CA
From Whitespace (Hackerspace Gent)
Revision as of 03:14, 6 November 2011
CA
What: 0x20 Certificate Authority CA
Participants: Jaroslov
Locations: Whitespace
0x20 CA
- CA with OpenSSL
- all flat files in 1 directory
- can easily be transported on an encrypted filesystem
- Used for OpenVPN authentication
openssl.cnf
Check the openssl.cnf file with the 0x20 specific values:
- root ca is valid for 15 years
- certificates are valid for 5 years
- DN: C=BE, ST=Ghent, L=Whitespace, O=0x20, CN=0x20 root ca
- nsCaRevocationUrl = http://www.0x20.be/ca-0x20-crl.pem
- extendedKeyUsage=serverAuth (server certs)
- extendedKeyUsage=clientAuth (client certs)
Create a CA
$ openssl req -new -x509 -days 5475 -newkey rsa:4096 -extensions v3_ca -keyout \
    private/ca-0x20-key.pem -out ca-0x20-cert.pem -config ./openssl.cnf
Sign server cert
- Change openssl.cnf to server settings:
$ vi ./openssl.cnf
nsCertType = server
extendedKeyUsage=serverAuth
- If needed create the key and the csr (certificate signing request):
$ openssl genrsa -aes256 -out 0x20-servername.key 2048
$ openssl req -new -key 0x20-servername.key -nodes -out 0x20-members-vpn.csr
- Sign the certificate:
$ openssl ca -in 0x20-members-vpn.csr -cert ca-0x20-cert.pem -keyfile \
    private/ca-0x20-key.pem -out 0x20-members-vpn.cert -config ./openssl.cnf
- check index.txt (= the CA db)
Create a CRL
$ openssl ca -gencrl -out crl/crl.pem -config ./openssl.cnf
- The first time, populate the crlnumber file first: $ echo "01" > crlnumber
Revoke a certificate
- Check the certificates in newcerts/
- Revoke the needed one:
$ openssl ca -revoke newcerts/1000.pem -config ./openssl.cnf
- Distribute the CRL where needed (the clients fetch it from the nsCaRevocationUrl set in openssl.cnf).
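The sign, CRL and revoke steps above, run end to end against a throwaway CA so the effect of revocation can be checked with openssl verify -crl_check. This is an added example, not the 0x20 wiki's own script: the openssl.cnf it writes is a minimal constructed stand-in for the real 0x20 file, and all file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Throwaway CA demo: sign, revoke, issue a CRL, then verify with -crl_check.
# Assumes openssl in PATH; every file and subject here is constructed for the demo.
set -e
CADIR=$(mktemp -d); cd "$CADIR"
mkdir private newcerts crl; touch index.txt; echo 1000 > serial; echo 01 > crlnumber
# Minimal stand-in for the 0x20 openssl.cnf (the real file is not on the page)
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = ca_0x20
[ ca_0x20 ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca-cert.pem
private_key = $dir/private/ca-key.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
# Root CA valid 15 years as on the page; -nodes only because this CA is throwaway
openssl req -new -x509 -days 5475 -newkey rsa:2048 -nodes -extensions v3_ca \
  -subj "/C=BE/ST=Ghent/L=Whitespace/O=0x20/CN=demo root ca" \
  -keyout private/ca-key.pem -out ca-cert.pem -config ./openssl.cnf 2>/dev/null
# Server key + CSR, signed by the CA: serial 0x1000 lands in newcerts/1000.pem
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=members-vpn" \
  -keyout server.key -out server.csr -config ./openssl.cnf 2>/dev/null
openssl ca -batch -days 1825 -extensions v3_server -in server.csr -out server.cert \
  -config ./openssl.cnf 2>/dev/null
issue_crl() { openssl ca -gencrl -crldays 30 -out crl/crl.pem -config ./openssl.cnf 2>/dev/null; }
# cert_status: "valid" if the cert chains to the CA and is absent from the current CRL
cert_status() {
  if openssl verify -crl_check -CAfile ca-cert.pem -CRLfile crl/crl.pem "$1" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}
issue_crl; BEFORE=$(cert_status server.cert)            # valid
openssl ca -revoke newcerts/1000.pem -config ./openssl.cnf 2>/dev/null
issue_crl; AFTER=$(cert_status server.cert)             # rejected: CRL now lists it
echo "before revoke: $BEFORE, after revoke: $AFTER; index.txt: $(grep -c '^R' index.txt) revoked"
```

Until the fresh CRL is regenerated and distributed, clients keep accepting the revoked certificate, which is why the last step of the page's procedure matters.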
