company) [setest]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sefos.setest.com
Email Address []:admin@setest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok

Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun 16 23:17:27 2008 GMT
            Not After : Jun 14 23:17:27 2018 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = setest
            commonName                = setest.com
            emailAddress              = admin@setest.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB
            X509v3 Authority Key Identifier:
                keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Certificate is to be certified until Jun 14 23:17:27 2018 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Create a Server Certificate

Now we move on to create a certificate request for a server. openssl is called directly, with -nodes, so that the server's private key is written unencrypted and a daemon can load it at startup without a pass phrase. The CA script can create the same request with its '-newreq' option, but it encrypts the key with a pass phrase. An unencrypted key is protected only by file permissions (and, on an SELinux system, by the file's context), so keep it readable by root alone. Note that -keyout and -out name the same file, so newreq.pem ends up containing both the private key and the request.

  • The fully qualified name of the server is required for the common name.
    • This fully qualified name should resolve properly in DNS; it is the name clients compare against the host they connected to.
[root@sefos /etc/pki/tls/misc]# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.............................++++++
................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:sefos.setest.com
Email Address []:admin@setest.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The request, together with the unencrypted private key, is written to newreq.pem in the directory the command was run from, here /etc/pki/tls/misc/newreq.pem. This is not yet a certificate; it still has to be signed by the CA.

Sign the Server Certificate

The CA script reads the request from newreq.pem in the current directory, signs it with the CA key (which is why the CA pass phrase is requested) and writes the signed certificate to newcert.pem.

[root@sefos /etc/pki/tls/misc]# bash ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 16 23:29:08 2008 GMT
            Not After : Jun 16 23:29:08 2009 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            localityName              = Columbia
            organizationName          = setest
            commonName                = sefos.setest.com
            emailAddress              = admin@setest.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:A8:58:17:90:8D:2C:A6:C2:B4:1E:0A:0E:FD:BE:32:E8:89:12:D3
            X509v3 Authority Key Identifier:
                keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

Certificate is to be certified until Jun 16 23:29:08 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=mikesoffice, CN=sefos.setest.com/emailAddress=admin@setest.com
        Validity
            Not Before: Jun 16 23:29:08 2008 GMT
            Not After : Jun 16 23:29:08 2009 GMT
        Subject: C=US, ST=Maryland, L=Columbia, O=setest, CN=sefos.setest.com/emailAddress=admin@setest.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c6:0b:49:11:65:52:fe:df:a8:af:fd:a3:3e:5a:
                    67:78:39:ad:e8:38:ee:05:36:64:19:ed:47:79:0b:
                    61:2a:03:04:d9:97:9f:09:bd:df:1e:49:16:d1:6a:
                    d1:5e:ea:96:a5:c7:ad:d7:ba:c2:de:5d:78:a9:10:
                    12:24:6d:04:7e:ab:a8:20:1c:a0:56:a7:a3:48:fe:
                    4d:4d:9c:d4:22:05:29:36:7c:f5:2c:ce:fb:8c:86:
                    50:77:d3:3f:c7:19:25:81:db:e4:0f:08:f7:47:a0:
                    e5:a0:4c:8e:be:61:91:82:b6:d4:36:33:11:49:a9:
                    90:f0:0f:dc:07:8d:7b:e8:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:A8:58:17:90:8D:2C:A6:C2:B4:1E:0A:0E:FD:BE:32:E8:89:12:D3
            X509v3 Authority Key Identifier:
                keyid:58:27:5B:5F:FA:53:F6:ED:BA:F1:28:F5:37:9A:F3:9B:4C:9B:61:FB

    Signature Algorithm: sha1WithRSAEncryption
        69:65:a5:26:8e:9a:e0:1c:4f:7b:b7:57:72:89:9e:16:3d:07:
        18:95:af:c0:5d:b5:e4:56:70:b5:4c:05:80:82:3a:59:f4:82:
        9c:87:16:4a:01:3c:a1:a2:88:39:4a:55:9b:92:9e:27:d9:ac:
        51:16:8f:72:7b:14:92:37:24:3f:70:fd:28:b0:b3:28:73:b8:
        7d:ee:86:42:dd:aa:6f:12:c9:2e:20:7c:10:be:5e:f8:c0:5d:
        1e:6a:d5:4f:79:b9:2f:b6:ff:ac:45:ed:c3:a3:3c:d5:b2:c5:
        b6:21:fa:3b:8b:de:74:f4:09:a4:57:d2:2d:1a:32:06:04:38:
        63:17
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
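The whole procedure above (CA, server request, signing) done with openssl directly instead of the CA script, as an added example that is not part of this wiki page or of the openssl package. It builds everything in a scratch directory passed as the first argument, uses the DN values from this page (O=setest, CN=sefos.setest.com), and adds the two checks a practitioner wants before trusting the result: that the server certificate actually chains to the CA for the expected hostname, and that the CA certificate carries CA:TRUE (the sample output above shows CA:FALSE on the CA certificate, which strict clients reject). It assumes an openssl binary, 1.1.0 or later, on PATH; the v3_ca and v3_server section names and all file names are choices made for this example.

```shell
#!/bin/sh
# Added example (not the wiki's CA script): CA -> server certificate with
# openssl directly, in the scratch directory given as $1.
set -eu

# Minimal openssl.cnf: a non-interactive DN for the CA (the page's
# Preparation step done in a file) plus two extension sections.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
default_md         = sha256

[ dn ]
C  = US
ST = Maryland
L  = Columbia
O  = setest
CN = setest demo CA

# For the CA certificate: this is what makes it a CA.
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# For the server certificate: not a CA, server use only, FQDN in the SAN.
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:sefos.setest.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Like "CA -newca": CA key and self-signed CA certificate, 3650 days as in
# CADAYS. -nodes is for this demo only; a real CA key should be encrypted.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/cakey.pem"
}

# Like the page's "openssl req -new -nodes", but key and request are kept
# in separate files. Permissions are all that protect an unencrypted key.
make_server_request() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$1/openssl.cnf" \
        -subj "/C=US/ST=Maryland/L=Columbia/O=setest/CN=sefos.setest.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    chmod 600 "$1/server.key"
}

# Like "CA -sign", 365 days as in DAYS; the signer decides the extensions.
sign_server_request() {
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions v3_server \
        -out "$1/server.pem" 2>/dev/null
}

# 0 when Basic Constraints in the certificate says CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 0 when server.pem chains to cacert.pem and matches the expected hostname.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname sefos.setest.com \
        "$1/server.pem" >/dev/null 2>&1
}

make_demo_pki() {
    mkdir -p "$1"
    write_config "$1"
    make_ca "$1"
    make_server_request "$1"
    sign_server_request "$1"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
if verify_chain "$demo_dir" && cert_is_ca "$demo_dir/cacert.pem"; then
    echo "chain OK: $demo_dir/server.pem is signed by $demo_dir/cacert.pem"
fi
```

The same two checks apply to the files produced by the CA script: run openssl verify -CAfile /etc/pki/CA/cacert.pem newcert.pem against the signed server certificate, and openssl x509 -in /etc/pki/CA/cacert.pem -noout -text to confirm the CA certificate shows CA:TRUE.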

Certificates

  • The CA certificate now resides in /etc/pki/CA/cacert.pem; its private key, protected by the pass phrase chosen above, is in /etc/pki/CA/private/cakey.pem.
  • The signed server certificate resides in /etc/pki/tls/misc/newcert.pem; its unencrypted private key is still in /etc/pki/tls/misc/newreq.pem, together with the request.
  • Check the CA certificate before deploying it. The sample output above shows "X509v3 Basic Constraints: CA:FALSE" on the CA certificate itself, and strict TLS clients reject a chain whose issuer is not marked CA:TRUE. Run "openssl x509 -in /etc/pki/CA/cacert.pem -noout -text" and, if it shows CA:FALSE, recreate the CA so that the v3_ca extensions from openssl.cnf are applied to it.