wiki:certAuth

Creating an ENIB Certificate Authority

I used the following pages as references:

To simplify certificate management, we can create a certificate authority (CA) that signs all the other certificates.

Creating the trusted authority

We use CA.pl (/usr/lib/ssl/misc/CA.pl):

CA.pl -newca

This generates a certificate authority valid for 365 days (the validity period cannot be changed when using CA.pl).
We regenerate the authority with a longer validity:

>cd demoCA
>openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650

Then all that remains is to distribute the cacert.pem file to every browser or every server.

Generating a certificate for a server

CA.pl -newreq

Signing the certificate with the trusted authority

CA.pl -signreq
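The three CA.pl steps above (create the authority, make a request, sign it) are a thin wrapper around plain openssl commands. The script below is an added example, not code from the original page or from CA.pl: it performs the same steps with openssl directly, using the longer validity from the start, and then checks that the issued server certificate really chains to the CA. The directory ./demoCA-example, the subject names and the hostname www.example.org are constructed for the demo; CA.pl itself works in ./demoCA.

```shell
#!/bin/sh
# Added example, not code from the original page: the CA.pl steps above done
# with plain openssl commands, then a check that the result is a working CA.
# The directory (./demoCA-example), subject names and hostname are constructed
# for the demo; CA.pl itself uses ./demoCA.
set -eu

CA_DIR="${CA_DIR:-./demoCA-example}"
CA_DAYS=3650            # CA.pl -newca only gives 365 days
SERVER_DAYS=365
SERVER_FQDN="www.example.org"   # constructed hostname, also in server_ext below

# Minimal config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
C  = FR
O  = Example Org
CN = Example Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.org
EOF
}

# CA.pl -newca equivalent, with the longer validity from the start.
# -nodes leaves the CA key unencrypted only so the demo runs unattended;
# a real CA key should stay pass-phrase protected.
make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    chmod 700 "$CA_DIR/private"
    write_config
    openssl req -new -x509 -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -days "$CA_DAYS" 2>/dev/null
}

# CA.pl -newreq (key + CSR) followed by CA.pl -signreq (CA-signed certificate).
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
        -subj "/C=FR/O=Example Org/CN=$SERVER_FQDN" \
        -keyout "$CA_DIR/newcerts/server.key" \
        -out "$CA_DIR/newcerts/server.csr" 2>/dev/null
    openssl x509 -req -in "$CA_DIR/newcerts/server.csr" \
        -CA "$CA_DIR/cacert.pem" -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial \
        -days "$SERVER_DAYS" -extfile "$CA_DIR/openssl.cnf" -extensions server_ext \
        -out "$CA_DIR/newcerts/server.pem" 2>/dev/null
}

# 0 when the server certificate chains to cacert.pem (what a browser or
# server holding cacert.pem will check).
verify_chain() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/newcerts/server.pem" >/dev/null
}

# 0 when the CA certificate is still valid more than a year from now,
# i.e. -days 3650 took effect (the 365-day CA.pl default would fail this).
ca_outlives_one_year() {
    openssl x509 -noout -checkend $((366 * 86400)) -in "$CA_DIR/cacert.pem" >/dev/null
}

make_ca
issue_server_cert
verify_chain && echo "server.pem verifies against $CA_DIR/cacert.pem"
```

The server certificate carries a subjectAltName, which current browsers require; CA.pl's default request does not add one, so if you stay with CA.pl you need a req_extensions section in openssl.cnf for that. Note that regenerating the CA key as in the "cd demoCA" step above invalidates any certificate the old key had already signed, so do it before issuing anything.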

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason this dialog pops up at startup and at every restart is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

  1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

  2. Make sure the server.key file is only readable by root:

$ chmod 400 server.key

Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

As an alternative approach you can use the SSLPassPhraseDialog exec:/path/to/program facility. Bear in mind that this is neither more nor less secure, of course.
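The following script is an added example, not code from the original page or from the Apache documentation. It wraps the two steps above in a function and then checks the three things the text asks for: that the key now loads with no pass-phrase, that it is still the same key as the encrypted original, and that the file is readable by its owner only. The scratch directory ./keytest-example and the pass-phrase are constructed for the demo; the -passin option is only there so the demo runs unattended, in real use you omit it and let openssl prompt.

```shell
#!/bin/sh
# Added example, not code from the original page: the two steps above as a
# function, plus checks that the result is what the text requires (loads with
# no pass-phrase, same key as before, readable by the owner only). The scratch
# directory and the pass-phrase are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-./keytest-example}"
DEMO_PASS="constructed demo pass-phrase"

# Stand-in for the existing encrypted server.key.
make_encrypted_key() {
    mkdir -p "$WORKDIR"
    openssl genrsa -aes256 -passout "pass:$DEMO_PASS" \
        -out "$WORKDIR/server.key" 2048 2>/dev/null
}

# Keep the encrypted original as <key>.org and write the plaintext copy in its
# place. umask 077 means the plaintext file is never world-readable, not even
# between the openssl write and the chmod.
strip_passphrase() {   # $1 = key file
    cp "$1" "$1.org"
    ( umask 077
      # -passin is only here so the demo runs unattended; omit it and openssl
      # prompts for the pass-phrase as the text above describes.
      openssl rsa -in "$1.org" -passin "pass:$DEMO_PASS" -out "$1" 2>/dev/null )
    chmod 400 "$1"
}

# 0 when the key parses with no pass-phrase at all (what Apache needs at start).
key_is_unencrypted() {
    if grep -q ENCRYPTED "$1"; then return 1; fi
    openssl rsa -in "$1" -passin pass: -noout -check >/dev/null 2>&1
}

# 0 when the file is mode 0400 exactly (POSIX find -perm without a leading
# '-' is an exact match, so the group and other bits must all be clear).
key_is_owner_read_only() {
    [ -n "$(find "$1" -perm 0400 -print)" ]
}

# 0 when the decrypted file holds the same RSA key as the encrypted original.
same_key() {   # $1 = encrypted key, $2 = decrypted key
    a=$(openssl rsa -in "$1" -passin "pass:$DEMO_PASS" -noout -modulus 2>/dev/null)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

make_encrypted_key
strip_passphrase "$WORKDIR/server.key"
key_is_unencrypted "$WORKDIR/server.key" && echo "server.key now loads without a pass-phrase"
```

The umask in a subshell is the part worth copying into a real procedure: "openssl rsa -out" creates the output file with your normal umask, so without it the plaintext key is briefly world-readable before the chmod runs.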

Adding a cert to OpenSSL

Once the certificate is in PEM format and you know there's only one certificate in the file, you need to verify it. First up, find the fingerprint for the CA from a trusted source (and I can't stress this one enough). Now, calculate the fingerprint for the certificate you've downloaded, and ensure they're the same. To find the fingerprint, use:

openssl x509 -noout -fingerprint -in ca-certificate-file

Assuming they match (if they don't, you've either done something wrong, or it's time to start panicking), we can install the certificate. Do this as root (and now would be an ideal time to check that you need to be root - only root should have write access, but the certs directory needs to be world readable). Copy your CA certificate to <ssl-base-dir>certs/ and find out its hash. OpenSSL looks for certificates using an 8 byte hash value. Calculate it with:

openssl x509 -noout -hash -in ca-certificate-file

In order for OpenSSL to find the certificate, it needs to be looked up as its hash. Normally, you would create a symbolic link for a meaningful name of the CA to the hash value, rather than renaming the CA certificate. Ideally, create a symbolic link (or hard link if you must, but symbolic ones usually make spotting which hash is which certificate name that bit easier). The symbolic link must be for the hashed value above plus ".0" - if you forget the .0 then OpenSSL won't detect it, and you'll get lots of errors. Thus, I have for the current Oxford University CA: dbed1725.0 pointing to oxford-ca.pem (dbed1725 is the hash of the CA certificate)

For the lazy amongst you, you might opt for the following (the command substitution computes the hash and appends the ".0"):

ln -s my_ca.crt $(openssl x509 -hash -noout -in my_ca.crt).0
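The whole procedure of this section, as an added example that is not code from the original page: compare the downloaded certificate against a fingerprint obtained out of band, install it under the hash-named link, and prove that OpenSSL can find it through that link. It goes slightly beyond the text in two ways: it uses -subject_hash, which is what -hash means on OpenSSL 1.0 and later (the hash value is 8 hexadecimal characters; pre-1.0 clients use a different algorithm, available as -subject_hash_old), and it picks the next free suffix (.1, .2, ...) when a different CA already occupies <hash>.0, since two CAs can share a subject hash. The directories ./catest-example and ./certs-example and the self-signed "downloaded" CA are constructed for the demo; ./certs-example stands in for <ssl-base-dir>certs/.

```shell
#!/bin/sh
# Added example, not code from the original page: verify a downloaded CA
# certificate against a fingerprint obtained out of band, then install it under
# the hash-named link OpenSSL expects and prove the lookup works. The directories
# and the self-signed "downloaded" CA are constructed for the demo; CERTS_DIR
# stands in for <ssl-base-dir>/certs.
set -eu

WORK="${WORK:-./catest-example}"
CERTS_DIR="${CERTS_DIR:-./certs-example}"

# Constructed stand-in for the CA certificate you downloaded.
make_demo_ca() {
    mkdir -p "$WORK"
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ext' 'prompt = no' \
        '[ dn ]' 'CN = Demo CA' '[ ext ]' 'basicConstraints = critical, CA:TRUE' \
        'subjectKeyIdentifier = hash' > "$WORK/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/demo.cnf" \
        -keyout "$WORK/demo-ca.key" -out "$WORK/demo-ca.pem" 2>/dev/null
}

# SHA-256 fingerprint, colon-separated hex as most CAs publish it. Compare it
# to the value you got from a trusted source, not from the same download.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# 0 only when the file matches the trusted fingerprint.
verify_fingerprint() {   # $1 = trusted fingerprint, $2 = certificate file
    [ "$(fingerprint "$2")" = "$1" ]
}

# The lookup hash: 8 hex characters derived from the subject name. -subject_hash
# is what -hash means on OpenSSL 1.0+; pre-1.0 clients need -subject_hash_old.
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Copy the certificate into CERTS_DIR and create <hash>.N -> <name>, where N is
# the first free slot; another CA with the same subject hash keeps its own slot.
install_ca() {   # $1 = certificate file, $2 = file name to use in CERTS_DIR
    mkdir -p "$CERTS_DIR"
    cp "$1" "$CERTS_DIR/$2"
    chmod 644 "$CERTS_DIR/$2"      # world-readable, writable by the owner only
    h=$(cert_hash "$1")
    i=0
    while [ -e "$CERTS_DIR/$h.$i" ] && ! cmp -s "$CERTS_DIR/$h.$i" "$CERTS_DIR/$2"; do
        i=$((i + 1))
    done
    [ -e "$CERTS_DIR/$h.$i" ] || ln -s "$2" "$CERTS_DIR/$h.$i"
    echo "$h.$i"
}

# 0 when OpenSSL finds the CA through the hash link (-CApath, not -CAfile).
lookup_works() {   # $1 = a certificate issued by, or equal to, the installed CA
    openssl verify -CApath "$CERTS_DIR" "$1" >/dev/null 2>&1
}

make_demo_ca
# In real use TRUSTED_FP comes from the CA's published page or a colleague, not
# from the file being checked; it is computed here only so the demo can run.
TRUSTED_FP=$(fingerprint "$WORK/demo-ca.pem")
if verify_fingerprint "$TRUSTED_FP" "$WORK/demo-ca.pem"; then
    link=$(install_ca "$WORK/demo-ca.pem" demo-ca.pem)
    echo "installed as $CERTS_DIR/$link"
fi
```

The lookup_works check is the one that catches the forgotten ".0" the text warns about: with -CApath OpenSSL only finds the CA through the hash-named link, so a missing or misnamed link shows up as a verification failure straight away rather than as "lots of errors" later.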