How to create test certificates for ssl enabled UNIS

ameyjah edited this page Apr 17, 2014 · 3 revisions

When we enable SSL on UNIS, only trusted clients (those presenting a certificate issued by our own CA) can connect to UNIS (MS) and post new updates.

For UNIS, we have

  1. a server SSL certificate (issued by a trusted authority, e.g. VeriSign, which the client uses to trust the service)

  2. our own CA, which we use to issue client certificates

  3. the client certificates, which our service trusts because their (self-signed) root CA is in our CA bundle

In a development/test environment we need to fake the trusted authority by creating a fake external CA. The following terms are used throughout.

  • External CA - the real-world CA (e.g. VeriSign); for testing we create our own fake external CA instead.
  • Internal CA - our own (self-signed) CA. We use it to verify that a client connecting to us has a certificate that we issued.
  • Server key & certificate - the server uses these to prove to the client that it is the genuine server.
  • Client key & certificate - the client uses these to prove to the server that it is a genuine client.

How to generate these certificates

Note that you must enter a "Common Name" when creating a certificate; it is a required field.

Part 1: Generate the server certificate and get it signed by the external CA.

  1. Create the server key
amey@debian-amey:~/unis/periscope/ssl$ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
............................+++
e is 65537 (0x10001)
  2. Generate a certificate signing request (CSR)
amey@debian-amey:~/unis/periscope/ssl$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  3. a. If you are using a real CA, send this CSR to the CA and it will return your signed certificate.
     b. If you do not have a CA, or for testing purposes, use our fake external CA instead:
     b.1 Create the external CA key
amey@debian-amey:~/unis/periscope/ssl$ openssl genrsa -out externalCA.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
.......................................+++
e is 65537 (0x10001)
     b.2 Self-sign the external CA key and generate its certificate
amey@debian-amey:~/unis/periscope/ssl$ openssl req -x509 -new -nodes -key externalCA.key -days 1024 -out externalCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:externalCA
Email Address []:
     b.3 Sign the earlier server.csr (certificate signing request) with this CA key
amey@debian-amey:~/unis/periscope/ssl$ openssl x509 -req -in server.csr -CA externalCA.pem -CAkey externalCA.key -CAcreateserial -out server.crt -days 500
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
Getting CA Private Key

Part 2: Generate our own private (internal) CA and use it to sign the client certificate.

  1. Create the internal CA key
amey@debian-amey:~/unis/periscope/ssl$ openssl genrsa -out internalCA.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
.........................+++
e is 65537 (0x10001)
  2. Self-sign it
amey@debian-amey:~/unis/periscope/ssl$ openssl req -x509 -new -nodes -key internalCA.key -days 1024 -out internalCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:internalCA
Email Address []:
  3. Create the client key
amey@debian-amey:~/unis/periscope/ssl$ openssl genrsa -out client.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
....................................................................................................+++
e is 65537 (0x10001)
  4. Generate the client's signing request
amey@debian-amey:~/unis/periscope/ssl$ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  5. Sign the CSR with the internal CA
amey@debian-amey:~/unis/periscope/ssl$ openssl x509 -req -in client.csr -CA internalCA.pem -CAkey internalCA.key -CAcreateserial -out client.crt -days 500
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
Getting CA Private Key
  6. Create a PKCS#12 file for browser import
amey@debian-amey:~/unis/periscope/ssl$ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile internalCA.pem 
Enter Export Password:
Verifying - Enter Export Password:
amey@debian-amey:~/unis/periscope/ssl$ 
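Parts 1 and 2 above are typed at the prompts one command at a time. The script below is an added example (not part of this wiki page or the UNIS project) that does the same work non-interactively: the Distinguished Names are passed with `-subj` instead of being typed, and each issued certificate is then checked with `openssl verify` against the CA that should have signed it and against the one that should not. The negative checks show why the two CAs must stay separate: a certificate from the external CA must never verify against internalCA.pem, which is the file the server's `ca_certs` setting trusts. Assumptions: `SSL_DIR` (default: a fresh temporary directory) is the target folder, `SERVER_CN` is the host name the browser will connect to (default `localhost`), the file names match the page, and the PKCS#12 export password is a placeholder.

```shell
#!/bin/sh
# Added example, not the UNIS project's code: Parts 1 and 2 of the wiki page as a
# non-interactive script, followed by "openssl verify" checks of both trust chains.
# Assumptions: SSL_DIR is the output folder, SERVER_CN is the host name clients will
# use, PFX_PASSWORD is a placeholder export password for client.pfx.
set -eu
umask 077   # private keys should not be readable by other users

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-localhost}"       # must equal the host name in the https:// URL
PFX_PASSWORD="${PFX_PASSWORD:-changeit}"  # placeholder, change before real use
DN_PREFIX="/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd"

# Create a self-signed CA: $1 = base name (externalCA or internalCA), $2 = Common Name.
make_ca() {
    openssl genrsa -out "$SSL_DIR/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$SSL_DIR/$1.key" -days 1024 \
        -subj "$DN_PREFIX/CN=$2" -out "$SSL_DIR/$1.pem"
}

# Create a key and a CSR, then sign the CSR with a CA:
# $1 = base name (server or client), $2 = Common Name, $3 = CA base name.
make_signed_cert() {
    openssl genrsa -out "$SSL_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$SSL_DIR/$1.key" -subj "$DN_PREFIX/CN=$2" \
        -out "$SSL_DIR/$1.csr"
    openssl x509 -req -in "$SSL_DIR/$1.csr" -CA "$SSL_DIR/$3.pem" \
        -CAkey "$SSL_DIR/$3.key" -CAcreateserial -days 500 \
        -out "$SSL_DIR/$1.crt" 2>/dev/null
}

# Succeed only if certificate $1 chains to CA $2. The ": OK" line is checked rather
# than the exit status, which old openssl releases did not set on failure.
chains_to() {
    openssl verify -CAfile "$SSL_DIR/$2.pem" "$SSL_DIR/$1.crt" 2>/dev/null \
        | grep -q ': OK$'
}

# Print the Common Name of certificate $1 (handles both the old "/CN=x" and the
# newer "CN = x" subject formats).
cert_cn() {
    openssl x509 -in "$SSL_DIR/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Part 1: server key and CSR, signed by the fake external CA.
make_ca externalCA externalCA
make_signed_cert server "$SERVER_CN" externalCA

# Part 2: internal CA, client key and CSR signed by it, and the browser bundle.
make_ca internalCA internalCA
make_signed_cert client localhost internalCA
openssl pkcs12 -export -out "$SSL_DIR/client.pfx" -inkey "$SSL_DIR/client.key" \
    -in "$SSL_DIR/client.crt" -certfile "$SSL_DIR/internalCA.pem" \
    -passout "pass:$PFX_PASSWORD"

# Checks: each certificate must chain to its own CA and to nothing else. The negative
# checks are what the server's 'ca_certs': internalCA.pem setting relies on.
chains_to server externalCA   || { echo "server.crt does not chain to externalCA.pem"; exit 1; }
chains_to client internalCA   || { echo "client.crt does not chain to internalCA.pem"; exit 1; }
! chains_to client externalCA || { echo "client.crt wrongly verifies against externalCA.pem"; exit 1; }
! chains_to server internalCA || { echo "server.crt wrongly verifies against internalCA.pem"; exit 1; }
echo "certificates written to $SSL_DIR (server CN=$(cert_cn server), client CN=$(cert_cn client))"
```

Run it as `SSL_DIR=$UNIS_HOME/periscope/ssl SERVER_CN=<your host name> sh make-test-certs.sh` to produce the same five files the deployment section expects plus client.pfx. The `chains_to` function is also a useful spot check on an existing ssl folder: if `client.crt` verifies against `externalCA.pem`, the client certificate was signed by the wrong CA and the server will reject it.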

Deployment of keys

  1. Put the following files into the $UNIS_HOME/periscope/ssl folder
client.crt  client.key  internalCA.pem  server.crt  server.key 
  2. Set $UNIS_HOME/periscope/settings.py as follows
import os   # needed for the path joins below
import ssl  # needed for ssl.CERT_REQUIRED

ENABLE_SSL = True
SSL_OPTIONS = {
    # certificate and key the server presents to clients (signed by the external CA)
    'certfile': os.path.join(PERISCOPE_ROOT, "ssl/server.crt"),
    'keyfile': os.path.join(PERISCOPE_ROOT, "ssl/server.key"),
    # every client must present a certificate ...
    'cert_reqs': ssl.CERT_REQUIRED,
    # ... and only certificates issued by our internal CA are accepted
    'ca_certs': os.path.join(PERISCOPE_ROOT, "ssl/internalCA.pem")
}
# client certificate and key (issued by the internal CA) used for the MS client connection
MS_CLIENT_CERT = os.path.join(PERISCOPE_ROOT, "ssl/client.crt")
MS_CLIENT_KEY = os.path.join(PERISCOPE_ROOT, "ssl/client.key")
  3. Start UNIS.

How to test

  1. Copy client.pfx & externalCA.pem files to client's machine.
  2. Open browser and import both. (see instructions)
  3. Now connect to https://server:port of UNIS.