ssl-howto.txt
More expansive description of how we create CA keys/certs and httpd-server
keys/cert-reqs/certs:
------------------------------------------------------------------------------

$Id$

XXX Needs to be updated XXX

Create two files from the template below (rhn-ca-openssl.cnf and
rhn-server-openssl.cnf). We do this so that we can have differing
C/ST/L/O/OU/CN/emailAddress in the "[ req_distinguished_name ]" sections
and slightly different "[ usr_cert ]" sections:
"""
# rhn-*-openssl.cnf
#---------------------------------------------------------------------------
# RHN Management {Satellite,Proxy} autogenerated openSSL configuration file.
#---------------------------------------------------------------------------
[ ca ]
default_ca = CA_default
[ CA_default ]
default_bits = 2048
x509_extensions = usr_cert
database = index.txt
serial = serial
# how closely we follow policy
policy = policy_optional
# for the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ policy_optional ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
#---------------------------------------------------------------------------
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = usr_cert
[ req_distinguished_name ]
C = %s
ST = %s
L = %s
O = %s
OU = %s
CN = %s
emailAddress = %s
[ usr_cert ]
basicConstraints = %s
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
#nsCertType = server
# PKIX recommendations harmless if included in all certificates.
nsComment = "RHN SSL Tool Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
#===========================================================================
"""

<config file string substitution notes>
NOTE on "[ req_distinguished_name ]" section (all except C are optional):
    C = country code
    ST = province name (or state)
    L = locality (or city)
    O = org name
    OU = org unit
    CN = common name (hostname usually)
    emailAddress = email address

NOTE on "[ usr_cert ]" section for rhn-ca-openssl.cnf:
    basicConstraints = CA:true
    keyUsage = digitalSignature, keyEncipherment, keyCertSign

NOTE on "[ usr_cert ]" section for rhn-server-openssl.cnf:
    basicConstraints = CA:false
    keyUsage = digitalSignature, keyEncipherment
</config file string substitution notes>

Notes on key and cert names:
----------------------------
    CA certificate            = RHN-ORG-TRUSTED-SSL-CERT
    CA private key            = RHN-ORG-PRIVATE-SSL-KEY
    httpd Server Key          = server.key
    httpd Server Cert Request = server.csr
    httpd Server Cert         = server.crt

Generate CA:
------------
    openssl genrsa -passout pass:PASSWORD -des3 -out RHN-ORG-PRIVATE-SSL-KEY 2048

Generate Public CA Certificate (a self-signed CA certificate):
---------------------------------------------------------------
    DAYS = 3650 (10 years)
    openssl req -passin pass:<PASSWORD> -text -config rhn-ca-openssl.cnf -new \
        -x509 -days <DAYS> -sha1 -key RHN-ORG-PRIVATE-SSL-KEY \
        -out RHN-ORG-TRUSTED-SSL-CERT

Generate Server Key:
--------------------
    openssl genrsa -out server.key 2048

Generate Server Certificate Request:
------------------------------------
    openssl req -sha1 -text -config rhn-server-openssl.cnf -new -key server.key \
        -out server.csr

Generate the Server Certificate (signed by CA):
-----------------------------------------------
    if serial file does not exist:
        echo "01" > serial
    NOTE: the serial number & signature combination of the CA cert and the
    server.crt should not match (we make every attempt to ensure this).
    We are not so concerned with serial number/signature matches for multiple
    server certs (managed by the index.txt file):
        echo -n > index.txt
    STARTDATE = 1 week ago (format: YYMMDDHHMMSSZ)
    DAYS = 365 (1 year)
    openssl ca -config rhn-ca-openssl.cnf -in server.csr -out server.crt \
        -outdir ./ -batch -cert RHN-ORG-TRUSTED-SSL-CERT \
        -keyfile RHN-ORG-PRIVATE-SSL-KEY -startdate <STARTDATE> \
        -days <DAYS> -md sha1 -policy policy_optional -passin pass:PASSWORD

Build the RPMs:
---------------
    This one is installed on the RHN server (satellite/proxy):
        rhn-org-httpd-ssl-key-pair<-MACHINENAME>-VERSION-RELEASE:
            /etc/httpd/conf/ssl.crt/server.crt
            /etc/httpd/conf/ssl.key/server.key

    This one is used by XMLRPC clients to talk to RHN servers (satellite/proxy):
        rhn-org-trusted-ssl-cert-VERSION-RELEASE:
            /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

How to test an SSL connection with a CA cert:
---------------------------------------------
    For AS 2.1 (or stunnel <v4.0):
        /usr/sbin/stunnel -r SERVER_HOSTNAME:443 -cf -v 2 -A THE_CA_CERTIFICATE

    For RHEL 3 (or stunnel >=v4.0):
        (1) create rhn-stunnel.cfg:
                CAfile = CA_CERTIFICATE
                client = yes
                connect = SERVER_HOSTNAME:443
                foreground = yes
                verify = 2
        (2) run stunnel with that configuration file:
                /usr/sbin/stunnel rhn-stunnel.cfg

    OpenSSL test client (though its output is hard to decipher):
        openssl s_client -connect SERVER_HOSTNAME:443 -CAfile THE_CA_CERTIFICATE

    And to see the remote server's validity window:
        openssl s_client -connect SERVER_HOSTNAME:443 -showcerts | openssl x509 \
            -dates -noout
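The generation steps above (CA key and cert, server key, CSR, signing) and the s_client-with-CAfile test, driven end to end as one added shell example that is not part of ssl-howto.txt or of the rhn-ssl-tool code. It assumes an openssl binary of 1.1.0 or later in PATH, uses sha256 and an AES-256-encrypted CA key where the howto uses sha1 and des3, skips the -startdate step, and the hostname, passphrase and the "server_cert" section name are constructed placeholders. That extra section is the one deliberate departure from the howto's command: "openssl ca" applies the x509_extensions section named in the config it is handed, and rhn-ca-openssl.cnf's "[ usr_cert ]" is the CA:true, keyCertSign variant, so signing server.csr with it as written would carry those CA extensions onto server.crt; the example therefore selects a non-CA section with -extensions and checks for CA:FALSE on the result. For the connection test the remote server is replaced by a local "openssl s_server", so the check runs offline.

```shell
#!/bin/sh
# Added example, not from ssl-howto.txt: the howto's CA + server-cert steps in a
# throwaway directory, then the checks and an s_client test against a local
# s_server. Hostname, passphrase and section name "server_cert" are placeholders.
CA_CERT=RHN-ORG-TRUSTED-SSL-CERT
CA_KEY=RHN-ORG-PRIVATE-SSL-KEY
CA_PASS=${CA_PASS:-constructed-demo-passphrase}

# CA config in the shape of the howto's template plus a [ server_cert ] section:
# "openssl ca" applies the x509_extensions section of the config it is handed,
# and the CA config's [ usr_cert ] says CA:true + keyCertSign.
write_ca_config() {   # write_ca_config DIR HOSTNAME
    cat > "$1/rhn-ca-openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
serial = serial
policy = policy_optional
x509_extensions = usr_cert
[ policy_optional ]
countryName = optional
commonName = optional
[ req ]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = usr_cert
[ req_distinguished_name ]
C = US
CN = Example Org CA (constructed)
[ usr_cert ]
basicConstraints = CA:true
keyUsage = digitalSignature, keyEncipherment, keyCertSign
[ server_cert ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2
EOF
}

# Server config: same DN shape, CN = the hostname clients will connect to.
write_server_config() {   # write_server_config DIR HOSTNAME
    cat > "$1/rhn-server-openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = US
CN = $2
EOF
}

# The howto's generation steps in order; returns 0 once server.crt is issued.
build_pki() {   # build_pki DIR HOSTNAME
    mkdir -p "$1" && write_ca_config "$1" "$2" && write_server_config "$1" "$2" || return 1
    (
        cd "$1" || exit 1
        # Generate CA: encrypted key, then the self-signed CA cert (10 years)
        openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_KEY" 2048 2>/dev/null &&
        openssl req -new -x509 -days 3650 -sha256 -config rhn-ca-openssl.cnf \
            -key "$CA_KEY" -passin "pass:$CA_PASS" -out "$CA_CERT" &&
        # Generate Server Key (unencrypted so httpd starts unattended) and CSR
        openssl genrsa -out server.key 2048 2>/dev/null &&
        openssl req -new -sha256 -config rhn-server-openssl.cnf -key server.key -out server.csr &&
        # CA database as in the howto: serial only if absent, index.txt emptied; then sign
        { [ -f serial ] || echo "01" > serial; } && : > index.txt &&
        openssl ca -config rhn-ca-openssl.cnf -in server.csr -out server.crt -outdir . \
            -batch -cert "$CA_CERT" -keyfile "$CA_KEY" -passin "pass:$CA_PASS" \
            -days 365 -md sha256 -policy policy_optional -extensions server_cert -notext
    )
}

# Chain verifies, the issued cert is not a CA, and it stays valid for a day.
verify_issued_cert() {   # verify_issued_cert DIR
    openssl verify -CAfile "$1/$CA_CERT" "$1/server.crt" >/dev/null &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:FALSE' &&
    openssl x509 -in "$1/server.crt" -noout -checkend 86400 >/dev/null
}

# The s_client-with-CAfile test, against a local s_server serving server.crt.
# Returns 0 only when the client validated the cert against the CA and hostname.
tls_handshake_check() {   # tls_handshake_check DIR HOSTNAME PORT
    openssl s_server -accept "127.0.0.1:$3" -cert "$1/server.crt" -key "$1/server.key" \
        -quiet >/dev/null 2>&1 &
    srv_pid=$!; out=""
    for i in 1 2 3 4 5 6 7 8 9 10; do   # give the listener a moment to come up
        sleep 1
        out=$(openssl s_client -connect "127.0.0.1:$3" -CAfile "$1/$CA_CERT" \
            -verify_hostname "$2" -verify_return_error </dev/null 2>&1)
        printf '%s\n' "$out" | grep -q 'Verify return code' && break
    done
    kill "$srv_pid" 2>/dev/null
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}
# Usage: build_pki /tmp/pki rhn.example.test && verify_issued_cert /tmp/pki &&
#        tls_handshake_check /tmp/pki rhn.example.test 44330
```

Run the usage line with a scratch directory; the three checks in verify_issued_cert are the ones worth keeping in any packaging script, and dumping server.crt with "openssl x509 -text" to confirm CA:FALSE before it goes into the rhn-org-httpd-ssl-key-pair RPM is the cheapest way to catch a cert that was signed with the CA's own extension section.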

Alternative Server key and cert generation (with a password):
-------------------------------------------------------------
    (Don't actually do this. This is for reference only.)
    Key:      openssl genrsa -passout pass:PASSWORD -des3 -out server.key 2048
    Cert req: openssl req -sha1 -passin pass:PASSWORD \
                  -config rhn-server-openssl.cnf \
                  -new -key server.key -out server.csr