Merge branch 'master' of github.com:domify/registry

This commit is contained in:
Martin Lensment 2015-02-26 13:37:38 +02:00
commit d2d90da86e
4 changed files with 157 additions and 215 deletions

.gitignore vendored
View file

@ -14,6 +14,7 @@ config/application.yml
config/secrets.yml config/secrets.yml
config/database.yml config/database.yml
/export /export
/ca
## Environment normalisation: ## Environment normalisation:
/.bundle /.bundle
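Review bot: `/ca` is the right path to ignore, since the CA tree holds `private/ca.key.pem` and the webclient key, but the doc builds that tree under `shared/ca` outside the checkout, so this entry only catches the case where someone runs the setup inside the repository. Treat `chmod 700 private` and the passphrase on the root key as the real control and this line as a safety net against an accidental commit.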

View file

@ -186,98 +186,10 @@ All registry demo data can be found at:
Initially you can use two type of users: admin users and EPP users. Initially you can use two type of users: admin users and EPP users.
### CA ### Certificates setup
Go to registry shared folder and setup CA directory tree: * [Certificates setup](/doc/certificates.md)
```
mkdir ca
cd ca
mkdir certs crl newcerts private csrs
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
```
Generate the root key (prompts for pass phrase):
```
openssl genrsa -aes256 -out private/ca.key.pem 4096
```
Configure OpenSSL:
```
sudo su -
cd /etc/ssl/
cp openssl.cnf openssl.cnf.bak
nano openssl.cnf
exit
```
Make sure the following options are in place:
```
[ CA_default ]
# Where everything is kept
dir = /home/registry/registry/shared/ca
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```
Issue the root certificate (prompts for additional data):
```
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
chmod 444 certs/ca.crt.pem
```
Create a CSR for the webclient:
```
openssl genrsa -out private/webclient.key.pem 4096
chmod 400 private/webclient.key.pem
openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
```
Sign the request and create certificate:
```
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
```
Create certificate revocation list (prompts for pass phrase):
```
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
```
Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User.
Private key and certificate must be packaged to pkcs12 and added to the browser.
Make sure application configuration files contain correct paths to certificates.
In test environment it's important to set unique_subject option to false.
In CA directory:
```
echo "unique_subject = no" > index.txt.attr
```
### EPP web client ### EPP web client
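Review bot: Replacing the inline CA walkthrough with a link to /doc/certificates.md also drops the README's statement that setting `unique_subject` to false is "important" in the test environment; the linked doc describes it as a development-only convenience, which is the safer wording, so do not re-add it here as general guidance, because with `unique_subject = no` the CA will issue a second valid certificate for a subject without the first one being revoked.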

View file

@ -7,10 +7,15 @@ defaults: &defaults
# If you change this key, all old signed cookies will become invalid! # If you change this key, all old signed cookies will become invalid!
secret_key_base: please-change-it-you-can-generate-it-with-rake-secret secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
devise_secret: please-change-it-you-can-generate-it-with-rake-secret devise_secret: please-change-it-you-can-generate-it-with-rake-secret
ca_cert_path: ca-cert-path-here
ca_key_path: ca-key-path-here # Used by registry admin server:
ca_key_password: ca-key-pass-phrase-here crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
crl_path: crl-path-here ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
ca_key_password: 'your-root-key-password'
# Used by EPP server
webclient_ip: '54.154.91.240'
development: development:
<<: *defaults <<: *defaults
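Review bot: `webclient_ip: '54.154.91.240'` and the absolute `/home/registry/registry/shared/ca/...` paths are concrete deployment values in an example file, whereas the removed lines used obvious placeholders (`ca-cert-path-here`, `ca-key-pass-phrase-here`); keep the placeholder style so an operator cannot deploy the example unchanged and end up with the EPP server trusting an address this deployment does not control. A plain-text `ca_key_password` is acceptable here only because `config/application.yml` is git-ignored (visible in the .gitignore context above); the comment should say that.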

View file

@ -1,100 +1,117 @@
Setting up certificates Certificates setup
----------------------- ------------------
Go to registry shared folder and setup CA directory tree: Guide to setup all registry/epp/repp, webclient and api user certificates.
```
mkdir ca
cd ca
mkdir certs crl newcerts private csrs
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
```
Generate the root key (prompts for pass phrase): There are three type of certificates:
```
openssl genrsa -aes256 -out private/ca.key.pem 4096 * root cert (one time action using command line)
``` * webclient server cert (one time action using command line)
* api user cert (multiple actions through admin interface)
API users CSR are uploaded through registry admin interface for each API user.
Private key and certificate must be packaged to pkcs12 and added to user browser.
### Registry setup
Configure OpenSSL: Configure OpenSSL:
```
sudo su - sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
cd /etc/ssl/ sudo vi /etc/ssl/openssl.cnf
cp openssl.cnf openssl.cnf.bak
nano openssl.cnf
exit
```
Make sure the following options are in place: Make sure the following options are in place:
```
crl_extensions = crl_ext
[ CA_default ] [ CA_default ]
# Where everything is kept # Where everything is kept
dir = /home/registry/registry/shared/ca dir = /home/registry/registry/shared/ca # around line nr 42
[ usr_cert ] crl_extensions = crl_ext # around line nr 71
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_ca ] # For the CA policy
# Extensions for a typical CA [ policy_match ]
subjectKeyIdentifier=hash countryName = optional # around line nr 85
authorityKeyIdentifier=keyid:always,issuer stateOrProvinceName = optional # around line nr 86
basicConstraints = CA:true organizationName = optional # around line nr 87
keyUsage = cRLSign, keyCertSign organizationalUnitName = optional # around line nr 88
commonName = supplied # around line nr 89
emailAddress = optional # around line nr 90
# For the CA policy [ usr_cert ]
[ policy_match ] # These extensions are added when 'ca' signs a request.
countryName = optional basicConstraints=CA:FALSE # around line nr 170
stateOrProvinceName = optional keyUsage = nonRepudiation, digitalSignature, keyEncipherment # around line nr 188
organizationName = optional nsComment = "OpenSSL Generated Certificate" # around line nr 191
organizationalUnitName = optional subjectKeyIdentifier=hash # around line nr 194
commonName = supplied authorityKeyIdentifier=keyid,issuer # around line nr 195
emailAddress = optional
```
Issue the root certificate (prompts for additional data): [ v3_ca ]
``` # Extensions for a typical CA
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem subjectKeyIdentifier=hash # around line nr 232
chmod 444 certs/ca.crt.pem authorityKeyIdentifier=keyid:always,issuer # around line nr 234
``` basicConstraints = CA:true # around line nr 240
keyUsage = cRLSign, keyCertSign # around line nr 245
Create a CSR for the webclient: Setup CA directory in shared directory:
```
openssl genrsa -out private/webclient.key.pem 4096
chmod 400 private/webclient.key.pem
openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
```
Sign the request and create certificate: cd /home/registry/registry/shared
``` mkdir ca
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem cd ca
chmod 444 certs/webclient.crt.pem mkdir certs crl newcerts private csrs
``` chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
Generate the root key and remember your password, you need it later in application.yml:
openssl genrsa -aes256 -out private/ca.key.pem 4096
Create root registry certificate (prompts for additional data and review days flag):
openssl req -new -x509 -days 3653 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
chmod 444 certs/ca.crt.pem
Create a webclient key and CSR for accepting webclient request:
openssl genrsa -out private/webclient.key.pem 4096
chmod 400 private/webclient.key.pem
openssl req -sha256 -new -days 3653 -key private/webclient.key.pem -out csrs/webclient.csr.pem
Sign CSR and create certificate:
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3653 -out certs/webclient.crt.pem
chmod 444 certs/webclient.crt.pem
Create certificate revocation list (prompts for pass phrase): Create certificate revocation list (prompts for pass phrase):
```
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
```
Configure EPP virtual host: openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
```
sudo nano /etc/apache2/sites-enabled/epp.conf Configure registry registry/shared/config/application.yml to match the CA settings:
```
ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
ca_key_password: 'your-root-key-password'
crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
### Registry EPP setup
Configure registry epp registry-epp/shared/config/application.yml:
webclient_ip: '54.154.91.240'
Configure EPP port 700 virtual host:
sudo vi /etc/apache2/sites-enabled/epp.conf
Replace this line: Replace this line:
```
SSLVerifyClient optional_no_ca SSLVerifyClient optional_no_ca
```
With these lines: With these lines:
```
SSLVerifyClient require SSLVerifyClient require
SSLVerifyDepth 1 SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
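Review bot: `-days 3653` on `openssl req -sha256 -new -days 3653 -key private/webclient.key.pem -out csrs/webclient.csr.pem` has no effect: a CSR carries no validity period, and `req` honours `-days` only together with `-x509`. The webclient certificate's lifetime comes from the `-days 3653` on the `openssl ca` signing command, so drop the flag from the CSR step and let the "review days flag" remark refer to the root `openssl req -new -x509` step and the `openssl ca` step. Two smaller points: `crl_extensions = crl_ext` appears both as a standalone line before `[ CA_default ]` and inside that section with "around line nr 71", so state once which section it belongs in; and the CRL written by `openssl ca ... -gencrl -out crl/crl.pem` expires after `default_crl_days` (30 by default), after which Apache's `SSLCARevocationFile` check fails every client handshake, so the doc should tell operators to regenerate the CRL on a schedule and reload Apache.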
@ -102,19 +119,33 @@ With these lines:
# Uncomment this when upgrading to apache 2.4: # Uncomment this when upgrading to apache 2.4:
# SSLCARevocationCheck chain # SSLCARevocationCheck chain
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
```
Reload apache:
sudo a2enmod headers
sudo /etc/init.d/apache2 restart
### Webclient setup
Copy all registry/shared/ca directory to your webclient server if webclient is in different server,
otherwise just point everything to your registry/shared/ca directory.
Configure webclient/shared/config/application.yml to match the CA settings:
cert_path: '/home/webclient/webclient/shared/ca/certs/webclient.crt.pem'
key_path: '/home/webclient/webclient/shared/ca/private/webclient.key.pem'
Configure webclient virtual host: Configure webclient virtual host:
```
sudo nano /etc/apache2/sites-enabled/webclient.conf sudo vi /etc/apache2/sites-enabled/webclient.conf
```
Add these lines: Add these lines:
```
SSLVerifyClient none SSLVerifyClient none
SSLVerifyDepth 1 SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem SSLCACertificateFile /home/webclient/webclient/shared/ca/certs/ca.crt.pem
SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem SSLCARevocationFile /home/webclient/webclient/shared/ca/crl/crl.pem
# Uncomment this when upgrading to apache 2.4: # Uncomment this when upgrading to apache 2.4:
# SSLCARevocationCheck chain # SSLCARevocationCheck chain
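Review bot: "Copy all registry/shared/ca directory to your webclient server" puts the CA private key (`private/ca.key.pem`) and the CA database on the webclient host, which only needs the CA certificate, the CRL, and its own `webclient.crt.pem`/`webclient.key.pem`, the four files this hunk actually references; document copying just those files so a compromise of the webclient server cannot be used to issue new client certificates. The updated `SSLCACertificateFile`/`SSLCARevocationFile` paths under `/home/webclient/webclient/shared/ca/` are consistent with that narrower copy.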
@ -124,26 +155,19 @@ Add these lines:
SSLVerifyClient require SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
</Location> </Location>
```
Reload apache: Reload apache:
```
sudo a2enmod headers
sudo /etc/init.d/apache2 restart
```
Configure registry and epp application.yml to match the CA settings: sudo a2enmod headers
``` sudo /etc/init.d/apache2 restart
ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
ca_key_password: 'registryalpha'
crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
webclient_ip: '54.154.91.240'
```
Configure webclient application.yml to match the CA settings:
```
cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
```
Development env
---------------
In development environment it's convenient to set unique_subject option to false,
thus you can generate quickly as many certs as you wish.
In CA directory:
echo "unique_subject = no" > index.txt.attr
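Review bot: The removed `ca_key_password: 'registryalpha'` is a concrete passphrase that sat in the published doc and remains in git history; if that value was ever used for a real root key, treat the key as compromised and re-create the CA rather than only changing the doc. The replacement placeholder `'your-root-key-password'` is the right move. In the new "Development env" section, `echo "unique_subject = no" > index.txt.attr` should stay development-only as stated; in production the default `unique_subject = yes` is what stops the CA from issuing a second live certificate for an existing subject DN.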