Creating a Certificate Authority
aka "Using X.509 Certificates" AND "IPSec with Kame ipsec-tools"

3/3/2005
Eric Low

X.509 certificates are those same crazy certificates used in SSL. Trusted third-party Certificate Authorities (CAs) such as Verisign and Thawte sign the server's certificate, which enables us all to establish a secure connection through our internet browser.

In some cases, however, you may wish to be your own CA, signing and/or revoking your own certificates, for instance, when setting up a VPN.

First, here's the low-level stuff for setting up IPSec:

First, download ipsec-tools from http://ipsec-tools.sourceforge.net/


Untar, then cd into that directory and run:
./configure --with-kernel-headers=/lib/modules/2.6.10/build/include

When I did this, I got the error, configure: error: C++ preprocessor "/lib/cpp" fails sanity check.

I already had cpp installed, so that wasn't it, but I googled around and it looks like cpp might be dependent on the g++ package. I downloaded and installed libstdc++ and gcc-c++ (the former is dependent on the latter), and this time the configure script ran just fine.

Next, I ran make but got the following error:

gcc -I../../src/libipsec -include ../../src/include-glibc/glibc-bugs.h -I../../src/include-glibc -I../../src/include-glibc -g -O2 -Wall -Werror -Wno-unused -o setkey setkey.o parse.o token.o ../libipsec/.libs/libipsec.a -lresolv
token.o(.text+0x98d): In function `yylex':
/programs/ipsec-tools-0.5-rc1/src/setkey/token.c:1903: undefined reference to `yywrap'
collect2: ld returned 1 exit status
make[3]: *** [setkey] Error 1
make[3]: Leaving directory `/programs/ipsec-tools-0.5-rc1/src/setkey'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/programs/ipsec-tools-0.5-rc1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/programs/ipsec-tools-0.5-rc1'
make: *** [all] Error 2

It looked like a problem with the lexer, so I downloaded and installed flex, then ran the configure script and then make again. This time, I got the following error:

yacc -d ./cfparse.y
make[3]: yacc: Command not found
make[3]: *** [cfparse.h] Error 127
make[3]: Leaving directory `/programs/ipsec-tools-0.5-rc1/src/racoon'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/programs/ipsec-tools-0.5-rc1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/programs/ipsec-tools-0.5-rc1'
make: *** [all] Error 2

Well, looked to me like I needed a yacc! ;) I had my choice between Berkeley Yacc and Bison, so of course I chose to install Bison. I ran the configure script followed by make, and it worked like a charm! I now ran make install to put everything in its proper spot, and voila!!! ;) I

======= Kernel configuration for IPSec:

First, I made sure that all of the following options were selected in the kernel:

CONFIG_NET_KEY=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_TUNNEL=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y

CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_BLOWFISH=y

Sure, not all of these are required, but leaving any out would just ruin all the fun. Also, CONFIG_CRYPTO_AES can't even be shut off anymore these days. So don't worry about that one!

And of course, then I recompiled and installed the kernel. Figure that one out yourselves!

The typical way of setting up an IPSec tunnel is to first set up a security association and policy in /etc/setkey.conf and then implement it by running setkey -f /etc/setkey.conf. Then, an IKE daemon called racoon, part of the KAME tools suite, sets up IPSec connections as needed, which are defined in /etc/racoon/racoon.conf. The problem is, setkey and, in turn, racoon require the IP address of the client and server to be known ahead of time. Therefore, neither of these is easily used when the client is on a dynamic IP, which is what I need.

There is a perl script called racoon-tool which uses its own configuration file, /etc/racoon/racoon-tool.conf to dynamically create a /etc/racoon/racoon.conf file.

Unfortunately, this tool is not easy to find. I knew it was written by the Debian maintainer of ipsec-tools, so I downloaded the Debian version from http://packages.qa.debian.org/i/ipsec-tools.html. I downloaded the 0.5 version, then patched it with the 0.5-4.diff from that site. I installed it just like the normal version of ipsec-tools that I had installed first, as shown up above:

./configure --prefix=/usr --with-kernel-headers=/lib/modules/2.6.10/build/include
make
make install

I then got rid of the old version by typing rm /usr/local/sbin/racoon* and rm /usr/local/sbin/setkey. There was also an old version of setkey on the system, which I removed by typing rm /sbin/setkey. The install also didn't put all files in their proper places, such as the man files for racoon-tool and racoon-tool.conf, so I had to copy them manually:

cp *.8 /usr/local/man/man8
cp *.5 /usr/local/man/man5
cp racoon-tool.conf /etc/racoon
cp racoon-tool.pl /usr/sbin
chmod 755 /usr/sbin/racoon-tool.pl

The man page for racoon-tool can be found here, while the man page for racoon-tool.conf can be found here.

The man page for racoon can be found here, while the man page for racoon.conf can be found here.

The man page for setkey can be found here.

**** Note that racoon-tool does not really help you to set up your IPSec client on a dynamic IP.

 

Now, here is the certificate setup for creating a CA, as well as for a server and client.

All you will need to do all this is a copy of OpenSSL on your CA, your server, and your client. First off, create the CA. I did not want to use the default directory of ./demoCA, so I first edited /usr/share/ssl/openssl.cnf and changed the dir = ./demoCA line to dir = ./PRLinkCA ...unfortunately, CA still used the default directory of demoCA. Instead, after I first created the certificate, I simply renamed the directory and it seemed to work. This line must still be in place, however, if you want it to find the certificate signing requests as shown down below. I also wanted the key to be 2048 bits rather than 1024, so again I edited /usr/share/ssl/openssl.cnf and changed the default_bits = 1024 line to default_bits = 2048. Next, I created the CA by typing the following commands:

cd /usr/share/ssl/certs
/usr/share/ssl/misc/CA -newca
(an alternate command may be openssl req -new -keyout demoCA/private/cakey.pem -out newreq.pem -days 365)

*** Note that on some systems, the script may actually be named /usr/share/ssl/misc/CA.pl

# /usr/share/ssl/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 2048 bit RSA private key
................++++++
..............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Ann Arbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DataStat Inc.
Organizational Unit Name (eg, section) []:PR Link
Common Name (eg, YOUR name) []:PRLink.ca.datastat.com
Email Address []:elow@datastat.com

mv demoCA PRLinkCA
openssl x509 -in ./PRLinkCA/cacert.pem -days 1825 -out ./PRLinkCA/cacert.pem -signkey ./PRLinkCA/private/cakey.pem

Getting Private key
Enter PEM pass phrase:

That last line simply changes the expiration date of the CA certificate from 1 year, which is the default, to 5 years.

Your new certificate authority's public key will now be named /usr/share/ssl/certs/PRLinkCA/cacert.pem.
Your new certificate authority's private key will now be named /usr/share/ssl/certs/PRLinkCA/private/cakey.pem.

That is all it takes to create a Certificate Authority.
There is, of course, a lot more to the management aspect, such as revocation lists and such, that I'm not going to talk about here.

 

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Now, let's do the certificate setup for a client that will be communicating securely with the CA that we just created. Since we want to do two-way communication, we need to create a public/private key pair on both the client and the CA. We will sign the client's certificate as well as the CA's own certificate with the CA itself.

Next, I created a certificate signing request on both the client AND the server. First, on the client, I once again edited /usr/share/ssl/openssl.cnf and changed the default_bits = 1024 line to default_bits = 2048. I then created the actual request by typing the following commands:

cd /usr/share/ssl/certs
/usr/share/ssl/misc/CA -newreq
(an alternate command may be openssl req -new -keyout newkey.pem -out newreq.pem -days 360 -config /usr/share/ssl/openssl.cnf. This method also will not put your private key in with the request, which makes things easier)
Generating a 2048 bit RSA private key
.....+++
...............................................+++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Puerto Rico
Locality Name (eg, city) []:San Juan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DataStat Inc.
Organizational Unit Name (eg, section) []:PR Gateway
Common Name (eg, YOUR name) []:PRgateway.datastat.com
Email Address []:prgateway@datastat.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem


This created a file, newreq.pem, that contains not only a certificate request, but ALSO YOUR PRIVATE KEY. We're signing this key with our own CA, so we don't much care that our private key is in the request. However, if you were sending this request to a third party, take out the "-PRIVATE KEY-" section! They don't need it to sign your key, and damnit, you don't want them to have it! In fact, the only section they actually need in order to sign your key is "-CERTIFICATE REQUEST-".

Next, copy the created file, newreq.pem, to the /usr/share/ssl/certs directory on the CA that was created up above. If you put it in the wrong directory, such as the /usr/share/ssl/certs/PRLinkCA directory, you may receive an error similar to the following:

Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
newreq.pem: No such file or directory
24587:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('newreq.pem','r')
24587:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
Signed certificate is in newcert.pem

Make sure once again that you have changed the dir = ./demoCA line to dir = ./PRLinkCA in /usr/share/ssl/openssl.cnf. Now run the following command:

cd /usr/share/ssl/certs
/usr/share/ssl/misc/CA -sign
(an alternate command may be openssl ca -policy policy_anything -out newcert.pem -infiles newreq.pem)

Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Puerto Rico'
localityName :PRINTABLE:'San Juan'
organizationName :PRINTABLE:'DataStat Inc.'
organizationalUnitName:PRINTABLE:'Puerto Rico Gateway'
commonName :PRINTABLE:'prgateway.datastat.com'
emailAddress :IA5STRING:'prgateway@datastat.com'
Certificate is to be certified until Mar 3 21:58:29 2006 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Michigan, L=Ann Arbor, O=DataStat Inc., OU=Puerto Rico Link, CN=puertoricolink.ca.datastat.com/Email=elow@datastat.com
Validity
Not Before: Mar 3 21:58:29 2005 GMT
Not After : Mar 3 21:58:29 2006 GMT
Subject: C=US, ST=Puerto Rico, L=San Juan, O=DataStat Inc., OU=PR Gateway, CN=prgateway.datastat.com/Email=prdirector@datastat.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):

Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CB:5C:19:9B:E6:8A:8A:FE:0E:C4:FD:5E:DF:F7:BF:3D:A8:7C:08
X509v3 Authority Key Identifier:
keyid:01:BB:C6:33:BE:F5:9A:5E:B0:0C:5D:BD:41:E9:78:6C:54:AD:66:8E
DirName:/C=US/ST=Michigan/L=Ann Arbor/O=DataStat Inc./OU=Puerto Rico Link/CN=prlink.ca.datastat.com/Email=elow@datastat.com
serial:00

Signature Algorithm: md5WithRSAEncryption
Signed certificate is in newcert.pem

Don't worry about capturing the text that it outputs to the screen. The certificate will also be saved to the file /usr/share/ssl/certs/newcert.pem.

The CA saves all the signed certificates in the /usr/share/ssl/certs/demoCA/newcerts directory, with demoCA of course being whatever you had changed the CA's directory to.
Descriptive information about the signed/stored certificates is stored in /usr/share/ssl/certs/demoCA/index.txt.

If, when you try to sign the certificate, you receive the error TXT_DB error number 2, it is because you have already signed this certificate (or one with the same common name). Go into your index.txt file, then try to sign it again. The error should be gone.

Copy this file, newcert.pem, to the computer on which you originally generated the request.

Now, you need two files to be present on the client to use IPSec. The first is newreq.pem, which contains both the Certificate Signing Request (CSR) and the encrypted private key. The second is newcert.pem, which is the request that has been signed by the CA. Rename these, for example, mv newreq.pem PRLinkKey.pem and mv newcert.pem PRLinkCert.pem. Be sure to chmod 644 them as well. Then, put these in the /usr/share/ssl/certs/ directory on the client, and ensure that the following line in /etc/racoon/racoon.conf points to the right directory:

path certificate "/usr/share/ssl/certs";

Then, change to the /usr/share/ssl/certs/ directory and type the following command:

ln -s PRLinkCert.pem `openssl x509 -noout -hash < PRLinkCert.pem`.0

This will take a hash of the filename and create a symbolic link with the name of that hash, adding an extension of .0. OpenSSL needs this, and I have no idea why. Just do it. :P

 

Once all of that is present on the client, you may delete the CSR, newreq.pem, from the CA computer.

 

 

***Public key file required on server? how to export from newreq/newcert on client?

There is a perl module, csp, that can be used to help simplify all your work with keys. Worth taking a look anyhow!

PKCS12 Certificates are a combination of the public certificate, the private certificate, and the root certificate. Typically distributed to people with whom you wish to exchange encrypted emails or encrypted files. ***Is this for browsers too? Is used in Apache.

openssl x509 -noout -text -in newcert.pem will let you view the details of a trusted key. Will not work on newreq.pem because it is not yet signed.

To remove the password from your private key, try openssl rsa -in newreq.pem -out keyunsecure.pem. Don't do this unless you absolutely have to for whatever reason.
You may type openssl x509 -in newcert.pem -out newcertx509.pem to remove everything but the actual certificate section from your signed key. This may also remove the password and keep it in x509 format, but I'm fuzzy on this. This can also be done with a text editor by taking out the unneeded lines.

Rename keys on the client for better organization:

# mv newcert.pem fc3cServerCert.pem
# mv newreq.pem fc3cServerPrivateKeyCR.pem
# cp fc3cServerPrivateKeyCR.pem fc3cServerPrivateKey.pem
# Edit fc3cServerPrivateKey.pem and remove the lower part of the certificate request in the file. Only leave the encrypted private key content.
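
The warning earlier about stripping the "-PRIVATE KEY-" section before sending newreq.pem to a third party, and the manual edit in the renaming steps just above, both come down to pulling one PEM block out of the combined file. The script below is an added example, not part of the original page: pem_block, split_request and make_sample are hypothetical helper names, and the PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# pem_block FILE LABEL
# Print every PEM block in FILE whose label ends in LABEL (so 'PRIVATE KEY'
# also matches 'RSA PRIVATE KEY'). Text outside the blocks is dropped.
pem_block() {
    awk -v pat="$2" '
        /^-----BEGIN / { keep = ($0 ~ ("^-----BEGIN ([A-Z0-9]+ )*" pat "-----$")) }
        keep           { print }
        /^-----END /   { keep = 0 }
    ' "$1"
}

# split_request COMBINED CSR_OUT KEY_OUT
# Write the request to CSR_OUT and the private key to KEY_OUT (mode 600).
# Fails if there is no request, or if key material ended up in CSR_OUT.
split_request() {
    src=$1 csr=$2 key=$3
    # Create the key file owner-only from the first byte written.
    ( umask 077; pem_block "$src" 'PRIVATE KEY' > "$key" )
    chmod 600 "$key"
    [ -s "$key" ] || echo "warning: no private key found in $src" >&2
    pem_block "$src" 'CERTIFICATE REQUEST' > "$csr"
    if [ ! -s "$csr" ]; then
        echo "no certificate request in $src" >&2
        rm -f "$csr"
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "refusing: $csr still contains key material" >&2
        rm -f "$csr"
        return 1
    fi
    return 0
}

# make_sample FILE: constructed stand-in for the newreq.pem that CA -newreq
# writes (encrypted key first, request below it). Bodies are placeholders.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

AAAAconstructedSampleNotARealKeyAAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
AAAAconstructedSampleNotARealRequestAAAA
-----END CERTIFICATE REQUEST-----
EOF
}

# Demo on the constructed file.
tmp=$(mktemp -d)
make_sample "$tmp/newreq.pem"
split_request "$tmp/newreq.pem" "$tmp/request-only.pem" "$tmp/PRLinkKey.pem" &&
    echo "request-only.pem holds $(grep -c '^-----BEGIN' "$tmp/request-only.pem") block(s), no key"
rm -rf "$tmp"
```

Only request-only.pem leaves the machine; the key file stays where it was generated.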

Good article about what all these damned key concepts actually mean: http://www.pseudonym.org/ssl/wwwj-index.html

openssl req -new -x509 -keyout demoCA/private/CAkey.pem -out demoCA/private/CAcert.pem -config /usr/share/ssl/openssl.cnf should create a new self-signed certificate in one fell swoop?

openssl ca -gencrl -config /usr/share/ssl/openssl.cnf -out $SSLDIR/crl/crl.pem will create a certificate revocation list.

openssl ca -revoke compromised_cert.pem will revoke a particular certificate. If you need the name of the cert, look in your index.txt file. After this command is issued, run openssl ca -gencrl -out crl.pem once again to recreate the list. In addition, you must create a linked hashname for the crl file by typing ln -s crl.pem `openssl crl -noout -hash < crl.pem`.r0 ***Notice that the extension is .r0 rather than just .0!

(from http://www.sqlexpress.net/xb2net/SSL_FAQ.htm):

Here are some additional examples of using the OpenSSL command line utility:

Display OpenSSL version information:
openssl version

Remove the password phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem

Encrypt a private key using triple DES:
openssl rsa -in key.pem -des3 -out keyout.pem

Print out the components of a private key:
openssl rsa -in key.pem -text -noout

To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem

Convert a private key from PEM to DER format:
openssl rsa -in key.pem -outform DER -out keyout.der

Convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

Verify a certificate:
openssl verify -purpose any cert.pem

 

(from http://64.233.167.104/search?q=cache:klfPJhb6FNEJ:www.xs4all.nl/~dorus/linux/openssl.html+distribute+public+key+x509&hl=en&client=firefox-a)

Step 3. Create a public/private key pair and a certificate


Generate a public/private key pair for a host called Zaphod

>openssl genrsa -des3 -out zaphod-key.pem 2048


Create CSR for the public key of Zaphod

>openssl req -new -key zaphod-key.pem -out zaphod-csr.pem
country name: NL
state or province: ZH
locality: Voorschoten
organization: ACME Inc.
organizational unit:
common name: zaphod
email address: admin@zaphod.acme.com
challenge password:
optional company name:


Use your CA to sign the CSR of Zaphod

Use policy "policy_anything" for the signing of the request.

>openssl ca -in zaphod-csr.pem -out zaphod-crt.pem -days 1825 -policy policy_anything

Note: Make sure that the validity of the signed certificate doesn't exceed the validity time of the CA certificate.

* The CSR file is not important anymore after these steps.
* Freely distribute the certificate file zaphod-crt.pem.
* Keep the public/private key file zaphod-key.pem in a very secure place !!!

So, in a nutshell:

[newCA]# vi /usr/share/ssl/openssl.cnf

(Change the line that reads dir = ./demoCA to dir = ./PRLinkCA)

[newCA]# cd /usr/share/ssl/certs
[newCA]# /usr/share/ssl/misc/CA -newca
[newCA]# mv demoCA PRLinkCA
[newCA]# openssl x509 -in ./PRLinkCA/cacert.pem -days 1825 -out ./PRLinkCA/cacert.pem -signkey ./PRLinkCA/private/cakey.pem
[newCA]# ln -s ./PRLinkCA/cacert.pem `openssl x509 -noout -hash <./PRLinkCA/cacert.pem`.0
[newCA]# cp ./PRLinkCA/cacert.pem /media/floppy

(carry floppy from CA computer to client computer)

[client]# cp /media/floppy/cacert.pem PRLinkCA.pem
[client]# ln -s PRLinkCA.pem `openssl x509 -noout -hash < PRLinkCA.pem`.0
[client]# openssl req -new -keyout newkey.pem -out newreq.pem -days 360 -config /usr/share/ssl/openssl.cnf
[client]# cp newreq.pem /media/floppy

(carry floppy from client computer to CA computer)

[newCA]# cp /media/floppy/newreq.pem /usr/share/ssl/certs
[newCA]# /usr/share/ssl/misc/CA -sign
[newCA]# rm newreq.pem
[newCA]# mv newcert.pem PRGatewayCert.pem
[newCA]# chmod 644 PRGatewayCert.pem
[newCA]# cp PRGatewayCert.pem /media/floppy

(carry floppy from CA computer to client computer)

[client]# cp /media/floppy/PRGatewayCert.pem /usr/share/ssl/certs
[client]# mv newkey.pem PRGatewayKey.pem
[client]# chmod 644 *.pem
[client]# ln -s PRGatewayCert.pem `openssl x509 -noout -hash < PRGatewayCert.pem`.0

(Now switch back to the CA to create a public/private pair so that it can be the client (you need this for two-way communication!))

[newCA]# openssl req -new -keyout newkey.pem -out newreq.pem -days 360 -config /usr/share/ssl/openssl.cnf
[newCA]# /usr/share/ssl/misc/CA -sign
[newCA]# mv newkey.pem PRLinkKey.pem
[newCA]# rm newreq.pem
[newCA]# mv newcert.pem PRLinkCert.pem
[newCA]# chmod 644 PRLink*.pem
[newCA]# cp PRLinkCert.pem /media/floppy
[newCA]# ln -s PRLinkCert.pem `openssl x509 -noout -hash < PRLinkCert.pem`.0

(carry floppy from CA computer to client computer)

[client]# cp /media/floppy/PRLinkCert.pem /usr/share/ssl/certs
[client]# chmod 644 PRLinkCert.pem

 

 

 

 

 

**** chmod 600 private key?
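
The steps in this walkthrough run chmod 644 on every .pem file, private keys included, which is what the question above is getting at. This added example (not from the original page) lists the key-bearing .pem files in a directory that group or other can access and tightens only those to 600. key_state, audit_keys, lock_keys and make_sample_dir are hypothetical names, the sample files are constructed, GNU stat is assumed, and it assumes the daemon that reads the keys runs as the file owner.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# key_state FILE: print "none", "encrypted" or "plaintext".
key_state() {
    if ! grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo none
    elif grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                 -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted            # passphrase-protected key
    else
        echo plaintext            # e.g. after "openssl rsa -in ... -out ..."
    fi
}

# audit_keys DIR
# One line per *.pem holding a private key: "<mode> <state> <verdict> <file>".
# Verdict is EXPOSED when group or other has any permission bit set.
# The return status is the number of exposed keys (0 means clean).
audit_keys() {
    exposed=0
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        state=$(key_state "$f")
        [ "$state" = none ] && continue     # certificates are public, 644 is fine
        mode=$(stat -L -c %a "$f")          # GNU coreutils stat (Linux)
        case $mode in
            *00) verdict=ok ;;
            *)   verdict=EXPOSED; exposed=$((exposed + 1)) ;;
        esac
        echo "$mode $state $verdict $f"
    done
    return "$exposed"
}

# lock_keys DIR: chmod 600 every *.pem that holds a key, leave certificates alone.
lock_keys() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        [ "$(key_state "$f")" = none ] || chmod 600 "$f"
    done
}

# make_sample_dir DIR: constructed files named after the ones on this page.
make_sample_dir() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructedSample' \
        '-----END CERTIFICATE-----' > "$1/PRGatewayCert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        '' 'constructedSample' '-----END RSA PRIVATE KEY-----' > "$1/PRGatewayKey.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructedSample' \
        '-----END RSA PRIVATE KEY-----' > "$1/keyunsecure.pem"
    chmod 644 "$1"/*.pem        # the state "chmod 644 *.pem" leaves behind
}

# Demo on the constructed directory.
d=$(mktemp -d)
make_sample_dir "$d"
audit_keys "$d" || echo "exposed keys: $?"
lock_keys "$d"
audit_keys "$d" && echo "all private keys are owner-only"
rm -rf "$d"
```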

 

     Downloads:

 

sshd SSHD startup script, goes in /etc/rc.d/init.d/ directory.
sshd_config   My SSHD configuration file, /usr/etc/sshd_config
putkeys   my /logins/keys/putkeys script to put users' RSA keys in the appropriate places.
keyconfig   /logins/keys/keyconfig configuration file for my putkeys script.