Generating SSL certs with ACF: Difference between revisions
(replace /etc/init.d with rc-service) |
|||
(13 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
You | You need to create certificates for servers or remote persons. You might need an SSL cert for your web server running lighttpd or mini_httpd. You might use something like openvpn or racoon for your VPN services. Wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it? | ||
Alpine, via ACF, has a nice web interface to use for this sort of job... | Alpine, via ACF, has a nice web interface to use for this sort of job... | ||
Line 20: | Line 20: | ||
{{Cmd|apk add acf-openssl}} | {{Cmd|apk add acf-openssl}} | ||
Browse to your computer https://ipaddr/ | Browse to your computer <nowiki>https://ipaddr/</nowiki> | ||
Log in as root. | |||
Click on the User Management tab and create | Click on the User Management tab and create an account. | ||
=== Acf-openssl === | === Acf-openssl === | ||
Line 30: | Line 30: | ||
From the navigation bar on the left, under the Applications section, click the Certificate Authority link. | From the navigation bar on the left, under the Applications section, click the Certificate Authority link. | ||
If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx). | If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx file). | ||
From the Status tab, Click Configure(to remove most of the error messages). | From the Status tab, Click Configure (to remove most of the error messages). | ||
If you do not have a CA, To generate a new | If you do not have a CA, To generate a new certificate: | ||
Click the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it then Click Save. | Click the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it then Click Save. | ||
Click the Status tab. Input values for the input boxes to generate a CA and click Generate. | Click the Status tab. Input values for the input boxes to generate a CA and click Generate. | ||
== Generate a certificate with ACF == | |||
=== Request Form === | |||
Provided Fields: | Provided Fields: | ||
* Country Name (2 letter abbreviation) | * Country Name (2 letter abbreviation) | ||
Line 52: | Line 52: | ||
<tt>[v3_req]</tt> | <tt>[v3_req]</tt> | ||
You | You can insert: | ||
* subjectAltName ="IP:192.168.1.1" | * subjectAltName ="IP:192.168.1.1" | ||
* subjectAltName ="DNS:192.168.1.10" | * subjectAltName ="DNS:192.168.1.10" | ||
Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information: | Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information: | ||
* crlDistributionPoints=URI:http:// | * crlDistributionPoints=URI:<nowiki>http://example.com/example.crl</nowiki> | ||
Once | Once the form is filled out and the password entered, click submit. | ||
=== View === | |||
Go to the View tab after you have the request form submitted. The view tab will show you pending requests | Go to the View tab after you have the request form submitted. The view tab will show you pending certificate requests. Also available from this tab are approved requests (generated certs), revoked certs, and the CRL. | ||
For a Pending request, make sure to review the cert before approving it. Once you have verified | For a Pending request, make sure to review the cert before approving it. Once you have verified there are no errors, approve the request. | ||
The file | The file generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it. | ||
=== Extract PFX certificate === | |||
To get the CA CERT | To get the CA CERT | ||
Line 76: | Line 76: | ||
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem}} | {{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem}} | ||
Since this file contains the key without passsword protection, make sure to set restrictive permissions on this file. | |||
To get the Certificate | To get the Certificate | ||
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem}} | {{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem}} | ||
To get the Certificate and Private key in a single file (For lighttpd or mini_httpd for instance) | |||
{{Cmd|openssl pkcs12 -in PFXFILE -nodes -out server.pem}} | |||
Since this file contains the key without passsword protection, make sure to set restrictive permissions on this file. | |||
To get the CA Chain (For lighttpd for instance) | |||
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -cacerts -chain -out ca-certs.pem}} | |||
Display the cert or key readable/text format | Display the cert or key readable/text format | ||
Line 85: | Line 95: | ||
{{Cmd|openssl x509 -in mycert.pem -noout -text}} | {{Cmd|openssl x509 -in mycert.pem -noout -text}} | ||
==Examples== | |||
===Replacing the ACF SSL cert=== | |||
By default, setup-acf uses mini_httpd with a self-signed certificate for serving ACF webpages. We can replace the self-signed certificate with one signed by our new CA. | |||
Create a certificate of type 'ssl_server_cert' with appropriate settings (i.e. Common Name = server name) | |||
Download the certificate pfx file and upload it to the ACF server (remember, this is generally separate from the standalone Certificate Authority server) | |||
{{Cmd|openssl pkcs12 -in PFXFILE -nodes -out server | Replace the mini_httpd server certificate | ||
{{Cmd|openssl pkcs12 -in PFXFILE -nodes -out /etc/ssl/mini_httpd/server.pem}} | |||
Restart mini_httpd | |||
{{Cmd|rc-service mini_httpd restart}} | |||
===Generating server and client certs for OpenVPN=== | |||
For OpenVPN use, we need a server certificate and one client certificate for each user. ACF can be used to generate all of them, including allowing users to request their own client certificates. | |||
Generate a certificate of type 'ssl_server_cert' with appropriate settings for the OpenVPN server. | |||
Copy the server certificate pfx to the OpenVPN server and extract the certificate using the commands above. Configuration of the OpenVPN server is beyond the scope here. | |||
Create an ACF user account on the Certificate Authority server for each OpenVPN user. From the navigation bar, click on User Management under System. Click on Create. Create a user with CERT_REQUESTER role for each user. You can set the user Home directory to /openssl/openssl/read to default to showing that user's certificates. | |||
Each user can request their own client certificate. Log in as the new user. Create a certificate request for a certificate of type 'ssl_client_cert' with appropriate settings. | |||
You can view and approve the requested certificates as described above. | |||
The user can download and install the client certificate pfx file on their OpenVPN client. Once again, that is beyond the scope of this document. | |||
====OpenSSL command line to create your CA | ==Extras== | ||
The following command will need a password. Make sure to remember | ===OpenSSL command line to create your CA === | ||
The following command will need a password. Make sure to remember it. | |||
{{Cmd|openssl genrsa -des3 -out server.key 2048}} | {{Cmd|openssl genrsa -des3 -out server.key 2048}} | ||
Line 107: | Line 139: | ||
===Edits to /etc/ssl/openssl-ca-acf.cnf === | ===Edits to /etc/ssl/openssl-ca-acf.cnf === | ||
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates | Via the expert tab on ACF, edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates you generate. | ||
<tt>3.subjectAltName = Assigned IP Address </tt> | <tt>3.subjectAltName = Assigned IP Address </tt> |
Latest revision as of 10:10, 17 November 2023
You need to create certificates for servers or remote persons. You might need an SSL cert for your web server running lighttpd or mini_httpd. You might use something like openvpn or racoon for your VPN services. Wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it? Alpine, via ACF, has a nice web interface to use for this sort of job...
Installation Process
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on your VPN gateway, but use another machine to generate your certificates.
Install Alpine
Link below to the standard document.
Install and Configure ACF
Run the following command: This will install the web front end to Alpine Linux, called ACF.
/sbin/setup-acf
Install acf-openssl
apk add acf-openssl
Browse to your computer https://ipaddr/
Log in as root.
Click on the User Management tab and create an account.
Acf-openssl
From the navigation bar on the left, under the Applications section, click the Certificate Authority link.
If you already have a CA that you would like to have the web interface manage you can upload it from the Status page (as a pfx file).
From the Status tab, Click Configure (to remove most of the error messages).
If you do not have a CA, To generate a new certificate: Click the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it then Click Save. Click the Status tab. Input values for the input boxes to generate a CA and click Generate.
Generate a certificate with ACF
Request Form
Provided Fields:
- Country Name (2 letter abbreviation)
- Locality Name (e.g. city)
- Organization Name
- Common Name (eg, the certificate CN)
- Email Address
- Multiple Organizational Unit Name (eg, division)
- Certificate Type
A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be [v3_req]
You can insert:
- subjectAltName ="IP:192.168.1.1"
- subjectAltName ="DNS:192.168.1.10"
Here is also where you would specify the CRL / OCSP distribution point, from where clients can query information:
- crlDistributionPoints=URI:http://example.com/example.crl
Once the form is filled out and the password entered, click submit.
View
Go to the View tab after you have the request form submitted. The view tab will show you pending certificate requests. Also available from this tab are approved requests (generated certs), revoked certs, and the CRL.
For a Pending request, make sure to review the cert before approving it. Once you have verified there are no errors, approve the request.
The file generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its part to begin using it.
Extract PFX certificate
To get the CA CERT
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem
To get the Private Key
openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem
Since this file contains the key without passsword protection, make sure to set restrictive permissions on this file.
To get the Certificate
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem
To get the Certificate and Private key in a single file (For lighttpd or mini_httpd for instance)
openssl pkcs12 -in PFXFILE -nodes -out server.pem
Since this file contains the key without passsword protection, make sure to set restrictive permissions on this file.
To get the CA Chain (For lighttpd for instance)
openssl pkcs12 -in PFXFILE -nokeys -cacerts -chain -out ca-certs.pem
Display the cert or key readable/text format
openssl x509 -in mycert.pem -noout -text
Examples
Replacing the ACF SSL cert
By default, setup-acf uses mini_httpd with a self-signed certificate for serving ACF webpages. We can replace the self-signed certificate with one signed by our new CA.
Create a certificate of type 'ssl_server_cert' with appropriate settings (i.e. Common Name = server name)
Download the certificate pfx file and upload it to the ACF server (remember, this is generally separate from the standalone Certificate Authority server)
Replace the mini_httpd server certificate
openssl pkcs12 -in PFXFILE -nodes -out /etc/ssl/mini_httpd/server.pem
Restart mini_httpd
rc-service mini_httpd restart
Generating server and client certs for OpenVPN
For OpenVPN use, we need a server certificate and one client certificate for each user. ACF can be used to generate all of them, including allowing users to request their own client certificates.
Generate a certificate of type 'ssl_server_cert' with appropriate settings for the OpenVPN server.
Copy the server certificate pfx to the OpenVPN server and extract the certificate using the commands above. Configuration of the OpenVPN server is beyond the scope here.
Create an ACF user account on the Certificate Authority server for each OpenVPN user. From the navigation bar, click on User Management under System. Click on Create. Create a user with CERT_REQUESTER role for each user. You can set the user Home directory to /openssl/openssl/read to default to showing that user's certificates.
Each user can request their own client certificate. Log in as the new user. Create a certificate request for a certificate of type 'ssl_client_cert' with appropriate settings.
You can view and approve the requested certificates as described above.
The user can download and install the client certificate pfx file on their OpenVPN client. Once again, that is beyond the scope of this document.
Extras
OpenSSL command line to create your CA
The following command will need a password. Make sure to remember it.
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl rsa -in server.key. -out server.pem
openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem
mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/
Edits to /etc/ssl/openssl-ca-acf.cnf
Via the expert tab on ACF, edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates you generate.
3.subjectAltName = Assigned IP Address
3.subjectAltName_default = 192.168.1.1/32