From 4e5d7aea4916c9be63fb888a2a4d4dcf27847715 Mon Sep 17 00:00:00 2001
From: Priit Tark
Date: Thu, 26 Feb 2015 11:45:14 +0200
Subject: [PATCH 1/3] Ignore ca dir

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 7f705cb07..b7ebd630e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,7 @@ config/application.yml config/secrets.yml config/database.yml /export +/ca ## Environment normalisation: /.bundle

From f11af415d9f55848a252d8717061b1ce31b5e899 Mon Sep 17 00:00:00 2001
From: Priit Tark
Date: Thu, 26 Feb 2015 11:48:38 +0200
Subject: [PATCH 2/3] Merged certificate doc

---
 README.md | 92 +------------------
 doc/certificate.md | 224 +++++++++++++++++++++++----------------------
 2 files changed, 115 insertions(+), 201 deletions(-)

diff --git a/README.md b/README.md
index bc2b9af13..24740e064 100644
--- a/README.md
+++ b/README.md
@@ -186,98 +186,10 @@ All registry demo data can be found at: Initially you can use two type of users: admin users and EPP users. -### CA +### Certificates setup -Go to registry shared folder and setup CA directory tree: -``` -mkdir ca -cd ca -mkdir certs crl newcerts private csrs -chmod 700 private -touch index.txt -echo 1000 > serial -echo 1000 > crlnumber -``` +* [Certificates setup](/doc/certificates.md) -Generate the root key (prompts for pass phrase): -``` -openssl genrsa -aes256 -out private/ca.key.pem 4096 -``` - -Configure OpenSSL: -``` -sudo su - -cd /etc/ssl/ -cp openssl.cnf openssl.cnf.bak -nano openssl.cnf -exit -``` - -Make sure the following options are in place: -``` -[ CA_default ] -# Where everything is kept -dir = /home/registry/registry/shared/ca - -[ usr_cert ] -# These extensions are added when 'ca' signs a request. -basicConstraints=CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -[ v3_ca ] -# Extensions for a typical CA -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -basicConstraints = CA:true -keyUsage = cRLSign, keyCertSign - -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -``` - -Issue the root certificate (prompts for additional data): -``` -openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem -chmod 444 certs/ca.crt.pem -``` - -Create a CSR for the webclient: -``` -openssl genrsa -out private/webclient.key.pem 4096 -chmod 400 private/webclient.key.pem -openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem -``` - -Sign the request and create certificate: -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert 
-notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem -``` - -Create certificate revocation list (prompts for pass phrase): -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem -``` - -Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User. - -Private key and certificate must be packaged to pkcs12 and added to the browser. - -Make sure application configuration files contain correct paths to certificates. - -In test environment it's important to set unique_subject option to false. -In CA directory: -``` -echo "unique_subject = no" > index.txt.attr -``` ### EPP web client
diff --git a/doc/certificate.md b/doc/certificate.md
index d0a2f78cd..c1131ed61 100644
--- a/doc/certificate.md
+++ b/doc/certificate.md
@@ -1,149 +1,151 @@ -Setting up certificates ------------------------ +Certificates setup +------------------ -Go to registry shared folder and setup CA directory tree: -``` -mkdir ca -cd ca -mkdir certs crl newcerts private csrs -chmod 700 private -touch index.txt -echo 1000 > serial -echo 1000 > crlnumber -``` +Certificates for API Users are generated via registnry admin user interface. +CSR must be uploaded for each API User. + +Private key and certificate must be packaged to pkcs12 and added to user browser. + + +### Registry setup + +Setup CA directory tree: + + cd /home/registry/registry/shared + mkdir ca + cd ca + mkdir certs crl newcerts private csrs + chmod 700 private + touch index.txt + echo 1000 > serial + echo 1000 > crlnumber Generate the root key (prompts for pass phrase): -``` -openssl genrsa -aes256 -out private/ca.key.pem 4096 -``` + + openssl genrsa -aes256 -out private/ca.key.pem 4096 Configure OpenSSL: -``` -sudo su - -cd /etc/ssl/ -cp openssl.cnf openssl.cnf.bak -nano openssl.cnf -exit -``` + + sudo su - + cd /etc/ssl/ + cp openssl.cnf openssl.cnf.bak + nano openssl.cnf + exit Make sure the following options are in place: -``` -crl_extensions = crl_ext -[ CA_default ] -# Where everything is kept -dir = /home/registry/registry/shared/ca + crl_extensions = crl_ext -[ usr_cert ] -# These extensions are added when 'ca' signs a request. -basicConstraints=CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer + [ CA_default ] + # Where everything is kept + dir = /home/registry/registry/shared/ca -[ v3_ca ] -# Extensions for a typical CA -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -basicConstraints = CA:true -keyUsage = cRLSign, keyCertSign + [ usr_cert ] + # These extensions are added when 'ca' signs a request. 
+ basicConstraints=CA:FALSE + keyUsage = nonRepudiation, digitalSignature, keyEncipherment + nsComment = "OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid,issuer -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -``` + [ v3_ca ] + # Extensions for a typical CA + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer + basicConstraints = CA:true + keyUsage = cRLSign, keyCertSign + + # For the CA policy + [ policy_match ] + countryName = optional + stateOrProvinceName = optional + organizationName = optional + organizationalUnitName = optional + commonName = supplied + emailAddress = optional Issue the root certificate (prompts for additional data): -``` -openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem -chmod 444 certs/ca.crt.pem -``` + + openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem + chmod 444 certs/ca.crt.pem Create a CSR for the webclient: -``` -openssl genrsa -out private/webclient.key.pem 4096 -chmod 400 private/webclient.key.pem -openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem -``` + + openssl genrsa -out private/webclient.key.pem 4096 + chmod 400 private/webclient.key.pem + openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem Sign the request and create certificate: -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem -chmod 444 certs/webclient.crt.pem -``` + + openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem + chmod 444 certs/webclient.crt.pem Create 
certificate revocation list (prompts for pass phrase): -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem -``` + + openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem Configure EPP virtual host: -``` -sudo nano /etc/apache2/sites-enabled/epp.conf -``` + + sudo nano /etc/apache2/sites-enabled/epp.conf Replace this line: -``` -SSLVerifyClient optional_no_ca -``` + + SSLVerifyClient optional_no_ca With these lines: -``` - SSLVerifyClient require - SSLVerifyDepth 1 - SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem - SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem - # Uncomment this when upgrading to apache 2.4: - # SSLCARevocationCheck chain - RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" -``` + + SSLVerifyClient require + SSLVerifyDepth 1 + SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem + SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem + # Uncomment this when upgrading to apache 2.4: + # SSLCARevocationCheck chain + RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" Configure webclient virtual host: -``` -sudo nano /etc/apache2/sites-enabled/webclient.conf -``` + + sudo nano /etc/apache2/sites-enabled/webclient.conf Add these lines: -``` - SSLVerifyClient none - SSLVerifyDepth 1 - SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem - SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem - # Uncomment this when upgrading to apache 2.4: - # SSLCARevocationCheck chain - RequestHeader set SSL_CLIENT_S_DN_CN "" + SSLVerifyClient none + SSLVerifyDepth 1 + SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem + SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem + # Uncomment this when upgrading to apache 2.4: + # SSLCARevocationCheck chain - - SSLVerifyClient require - RequestHeader set SSL_CLIENT_S_DN_CN 
"%{SSL_CLIENT_S_DN_CN}s" - -``` + RequestHeader set SSL_CLIENT_S_DN_CN "" + + + SSLVerifyClient require + RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" + Reload apache: -``` -sudo a2enmod headers -sudo /etc/init.d/apache2 restart -``` + + sudo a2enmod headers + sudo /etc/init.d/apache2 restart Configure registry and epp application.yml to match the CA settings: -``` -ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' -ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' -ca_key_password: 'registryalpha' -crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' -webclient_ip: '54.154.91.240' -``` + + ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' + ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' + ca_key_password: 'registryalpha' + crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' + webclient_ip: '54.154.91.240' Configure webclient application.yml to match the CA settings: -``` -cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem' -key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem' -``` + cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem' + key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem' + +Development env +--------------- + +In development environment it's convenient to set unique_subject option to false, +thus you can generate quickly as many certs as you wish. + +In CA directory: + + echo "unique_subject = no" > index.txt.attr From df57204922df91569b4d064cc0c7abedc5ede194 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Thu, 26 Feb 2015 13:34:55 +0200 Subject: [PATCH 3/3] CA readme update --- config/application-example.yml | 13 ++- doc/certificate.md | 156 +++++++++++++++++++-------------- 2 files changed, 98 insertions(+), 71 deletions(-) diff --git a/config/application-example.yml b/config/application-example.yml index 4ac8d0ddb..f5b0bf2ac 100644 --- a/config/application-example.yml 
+++ b/config/application-example.yml
@@ -7,10 +7,15 @@ defaults: &defaults # If you change this key, all old signed cookies will become invalid! secret_key_base: please-change-it-you-can-generate-it-with-rake-secret devise_secret: please-change-it-you-can-generate-it-with-rake-secret - ca_cert_path: ca-cert-path-here - ca_key_path: ca-key-path-here - ca_key_password: ca-key-pass-phrase-here - crl_path: crl-path-here + + # Used by registry admin server: + crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' + ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' + ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' + ca_key_password: 'your-root-key-password' + + # Used by EPP server + webclient_ip: '54.154.91.240' development: <<: *defaults
diff --git a/doc/certificate.md b/doc/certificate.md
index c1131ed61..bf222a5e2 100644
--- a/doc/certificate.md
+++ b/doc/certificate.md
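Review bot: The new `webclient_ip: '54.154.91.240'` entry in the example template carries a concrete public address, whereas the four keys this hunk replaces used `…-here` placeholders and `ca_key_password` keeps one; an example file is copied into real deployments and stays in history, so a placeholder in the file's own convention, `webclient_ip: 'webclient-ip-here'`, would avoid shipping one deployment's address as the default. The same literal address also appears in the doc/certificate.md hunks of patches 2 and 3, so it would need changing there too if the template is made generic. Key indentation under `defaults:` is not visible in this collapsed view, so the nesting of the added keys is inferred. As a point of style, `# Used by EPP server` could end with a colon to match `# Used by registry admin server:` a few lines above.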
@@ -1,15 +1,59 @@ Certificates setup ------------------ -Certificates for API Users are generated via registnry admin user interface. -CSR must be uploaded for each API User. +Guide to setup all registry/epp/repp, webclient and api user certificates. + +There are three type of certificates: + +* root cert (one time action using command line) +* webclient server cert (one time action using command line) +* api user cert (multiple actions through admin interface) + +API users CSR are uploaded through registry admin interface for each API user. Private key and certificate must be packaged to pkcs12 and added to user browser. ### Registry setup -Setup CA directory tree: +Configure OpenSSL: + + sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak + sudo vi /etc/ssl/openssl.cnf + +Make sure the following options are in place: + + [ CA_default ] + # Where everything is kept + dir = /home/registry/registry/shared/ca # around line nr 42 + + crl_extensions = crl_ext # around line nr 71 + + # For the CA policy + [ policy_match ] + countryName = optional # around line nr 85 + stateOrProvinceName = optional # around line nr 86 + organizationName = optional # around line nr 87 + organizationalUnitName = optional # around line nr 88 + commonName = supplied # around line nr 89 + emailAddress = optional # around line nr 90 + + [ usr_cert ] + # These extensions are added when 'ca' signs a request. 
+ basicConstraints=CA:FALSE # around line nr 170 + keyUsage = nonRepudiation, digitalSignature, keyEncipherment # around line nr 188 + nsComment = "OpenSSL Generated Certificate" # around line nr 191 + subjectKeyIdentifier=hash # around line nr 194 + authorityKeyIdentifier=keyid,issuer # around line nr 195 + + [ v3_ca ] + # Extensions for a typical CA + subjectKeyIdentifier=hash # around line nr 232 + authorityKeyIdentifier=keyid:always,issuer # around line nr 234 + basicConstraints = CA:true # around line nr 240 + keyUsage = cRLSign, keyCertSign # around line nr 245 + +Setup CA directory in shared directory: cd /home/registry/registry/shared mkdir ca 
@@ -20,73 +64,47 @@ Setup CA directory tree: echo 1000 > serial echo 1000 > crlnumber -Generate the root key (prompts for pass phrase): +Generate the root key and remember your password, you need it later in application.yml: openssl genrsa -aes256 -out private/ca.key.pem 4096 -Configure OpenSSL: +Create root registry certificate (prompts for additional data and review days flag): - sudo su - - cd /etc/ssl/ - cp openssl.cnf openssl.cnf.bak - nano openssl.cnf - exit - -Make sure the following options are in place: - - crl_extensions = crl_ext - - [ CA_default ] - # Where everything is kept - dir = /home/registry/registry/shared/ca - - [ usr_cert ] - # These extensions are added when 'ca' signs a request. - basicConstraints=CA:FALSE - keyUsage = nonRepudiation, digitalSignature, keyEncipherment - nsComment = "OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid,issuer - - [ v3_ca ] - # Extensions for a typical CA - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid:always,issuer - basicConstraints = CA:true - keyUsage = cRLSign, keyCertSign - - # For the CA policy - [ policy_match ] - countryName = optional - stateOrProvinceName = optional - organizationName = optional - organizationalUnitName = optional - commonName = supplied - emailAddress = optional - -Issue the root certificate (prompts for additional data): - - openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem + openssl req -new -x509 -days 3653 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem chmod 444 certs/ca.crt.pem -Create a CSR for the webclient: +Create a webclient key and CSR for accepting webclient request: openssl genrsa -out private/webclient.key.pem 4096 chmod 400 private/webclient.key.pem - openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem + openssl req -sha256 -new -days 3653 -key private/webclient.key.pem -out csrs/webclient.csr.pem -Sign the 
request and create certificate: +Sign CSR and create certificate: - openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem + openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3653 -out certs/webclient.crt.pem chmod 444 certs/webclient.crt.pem Create certificate revocation list (prompts for pass phrase): openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem -Configure EPP virtual host: +Configure registry registry/shared/config/application.yml to match the CA settings: - sudo nano /etc/apache2/sites-enabled/epp.conf + ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' + ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' + ca_key_password: 'your-root-key-password' + crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' + + +### Registry EPP setup + +Configure registry epp registry-epp/shared/config/application.yml: + + webclient_ip: '54.154.91.240' + +Configure EPP port 700 virtual host: + + sudo vi /etc/apache2/sites-enabled/epp.conf Replace this line: 
@@ -102,16 +120,32 @@ With these lines: # SSLCARevocationCheck chain RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" +Reload apache: + + sudo a2enmod headers + sudo /etc/init.d/apache2 restart + + +### Webclient setup + +Copy all registry/shared/ca directory to your webclient server if webclient is in different server, +otherwise just point everything to your registry/shared/ca directory. + +Configure webclient/shared/config/application.yml to match the CA settings: + + cert_path: '/home/webclient/webclient/shared/ca/certs/webclient.crt.pem' + key_path: '/home/webclient/webclient/shared/ca/private/webclient.key.pem' + Configure webclient virtual host: - sudo nano /etc/apache2/sites-enabled/webclient.conf + sudo vi /etc/apache2/sites-enabled/webclient.conf Add these lines: SSLVerifyClient none SSLVerifyDepth 1 - SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem - SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem + SSLCACertificateFile /home/webclient/webclient/shared/ca/certs/ca.crt.pem + SSLCARevocationFile /home/webclient/webclient/shared/ca/crl/crl.pem # Uncomment this when upgrading to apache 2.4: # SSLCARevocationCheck chain @@ -127,18 +161,6 @@ Reload apache: sudo a2enmod headers sudo /etc/init.d/apache2 restart -Configure registry and epp application.yml to match the CA settings: - - ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' - ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' - ca_key_password: 'registryalpha' - crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' - webclient_ip: '54.154.91.240' - -Configure webclient application.yml to match the CA settings: - - cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem' - key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem' Development env ---------------