From f11af415d9f55848a252d8717061b1ce31b5e899 Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Thu, 26 Feb 2015 11:48:38 +0200 Subject: [PATCH] Merged certificate doc --- README.md | 92 +------------------ doc/certificate.md | 224 +++++++++++++++++++++++---------------------- 2 files changed, 115 insertions(+), 201 deletions(-) diff --git a/README.md b/README.md index bc2b9af13..24740e064 100644 --- a/README.md +++ b/README.md @@ -186,98 +186,10 @@ All registry demo data can be found at: Initially you can use two type of users: admin users and EPP users. -### CA +### Certificates setup -Go to registry shared folder and setup CA directory tree: -``` -mkdir ca -cd ca -mkdir certs crl newcerts private csrs -chmod 700 private -touch index.txt -echo 1000 > serial -echo 1000 > crlnumber -``` +* [Certificates setup](/doc/certificates.md) -Generate the root key (prompts for pass phrase): -``` -openssl genrsa -aes256 -out private/ca.key.pem 4096 -``` - -Configure OpenSSL: -``` -sudo su - -cd /etc/ssl/ -cp openssl.cnf openssl.cnf.bak -nano openssl.cnf -exit -``` - -Make sure the following options are in place: -``` -[ CA_default ] -# Where everything is kept -dir = /home/registry/registry/shared/ca - -[ usr_cert ] -# These extensions are added when 'ca' signs a request. -basicConstraints=CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer - -[ v3_ca ] -# Extensions for a typical CA -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -basicConstraints = CA:true -keyUsage = cRLSign, keyCertSign - -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -``` - -Issue the root certificate (prompts for additional data): -``` -openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem -chmod 444 certs/ca.crt.pem -``` - -Create a CSR for the webclient: -``` -openssl genrsa -out private/webclient.key.pem 4096 -chmod 400 private/webclient.key.pem -openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem -``` - -Sign the request and create certificate: -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem -``` - -Create certificate revocation list (prompts for pass phrase): -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem -``` - -Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User. - -Private key and certificate must be packaged to pkcs12 and added to the browser. - -Make sure application configuration files contain correct paths to certificates. - -In test environment it's important to set unique_subject option to false. -In CA directory: -``` -echo "unique_subject = no" > index.txt.attr -``` ### EPP web client diff --git a/doc/certificate.md b/doc/certificate.md index d0a2f78cd..c1131ed61 100644 --- a/doc/certificate.md +++ b/doc/certificate.md @@ -1,149 +1,151 @@ -Setting up certificates ------------------------ +Certificates setup +------------------ -Go to registry shared folder and setup CA directory tree: -``` -mkdir ca -cd ca -mkdir certs crl newcerts private csrs -chmod 700 private -touch index.txt -echo 1000 > serial -echo 1000 > crlnumber -``` +Certificates for API Users are generated via registnry admin user interface. +CSR must be uploaded for each API User. + +Private key and certificate must be packaged to pkcs12 and added to user browser. + + +### Registry setup + +Setup CA directory tree: + + cd /home/registry/registry/shared + mkdir ca + cd ca + mkdir certs crl newcerts private csrs + chmod 700 private + touch index.txt + echo 1000 > serial + echo 1000 > crlnumber Generate the root key (prompts for pass phrase): -``` -openssl genrsa -aes256 -out private/ca.key.pem 4096 -``` + + openssl genrsa -aes256 -out private/ca.key.pem 4096 Configure OpenSSL: -``` -sudo su - -cd /etc/ssl/ -cp openssl.cnf openssl.cnf.bak -nano openssl.cnf -exit -``` + + sudo su - + cd /etc/ssl/ + cp openssl.cnf openssl.cnf.bak + nano openssl.cnf + exit Make sure the following options are in place: -``` -crl_extensions = crl_ext -[ CA_default ] -# Where everything is kept -dir = /home/registry/registry/shared/ca + crl_extensions = crl_ext -[ usr_cert ] -# These extensions are added when 'ca' signs a request. -basicConstraints=CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer + [ CA_default ] + # Where everything is kept + dir = /home/registry/registry/shared/ca -[ v3_ca ] -# Extensions for a typical CA -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -basicConstraints = CA:true -keyUsage = cRLSign, keyCertSign + [ usr_cert ] + # These extensions are added when 'ca' signs a request. + basicConstraints=CA:FALSE + keyUsage = nonRepudiation, digitalSignature, keyEncipherment + nsComment = "OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid,issuer -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -``` + [ v3_ca ] + # Extensions for a typical CA + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer + basicConstraints = CA:true + keyUsage = cRLSign, keyCertSign + + # For the CA policy + [ policy_match ] + countryName = optional + stateOrProvinceName = optional + organizationName = optional + organizationalUnitName = optional + commonName = supplied + emailAddress = optional Issue the root certificate (prompts for additional data): -``` -openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem -chmod 444 certs/ca.crt.pem -``` + + openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem + chmod 444 certs/ca.crt.pem Create a CSR for the webclient: -``` -openssl genrsa -out private/webclient.key.pem 4096 -chmod 400 private/webclient.key.pem -openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem -``` + + openssl genrsa -out private/webclient.key.pem 4096 + chmod 400 private/webclient.key.pem + openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem Sign the request and create certificate: -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem -chmod 444 certs/webclient.crt.pem -``` + + openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem + chmod 444 certs/webclient.crt.pem Create certificate revocation list (prompts for pass phrase): -``` -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem -``` + + openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem Configure EPP virtual host: -``` -sudo nano /etc/apache2/sites-enabled/epp.conf -``` + + sudo nano /etc/apache2/sites-enabled/epp.conf Replace this line: -``` -SSLVerifyClient optional_no_ca -``` + + SSLVerifyClient optional_no_ca With these lines: -``` - SSLVerifyClient require - SSLVerifyDepth 1 - SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem - SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem - # Uncomment this when upgrading to apache 2.4: - # SSLCARevocationCheck chain - RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" -``` + + SSLVerifyClient require + SSLVerifyDepth 1 + SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem + SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem + # Uncomment this when upgrading to apache 2.4: + # SSLCARevocationCheck chain + RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" Configure webclient virtual host: -``` -sudo nano /etc/apache2/sites-enabled/webclient.conf -``` + + sudo nano /etc/apache2/sites-enabled/webclient.conf Add these lines: -``` - SSLVerifyClient none - SSLVerifyDepth 1 - SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem - SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem - # Uncomment this when upgrading to apache 2.4: - # SSLCARevocationCheck chain - RequestHeader set SSL_CLIENT_S_DN_CN "" + SSLVerifyClient none + SSLVerifyDepth 1 + SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem + SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem + # Uncomment this when upgrading to apache 2.4: + # SSLCARevocationCheck chain - - SSLVerifyClient require - RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" - -``` + RequestHeader set SSL_CLIENT_S_DN_CN "" + + + SSLVerifyClient require + RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" + Reload apache: -``` -sudo a2enmod headers -sudo /etc/init.d/apache2 restart -``` + + sudo a2enmod headers + sudo /etc/init.d/apache2 restart Configure registry and epp application.yml to match the CA settings: -``` -ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' -ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' -ca_key_password: 'registryalpha' -crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' -webclient_ip: '54.154.91.240' -``` + + ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem' + ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem' + ca_key_password: 'registryalpha' + crl_path: '/home/registry/registry/shared/ca/crl/crl.pem' + webclient_ip: '54.154.91.240' Configure webclient application.yml to match the CA settings: -``` -cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem' -key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem' -``` + cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem' + key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem' + +Development env +--------------- + +In development environment it's convenient to set unique_subject option to false, +thus you can generate quickly as many certs as you wish. + +In CA directory: + + echo "unique_subject = no" > index.txt.attr