Certificates

From Egbert's Wiki
Jump to navigation Jump to search

Key generation and server certificate request.

Several server and client software can use certificates. I use CAcert certificates since I'm a certifier myself and hold enough 'points' to issue client and server certificates for private use. See www.cacert.org. Login with username (email address) and password or certificate once it is installed in the browser.

Openssl can be used for all kind of certificate tasks. In Mnadriva Linux a handy Makefile is available in /etc/pki/tls/certs. Give 'make' on the connamd line to see a list of ways it can be used.

To request a certificate, create a Certificate Request first:

# openssl req -nodes -new -keyout server.key -out server.csr

or in two steps:
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr

Then the system will try to generate some very random numbers to get a secure key. This key should be safely stored in /etc/pki/tls/private (default location in Mandriva Linux). The file should be owned by root and be given 600 access. This key can later be used to request other certificates.

Generating a 1024 bit RSA private key
...++++++
....++++++
writing new private key to 'server.key'

You will then be asked to enter information about your company into the certificate. Below is a valid example:

Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [NSW]:ZH
Locality Name (eg, city) [Sydney]:SCHIPLUIDEN
Organization Name (eg, company) [XYZ Corp]:THUIS
Organizational Unit Name (eg, section) [Server Administration]:IT
Common Name (eg, YOUR name) []:www.vandenbussche.nl (or server.vandenbussche.nl) This must be the name the clients use to contact the server.
Email Address []:egbert@vandenbussche.nl

Finally you will be asked information about 'extra' attribute, you simply hit enter to both these questions.

Remark: As already stated, the certificate should carry a CN *identical* to the name used by the client in connecting to the server. When you have a certificate for email 'server.vandenbussche.nl', use this name in the email client account settings. Using an existing alias like 'pop3.vandenbussche.nl' will give a certificate mismatch. When generating a client certificate to sign and encrypt email messages use your full name as CN.

Next step is that you submit the contents of server.csr to the CAcert website, it should look *EXACTLY* like the following example otherwise the server may reject your request because it appears to be invalid.

-----BEGIN CERTIFICATE REQUEST-----
MIIBezCB5QIBADA8MRcwFQYDVQQDEw53d3cuY2FjZXJ0Lm9yZzEhMB8GCSqGSIb3
DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
...
2SgVqHFrOisItrr7H0Dw2EcPhIrRokRdjIAwwlxG9v21eFaksZUiaP5Yrmf89Njk
HV+MZXxbC71NIKrnZsDhHibZslICh/XjdPP7zfKMlHuaaz1oVAmu9BlsS6ZXkVA=
-----END CERTIFICATE REQUEST-----

Once you've submitted it, the CAcert system will process your request and send an email back to you containing your server certificate. Save this block of text, exactly as it is, as server.crt in /etc/pki/tls/certs. This is nowadays the default location in Mandriva Linux.

Since no all applications (IE6/7, Thunderbird) have the CAcert root certificates (root and class3) installed yet, this must be installed by hand in these clients. Guidelines in the CAcert Wiki (HowTo Documents).

Postfix

During installation of the postfix rpm a self-signed certificate is created in /etc/postfix/tls. I preferred to keep the key and certificates in the /etc/pki/tls tree. Set the following variables in /etc/postfix/main.cf to reflect this:

# TLS PART START

smtp_tls_CAfile = /etc/pki/tls/certs/cacert_class3.crt
smtp_tls_cert_file = /etc/pki/tls/certs/server.crt
smtp_tls_key_file = /etc/pki/tls/certs/server.key
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_session_cache
#
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert_class3.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache

# TLS PART END

The 'smtp(d)_tls_CAfile' is used to define the intermediate class3 certificate. The CAcert root cert is already included in most Linux distro's and can be found in the file /etc/pki/tls/certs/ca-bundle.crt (together with much more root certificates) and in separate files in /etc/pki/tls/rootcerts.

Dovecot

Dovecot can use the same server.crt and server.key as Postfix. Again the intermediate class3 certificate needs to be defined.

##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =
ssl_listen = 

# Disable SSL/TLS support.
#ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/tls/certs/server.crt
ssl_key_file = /etc/pki/tls/certs/server.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching 
# CRL(s). CRL checking is new in dovecot .rc1
ssl_ca_file = /etc/pki/tls/certs/cacert_class3.crt

# Request client to send a certificate. If you also want to require it, set
# ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW

# Show protocol level SSL errors.
#verbose_ssl = no
verbose_ssl = yes

Restart Dovecot:

service dovecot restart

Connecting IMAP and POP3 clients must use the name in the certificate when connecting.

Email clients

Before email clients can send signed and/or encrypted messages a client certificate must be loaded. Often this must be done via a pkcs12 formatted certificate. This can be created again using openssl. First create the csr and use this to request a client certificate on CAcert.org.

# openssl req -nodes -new -keyout client.key -out client.csr

Go to CAcert.org, login and request a new client certificate. Submit the csr in the space provided. Save the returned block of data as client.crt.

# openssl pkcs12 -export -in client.crt -inkey ../private/client.key -out client.p12 -name "Egbert Jan van den Bussche"

See Client certificates for email clients on CAcert.org to see how to import the certificate into the client.

OpenSSH and certificates (server)

Assuming OpenSSH is installed, one of the most important steps is to create a keypair for authentication. There are two possible ways of creating the keys. The first way is to create the keys with puttygen (a program of the Windows putty family), upload the public key to your server and use the private key with putty. Because of some problems with this approach, I prefer the other way. This way creates the keypair with the OpenSSH tool ssh-keygen om Linux, downloads the private key to your Windows client and converts the private key to a putty-style private key.

Lets do this step by step: login to your server. (change "passphrase" to a secret keyword only you know)

ssh-keygen -b 1024 -t dsa -N passphrase -f mykey
ls -l mykey*

We just created a SSH2 DSA key with 1024 bit keyphrase. You will see two files. One named "mykey" and one named "mykey.pub". As you might guess, the .pub file is the public key file, the other is the private one.

Create a new directory in the users home directory, called ".ssh":

cd /home/myuser
mkdir .ssh

Then go to the directory where you created your keys and copy the public key to the .ssh user folder with the following command:

cp mykey.pub /home/myuser/.ssh/authorized_keys

or if you already have some keys in place:

cat mykey.pub >> /home/myuser/.ssh/authorized_keys

Please pay attention to the filename, it really must be "authorized_keys". Now download the private key file to your client computer. Remember, the file was "mykey"

SSH key generation and connection check (client)

Grab the tools we need for doing SSH on windows on this site: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Just go to the download section and get at least "Putty", "Plink", "Pageant" and "Puttygen" but the full Windows installer is even better.

In order to use the private key we get from the server, we have to convert it to a putty format. This is because the private key file format is not specified by some standard body. To do this we simple open "puttygen" and open the "conversions" menu and chose "Import Key". Then browse to your file "mykey" which you got from the server enter your provided passphrase upon creation of the key. Finally click "Save private key" and save the file as "mykey.PPK" somewhere on disk.

Now we are ready to use this key for the first time to test the connection. In order to do this, we open the program "putty" and create a new session like this:

Session->HostName: Hostname or IP Adress of your server
Session->Protocol: SSH
Session->Saved Sessions: MyConnection
SSH->Prefered SSH Protocol version: 2
SSH->Auth->Private Key file for auth: $PATH$\mykey.PKK (replace $PATH$ with real path to the mykey.PKK file)

Then go back to Session tab and hit "save" button. You will see "MyConnection" in the list of available connections.

Next click "open" and you should see a telnet login prompt. Use "myuser" as username (without double quotes of course) and if everything is OK, you don't have to provide a password to your system. If the system still requires a password, make sure you have added the key to "Pageant". Pageant should be visible in the system tray.