Certificates

We can consider buying a legitimate certificate, rather than home-brew ones:

You need a key and a certificate to operate your secure server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two?

A CA-signed certificate provides two important capabilities for your server:

• Browsers (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.
• When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is providing the webpages to the browser.

says RedHat.

The certificate used for LDAP is located at /etc/openldap/root_dn.crt. Do we use the same certificate for everything? If that's only for LDAP then there's no benefit to buying one from an authority, because we're the ones that copy it to each client.

To resign a certificate

To resign a certificate use these two commands:

openssl req -new -key www.physics.unh.edu.key -out www.physics.unh.edu.csr

openssl x509 -req -days 3652 -in www.physics.unh.edu.csr -signkey www.physics.unh.edu.key -out www.physics.unh.edu.crt

Find out what the certificate is

openssl x509 -text -in root_dn.crt

This will print the certificate in text form.

Simple steps to create a self signed certificate

Useful Info:

This is probably a total hack. WARNING NOT FINISHED WITH THIS.

Some Centos info here: http://www.tecmint.com/enable-ssl-for-apache-on-centos/ and here: http://www.server-world.info/en/note?os=CentOS_5&p=ssl

The problem with RedHat info is that it is all "magic GUI" stuff that does not tell you what is happening. Not useful.

Somewhat Useful:

• https://www.unicore.eu/documentation/manuals/unicore6/files/pki-0.2.pdf
• https://evilshit.wordpress.com/2013/06/19/how-to-create-your-own-pki-with-openssl/
• For LDAP TLS certificate (does not say how to generate): http://www.openldap.org/doc/admin24/tls.html
• For LDAP, how to create the certificate: http://www.openldap.org/faq/data/cache/185.html Note CA.sh is not part of our openssl

Create the ROOT certificate

We work in /etc/pki directory and follow the steps from https://www.unicore.eu/documentation/manuals/unicore6/files/pki-0.2.pdf

mkdir -p -m0700 CA/{csr,certs,crl,private,newcerts}

touch CA/index.txt

echo 01 > CA/serial

dd if=/dev/urandom of=CA/private/.rand bs=1k count=16

cp /etc/pki/tls/openssl.cnf /etc/pki/ca-cert.cnf # Edit this file to fix the location stuff and set the rootcert properly

cd CA/

openssl genrsa -aes256 -out private/cakey.pem -rand private/.rand 4096

export OPENSSL_CONF=/etc/pki/ca-cert.cnf

openssl req -new -x509 -sha1 -days 3650 -key private/cakey.pem -out ca.crt # Use old root password without fl$ for pass phrase.

TLS certificate for LDAP

We will work in the /etc/pki directory, even though we are not going to run the pki-ca deamon.

cd /etc/pki/tls/certs

Create a new certificate key. This key is not properly signed. For pass phrase on einstein, I used the old root password without the fl$ prefix.

/usr/bin/openssl genrsa -aes256 2048 > einstein.unh.edu.key

Create the csr:

openssl req -new -key einstein.unh.edu.key -out einsein.unh.edu.csr -subj '/DC=edu/DC=unh/DC=physics/CN=root'

Sign it with the local ROOT CA:

openssl ca -policy policy_anything -days 3650 -preserveDN -in einstein.unh.edu.csr -out einstein.unh.edu.crt

Change the name option:

openssl x509 -nameopt RFC2253 -subject -noout -in einstein.unh.edu.crt

General Certificate

Create a new certificate key. This key is not properly signed. For pass phrase on einstein, I used the old root password without the fl$ prefix.

/usr/bin/openssl genrsa -aes256 2048 > einstein.unh.edu.key

Instead of -aes256 you can also specify -des3. The 2048 is the number of bits. On RedHat 6+ you can use:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out $cert.key

Now we can create the csr file (certificate request):

openssl req -new -key einstein.unh.edu.key -out einstein.unh.edu.csr

Provide the pass phrase specified before, and fill in the questions:

-----

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:New Hampshire

Locality Name (eg, city) [Newbury]:Durham

Organization Name (eg, company) [My Company Ltd]:University of New Hampshire

Organizational Unit Name (eg, section) []:Physics Department

Common Name (eg, your name or your server's hostname) []:Einstein

Email Address []:root@einstein.unh.edu

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Now, finally, you can sign that request yourself:

For the LDAP csr, you may want to specify the subj.

OBSOLETE AND WRONG: Aaron's fantastic certificate stuff

Fantastic, except, it does not work, and nothing is explained, so it really is not so fantastic at all.

Aaron stopped by for a power cable, and we made him pay for it by telling us that roentgen is our Certificate Authority.

To make a new certificate for a machine ("rood_dn" is the hostname of the server the cert is for):

1. log onto roentgen
2. cd /usr/share/ssl/certs
3. if a certificate already exists for that machine:
   1. revoke it with openssl ca -revoke root_dn.crt
   2. move it to the old folder
4. make root_dn.csr
5. openssl req -new -key root_dn.key -out root_dn.csr -subj '/DC=edu/DC=unh/DC=physics/CN=root'
6. openssl ca -policy policy_anything -days 3650 -preserveDN -in root_dn.csr -out root_dn.crt
7. openssl x509 -nameopt RFC2253 -subject -noout -in /root/.ssl/root_dn.crt
8. copy these newly generated crt, csr, and key files to /etc/openldap/cacerts/ on the machine they were generated for