A/I Orange Book (1.0): An how-to for the realization of a resilient network of self-managed servers | ||
---|---|---|
Prev | Next |
For the management of the various SSL connection of users on servers, we have considered it useful to create our own Certification Authority: with it we can sign all the SSL certificates used by the servers and make them easily verifiable by users and servers alike.
Since we needed to implement some non-trivial features (as the possibility of having certificates valid for several different names on a single server), we have added this chapter to the documentation, detailing a short how-to others could find useful.
We will use the /opt/ca directory as a place where to keep and manage certificates:
$ export CADIR=/opt/ca $ mkdir -p $CADIRThen we have to create the directory structure and some files needed by a CA:
$ mkdir $CADIR/certs $ mkdir $CADIR/conf $ mkdir $CADIR/crls $ mkdir $CADIR/ext $ mkdir $CADIR/newcerts $ mkdir $CADIR/private $ chmod g-rwx,o-rwx private $ echo '01' > serial $ > indexThe serial file will include the next serial to be used, while the index file is a database of all the references to the certificate signed by the CA.
Now we have to create a basic configuration for our CA, for example the one used as a default by OpenSSL in our Debian sarge distribution in /etc/ssl/openssl.cnf.
Our CA will use the /opt/ca/conf/ca.conf configuration file. To have openssl use it correctly without constantly having to specifying it in the command line, we can simply export it in the OPENSSL_CONF variable.
$ export OPENSSL_CONF=$CADIR/conf/aica.conf
The content of the ca.conf is as follow:
RANDFILE = $ENV::CADIR/.random [ ca ] default_ca = CA_default [ CA_default ] dir = $ENV::CADIR certs = $dir/certs crl_dir = $dir/crl database = $dir/index new_certs_dir = $dir/newcerts certificate = $dir/ca.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/ca.key x509_extensions = certificate_extensions email_in_dn = no default_days = 3643 default_crl_days = 31 default_md = sha1 preserve = yes policy = policy_match [ policy_match ] countryName = supplied organizationName = supplied organizationalUnitName = optional commonName = supplied emailAddress = supplied [ policy_anything ] countryName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] default_bits = 4096 default_md = sha1 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca string_mask = nombstr [ req_distinguished_name ] countryName = Country Name countryName_default = IT countryName_min = 2 countryName_max = 2 0.organizationName = Organization Name 0.organizationName_default = Intra.Org organizationalUnitName = Organizational Unit Name organizationalUnitName_default = commonName = Common Name commonName_max = 64 emailAddress = Email Address emailAddress_max = 60 emailAddress_default = ca@infra.org SET-ex3 = SET extension number 3 [ req_attributes ] [ certificate_extensions ] [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = critical, CA:true keyUsage = cRLSign, keyCertSign nsCertType = sslCA, emailCA, objCA nsComment = "InfraCA" subjectAltName=email:copy issuerAltName=issuer:copy