SSL Certificates in IPBrick

Transcription

1 SSL Certificates in IPBrick iportalmais July 18, Introduction This document intends to guide you through the generation and installation procedure of an SSL certificate in an IPBrick server. 2 SSL Certificate Generation 2.1 Self Signed This is the procedure to generate a self SSL signed certificate (openssl req). NOTE: You must replace domain.com and other names by the correct and appropriate designations for your particular case. ipbrick:~# mkdir -p /home1/_ssl ; cd /home1/_ssl ipbrick:/home1/_ssl# openssl req -x509 -nodes -days subj "/O=IPBRICK/CN=*.domain.com" -newkey rsa:2048 -keyout mycert.pem -out mycert.pem Generating a 2048 bit RSA private key writing new private key to mycert.pem ipbrick:/home1/_ssl# Place this file in /home1/_ssl/mycert.pem and edit it like this: ipbrick:~# cp /home1/_ssl/mycert.pem /etc/ejabberd/ejabberd.pem ipbrick:~# cp /home1/_ssl/mycert.pem /etc/apache2/apache.pem ipbrick:~# cp /home1/_ssl/mycert.pem /etc/courier/pop3d.pem ipbrick:~# cp /home1/_ssl/mycert.pem /etc/courier/imapd.pem ipbrick:~# echo "/home1/_ssl/mycert.pem" > /etc/qmail/smtpcert ipbrick:~# /etc/init.d/ejabberd restart ipbrick:~# /etc/init.d/apache2 restart

2 2.2 Generating a certificate signed by a Certifying Entity 2 ipbrick:~# /etc/init.d/courier-imap-ssl restart ipbrick:~# /etc/init.d/courier-pop-ssl restart ipbrick:~# qmailctl restart 2.2 Generating a certificate signed by a Certifying Entity This is the procedure to generate a certificate and have it signed by a certifying entity. First you will have to generate your own private key only then may you create a Certificate Signing Request (CSR). ipbrick:~# openssl genrsa -out groupware.domain.com.key 2048 Generating RSA private key, 2048 bit long modulus e is (0x10001) ipbrick:~# openssl req -new -key groupware.domain.com.key -out groupware.domain.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter., the field will be left blank. -- Country Name (2 letter code) [AU]:PT State or Province Name (full name) [Some-State]:Porto Locality Name (eg, city) []:Porto Organization Name (eg, company) [Internet Widgits Pty Ltd]:This my Company Organizational Unit Name (eg, section) []:Company Common Name (eg, YOUR name) []:groupware.domain.com Address []:thessslmaster@domain.com Please enter the following extra attributes to be sent with your certificate request A challenge password []: An optional company name []: ipbrick:~# openssl req -noout -text -in groupware.spautores.pt.csr Certificate Request: Data: Version: 0 (0x0) Subject: C=PT, ST=Porto, L=Porto, O=This my Company, OU=Company, CN=groupware.domain.com/ Address=thesslmaster@domain.com Subject Public Key Info: Public Key Algorithm: rsaencryption Public-Key: (2048 bit) Modulus: 00:dc:c8:82:72:49:d3:4e:ec:0e:8a:4f:de:6d:4e:

3 2.2 Generating a certificate signed by a Certifying Entity 3 0a:4e:1b:b2:73:f0:21:10:2b:84:20:9a:51:fd:4a: ae:dd:da:2a:0c:c2:3c:e0:05:02:39:dc:ca:f8:94: 8f:db:f1:c6:af:e3:03:e4:40:e4:ad:fe:b9:fd:6d: 4a:06:4c:84:18:97:97:a7:a7:33:d6:fc:ff:76:27: 5b:d9:b9:06:94:8f:26:2d:9b:ea:33:56:1e:e3:09: b9:16:87:65:4d:24:61:b7:bf:57:03:94:2d:db:ea: 63:5c:46:32:d2:17:e9:ea:fb:a6:cb:3a:01:40:65: e0:9e:dd:1a:d5:0b:4b:d5:4a:ea:a2:6a:ae:c5:de: 04:ef:e6:64:29:96:8e:48:7b:2c:ff:ba:91:50:05: e0:c5:bb:45:cc:bb:55:e5:6d:cb:91:ea:43:58:a8: cb:ca:29:63:d0:15:94:42:6d:a2:60:95:cb:64:2d: 46:fa:27:12:11:20:d0:ad:11:ce:de:52:54:69:0d: a5:76:c0:ff:eb:14:32:ff:97:f7:05:95:d7:56:dd: f5:06:91:fe:99:bb:a4:24:35:d5:ce:37:15:7a:2e: 7d:76:12:b0:8b:d4:bd:a1:d2:68:00:b3:93:a2:36: 0f:27:46:36:b2:b5:4f:5c:a3:84:02:fd:69:9d:3f: 1a:a5 Exponent: (0x10001) Attributes: a0:00 Signature Algorithm: sha1withrsaencryption 1a:b3:f3:b1:89:7f:5e:a5:63:0a:6f:8c:94:c5:5d:7e:be:b6: 45:f6:3a:d1:63:9a:bc:87:b5:70:37:1d:7b:d5:37:3e:2f:39: 22:3f:fc:e8:54:83:1f:d2:35:3d:1f:63:e2:ae:3c:de:4b:fd: 30:17:87:b1:52:1a:3c:b3:c4:fb:73:36:a3:68:f5:7e:7b:f7: 73:25:b5:c3:f6:f8:1a:c8:8c:11:e8:e1:11:c5:32:5e:9a:0c: ae:50:34:34:31:9e:3c:1e:d1:45:59:45:ec:dc:91:3e:e0:66: e4:8c:b8:79:24:da:4d:ed:71:c5:29:eb:6d:04:44:9e:ef:3b: 50:a9:4e:55:e8:9e:f1:dd:76:6e:cb:9c:26:5a:17:de:1c:c5: 3d:a0:8d:22:09:d4:04:6a:1e:84:a0:61:76:29:92:fe:71:2d: 7e:2e:38:33:67:e1:2a:4e:67:cf:00:3b:d8:af:45:fe:84:02: 81:64:4b:59:28:ec:3f:e1:5e:b2:1c:b2:bf:b9:fd:7c:0b:6d: 68:14:c2:d2:bd:29:f9:c2:54:d9:9e:0e:a4:a4:24:c8:39:d9: de:a7:2d:3e:35:c0:51:f6:22:0e:1b:fe:e8:64:db:96:3c:7b: cb:af:15:c8:e5:5c:7e:ea:57:33:68:2c:1d:9d:85:ce:65:5a: 81:4c:06:6f ipbrick:~# From this moment on, it s possible to forward the.csr e.g.: groupware.domain.com.csr to a certifying entity for them to generate and return the signed public certificates, a copy of the public intermediate certificate (if there is one) and a copy of the public root certificate. With all these files/certificates and the private key you will be able to proceed to the installation (check section 3 - Installation and consult the certifying entitie s documentation.

4 3 Installing a Certificate 4 NOTE: Some certifying entities may try to contact your organization, in order to validate the information. Therefore, you should check and confirm all data provided was accurate and alway follow their instructions. When in doubt, please contact the certifying entity. 3 Installing a Certificate As an example, the files are located at: /home1/_ssl The files that compose the certificate are: mycert.key - The certificate s private key; mycert.crt - The certificate file itself (it can be self signed or by a certifying entity); mycert_intermediate.crt - When the certificate is signed by a certifying entity, an intermediate certificate can be provided (when self signed this file does not exist); mycert_root.crt - When the certificate is signed by a certifying entity, a public certificate used in the signature may be provided (when self signed this file does not exist) mycert.pem - Composite certificate file (PEM) from the files described previously, it is build in the following manner: ipbrick:/home1/_ssl# cat mycert.key > mycert.pem ipbrick:/home1/_ssl# cat mycert.crt >> mycert.pem ipbrick:/home1/_ssl# cat mycert_intermediate.key >> mycert.pem ipbrick:/home1/_ssl# cat mycert_root.crt >> mycert.pem 3.1 Base Services The basic services substituting the certificate are: imap-ssl (TCP 993) pop-ssl (TCP 995) qmail (smtp-starttls) (TCP 25) ejabberd (xmpp) (TCP 5222) ipbrick:/home1/_ssl# cp mycert.pem /etc/courier/imapd.pem ipbrick:/home1/_ssl# /etc/init.d/courier-imap-ssl restart ipbrick:/home1/_ssl# cp mycert.pem /etc/courier/pop3d.pem ipbrick:/home1/_ssl# /etc/init.d/courier-pop-ssl restart

5 3.2 APACHE Service 5 ipbrick:/home1/_ssl# cp mycert.pem /etc/ejabberd/ejabberd.pem ipbrick:/home1/_ssl# /etc/init.d/ejabberd restart ipbrick:/home1/_ssl# cp mycert.pem /etc/apache2/apache.pem ipbrick:/home1/_ssl# /etc/init.d/apache2 restart QMAIL is configured in a slightly different manner, because the certificate file can be rewritten by the web interface, we point the setting to a different location: ipbrick:/home1/_ssl# echo "/home1/_ssl/mycert.pem" > /etc/qmail/smtpcert ipbrick:/home1/_ssl# qmailctl stop ipbrick:/home1/_ssl# qmailctl start NOTE: If you are handling a self signed certificate, the configuration procedure ends here. If on the other hand we are talking about of a certificate signed by a certifying entity and composed by the intermediate and/or root certificate it is necessary to complete/alter the APACHE server configuration - See APACHE Service. 3.2 APACHE Service The installation at the APACHE service is made by identifying all CRT and KEY files. Edit the file from the first APACHE site: ipbrick:/home1/_ssl# vi /etc/apache2/sites-enabled/ #SSLCertificateFile /etc/apache2/apache.pem SSLCertificateFile /home1/_ssl/mycert.crt SSLCertificateKeyFile /home1/_ssl/mycert.key SSLCertificateChainFile /home1/_ssl/mycert_intermediate.crt... SSLCACertificateChainFile /home1/_ssl/mycert_root.crt ipbrick:/home1/_ssl# /etc/init.d/apache2 restart 4 Reading/Obtaining an SSL Certificate 4.1 Local - From a file In this example, the certificate s content can be read via a local file (openssl text). ipbrick:~# openssl x509 -noout -text -in mycert.pem Certificate: Data:

6 4.1 Local - From a file 6 Version: 3 (0x2) Serial Number: cc:8d:0d:84:0c:c7:f6:88 Signature Algorithm: sha1withrsaencryption Issuer: C=cc, ST=countryname, L=cityname, O=companyname, CN=ipbrick/ Address=administrator@iportalmais.pt Validity Not Before: Jul 15 17:43: GMT Not After : Jul 22 17:43: GMT Subject: C=cc, ST=countryname, L=cityname, O=companyname, CN=ipbrick/ Address=administrator@iportalmais.pt Subject Public Key Info: Public Key Algorithm: rsaencryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:d9:c1:9f:b2:81:e1:9e:52:8b:d5:57:76:22:12: 03:48:9c:9f:b0:29:7e:18:c7:e9:9f:c1:fb:1d:fb: a1:41:09:dd:a7:1a:2e:a1:7a:59:03:a8:8e:57:f4: bd:a9:76:98:a0:d0:88:6b:7a:c7:9e:0d:84:c8:c6: 7c:11:6f:a9:1e:ec:f3:d7:56:8d:56:a3:87:94:bd: 2e:6c:b1:0e:32:e7:e7:82:de:aa:e3:86:0a:65:41: a3:e2:4d:bc:53:61:53:41:1d:81:c2:d2:a8:bb:6d: c1:7a:6d:8b:06:04:ef:b5:34:9f:f0:cd:6a:f9:85: 42:65:04:2f:90:bb:ca:df:93 Exponent: (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 55:25:CB:19:5D:66:A1:A0:AA:B5:38:DA:84:E8:CD:49:69:A5:A2:F8 X509v3 Authority Key Identifier: keyid:55:25:cb:19:5d:66:a1:a0:aa:b5:38:da:84:e8:cd:49:69:a5:a2:f8 DirName:/C=cc/ST=countryname/L=cityname/O=companyname/CN=ipbrick/ address=administrator@iportalmais.pt serial:cc:8d:0d:84:0c:c7:f6:88 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1withrsaencryption ae:14:5f:c9:db:e0:15:ac:27:1f:9c:dd:5a:44:a5:15:92:2a: 23:2b:51:90:00:65:6c:5c:f5:4a:c0:ef:63:0a:2c:4d:e8:8a: b9:ed:83:18:bc:c5:25:fe:f4:12:a7:d3:29:b0:75:29:25:38: 59:0b:7c:7c:ae:f2:4c:f1:90:34:d9:ec:c0:40:2b:1a:f5:8b: 20:64:48:d9:29:6b:df:aa:0f:07:33:ce:09:51:2c:52:1a:47: 46:75:24:4f:49:a2:58:c5:b5:3e:59:ab:18:26:ab:08:60:50: d7:0f:10:c2:81:07:db:9d:47:7a:c6:74:3c:05:df:2d:9f:ba: 8b:cd

7 4.2 Remote - From a Network Service 7 ipbrick:~# 4.2 Remote - From a Network Service Procedure to obtain/download the SSL certificate (openssl s_client). In this example, we access the HTTPS (443), nevertheless, the procedure is identical to IMAPS (993) and POP3S (995). ipbrick:~# openssl s_client -connect :443 CONNECTED( ) depth=0 /C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com verify error:num=18:self signed certificate verify return:1 depth=0 /C=PT/ST=Porto/L=Porto/O=IPBrick/CN=ipbrick.domain.com verify return:1 Certificate chain 0 s:/c=pt/st=porto/l=porto/o=ipbrick/cn=ipbrick.domain.com i:/c=pt/st=porto/l=porto/o=ipbrick/cn=ipbrick.domain.com Server certificate --BEGIN CERTIFICATE-- MIIC+DCCAmGgAwIBAgIJALKxtCSAP1LZMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV BAYTAlBUMQ4wDAYDVQQIEwVQb3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoT B0lQQnJpY2sxGzAZBgNVBAMTEmlwYnJpY2suZG9tYWluLmNvbTAeFw0wOTAzMjUx NTQ4NDNaFw0xOTAzMjMxNTQ4NDNaMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQ b3j0bzeomawga1uebxmfug9ydg8xedaobgnvbaotb0lqqnjpy2sxgzazbgnvbamt EmlwYnJpY2suZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA ulbcedjrpf30aocp10ggi41mrebaofhswglkpzfnpoqdhznakbrgoa0dpamougzf ldajqqkehhg3tg0flgjjyy06bhfxt6vlpjomva2tov+jjjbc6vwuikwst55iqkqz FnDM2ugTzXd+XnVIoWRjXnaiZkU86NP28sbQkTQpP98CAwEAAaOBwTCBvjAdBgNV HQ4EFgQURgJJiWVfBv33e5AxpxIdJMaQ43YwgY4GA1UdIwSBhjCBg4AURgJJiWVf Bv33e5AxpxIdJMaQ43ahYKReMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQb3J0 bzeomawga1uebxmfug9ydg8xedaobgnvbaotb0lqqnjpy2sxgzazbgnvbamtemlw YnJpY2suZG9tYWluLmNvbYIJALKxtCSAP1LZMAwGA1UdEwQFMAMBAf8wDQYJKoZI hvcnaqefbqadgyeanas/+beahn/olb0wsuhrcgiahbybanlez8cyn/4vieiiwbv5 taopr+g56srh5lazmw9/jdoz8erwtfzelparl83dpxeh9s4unr9f1kk+agfnxjn7 kjm7i5mau1tekl/f5okkefafo1jm0boudw0qt/bnnrtqsn6dnme6xnki6dg= --END CERTIFICATE-- subject=/c=pt/st=porto/l=porto/o=ipbrick/cn=ipbrick.domain.com issuer=/c=pt/st=porto/l=porto/o=ipbrick/cn=ipbrick.domain.com No client certificate CA names sent SSL handshake has read 1328 bytes and written 319 bytes

8 5 Import 8 New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 5354AC FB70F0D316E7E5F09CC01D189407B1920F0A783D4940 Session-ID-ctx: Master-Key: F665F6118A3B E89CC357C39ED15E2DF C80E5C8D86 98D929E61535E2B75D61E597ED30B9D2 Key-Arg : None Start Time: Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ^C ipbrick:~# Transcribed certificate: --BEGIN CERTIFICATE-- MIIC+DCCAmGgAwIBAgIJALKxtCSAP1LZMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV BAYTAlBUMQ4wDAYDVQQIEwVQb3J0bzEOMAwGA1UEBxMFUG9ydG8xEDAOBgNVBAoT B0lQQnJpY2sxGzAZBgNVBAMTEmlwYnJpY2suZG9tYWluLmNvbTAeFw0wOTAzMjUx NTQ4NDNaFw0xOTAzMjMxNTQ4NDNaMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQ b3j0bzeomawga1uebxmfug9ydg8xedaobgnvbaotb0lqqnjpy2sxgzazbgnvbamt EmlwYnJpY2suZG9tYWluLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA ulbcedjrpf30aocp10ggi41mrebaofhswglkpzfnpoqdhznakbrgoa0dpamougzf ldajqqkehhg3tg0flgjjyy06bhfxt6vlpjomva2tov+jjjbc6vwuikwst55iqkqz FnDM2ugTzXd+XnVIoWRjXnaiZkU86NP28sbQkTQpP98CAwEAAaOBwTCBvjAdBgNV HQ4EFgQURgJJiWVfBv33e5AxpxIdJMaQ43YwgY4GA1UdIwSBhjCBg4AURgJJiWVf Bv33e5AxpxIdJMaQ43ahYKReMFwxCzAJBgNVBAYTAlBUMQ4wDAYDVQQIEwVQb3J0 bzeomawga1uebxmfug9ydg8xedaobgnvbaotb0lqqnjpy2sxgzazbgnvbamtemlw YnJpY2suZG9tYWluLmNvbYIJALKxtCSAP1LZMAwGA1UdEwQFMAMBAf8wDQYJKoZI hvcnaqefbqadgyeanas/+beahn/olb0wsuhrcgiahbybanlez8cyn/4vieiiwbv5 taopr+g56srh5lazmw9/jdoz8erwtfzelparl83dpxeh9s4unr9f1kk+agfnxjn7 kjm7i5mau1tekl/f5okkefafo1jm0boudw0qt/bnnrtqsn6dnme6xnki6dg= --END CERTIFICATE-- 5 Import It will be necessary to import the certificate, but before that you should save the transcribed certificate as a <filename>.pem file (e.g.: cert_ipbrick.pem)

9 5.1 Mozilla Firefox 9 After saving it you may open a browser and import the certificate: 5.1 Mozilla Firefox At the Firefox browser Edit-Preferences-Advanced-Encryption-View Certificates At the Servers or Authorities tab click on Import. Figure 1: Firefox - Import Certificate Import the cert_ipbrick.pem file. After importing the certificate, on the Authorities tab, click on the certificate s name and select Edit Trust. At the new window tick all options.

10 5.2 Internet Explorer 10 Figure 2: Firefox - Edit trust 5.2 Internet Explorer At Internet Explorer access: Tools - Internet Options - Content - Certificates - Import Figure 3: Internet Explorer - Import Certificate Import the cert_ipbrick.pem file.