Generating SSL certs with ACF 1.9: Difference between revisions
(→OpenSSL command line to create your CA: Moving a command to own row to make it more clear) |
m (Removed a hyperlink to a hypothetical URL.) |
||
| (10 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your vpn services.<BR> | You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your vpn services.<BR> | ||
But wouldn't it be nice to have some sort of way to... | But wouldn't it be nice to have some sort of way to... | ||
| Line 10: | Line 9: | ||
==Installation Process== | ==Installation Process== | ||
This will somewhat guide you through the process of creating this type of server.<BR>It is suggested to | This will somewhat guide you through the process of creating this type of server.<BR>It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. | ||
=== Prepare hardware and install Alpine === | === Prepare hardware and install Alpine === | ||
| Line 17: | Line 16: | ||
=== Install and configure ACF === | === Install and configure ACF === | ||
Install the web front end to Alpine Linux, called ACF. | Install the web front end to Alpine Linux, called ACF. You will be prompted to create the password for the ACF root user. | ||
/sbin/setup- | /sbin/setup-acf | ||
Install acf-openssl (ACF for openssl) | Install acf-openssl (ACF for openssl) | ||
| Line 29: | Line 28: | ||
== Configure == | == Configure == | ||
Start by browsing to your openvpn-server by entering https://{ipaddr}/ in your browser | Start by browsing to your openvpn-server by entering <nowiki>https://{ipaddr}/</nowiki> in your browser and login. The user is 'root' and the password is as entered above. | ||
=== Certificate Authority === | === Certificate Authority === | ||
| Line 43: | Line 34: | ||
It should give you a page with 'System info' and a lot of red error messages. | It should give you a page with 'System info' and a lot of red error messages. | ||
Click on the [Configure] button at the bottom of the page to generate some initial configuration. | |||
Click on the [Configure] button at the page | |||
Go to the {Edit Defaults} tab and enter the values you want to become default (this information appears when you are creating new certificate requests).<BR> | |||
Save your settings by clicking [Save]. | Save your settings by clicking [Save]. | ||
| Line 62: | Line 48: | ||
'''''Note:''' This action can only be done once. In the future, the {Status} page will show the CA-information.''<BR> | '''''Note:''' This action can only be done once. In the future, the {Status} page will show the CA-information.''<BR> | ||
''The [Generate] button | ''The [Generate] button will not exist any more.'' | ||
=== Request Form === | === Request Form === | ||
| Line 69: | Line 55: | ||
Fill in your values in the fields and finish your request with [Submit]. | Fill in your values in the fields and finish your request with [Submit]. | ||
Provided Fields: | Provided Fields (based upon the default cnf file): | ||
* Country Name (2 letter abreviation) | * Country Name (2 letter abreviation) | ||
* Locality Name (e.g. city) | * Locality Name (e.g. city) | ||
* Organization Name | * Organization Name | ||
* Common Name (eg, the certificate CN) | * Common Name (eg, the certificate CN) '''<<< This name should be unique for this certificate''' | ||
* Email Address | * Email Address | ||
* Multiple Organizational Unit Name (eg, division) | * Multiple Organizational Unit Name (eg, division) | ||
| Line 82: | Line 68: | ||
==== x509 extensions example ==== | ==== x509 extensions example ==== | ||
subjectAltName ="IP:192.168.1.1 | [ v3_req ] | ||
subjectAltName ="IP:192.168.1.1, DNS:*.alpinelinux.org, DNS:redmine.alpinelinux.com" | |||
=== View === | === View === | ||
The {View} tab gives you the possibility to | The {View} tab gives you the possibility to: | ||
* View/Approve/Delete pending certificate requests | * View/Approve/Delete pending certificate requests | ||
* View/Download/Renew/Revoke/Delete approved certificates | * View/Download/Renew/Revoke/Delete approved certificates | ||
| Line 97: | Line 83: | ||
==== Download the .pfx ==== | ==== Download the .pfx ==== | ||
For each approved certificate you can download | For each approved certificate you can download a .pfx file containing the certificate.<BR> | ||
With this .pfx you can extract the certs that you will need. | With this .pfx you can extract the certs that you will need. | ||
| Line 133: | Line 119: | ||
mv server.pem /etc/ssl/private | mv server.pem /etc/ssl/private | ||
mv cacert.pem /etc/ssl/ | mv cacert.pem /etc/ssl/ | ||
[[Category:Networking]] | |||
[[Category:ACF]] | |||
[[Category:Security]] | |||
Latest revision as of 22:20, 20 December 2021
You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your vpn services.
But wouldn't it be nice to have some sort of way to...
- create and manage certs
- view all the certs you have given to everyone
- revoke certs
- review the certificate before you issue it
- etc.
Alpine, via the ACF, has a nice web interface to use for this sort of job...
Installation Process
This will somewhat guide you through the process of creating this type of server.
It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates.
Prepare hardware and install Alpine
Start by setting up a box that will serve as your openvpn-server.
Please read 'Installing_Alpine' for instructions on how to do this.
Install and configure ACF
Install the web front end to Alpine Linux, called ACF. You will be prompted to create the password for the ACF root user.
/sbin/setup-acf
Install acf-openssl (ACF for openssl)
apk add acf-openssl
Now you should be ready to start browsing to your OpenVPN-server by using a web-browser at another computer.
Note: Assuming you have configured and attached this openvpn-server to a network.
Configure
Start by browsing to your openvpn-server by entering https://{ipaddr}/ in your browser and login. The user is 'root' and the password is as entered above.
Certificate Authority
Click on 'Certificate Authority' on the menu.
It should give you a page with 'System info' and a lot of red error messages.
Click on the [Configure] button at the bottom of the page to generate some initial configuration.
Go to the {Edit Defaults} tab and enter the values you want to become default (this information appears when you are creating new certificate requests).
Save your settings by clicking [Save].
Generate a certificate with ACF
Create the ca.crt
First we need to create the CA-certificate (this is the cert used when creating other certificates).
Now go to the {Status} tab.
Click [Generate] button to generate your CA-certificate.
The ca-certificate information will be displayed.
Note: This action can only be done once. In the future, the {Status} page will show the CA-information.
The [Generate] button will not exist any more.
Request Form
The {Request} form is used to create new certificate requests.
Fill in your values in the fields and finish your request with [Submit].
Provided Fields (based upon the default cnf file):
- Country Name (2 letter abreviation)
- Locality Name (e.g. city)
- Organization Name
- Common Name (eg, the certificate CN) <<< This name should be unique for this certificate
- Email Address
- Multiple Organizational Unit Name (eg, division)
- Certificate Type
- x509 extensions
Note: The x509 Etensions box should be formatted the same as if you were to fill out a section directly in openssl.cnf.
Section would be [v3_req]
x509 extensions example
[ v3_req ] subjectAltName ="IP:192.168.1.1, DNS:*.alpinelinux.org, DNS:redmine.alpinelinux.com"
View
The {View} tab gives you the possibility to:
- View/Approve/Delete pending certificate requests
- View/Download/Renew/Revoke/Delete approved certificates
- View/Delete revoked certificates
- Download list of revoked certs
Pending certificates
For a Pending request make sure to review the cert before approving it.
Once you have verified that all the information is correct, no mis-types or spelling mistakes Approve the request.
Download the .pfx
For each approved certificate you can download a .pfx file containing the certificate.
With this .pfx you can extract the certs that you will need.
Expert
Via the {Expert} tab you will be able to edit the '/etc/ssl/openssl-ca-acf.cnf' configuration file.
If you want to save your certs on USB-mem (or somewhere else), this is where you should do such change.
Something like subjectAltName can be added to be used by the certificates that you generate.
3.subjectAltName = Assigned IP Address 3.subjectAltName_default = 192.168.1.1/32
Start using the PFX certificate
Extract PFX certificate
The next examples are executed by entering the commands on a console (not in ACF).
Extract the 'CA CERT' from the .pfx:
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem
Extract the 'Private Key'
openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem
Extract the 'Certificate'
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem
View PFX certificate information
Display the cert or key readable/text format
openssl x509 -in mycert.pem -noout -text
OpenSSL command line to create your CA
The following command will need a password. Make sure to remember this.
openssl genrsa -des3 -out server.key 2048 openssl req -new -key server.key -out server.csr openssl rsa -in server.key. -out server.pem openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem mv server.pem /etc/ssl/private mv cacert.pem /etc/ssl/