Personal tools

Tutorials:CreateCertAuth: Difference between revisions

From Adapt

Jump to: navigation, search
No edit summary
 
No edit summary
 
Line 1: Line 1:
__NOTOC__
==Setting up CA and certificates==
==Setting up CA and certificates==



Latest revision as of 23:15, 11 September 2008

Setting up CA and certificates

Create CA Directories

This example assumes ~/ssl will contain all certificates and private keys. You should probably delete client keys after creation and distribution of the pkcs12 keystore. If you want to create new clients, just go to the creating client section down below. If you need a keystore w/ additional certificates in it. You should create your own pem files w/ all required certs.

The CA below has been copied into naraapp:~naraapp/ssl , w/ the cacart using the same password as the account. Client and producer keystores are also in the directory w/ passwords client and producer respectively.


[toaster@loach ~/ssl]$ mkdir ssl
[toaster@loach ~/ssl]$ cd ssl
[toaster@loach ~/ssl]$ touch index.txt
[toaster@loach ~/ssl]$ echo 100001 > serial

Download the openssl.cnf listed below and put it in this directory

Create CA Certificate

[toaster@loach ~/ssl]$  openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf 
Generating a 1024 bit RSA private key
....................................++++++
...........++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) [College Park]:
Organization Name (eg, company) [UMIACS]:
Organizational Unit Name (eg, section) []:ADAPT CA
Common Name (eg, your name or your server's hostname) []:Adapt Project CA
Email Address []:toaster@umiacs.umd.edu

Create Producer keystore

Generate producer pub/priv key

[toaster@loach ~/ssl]$ openssl req -new -nodes -out producer-req.pem -keyout private/producer-key.pem -days 365 -config ./openssl.cnf
Generating a 1024 bit RSA private key
.....................................++++++
.........................++++++
writing new private key to 'private/producer-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) [College Park]:
Organization Name (eg, company) [UMIACS]:
Organizational Unit Name (eg, section) []:PAWN Producer
Common Name (eg, your name or your server's hostname) []:Pawn Producer
Email Address []:toaster@umiacs.umd.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now it's time to sign the certificate

[toaster@loach ~/ssl]$ openssl ca -out producer-cert.pem -days 365 -config ./openssl.cnf -infiles producer-req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1048577 (0x100001)
        Validity
            Not Before: Jul 21 21:19:32 2005 GMT
            Not After : Jul 21 21:19:32 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = UMIACS
            organizationalUnitName    = PAWN Producer
            commonName                = Pawn Producer
            emailAddress              = toaster@umiacs.umd.edu
        X509v3 extensions:
            X509v3 Basic Constraints: 
            CA:FALSE
            Netscape Comment: 
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
            7A:20:C4:91:8A:67:F4:21:A5:8F:8D:B8:92:BE:02:61:34:4F:02:02
            X509v3 Authority Key Identifier: 
            keyid:1B:99:B9:92:09:0E:37:68:36:1B:67:7C:4D:27:3F:39:2B:79:84:95
            DirName:/C=US/ST=Maryland/L=College Park/O=UMIACS/OU=ADAPT CA/CN=Ada
pt Project CA/emailAddress=toaster@umiacs.umd.edu
            serial:00

Certificate is to be certified until Jul 21 21:19:32 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create the producer's keystore. Due to java's requirements that all items in a keystore have names (trusted certs...) We label the CA certificate cacert, and the producer's certificate producer. You can change this on the server if you want to use other alias names.

[toaster@loach ~/ssl]$ openssl pkcs12 -export -in producer-cert.pem -inkey private/producer-key.pem \ 
-certfile cacert.pem -caname cacert -name "producer" -out producer.p12

Enter Export Password:
Verifying - Enter Export Password:

Next, we create a cert file that has both the ca and producer certificates. This is used when generating client keystores

[toaster@loach ~/ssl]$ cp cacert.pem ca-producer.pem
[toaster@loach ~/ssl]$ cat newcerts/producer.pem >> ca-producer.pem

Create Client keystores

Client keystore's are almost identical, except they contain an extra certificate for the producer they are connected to. This allows the client to verify the authenticity of generated SAML certificated to prevent man-in-the-middle attacks.

[toaster@loach ~/ssl]$ openssl req -new -nodes -out client-req.pem -keyout private/client-key.pem -days 365 -config ./openssl.cnf
Generating a 1024 bit RSA private key
......................++++++
..................++++++
writing new private key to 'private/client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) [College Park]:
Organization Name (eg, company) [UMIACS]:
Organizational Unit Name (eg, section) []:PAWN Client
Common Name (eg, your name or your server's hostname) []:Pawn Client
Email Address []:toaster@umiacs.umd.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now sign it.

[toaster@loach ~/ssl]$ openssl ca -out client-cert.pem -days 365 -config ./openssl.cnf -infiles client-req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1048578 (0x100002)
        Validity
            Not Before: Jul 21 21:25:50 2005 GMT
            Not After : Jul 21 21:25:50 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = UMIACS
            organizationalUnitName    = PAWN Client
            commonName                = Pawn Client
            emailAddress              = toaster@umiacs.umd.edu
        X509v3 extensions:
            X509v3 Basic Constraints: 
            CA:FALSE
            Netscape Comment: 
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
            6C:10:B8:0D:08:72:63:15:29:69:B9:2F:9C:CB:C2:50:DF:C4:F7:D0
            X509v3 Authority Key Identifier: 
            keyid:1B:99:B9:92:09:0E:37:68:36:1B:67:7C:4D:27:3F:39:2B:79:84:95
            DirName:/C=US/ST=Maryland/L=College Park/O=UMIACS/OU=ADAPT CA/CN=Adapt Project CA/emailAddress=toaster@umiacs.umd.edu
            serial:00

Certificate is to be certified until Jul 21 21:25:50 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Build the keystore w/ ca and producer's certs in addition to local keys

[toaster@loach ~/ssl]$ openssl pkcs12 -export -in client-cert.pem -inkey private/client-key.pem -certfile ca-producer.pem \
-caname cacert -caname producer -name "client" -out client.p12

Enter Export Password:
Verifying - Enter Export Password:

-- Main.MikeSmorul - 21 Jul 2005