internetee-registry/doc/certificate.md
2015-02-26 11:21:51 +02:00

3.8 KiB

Setting up certificates

Go to the registry shared folder and set up the CA directory tree:

mkdir ca
cd ca
mkdir certs crl newcerts private csrs
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

Generate the root key (prompts for a pass phrase; the same value goes into ca_key_password in application.yml further down):

openssl genrsa -aes256 -out private/ca.key.pem 4096

Configure OpenSSL:

sudo su -
cd /etc/ssl/
cp openssl.cnf openssl.cnf.bak
nano openssl.cnf
exit

Make sure the following options are in place. crl_extensions is read from the CA section, so it belongs under [ CA_default ] next to dir:

[ CA_default ]
# Where everything is kept
dir = /home/registry/registry/shared/ca
# Extensions added to CRLs generated with -gencrl
crl_extensions = crl_ext

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

# For the CA policy
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Issue the root certificate, valid for ten years (prompts for the subject fields):

openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
chmod 444 certs/ca.crt.pem

Create a key and CSR for the webclient (prompts for the subject fields; policy_match requires a commonName, the rest is optional):

openssl genrsa -out private/webclient.key.pem 4096
chmod 400 private/webclient.key.pem
openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem

Sign the request and create the certificate (prompts for the CA pass phrase; without -days the validity is default_days from openssl.cnf):

openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
chmod 444 certs/webclient.crt.pem

Create the certificate revocation list (prompts for the pass phrase). Regenerate it after every openssl ca -revoke, and again before default_crl_days elapse: once the CRL's nextUpdate has passed, Apache rejects every client certificate, not just the revoked ones:

openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
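The whole CA procedure above, as an added shell example that is not part of the registry project: it builds the same directory tree in a temporary directory with its own minimal openssl.cnf (so the system-wide /etc/ssl/openssl.cnf is left alone), issues the root and a client certificate, then revokes the client certificate, regenerates the CRL and shows the certificate failing verification the same way mod_ssl would reject it. The pass phrase, the key size (2048 instead of 4096, for speed), the CA name and the scratch directory are assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not part of the registry project: rehearse the CA procedure
# in a throwaway directory and prove that revocation plus a fresh CRL really
# makes the client certificate fail verification.
# Assumptions (not from the page): scratch dir from mktemp, pass phrase
# "example-passphrase", 2048-bit keys for speed (the page uses 4096).
set -eu

CA_PASS="example-passphrase"   # stands in for the pass phrase OpenSSL would prompt for
KEY_BITS=2048                  # the real CA uses 4096
CA_DIR=""                      # set by ca_setup

# Minimal openssl.cnf: the sections the page says must be in place, plus the
# bookkeeping entries openssl ca needs. Written into $CA_DIR, never /etc/ssl.
ca_write_config() {
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $CA_DIR
certs            = \$dir/certs
crl_dir          = \$dir/crl
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/certs/ca.crt.pem
private_key      = \$dir/private/ca.key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
crl_extensions   = crl_ext
unique_subject   = no

[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
# never used: every request below passes -subj on the command line
CN = placeholder

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# Directory tree, root key and self-signed root certificate, non-interactive.
ca_setup() {
  CA_DIR="$(mktemp -d)"
  mkdir "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/csrs"
  chmod 700 "$CA_DIR/private"
  touch "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  ca_write_config
  openssl genrsa -aes256 -passout "pass:$CA_PASS" \
    -out "$CA_DIR/private/ca.key.pem" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -config "$CA_DIR/openssl.cnf" \
    -key "$CA_DIR/private/ca.key.pem" -passin "pass:$CA_PASS" \
    -extensions v3_ca -subj "/CN=Example Registry Root CA" \
    -out "$CA_DIR/certs/ca.crt.pem"
  chmod 444 "$CA_DIR/certs/ca.crt.pem"
  ca_gencrl   # start with an (empty) CRL so -crl_check has something to consult
}

# (Re)generate crl/crl.pem from index.txt; must run after every revocation.
ca_gencrl() {
  openssl ca -config "$CA_DIR/openssl.cnf" -keyfile "$CA_DIR/private/ca.key.pem" \
    -cert "$CA_DIR/certs/ca.crt.pem" -passin "pass:$CA_PASS" \
    -gencrl -out "$CA_DIR/crl/crl.pem"
}

# Key, CSR and CA-signed certificate for a client named $1 (e.g. webclient).
ca_issue_client() {
  local name="$1"
  openssl genrsa -out "$CA_DIR/private/$name.key.pem" "$KEY_BITS" 2>/dev/null
  chmod 400 "$CA_DIR/private/$name.key.pem"
  openssl req -sha256 -new -config "$CA_DIR/openssl.cnf" \
    -key "$CA_DIR/private/$name.key.pem" -subj "/CN=$name" \
    -out "$CA_DIR/csrs/$name.csr.pem"
  openssl ca -config "$CA_DIR/openssl.cnf" -batch \
    -keyfile "$CA_DIR/private/ca.key.pem" -cert "$CA_DIR/certs/ca.crt.pem" \
    -passin "pass:$CA_PASS" -extensions usr_cert -notext -md sha256 \
    -in "$CA_DIR/csrs/$name.csr.pem" -out "$CA_DIR/certs/$name.crt.pem"
  chmod 444 "$CA_DIR/certs/$name.crt.pem"
}

# Mark the client certificate revoked in index.txt and publish a new CRL.
ca_revoke_client() {
  openssl ca -config "$CA_DIR/openssl.cnf" \
    -keyfile "$CA_DIR/private/ca.key.pem" -cert "$CA_DIR/certs/ca.crt.pem" \
    -passin "pass:$CA_PASS" -revoke "$CA_DIR/certs/$1.crt.pem"
  ca_gencrl
}

# Verify the client certificate against the CA and the CRL, as mod_ssl does
# with SSLCACertificateFile and SSLCARevocationFile: prints valid, revoked or invalid.
ca_client_status() {
  local out
  out="$(openssl verify -crl_check -CAfile "$CA_DIR/certs/ca.crt.pem" \
    -CRLfile "$CA_DIR/crl/crl.pem" "$CA_DIR/certs/$1.crt.pem" 2>&1)" || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo invalid ;;
  esac
}

ca_setup
ca_issue_client webclient
echo "before revocation: $(ca_client_status webclient)"
ca_revoke_client webclient
echo "after revocation:  $(ca_client_status webclient)"
rm -rf "$CA_DIR"
```

The two echo lines print valid and then revoked. If the second still says valid, the CRL was not regenerated after the revocation, which is exactly the mistake that leaves a revoked client able to log in to EPP; ca_client_status is also the check to run on a freshly generated crl.pem before pointing SSLCARevocationFile at it.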

Configure the EPP virtual host:

sudo nano /etc/apache2/sites-enabled/epp.conf

Replace this line:

SSLVerifyClient optional_no_ca

With these lines:

  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
  SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
  # Uncomment this when upgrading to apache 2.4:
  # SSLCARevocationCheck chain
  RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"

SSLVerifyDepth 1 is enough because the CA signs client certificates directly. The RequestHeader line overwrites whatever SSL_CLIENT_S_DN_CN header the client sent with the CN taken from the verified certificate, so the application can trust that header. On Apache 2.2 SSLCARevocationFile alone switches CRL checking on; on 2.4 the CRL is ignored unless SSLCARevocationCheck is also set.

Configure the webclient virtual host:

sudo nano /etc/apache2/sites-enabled/webclient.conf

Add these lines:

  SSLVerifyClient none
  SSLVerifyDepth 1
  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
  SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
  # Uncomment this when upgrading to apache 2.4:
  # SSLCARevocationCheck chain

  RequestHeader set SSL_CLIENT_S_DN_CN ""

  <Location /login/pki>
    SSLVerifyClient require
  </Location>

  <Location /sessions/pki>
    SSLVerifyClient require
    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
  </Location>

SSLVerifyClient none at the virtual host level keeps the rest of the site usable without a certificate, and the empty RequestHeader set there strips any SSL_CLIENT_S_DN_CN header a client sends; only the two PKI paths demand a certificate, and only /sessions/pki passes the verified CN through. Because the certificate is demanded per Location, Apache has to renegotiate the TLS session after reading the request line, which is how mod_ssl implements per-directory client verification.

Enable mod_headers (the RequestHeader directives need it) and restart Apache:

sudo a2enmod headers
sudo /etc/init.d/apache2 restart

Configure the registry and epp application.yml to match the CA settings (ca_key_password is the pass phrase chosen when the root key was generated):

ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
ca_key_password: 'registryalpha'
crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
webclient_ip: '54.154.91.240'

Configure the webclient application.yml to match the CA settings:

cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'